[Samba] Win2003 ADS group membership: * varying * delay getting access to shares

Kel Way kpwspam-samba at yahoo.com
Wed Dec 15 22:09:23 GMT 2004


User A is a member of Global Group Public in Windows 2003 Active Directory.  Global Group
Maintenance is a member of Domain Local Group Maintenance.  Domain Local Group Maintenance is
afforded access to Linux directory /home/maint with this smb.conf share definition:

[maintenance]
comment = Maintenance Share
valid users = "MYDOMAIN+Pulaski - Maintenance - DLoc" "MYDOMAIN+shawnadm"
path = /home/maint
writeable = yes
create mode = 0660
directory mode = 0770

the directory:

[root at pulaski-fs-001 home]# ll | grep maint
drwxrwx---   2 root     MYDOMAIN+Domain Users  4096 Dec 15 13:11 maint


getent group from the Samba box shows that user MYDOMAIN+bwatkins, for instance, IS a member of
the following Maintenance groups:


[root at pulaski-fs-001 proc]# getent group | grep Maint
MYDOMAIN+Pulaski - Maintenance -Glo:x:10541:MYDOMAIN+tnewton,MYDOMAIN+jwillia1,MYDOMAIN+bwatkins,MYDOMAIN+rwilliam,MYDOMAIN+dkermicl,MYDOMAIN+jburress
MYDOMAIN+Pulaski - Maintenance - DLoc:x:10524:


Note group #'s 10541 and 10524.  The logs for the IP address of the machine that bwatkins logs in
from show the following.  Note that supplementary groups 10541 and 10524 are not present.  Because
of this, access is denied to the share defined above.


[2004/12/15 14:28:20, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10002
  Primary group is 10000 and contains 8 supplementary groups
  Group[  0]: 10000
  Group[  1]: 10020
  Group[  2]: 10035
  Group[  3]: 10037
  Group[  4]: 10039
  Group[  5]: 10042
  Group[  6]: 10507
  Group[  7]: 10508


We've noticed that after some time - and it certainly seems to vary - access is granted.  Until
then, the user is denied access and is challenged for credentials.  *** Is there some GID cache
that I'm not aware of? ***

Relevant System Info:

	Fedora Core 2: Linux version 2.6.5-1.358

	[root at pulaski-fs-001 home]# rpm -qa | grep samba
	samba-common-3.0.9-1.fc2
	samba-client-3.0.9-1.fc2
	samba-3.0.9-1.fc2


	smb.conf global section: 
	
	[global]
	unix charset = LOCALE
	workgroup = MYDOMAIN
	realm = MYDOMAIN.ORG
	server string = PULASKI-FS-001
	security = ADS
	username map = /etc/samba/smbusers
	log level = 9
	syslog = 0
	log file = /var/log/samba/%M
	max log size = 50
	printcap name = CUPS
	ldap ssl = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template primary group = "Domain Users"
	template shell = /bin/bash
	winbind separator = +
	winbind cache time = 10
	printing = cups
	client use spnego = yes
	invalid users = root bin daemon adm sync shutdown halt mail news uucp operator
	printer admin = "MYDOMAIN+Americas Zone Admins" "MYDOMAIN+shawnadm"
	# commented out 12-15-04 by Kel: encrypt password = yes
	oplocks = no
	level2 oplocks = no
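
The Python below is an added illustration written for this page; it is not code from the post or from Samba. It parses the two pieces of evidence the post shows (the `getent group` output and the `debug_unix_user_token` block smbd writes at log level 5 or higher) and checks them against the share's `valid users` value the way smbd matches that list: an entry prefixed with `@`, `+` or `&` is a group and matches when its GID is in the connecting user's token, while an unprefixed entry is compared against the user name (smb.conf(5)). The sample inputs are constructed from the post; the `Domain Users` line with GID 10000 and the choice of MYDOMAIN+bwatkins as the connecting user are assumptions of the example.

```python
"""Check a Samba `valid users` list against a user's Unix token.

Added example, not from the post or from Samba. Inputs are constructed
from the post: the `Domain Users` line (GID 10000) is an assumption.
"""
import re
import shlex
from typing import Dict, List, NamedTuple, Optional, Tuple

# smb.conf(5): an entry starting with one of these is a group (@ = NIS
# netgroup then Unix group, + = Unix group, & = NIS netgroup); anything
# else is compared against the connecting user's name.
GROUP_PREFIXES = ("@", "+", "&")

# Constructed sample inputs (from the post; Domain Users line assumed).
GETENT_GROUP = """\
MYDOMAIN+Domain Users:x:10000:
MYDOMAIN+Pulaski - Maintenance -Glo:x:10541:MYDOMAIN+tnewton,MYDOMAIN+jwillia1,MYDOMAIN+bwatkins,MYDOMAIN+rwilliam,MYDOMAIN+dkermicl,MYDOMAIN+jburress
MYDOMAIN+Pulaski - Maintenance - DLoc:x:10524:
"""
TOKEN_LOG = """\
[2004/12/15 14:28:20, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10002
  Primary group is 10000 and contains 8 supplementary groups
  Group[  0]: 10000
  Group[  1]: 10020
  Group[  2]: 10035
  Group[  3]: 10037
  Group[  4]: 10039
  Group[  5]: 10042
  Group[  6]: 10507
  Group[  7]: 10508
"""
VALID_USERS_POSTED = '"MYDOMAIN+Pulaski - Maintenance - DLoc" "MYDOMAIN+shawnadm"'
# Same list with the group entry prefixed so smbd treats it as a group.
VALID_USERS_GROUP = '"@MYDOMAIN+Pulaski - Maintenance - DLoc" "MYDOMAIN+shawnadm"'


class Group(NamedTuple):
    gid: int
    members: Tuple[str, ...]   # direct members only; nesting is invisible here


class UnixToken(NamedTuple):
    uid: int
    primary_gid: int
    gids: Tuple[int, ...]      # every Group[n] line, primary group included


class Finding(NamedTuple):
    entry: str
    kind: str                  # "user" or "group"
    gid: Optional[int]
    matched: bool
    note: str


def parse_getent_group(text: str) -> Dict[str, Group]:
    """Parse `name:passwd:gid:member,member` lines; names may contain spaces."""
    groups: Dict[str, Group] = {}
    for line in text.splitlines():
        if line.strip():
            name, _passwd, gid, members = line.rsplit(":", 3)
            groups[name] = Group(int(gid), tuple(m for m in members.split(",") if m))
    return groups


def parse_unix_token(log: str) -> UnixToken:
    """Pull uid, primary GID and the GID list out of a debug_unix_user_token block."""
    uid = int(re.search(r"UNIX token of user (\d+)", log).group(1))
    primary = int(re.search(r"Primary group is (\d+)", log).group(1))
    gids = tuple(int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log))
    return UnixToken(uid, primary, gids)


def parse_valid_users(value: str) -> List[str]:
    """Split a `valid users =` value; quoted names may contain spaces."""
    return shlex.split(value)


def check_share_access(valid_users: str, groups: Dict[str, Group],
                       token: UnixToken, user: str) -> List[Finding]:
    """Explain, entry by entry, how smbd would match `user` against `valid users`."""
    findings: List[Finding] = []
    for entry in parse_valid_users(valid_users):
        if entry.startswith(GROUP_PREFIXES):
            group = groups.get(entry[1:])
            if group is None:
                findings.append(Finding(entry, "group", None, False,
                                        "group not resolvable via NSS (winbind lookup failed?)"))
            else:
                hit = group.gid in token.gids
                findings.append(Finding(entry, "group", group.gid, hit,
                                        "GID in token" if hit else "GID missing from token"))
        elif entry == user:
            findings.append(Finding(entry, "user", None, True, "matches the connecting user"))
        elif entry in groups:   # looks like a group, but no prefix: compared as a user name
            gid = groups[entry].gid
            findings.append(Finding(entry, "user", gid, False,
                                    "names a group but has no @/+/& prefix; compared to user name"))
        else:
            findings.append(Finding(entry, "user", None, False, "user name, does not match"))
    return findings


def user_allowed(findings: List[Finding]) -> bool:
    """Access is granted when any entry matches."""
    return any(f.matched for f in findings)


def groups_missing_from_token(user: str, groups: Dict[str, Group],
                              token: UnixToken) -> Dict[str, int]:
    """Groups listing `user` as a direct member whose GID the token lacks."""
    return {name: g.gid for name, g in groups.items()
            if user in g.members and g.gid not in token.gids}


if __name__ == "__main__":
    groups = parse_getent_group(GETENT_GROUP)
    token = parse_unix_token(TOKEN_LOG)
    user = "MYDOMAIN+bwatkins"   # assumed: the uid 10002 session belongs to bwatkins
    for label, value in (("as posted", VALID_USERS_POSTED), ("group-prefixed", VALID_USERS_GROUP)):
        found = check_share_access(value, groups, token, user)
        print(f"valid users ({label}): allowed={user_allowed(found)}")
        for f in found:
            print(f"  {f.kind:5} {f.entry!r:42} gid={f.gid} matched={f.matched}: {f.note}")
    print("direct memberships missing from token:", groups_missing_from_token(user, groups, token))
```

Run as-is, it reports that neither entry of the posted share matches bwatkins: the first names a group but carries no prefix, and its GID 10524 is not in the token in any case; once the token carries 10524 and the entry is written as `"@MYDOMAIN+Pulaski - Maintenance - DLoc"`, the group entry matches. `groups_missing_from_token` only sees the direct members NSS lists, so membership inherited through the nested global group cannot be cross-checked that way; `wbinfo --user-groups` against the same user, taken at the moment a session is denied, is the place to see what winbind returned for that lookup.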
