[Samba] Samba ADS: kerberos logins seem to give users different rights/group memberships

Ferdinand Hagethorn hagethorn at stone-it.com
Mon Mar 8 09:59:00 GMT 2004


Hi all,

I'm having some very weird issues with some users in a 
Samba ADS configuration. (:: kerberos logins seem to give 
users different rights/group memberships ::)

Sysinfo:
OS: Debian 3.0 + some backports packages
Kernel: 2.4.24-1-686-smp (from backports.org)
Samba: 3.0.2a (from debian packages fetched from samba)
Filesystem: ext3 (no acl patches or acl support)

Configuration description:
--------------------------
Samba ADS configuration
Windows 2000 DC


Situation description:
----------------------
We have a share containing a directory:
//fileserver/export/biz/public

Unix rights on the biz share: 0755 (rwxr-xr-x)
Unix rights on the public directory are: 2770 (rwxrws---)

We have a set of users, each is a member of the group biz-pub
biz-pub is defined in the Windows DC.

Now the case: 
For some users it is not possible to open the public directory 
when logged on to the samba server with kerberos identification.

Example output:
 # smbclient //fileserver/export -U peter
 Password: *****
 smb: \> cd biz
 smb: \> ls
 // lists contents correctly
 smb: \> cd biz
 // lists contents correctly
 smb: \biz\> cd biz
 smb: \biz\public\> ls
 // lists contents correctly
 smb: \biz\public\> put file
 // uploads the issue file correctly
This is all okay

Now we log in using kerberos authentication, first get a ticket:
 # kinit peter at DOM.COM
 # Password: *****
Now log in with this ticket:
 # smbclient //fileserver/export -U peter -k
 smb: \> cd biz
 smb: \biz\> ls 
 // lists contents correctly
 smb: \biz\> cd public
 smb: \biz\public\> ls
 NT_STATUS_ACCESS_DENIED listing \biz\public\*

This also applies to all the clients (w2k/wxp/w2003) which log in to the
domain

So what is happening here? Manual user+pass login works, 
but a kerberos login gives the user different 
group memberships ???

Note 1: nsswitch.conf is configured correctly and works 100%
(tested with 'id peter' and 'getent passwd/group -s winbindd')
No nscd is running!

Note 2: This behaviour only applies to a few users.


Thanks in advance,

  Ferdinand



-----
## smb.conf file contents follow:

[global]
        workgroup = DOM
        realm = DOM.COM
        netbios name = FILESERVER
        security = ADS
        syslog = 0
        log file = /var/log/samba/log.%m
        printcap name = cups
        os level = 10
        preferred master = No
        local master = No
        domain master = No
        idmap uid = 10000-60000
        idmap gid = 10000-60000
        template homedir = /cluster/homes/homedirs/%U
        winbind separator = +
        winbind use default domain = Yes
        printing = cups
        printer admin = Administrator, @"Domain Admins"
        log level = 0

[export]
        comment = Export share
        path = /cluster/data/export
        admin users = @"Domain Admins"
        read only = No
        create mask = 0660
        directory mask = 2770
-----
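The check behind this post, turned into a script, as an added example (not from the original mail, not from Samba): a POSIX shell script that takes the smbclient output of a password login and of a Kerberos (-k) login for the same user and reports every path that one session was denied but the other was not. The two transcripts embedded below are constructed to mirror the sessions in the mail; the function names denied_paths and compare_sessions are this example's own. On a real server the two transcripts would be captured from the two logins and diffed the same way, so a mismatch points at the group list the Kerberos session is actually mapped to rather than at the filesystem modes.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba: compare two
# smbclient transcripts (password login vs. Kerberos login) and list the
# paths that only one of them was refused.  A 2770 directory is only
# enterable through group membership, so a path denied under one
# authentication method but not the other means the two logins were
# resolved to different group sets.

# Constructed transcript of the password login (mirrors the post: all OK).
PASSWORD_SESSION='smb: \> cd biz
smb: \biz\> ls
  .                                   D        0  Mon Mar  8 09:00:00 2004
  public                              D        0  Mon Mar  8 09:00:00 2004
smb: \biz\> cd public
smb: \biz\public\> ls
  file                                A      123  Mon Mar  8 09:00:00 2004'

# Constructed transcript of the Kerberos login (mirrors the post: denied).
KERBEROS_SESSION='smb: \> cd biz
smb: \biz\> ls
  .                                   D        0  Mon Mar  8 09:00:00 2004
  public                              D        0  Mon Mar  8 09:00:00 2004
smb: \biz\> cd public
smb: \biz\public\> ls
NT_STATUS_ACCESS_DENIED listing \biz\public\*'

# denied_paths TRANSCRIPT
# Prints, one per line, the paths from "NT_STATUS_ACCESS_DENIED listing <path>"
# lines that smbclient emits when a directory listing is refused.
denied_paths() {
    printf '%s\n' "$1" \
        | sed -n 's/^NT_STATUS_ACCESS_DENIED listing \(.*\)$/\1/p' \
        | sort -u
}

# compare_sessions PASSWORD_TRANSCRIPT KERBEROS_TRANSCRIPT
# Prints "kerberos-only denial: <path>" / "password-only denial: <path>"
# for each path refused under one login method only.
# Returns 0 when both sessions were refused the same paths, 1 otherwise.
compare_sessions() {
    pw=$(denied_paths "$1")
    krb=$(denied_paths "$2")
    rc=0
    # Paths denied to the Kerberos session but not to the password session.
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if ! printf '%s\n' "$pw" | grep -Fxq -- "$p"; then
            printf 'kerberos-only denial: %s\n' "$p"
            rc=1
        fi
    done <<EOF
$krb
EOF
    # Paths denied to the password session but not to the Kerberos session.
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if ! printf '%s\n' "$krb" | grep -Fxq -- "$p"; then
            printf 'password-only denial: %s\n' "$p"
            rc=1
        fi
    done <<EOF
$pw
EOF
    return $rc
}

# Run the comparison on the constructed transcripts.
if compare_sessions "$PASSWORD_SESSION" "$KERBEROS_SESSION"; then
    echo "sessions agree"
else
    echo "sessions disagree: check which groups the Kerberos login is mapped to"
fi
```

The transcripts are matched on the exact error line smbclient prints, so the script is only as good as the capture; a run that hits a different error (for example a connection failure) shows up as "sessions agree" and must be read by eye.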