[Samba] Very strange permissions issue with Samba 3.0.20(a/b)

Scrivner, Andrew ascrivner at oppenheimerfunds.com
Wed Nov 16 05:39:16 GMT 2005

Hi Guys, 

First, thanks for all the hard work! You all rock.

I am running Samba 3.0.20a on RHEL 3 u5 x86. My configuration is working
perfectly except for CVS commits for 3 users. We are using ADS, pam_winbind, and pam_require to authenticate CVS users against AD.

Our CVS directories are mod 2775, and the group ownership of all dirs is
the AD group "DEN-CVS-Users". Every valid user is a member of this group. But 
a few users, while they are able to authenticate, and checkout, cannot commit files to the depot. Their group membership is hosed up somehow. Everything is working perfectly except for these few troublemakers. 

The users can log into CVS, so their group membership is seen by winbind and passed to pam_require, but when it comes to writing to a file with AD group
ownership they are denied. It works for the rest of us though, so we're baffled. The files are all mod 664.

This isn't a CVS issue, as I can login to our CVS server as an affected AD user and replicate the problem. For me, I can write to the depot just fine.

My questions:
1. Is there a limit to the number of groups a user may be a member of (the most so far is 48 groups) that would cause winbind problems?

2. Are there any special characters within an AD group name that would break winbind?

3. Besides a user's SID and group membership, what could be different between users?

This is our setup:


# workgroup = NT-Domain-Name or Workgroup-Name
   netbios name = CVS-DR
   workgroup = DEN
   realm = DEN.FOO.COM
   security = ADS
   password server = den-dc1.den.foo.com
   winbind use default domain = no
   winbind nested groups = yes
   winbind enum users = yes
   winbind enum groups = yes
   allow trusted domains = yes
   log level = 3
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   template homedir = /cvsroot
   winbind cache time = 3600
   winbind separator = -

RHEL 3 u5 PAM config

auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required     pam_require.so @DEN-CVS-Admins @DEN-CVS-Users @NY-CVS-Users @NY-CVS-Admins cvs

account     required     pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required     pam_permit.so

password   sufficient    pam_winbind.so use_authtok
password   sufficient    pam_unix.so nullok use_authtok md5 shadow
password   required      pam_deny.so

session    required      pam_unix.so

As always, any suggestions would be much appreciated.

Andrew Scrivner
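An added diagnostic script (editor's example, not from the original post or from Samba) for narrowing the symptom above: it takes the user's supplementary GID list as `id -G user` prints it, the directory's mode and gid as `stat -c '%a %g' dir` prints them, and the kernel's supplementary-group limit from `getconf NGROUPS_MAX`, and reports which of three conditions fails. It goes slightly beyond the post by covering all three failure modes, including question 1: setgroups(2) rejects a list longer than NGROUPS_MAX with EINVAL, so such a user never gets the full list installed. All inputs here are constructed.

```shell
#!/bin/sh
# On a real host feed the functions with:
#   id -G "$user"            -> GID list
#   stat -c '%a %g' "$dir"   -> mode and gid of the CVS directory
#   getconf NGROUPS_MAX      -> kernel supplementary-group limit

# group_digit MODE: the group permission digit of an octal mode (2775 -> 7)
group_digit() {
    rest=${1%?}                         # drop the "other" digit
    printf '%s\n' "${rest#${rest%?}}"   # last remaining digit is the group one
}

# in_gid_list GID "GID LIST": exit 0 if GID appears in the list
in_gid_list() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# count_words "LIST": number of whitespace-separated entries
count_words() {
    set -- $1
    echo $#
}

# diagnose "GID LIST" DIR_GID DIR_MODE NGROUPS_MAX
# Prints one verdict line; exit 0 only if a group write should succeed.
diagnose() {
    gids=$1; dir_gid=$2; mode=$3; limit=$4
    n=$(count_words "$gids")
    if [ "$n" -gt "$limit" ]; then
        echo "TOO-MANY-GROUPS: $n groups exceeds NGROUPS_MAX=$limit; setgroups(2) cannot install the list"
        return 1
    fi
    if ! in_gid_list "$dir_gid" "$gids"; then
        echo "NOT-MEMBER: gid $dir_gid missing from process groups (compare wbinfo --user-groups with id)"
        return 1
    fi
    if [ $(( $(group_digit "$mode") & 2 )) -eq 0 ]; then
        echo "NO-GROUP-WRITE: mode $mode lacks g+w"
        return 1
    fi
    echo "OK: gid $dir_gid grants write on mode $mode"
    return 0
}

# Constructed sample: member of the directory's group, setgid dir 2775, 2.4-era limit of 32
diagnose "100 16777300 16777301" 16777300 2775 32
```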
