Secondary Groups with ldapsam WAS: Re: [Samba] net groupmap / domain admins problem
Hansjörg Maurer
hansjoerg.maurer at itsd.de
Fri Jan 9 11:19:04 GMT 2004
Hi
I have done further testing on this issue.
Unix name resolution seems to work (all groups are in LDAP):
[sporer at server sporer]$ getent group | grep management
managementgroup:x:1001:management,root,haehnle,sporer,sporers
[sporer at server sporer]$ getent group | grep sensodrivgroup
[sporer at server sporer]$ getent group | grep sensodrive
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
[sporer at server sporer]$ id -a management
uid=1008(management) gid=1001(managementgroup) groups=1001(managementgroup)
[sporer at server sporer]$ id -a sporer
uid=1000(sporer) gid=1000(sensodrivegroup) groups=1000(sensodrivegroup),1001(managementgroup),1002(test1)
If I add
valid users = +managementgroup,+sensodrivegroup
to a share, user management and user sporer can connect (primary groups are
management and sporer).
If I remove +sensodrivegroup, user sporer can't connect, and vice versa.
A level 10 debug log shows, in the case where sporer connects (and fails):
sys_getgrouplist: user [sporer]
[2004/01/09 12:05:18, 10] lib/system_smbd.c:sys_getgrouplist(122)
sys_getgrouplist(): disabled winbindd for group lookup [user == sporer]
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 1000
Primary group is 1000 and contains 1 supplementary groups
Group[ 0]: 1000
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/01/09 12:05:18, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/01/09 12:05:18, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1636)
ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=1000))]
[2004/01/09 12:05:18, 2] passdb/pdb_ldap.c:init_group_from_ldap(1680)
init_group_from_ldap: Entry found for group: 1000
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/01/09 12:05:18, 10] passdb/passdb.c:local_gid_to_sid(1228)
local_gid_to_sid: gid (1000) -> SID S-1-5-21-3723159834-3326906825-3408399175-3001.
[2004/01/09 12:05:18, 10] passdb/lookup_sid.c:gid_to_sid(374)
gid_to_sid: local 1000 -> S-1-5-21-3723159834-3326906825-3408399175-3001
[2004/01/09 12:05:18, 10] auth/auth_util.c:debug_nt_user_token(491)
NT user token of user S-1-5-21-3723159834-3326906825-3408399175-3000 contains 5 SIDs
SID[ 0]: S-1-5-21-3723159834-3326906825-3408399175-3000
SID[ 1]: S-1-5-21-3723159834-3326906825-3408399175-3001
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
...
In the case where management connects (successfully):
[2004/01/09 12:08:36, 10] lib/system_smbd.c:sys_getgrouplist(113)
sys_getgrouplist: user [management]
[2004/01/09 12:08:36, 10] lib/system_smbd.c:sys_getgrouplist(122)
sys_getgrouplist(): disabled winbindd for group lookup [user == management]
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 1008
Primary group is 1001 and contains 1 supplementary groups
Group[ 0]: 1001
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/01/09 12:08:36, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/01/09 12:08:36, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1636)
ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=1001))]
[2004/01/09 12:08:36, 2] passdb/pdb_ldap.c:init_group_from_ldap(1680)
init_group_from_ldap: Entry found for group: 1001
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/01/09 12:08:36, 10] passdb/passdb.c:local_gid_to_sid(1228)
local_gid_to_sid: gid (1001) -> SID S-1-5-21-3723159834-3326906825-3408399175-3003.
[2004/01/09 12:08:36, 10] passdb/lookup_sid.c:gid_to_sid(374)
gid_to_sid: local 1001 -> S-1-5-21-3723159834-3326906825-3408399175-3003
[2004/01/09 12:08:36, 10] auth/auth_util.c:debug_nt_user_token(491)
NT user token of user S-1-5-21-3723159834-3326906825-3408399175-3016 contains 5 SIDs
SID[ 0]: S-1-5-21-3723159834-3326906825-3408399175-3016
SID[ 1]: S-1-5-21-3723159834-3326906825-3408399175-3003
SID[ 2]: S-1-1-0
...
user_in_list: checking user management in list
[2004/01/09 12:08:36, 10] lib/username.c:user_in_list(525)
user_in_list: checking user |management| against |+managementgroup|
[2004/01/09 12:08:36, 5] lib/username.c:Get_Pwnam(288)
Finding user management
[2004/01/09 12:08:36, 5] lib/username.c:Get_Pwnam_internals(223)
Trying _Get_Pwnam(), username as lowercase is management
[2004/01/09 12:08:36, 5] lib/username.c:Get_Pwnam_internals(251)
Get_Pwnam_internals did find user [management]!
[2004/01/09 12:08:36, 10] lib/username.c:user_in_list(521)
user_in_list: checking user management in list
[2004/01/09 12:08:36, 10] lib/username.c:user_in_list(525)
user_in_list: checking user |management| against |+Domain Admins|
[2004/01/09 12:08:36, 3] smbd/service.c:make_connection_snum(543)
- the parsing of +managementgroup works
- both groups are valid groups
- the secondary group membership seems not to be recognized by Samba...
I am using RH 9 with
glibc-2.3.2-27.9.7
nss_ldap-207-3
openldap-2.1.22
The problem is the same with RH 7.3 and OpenLDAP 2.0.
I read something about a broken getgrouplist with this glibc.
Because RH fixed that bug, I tried to compile with
#ifdef HAVE_GETGROUPLIST 1
but with the same result.
Does anybody have any additional ideas?
Greetings
Hansjörg
[root at server root]# net groupmap list
Domain Admins (S-1-5-21-3723159834-3326906825-3408399175-512) -> Domain Admins
Domain Users (S-1-5-21-3723159834-3326906825-3408399175-513) -> Domain Users
Domain Guests (S-1-5-21-3723159834-3326906825-3408399175-514) -> Domain Guests
Administrators (S-1-5-21-3723159834-3326906825-3408399175-544) -> Administrators
Users (S-1-5-21-3723159834-3326906825-3408399175-545) -> Users
Guests (S-1-5-21-3723159834-3326906825-3408399175-546) -> Guests
Power Users (S-1-5-21-3723159834-3326906825-3408399175-547) -> Power Users
Account Operators (S-1-5-21-3723159834-3326906825-3408399175-548) -> Account Operators
Server Operators (S-1-5-21-3723159834-3326906825-3408399175-549) -> Server Operators
Print Operators (S-1-5-21-3723159834-3326906825-3408399175-550) -> Print Operators
Backup Operators (S-1-5-21-3723159834-3326906825-3408399175-551) -> Backup Operators
Replicators (S-1-5-21-3723159834-3326906825-3408399175-552) -> Replicators
Domain Computers (S-1-5-21-3723159834-3326906825-3408399175-553) -> Domain Computers
sensodrivegroup (S-1-5-21-3723159834-3326906825-3408399175-3001) -> sensodrivegroup
Managementgroup (S-1-5-21-3723159834-3326906825-3408399175-3003) -> managementgroup
test1 (S-1-5-21-3723159834-3326906825-3408399175-3005) -> test1
[root at server root]# net getlocalsid
SID for domain LINA is: S-1-5-21-3723159834-3326906825-3408399175
John H Terpstra wrote:
>Hansjoerg,
>
>Instead of:
> valid users = @Groupe
>
>Please try:
> valid users = +Groupe
>
>Thanks.
>
>- John T.
>
>
>On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
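The behaviour reported above is the difference between a group lookup that returns only the primary gid from passwd (what the failing UNIX token contains: "Primary group is 1000 and contains 1 supplementary groups, Group[ 0]: 1000") and a full getgrouplist(3)-style lookup that also returns every group whose member list names the user (what `id -a` shows). The following script is an added illustration, not Samba's code and not part of the original post: it evaluates a `valid users` value under both lookups so the symptom can be reproduced and checked offline. The passwd/group tables are constructed from the getent and id output quoted in the post; the `@`/`+`/`&` prefix rules follow smb.conf's documented semantics, with NIS netgroups left unsupported.

```python
"""Evaluate a Samba-style `valid users` list against a user's UNIX groups,
once with a getgrouplist()-style lookup and once with a primary-gid-only
lookup that reproduces the symptom in the post.

Added illustration, not Samba code.  The NSS tables below are constructed
from the `getent group` / `id -a` output in the post; a real tool would use
the pwd, grp and os.getgrouplist APIs instead.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NssDb:
    """Minimal stand-in for the NSS passwd and group maps."""
    passwd: Dict[str, Tuple[int, int]]       # name -> (uid, primary gid)
    group: Dict[str, Tuple[int, List[str]]]  # name -> (gid, member names)

    def gid_of(self, group_name: str) -> Optional[int]:
        entry = self.group.get(group_name)
        return entry[0] if entry else None

    def primary_only(self, user: str) -> List[int]:
        """Only the primary gid from passwd: what the failing token held."""
        return [self.passwd[user][1]]

    def getgrouplist(self, user: str) -> List[int]:
        """Primary gid plus every group listing the user as a member,
        i.e. what getgrouplist(3) and `id -a` report."""
        gids = [self.passwd[user][1]]
        for gid, members in self.group.values():
            if user in members and gid not in gids:
                gids.append(gid)
        return gids


def parse_valid_users(value: str) -> List[str]:
    """Split an smb.conf list value on commas and whitespace."""
    return value.replace(",", " ").split()


def user_in_list(user: str, value: str, db: NssDb,
                 lookup: Callable[[str], List[int]]) -> bool:
    """smb.conf prefix rules: a bare name matches the user itself; `+name`
    is a UNIX group; `@name` is tried as a NIS netgroup and then as a UNIX
    group (no netgroups here, so it falls through to UNIX); `&name` is a
    NIS netgroup only and so never matches in this model."""
    if user not in db.passwd:
        return False
    user_gids = lookup(user)
    for tok in parse_valid_users(value):
        prefix, name = (tok[0], tok[1:]) if tok[0] in "+@&" else ("", tok)
        if prefix == "" and name == user:
            return True
        if prefix in ("+", "@"):
            gid = db.gid_of(name)
            if gid is not None and gid in user_gids:
                return True
        # prefix "&": NIS netgroup only, unsupported here -> no match
    return False


# Constructed from the post's getent/id output (only users whose uid and
# primary gid appear there are included).
DB = NssDb(
    passwd={"sporer": (1000, 1000), "management": (1008, 1001)},
    group={
        "sensodrivegroup": (1000, ["sporer", "haehnle", "sporers", "unterholzner",
                                   "geist", "bertleff", "hauschild", "sensodrive",
                                   "root"]),
        "managementgroup": (1001, ["management", "root", "haehnle", "sporer",
                                   "sporers"]),
        "test1": (1002, ["sporer"]),
    },
)


def compare(user: str, value: str, db: NssDb = DB) -> Dict[str, bool]:
    """Result of the `valid users` check under both group lookups."""
    return {"getgrouplist": user_in_list(user, value, db, db.getgrouplist),
            "primary_only": user_in_list(user, value, db, db.primary_only)}


if __name__ == "__main__":
    for user, value in [("sporer", "+managementgroup,+sensodrivegroup"),
                        ("sporer", "+managementgroup"),
                        ("management", "+managementgroup")]:
        print(f"{user:11} {value:36} {compare(user, value)}")
```

With the full lookup, sporer passes `valid users = +managementgroup` through the supplementary group; with the primary-only lookup the same line rejects him while `+sensodrivegroup` (his primary group) still admits him, which is exactly the pattern described in the post. Swapping `DB.getgrouplist` for a wrapper around `os.getgrouplist(user, gid)` on the affected host makes the script a quick check of what the system's libc actually returns for a given user.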