[Samba] Re: 3.0.2rc1, LDAP, Solaris 9 and secondary group problem - Bug 395?

[Jérôme Fenal]

Sojka Reinhard wrote:
> Hi,
> 
> we have tested Samba 3.0.0 and 3.0.1 with LDAP-Support (--with-ldap) on
> Solaris 8 and it worked fine. 
> The machine authenticates against an OpenLDAP server. Patch 108993-23 is
> applied and we use native Sun LDAP client modules.
> 
> On Solaris 9 we ran into problems with secondary groups. Users cannot
> access files if the rights are based on a secondary group and if this
> information is stored on the LDAP server. 
> Note that everything is ok with information from /etc/group and Unix
> authentication is working (login, id, groups, getent, ...). We are using
> the Sun LDAP client, Patch 112960-10.

I had the same problem with Solaris 9 and Samba 3.0.?.
Only W2K and WXP clients would have their secondary groups honoured, 
Win98 would not.
This was in relation with login name case (i.e. Win98 would give it in 
UPPERCASE, no shouting here), and Win2K/XP in lowercase. And secondary 
groups would not be seen by Unix if unix login is lowercase, and tested 
login (from Samba) was uppercase.
Have a test right now, and tell us if it is the problem encountered (and 
give us the type of clients you have, and have tests on both W9x and WNT).

Simply test :
# id jerome
uid=1000(jerome) gid=513(domusers) 
groups=513(domusers),550(prtadmin),103(dsvi),102(susers),1000(ntadmin)
# id JEROME
uid=1000(jerome) gid=513(domusers) groups=513(domusers)

> 
> It seems that Samba doesn't seach the secondary groups on the LDAP server.

Was not Samba for me, it was Solaris. Posix in fact, as Linux shows the 
same behaviour.

Have a look at https://bugzilla.samba.org/show_bug.cgi?id=882.
It's supposed to be corrected, but I could not have my customer to test it.

[snip] : can't help on getgrouplist

HTH,

Jérôme

-- 
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>