[Samba] Secondary Groups and Group Mapping

Klinger, John (N-CSC) john.klinger at lmco.com
Fri Jan 9 00:37:36 GMT 2004


The problem was in the libnss_winbind.so code for Solaris 8. The wrapper
function to initialize the secondary groups immediately returned without
doing any work.

As Jerry mentioned previously, this is already an open bug. I've submitted
a patch to that bug report that adds the required functionality.

See: https://bugzilla.samba.org/show_bug.cgi?id=395

As I stated in the bug report:
Preliminary tests using this patch were completely successful. However, I'm
going to be performing further tests to ensure there are no side effects that
I have yet to find.

john

> -----Original Message-----
> From: Klinger, John (N-CSC) 
> 
> Thank you for your response.
> 
> Bug 910 looks like a different issue. 
> 
> We are using Samba on Solaris 8, with "security = ads",
> with AD running on a W2K server.
> 
> We cannot access someone else's file on Solaris that
> is owned by a group that we are a member of, if that
> group is not our primary group.
> 
> example:
> 
> Given nsswitch that has 2 lines modified for winbind:
> 
> passwd:     files winbind
> group:      files winbind
> 
> Given a file owned by user1:group2 such as the following:
> 
>  -rw-rw---- user1 group2 0 Jan 7 testfile.txt
> 
> And given user2 has a primary group of group1 and a 
> secondary group of group2.
> 
> The following commands were executed on our smbdev
> platform, that contains the smb server.
> 
> smbdev > su - user2
> Password:
> smbdev > id
> uid=1001(user2) gid=10001(group1)
> smbdev > id -a
> uid=1001(user2) gid=10001(group1) groups=10001(group1)
> smbdev > id -a user2
> uid=1001(user2) gid=10001(group1) groups=10002(group2)
> smbdev > getent group | grep user2
> group1:x:10001:user1,user2
> group2:x:10002:user1,user2
> smbdev > grep user2 /etc/group
> smbdev > wbinfo -r user2
> 10002
> 10001
> smbdev > groups
> group1
> smbdev > cat testfile.txt
> cat: cannot open testfile.txt
> smbdev > touch testfile
> smbdev > chgrp group2 testfile2
> chgrp: group2: Not owner
> smbdev > newgrp group2
> $ chgrp group2 testfile2
> $ ls -l testfile2
> -rw-r----- user2 group2 0 Jan 7 testfile2
> $exit
> smbdev >
> 
> At the initial su to user2, there is a lot of activity
> in the winbindd log with "log level = 10", but it only
> mentions the uid of 1001 and the gid of 10001. The
> secondary group is not mentioned in the log. If I add
> group2 to the /etc/group file, it works (as one would
> expect due to the nsswitch.conf settings).
> 
> I expect it is a problem in libnss_winbind.so.
> 
> john
> 
> > From: Hansjoerg Maurer
> > Sent: Wednesday, January 07, 2004 12:05 AM
> > 
> > Hi,
> > 
> > this might be related to bug 910
> > "domain admin rights only works for user, which primary group is domain admins"
> > I submitted last week.
> > 
> > Just for your information.
> > If you want me to do some testing, just give me a note.
> > 
> > Thank you
> > 
> > 
> > Hansjörg
> > 
> > Klinger, John (N-CSC) wrote:
> > 
> > >  
> > >
> > >>From: Klinger, John (N-CSC) 
> > >>Sent: Friday, December 19, 2003 8:14 AM
> > >>
> > >>| | The first issue deals with the file sharing. Even if a file gives
> > >>| | full permission to one of a user's secondary groups, that user
> > >>| | cannot access the file. The user can only access the file (or
> > >>| | directory) if the file's group is the user's primary group. I've
> > >>| | found several references on the web and in https://bugzilla.samba.org,
> > >>| | which seem to indicate that the bug is fixed. However, we also tried
> > >>| | this with 3.0.1rc2 and have the same problem; which makes us think
> > >>| | it is a configuration error or something we haven't found
> > >>| | related to nsswitch.
> > >>|
> > >>|Gerald (Jerry) Carter wrote:
> > >>|
> > >>| This is an open bug
> > >>|
> > >>| ~   https://bugzilla.samba.org/show_bug.cgi?id=395
> > >>|
> > >>| cheers, jerry
> > >>

