[Samba] Re: Re: 3.0.2rc1, LDAP, Solaris 9 and secondary group problem - Bug 395?

Reinhard Sojka "reinhard.sojka at reinhard.sojka" at parlinkom.gv.at
Fri Jan 23 22:13:25 GMT 2004


Hi Jerome,

thank you for your quick answer. I hope you can forgive my not so
quick response.

>Sojka Reinhard wrote:
>> Hi,
>>
>> we have tested Samba 3.0.0 and 3.0.1 with LDAP-Support (--with-ldap) on
>> Solaris 8 and it worked fine.
>> The machine authenticates against an OpenLDAP server. Patch 108993-23 is
>> applied and we use native Sun LDAP client modules.
>>
>> On Solaris 9 we ran into problems with secondary groups. Users cannot
>> access files if the rights are based on a secondary group and if this
>> information is stored on the LDAP server.
>> Note that everything is ok with information from /etc/group and Unix
>> authentication is working (login, id, groups, getent, ...). We are using
>> the Sun LDAP client, Patch 112960-10.

>I had the same problem with Solaris 9 and Samba 3.0.?.
>Only W2K and WXP clients would have their secondary groups honoured,
>Win98 would not.
>This was in relation with login name case (i.e. Win98 would give it in
>UPPERCASE, no shouting here), and Win2K/XP in lowercase. And secondary
>groups would not be seen by Unix if unix login is lowercase, and tested
>login (from Samba) was uppercase.
>Have a test right now, and tell us if it is the problem encountered (and
>give us the type of clients you have, and have tests on both W9x and WNT).

We use W2K clients at the moment.

>Simply test :
># id jerome
>uid=1000(jerome) gid=513(domusers)
>groups=513(domusers),550(prtadmin),103(dsvi),102(susers),1000(ntadmin)
># id JEROME
>uid=1000(jerome) gid=513(domusers) groups=513(domusers)

# /usr/xpg4/bin/id  edvtest
uid=1520(edvtest) gid=150(edv) groups=10(staff),157(et),136(eppo_apl),100(dba),5831(caddy),
# /usr/xpg4/bin/id  EDVTEST
uid=1520(edvtest) gid=150(edv)

Same result in Solaris 8 and Solaris 9, but as you have mentioned
above, this should be no problem with W2K clients.
The problem is that Samba (and Windows) can see the secondary groups
on a PDC with Solaris 8, but these groups can't be seen on a PDC
with Solaris 9.
For testing purposes, we switched back to the Solaris 8 machine and
everything is fine. Same smb.conf, same user, same LDAP server and
database, etc. and it worked.
I think my problem is more like this one
http://lists.samba.org/archive/samba-technical/2003-December/033162.html
same thread but more interesting
http://lists.samba.org/archive/samba-technical/2003-December/033482.html
The only difference I see to my configuration is Samba 2.2.8a instead
of 3.0.x

>>
>> It seems that Samba doesn't search the secondary groups on the LDAP server.

>Was not Samba for me, it was Solaris. Posix in fact, as Linux shows the
>same behaviour.
You are right and I was unclear. Let's try it this way: It seems to
me that Samba can't motivate Solaris 9 to search for secondary groups
on the LDAP server.

>Have a look at https://bugzilla.samba.org/show_bug.cgi?id=882.
>It's supposed to be corrected, but I could not get my customer to test it.
I will give it a try with my Laptop as soon as I have a working
installation :)

>[snip] : can't help on getgrouplist

>HTH,

>Jérôme

Thank you,
Reinhard
  

-- 
                          mailto:reinhard.sojka at reinhard.sojka@parlinkom.gv.at
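
Added example, not part of the original message or of Samba: a small shell check that reports which supplementary groups `id` stops listing when the same login is looked up in a different case, run here on the `id` lines quoted in the message above. The function names and the `ID_CMD` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: which supplementary groups disappear when the same login
# is looked up under a different spelling? Inputs are lines of `id` output.

# Print one group name per line from the groups= field of an `id` line.
# Prints nothing when the field is absent; tolerates a trailing comma.
id_groups() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        sed -e 's/^[0-9]*(\(.*\))$/\1/' -e '/^$/d' |
        LC_ALL=C sort -u
}

# Comma-separated groups present in the first `id` line but not the second.
lost_groups() {
    for g in $(id_groups "$1"); do
        id_groups "$2" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done | paste -sd, -
}

# Live check for one login (assumption: ID_CMD names an `id` that lists
# supplementary groups, e.g. /usr/xpg4/bin/id on Solaris).
check_login() {
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    lost_groups "$(${ID_CMD:-id} "$1")" "$(${ID_CMD:-id} "$upper")"
}

# Sample lines copied from the thread (the first rejoined from two lines).
JEROME_LOWER='uid=1000(jerome) gid=513(domusers) groups=513(domusers),550(prtadmin),103(dsvi),102(susers),1000(ntadmin)'
JEROME_UPPER='uid=1000(jerome) gid=513(domusers) groups=513(domusers)'
EDV_LOWER='uid=1520(edvtest) gid=150(edv) groups=10(staff),157(et),136(eppo_apl),100(dba),5831(caddy),'
EDV_UPPER='uid=1520(edvtest) gid=150(edv)'

echo "jerome  -> JEROME  loses: $(lost_groups "$JEROME_LOWER" "$JEROME_UPPER")"
echo "edvtest -> EDVTEST loses: $(lost_groups "$EDV_LOWER" "$EDV_UPPER")"
```

An empty result from `check_login` means both spellings resolve to the same supplementary groups on that host.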


