[Samba] force group to Unix group in 3.0.25

Hansjörg Maurer Hansjoerg.Maurer at dlr.de
Mon May 21 07:42:50 GMT 2007


Hi

I have a similar problem with a
   valid users = @cad
entry which does not work anymore.

The server is a member of an AD domain and the Unix system gets the user
and group info over NIS.

We use
idmap domains =  DOM
idmap config DOM:backend  = nss
idmap config DOM:readonly = yes

which works fine now (groups and users are shown in a WinXP security
dialog as DOM\user and DOM\group), but we can't
get the valid users parameter working.
I have tested
valid users = @cad
and
valid users = DOM\cad

The group is found by winbind
[root at rmvbs02 samba]# wbinfo -g | grep cad
DOM\cad

Is this the same issue as with the force group problem?

valid users = DOM\USERNAME
works by specifying individual users.

I have noticed no difference if the group is a primary group or a
secondary group.

If this is not the same problem as described in the force group thread,
let me know, and I will provide detailed logs.
Is there already a patch I could test?

regards

Hansjörg
Mike wrote:
> Thanks Jerry, for the fast response to this issue.
> v3.0.24, as well as gc-1 and gc-2 didn't have the problem for me.
> (btw, gc-2 is still reported as gc-1 when I did "smbd -V".  I had to change 
> include/version.h manually).  Only 3.0.25 had this problem for me.
> I have tried patching uid.c in 3.0.25 (following the patch you posted in another mail)
> and it's still not working for me (I have attached more logs/info below).
> The interesting thing is the winbindd_cache.tdb file (I do purge all the tdbs between
> each test to be sure nothing is leftover).  There are some entries which are
> created by 3.0.25 for local Unix groups (gid 561 (localgrp) and gid 60001 (nobody))
> which are not found in the same file for v3.0.24.
> Are these cache entries causing the local Unixgroups to be reported as not 
> mapped ?
>
> Thanks,
> Mike
>
> ---------------------------
> The log.smbd errors are still the same as before so I didn't re-include them.
> ----------------------------
> Excerpt from winbindd_cache.tdb for 3.0.25 (3.0.24 doesn't have these entries)
>
> {
> key(15) = "SN/S-1-22-2-561"      <<== 561 is the gid for the Unix group localgrp
> data(8) = "s\00\00\C0\1B\FA\B6\05"
> }
> .....
> {
> key(17) = "SN/S-1-22-2-60001"    <<== 60001 is the gid for the Unix group nobody
> data(8) = "s\00\00\C0\1B\FA\B6\05"
> }
>
> ----------------------------
> log.winbindd - 3.0.25 (patched uid.c)
>
> [2007/05/21 10:33:55, 10] nsswitch/winbindd.c:process_request(311)
>   process_request: request fn LOOKUPNAME
> [2007/05/21 10:33:55, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
>   [    0]: lookupname Unix Group\localgrp
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
>   Retrieving response for pid 24151
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
>   Retrieving response for pid 24151
> [2007/05/21 10:33:55, 5] nsswitch/winbindd_async.c:lookupname_recv2(801)
>   lookup_name returned an error
> [2007/05/21 10:33:55, 5] nsswitch/winbindd_sid.c:lookupname_recv(116)
>   lookupname returned an error
> [2007/05/21 10:33:55, 10] nsswitch/winbindd.c:process_request(311)
>   process_request: request fn SID_TO_GID
> [2007/05/21 10:33:55, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
>   [    0]: sid to gid S-1-22-2-561
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(681)
>   find_lookup_domain_from_sid(S-1-22-2-561)
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(691)
>   calling find_our_domain
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
>   Retrieving response for pid 24151
> [2007/05/21 10:33:55, 5] nsswitch/winbindd_async.c:lookupsid_recv(706)
>   lookupsid returned an error
> [2007/05/21 10:33:55, 5] nsswitch/winbindd_sid.c:sid2gid_lookupsid_recv(274)
>   sid2gid_lookupsid_recv: Could not convert get sid type for S-1-22-2-561
>
>
> -------------------
> log.wb-DOMAIN  - 3.0.25 (patched uid.c)
>
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_dual.c:child_process_request(410)
>   process_request: request fn LOOKUPSID
> [2007/05/21 10:33:55, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupsid(754)
>   [24150]: lookupsid S-1-22-2-561
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(681)
>   find_lookup_domain_from_sid(S-1-22-2-561)
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(691)
>   calling find_our_domain
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(465)
>   refresh_sequence_number: DOMAIN time ok
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(499)
>   refresh_sequence_number: DOMAIN seq number is now 95874700
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:centry_expired(539)
>   centry_expired: Key SN/S-1-22-2-561 for domain DOMAIN is good.
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:wcache_fetch(624)
>   wcache_fetch: returning entry SN/S-1-22-2-561 for domain DOMAIN
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:sid_to_name(1435)
>   sid_to_name: [Cached] - cached name for domain DOMAIN status: NT_STATUS_NONE_MAPPED
>
>
>
>
> --- "Gerald (Jerry) Carter" <jerry at samba.org> wrote:
>
>   
>> Christian,  The issue that setting force group on a share
>> was causing all additional supplementary gids to be dropped
>> from the user's token.
>>
>> So setup a share that has force group = foo and then
>> create a directory or file that the user should be able
>> to access based on supplementary groups other than
>> "foo".
>>
>> You can verify the fix by looking at the NT and UNIX user
>> token debug output in smbd's level 10 debug logs.
>>
>> Sorry for all the hassle and the regression.  Jeremy
>> and I have both looked over the code and haven't seen
>> any other code paths than would be problematic so
>> I think this one patch is enough.
>>
>>
>>
>> cheers, jerry
>>
>>     

-- 
_________________________________________________________________

Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
in der Helmholtz-Gemeinschaft

Institut fuer Robotik und Mechatronik

Dr. Hansjörg Maurer

LAN- und Systemmanager

Münchner Strasse 20
82234 Wessling
Germany 

Telefon: 08153/28-2431 
Telefax: 08153/28-1134

E-Mail: Hansjoerg.Maurer at dlr.de
Internet: http://www.robotic.dlr.de/

__________________________________________________________________


There are 10 types of people in this world, 
those who understand binary and those who don't.
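Jerry's verification step quoted above (set force group on a share, then read the NT and UNIX user token in smbd's level-10 debug log to confirm the user's supplementary gids were not dropped) can be checked mechanically. The script below is an added example, not code from this thread or from the Samba project. It assumes the UNIX token is dumped in the layout "UNIX token of user N", "Primary group is G and contains K supplementary groups", "Group[ i]: G" (adjust the regexes if your build prints it differently), and the two log excerpts and the gids 1001, 561, 10001 and 10002 are constructed for the demonstration. In practice the expected gid set would come from `id -G <user>` on the Unix side.

```python
import re
from typing import Dict, List, Set

# Constructed smbd level-10 debug excerpts (not taken from the thread). The
# line layout is an assumption modelled on smbd's UNIX token debug output.
# First excerpt: the regression case, supplementary groups are gone.
LOG_SUPPLEMENTARY_DROPPED = """\
[2007/05/21 10:33:55, 10] auth/auth_util.c:debug_unix_user_token(1234)
  UNIX token of user 1001
  Primary group is 561 and contains 0 supplementary groups
"""

# Second excerpt: the healthy case, the forced group is primary and the
# user's other groups are still in the token.
LOG_SUPPLEMENTARY_KEPT = """\
[2007/05/21 10:40:12, 10] auth/auth_util.c:debug_unix_user_token(1234)
  UNIX token of user 1001
  Primary group is 561 and contains 2 supplementary groups
  Group[  0]: 10001
  Group[  1]: 10002
"""

UID_RE = re.compile(r"^\s*UNIX token of user (\d+)\s*$")
PRIMARY_RE = re.compile(
    r"^\s*Primary group is (\d+) and contains (\d+) supplementary groups")
GROUP_RE = re.compile(r"^\s*Group\[\s*\d+\]:\s*(\d+)")


def parse_unix_tokens(log_text: str) -> List[Dict]:
    """Extract every UNIX user token dumped in a level-10 smbd log."""
    tokens: List[Dict] = []
    current = None
    for line in log_text.splitlines():
        m = UID_RE.match(line)
        if m:
            current = {"uid": int(m.group(1)), "primary_gid": None,
                       "declared": 0, "groups": []}
            tokens.append(current)
            continue
        if current is None:
            continue  # not inside a token dump yet
        m = PRIMARY_RE.match(line)
        if m:
            current["primary_gid"] = int(m.group(1))
            current["declared"] = int(m.group(2))
            continue
        m = GROUP_RE.match(line)
        if m:
            current["groups"].append(int(m.group(1)))
    return tokens


def token_is_consistent(token: Dict) -> bool:
    """The declared supplementary count must match the Group[] lines seen."""
    return token["declared"] == len(token["groups"])


def missing_supplementary(token: Dict, expected_gids: Set[int]) -> List[int]:
    """Expected gids absent from the token (primary gid counts as present)."""
    present = set(token["groups"])
    if token["primary_gid"] is not None:
        present.add(token["primary_gid"])
    return sorted(g for g in expected_gids if g not in present)


def audit_log(log_text: str, uid: int, expected_gids: Set[int]) -> Dict:
    """Report whether uid's token was found and which groups it lacks."""
    for token in parse_unix_tokens(log_text):
        if token["uid"] == uid:
            return {"found": True,
                    "consistent": token_is_consistent(token),
                    "missing": missing_supplementary(token, expected_gids)}
    return {"found": False, "consistent": False,
            "missing": sorted(expected_gids)}


if __name__ == "__main__":
    # Constructed expectation: user 1001 should carry gids 10001 and 10002.
    for label, log in (("dropped", LOG_SUPPLEMENTARY_DROPPED),
                       ("kept", LOG_SUPPLEMENTARY_KEPT)):
        print(label, audit_log(log, 1001, {10001, 10002}))
```

A non-empty `missing` list for a user who can authenticate but is denied on a directory reachable only through a supplementary group is the symptom Jerry describes; a `consistent` value of False means the log excerpt was truncated and should not be trusted either way.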