[Samba] Secondary Groups and Group Mapping

Klinger, John (N-CSC) john.klinger at lmco.com
Wed Jan 7 22:10:51 GMT 2004


Thank you for your response.

Bug 910 looks like a different issue. 

We are using Samba on Solaris 8, with "security = ads",
with AD running on a W2K server.

We cannot access someone else's file on Solaris that
is owned by a group that we are a member of, if that
group is not our primary group.

example:

Given nsswitch that has 2 lines modified for winbind:

passwd:     files winbind
group:      files winbind

Given a file owned by user1:group2 such as the following:

 -rw-rw---- user1 group2 0 Jan 7 testfile.txt

And given user2 has a primary group of group1 and a 
secondary group of group2.

The following commands were executed on our smbdev
platform, that contains the smb server.

smbdev > su - user2
Password:
smbdev > id
uid=1001(user2) gid=10001(group1)
smbdev > id -a
uid=1001(user2) gid=10001(group1) groups=10001(group1)
smbdev > id -a user2
uid=1001(user2) gid=10001(group1) groups=10002(group2)
smbdev > getent group | grep user2
group1:x:10001:user1,user2
group2:x:10002:user1,user2
smbdev > grep user2 /etc/group
smbdev > wbinfo -r user2
10002
10001
smbdev > groups
group1
smbdev > cat testfile.txt
cat: cannot open testfile.txt
smbdev > touch testfile
smbdev > chgrp group2 testfile2
chgrp: group2: Not owner
smbdev > newgrp group2
$ chgrp group2 testfile2
$ ls -l testfile2
-rw-r----- user2 group2 0 Jan 7 testfile2
$exit
smbdev >

At the initial su to user2, there is a lot of activity
in the winbindd log with "log level = 10", but it only
mentions the uid of 1001 and the gid of 10001. The
secondary group is not mentioned in the log. If I add
group2 to the /etc/group file, it works (as one would
expect due to the nsswitch.conf settings).

I expect it is a problem in libnss_winbind.so.

john


> -----Original Message-----
> From: Hansjoerg Maurer [mailto:Hansjoerg.Maurer at dlr.de]
> Sent: Wednesday, January 07, 2004 12:05 AM
> To: Klinger, John (N-CSC)
> Cc: Gerald (Jerry) Carter
> Subject: Re: [Samba] Secondary Groups and Group Mapping
> 
> 
> Hi,
> 
> this might be related to bug 910
> "domain admin rights only works for user, which primary group is domain admins"
> I submitted last week.
> 
> Just for your information.
> If you want me to do some testing, just give me a note.
> 
> Thank you
> 
> 
> Hansjörg
> 
> Klinger, John (N-CSC) wrote:
> 
> >  
> >
> >>-----Original Message-----
> >>From: Klinger, John (N-CSC) 
> >>Sent: Friday, December 19, 2003 8:14 AM
> >>
> >>| | Klinger, John (N-CSC) wrote:
> >>| |
> >>| | The first issue deals with the file sharing. Even if a file gives
> >>| | full permission to one of a user's secondary groups, that user
> >>| | cannot access the file. The user can only access the file (or
> >>| | directory) if the file's group is the user's primary group. I've
> >>| | found several references on the web and in https://bugzilla.samba.org,
> >>| | which seem to indicate that the bug is fixed. However, we also tried
> >>| | this with 3.0.1rc2 and have the same problem; which makes us think
> >>| | it is a configuration error or something we haven't found
> >>| | related to nsswitch.
> >>|
> >>|Gerald (Jerry) Carter wrote:
> >>|
> >>| This is an open bug
> >>|
> >>| ~   https://bugzilla.samba.org/show_bug.cgi?id=395
> >>|
> >>| cheers, jerry
> >>
> >>Good news, Jerry; thanks for the reply.
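
The check carried out by hand in the message above (the session's own `id -a` against an `id -a user2` lookup) can be scripted. This is an added example, not part of the original thread or of Samba: the function names are hypothetical, and the two sample lines are copied from the transcript in the message.

```shell
#!/bin/sh
# Added example: compare the gids a login session actually holds with the
# gids an NSS lookup (files + winbind) reports for the same user.

# gids_from_id_line LINE
# Print every numeric gid in one line of `id -a` output, one per line.
# Names in parentheses are dropped first, so names with spaces are safe.
gids_from_id_line() {
    printf '%s\n' "$1" |
        sed -e 's/([^)]*)//g' -e 's/uid=[0-9]*//g' -e 's/[a-z]*=//g' |
        tr ', ' '\n\n' | grep '^[0-9][0-9]*$' | sort -un
}

# missing_gids SESSION_LINE LOOKUP_LINE
# Print the gids that LOOKUP_LINE reports but SESSION_LINE does not hold.
missing_gids() {
    have=" $(gids_from_id_line "$1" | tr '\n' ' ') "
    for g in $(gids_from_id_line "$2"); do
        case "$have" in
            *" $g "*) ;;                    # session already holds this gid
            *) printf '%s\n' "$g" ;;        # resolved by NSS, absent at login
        esac
    done
}

# check_user [USER]
# Live form of the same check; run it inside the freshly started session.
# Returns 1 when the session lacks a gid that the lookup reports.
check_user() {
    user=${1:-$(id -un)}
    missing=$(missing_gids "$(id -a)" "$(id -a "$user")")
    if [ -n "$missing" ]; then
        echo "session lacks gids reported for $user:" $missing
        return 1
    fi
    echo "session gids match the lookup for $user"
}

# Sample lines copied from the transcript in the message.
session_line='uid=1001(user2) gid=10001(group1) groups=10001(group1)'
lookup_line='uid=1001(user2) gid=10001(group1) groups=10002(group2)'
echo "gids missing from the session: $(missing_gids "$session_line" "$lookup_line")"
```
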

