[Samba] force group to Unix group in 3.0.25
Hansjörg Maurer
Hansjoerg.Maurer at dlr.de
Mon May 21 07:42:50 GMT 2007
Hi
I have a similar problem with a
valid users = @cad
entry which does not work anymore
The server is a member of an AD domain and the Unix system gets the user
and group info
over NIS.
We use
idmap domains = DOM
idmap config DOM:backend = nss
idmap config DOM:readonly = yes
which works fine now (groups and users are shown in a WinXP security
dialog as DOM\user and DOM\group), but we can't
get the valid users parameter working.
I have tested
valid users = @cad
and
valid users = DOM\cad
The group is found by winbind
[root@rmvbs02 samba]# wbinfo -g | grep cad
DOM\cad
Is this the same issue as the force group problem?
valid users = DOM\USERNAME
works by specifying individual users.
I have noticed no difference if the group is a primary group or a
secondary group.
If this is not the same problem as described in the force group thread,
let me know, and I will provide detailed logs.
Is there already a patch I could test?
Regards
Hansjörg
Mike wrote:
> Thanks Jerry, for the fast response to this issue.
> v3.0.24, as well as gc-1 and gc-2 didn't have the problem for me.
> (btw, gc-2 is still reported as gc-1 when I did "smbd -V". I had to change
> include/version.h manually). Only 3.0.25 had this problem for me.
> I have tried patching uid.c in 3.0.25 (following the patch you posted in another mail)
> and it's still not working for me (I have attached more logs/info below).
> The interesting thing is the winbindd_cache.tdb file (I do purge all the tdbs between
> each test to be sure nothing is leftover). There are some entries which are
> created by 3.0.25 for local Unix groups (gid 561 (localgrp) and gid 60001 (nobody))
> which are not found in the same file for v3.0.24.
> Are these cache entries causing the local Unix groups to be reported as not
> mapped?
>
> Thanks,
> Mike
>
> ---------------------------
> The log.smbd errors are still the same as before so I didn't re-include them.
> ----------------------------
> Excerpt from winbindd_cache.tdb for 3.0.25 (3.0.24 doesn't have these entries)
>
> {
> key(15) = "SN/S-1-22-2-561" <<== 561 is the gid for the Unix group localgrp
> data(8) = "s\00\00\C0\1B\FA\B6\05"
> }
> .....
> {
> key(17) = "SN/S-1-22-2-60001" <<== 60001 is the gid for the Unix group nobody
> data(8) = "s\00\00\C0\1B\FA\B6\05"
> }
>
> ----------------------------
> log.winbindd - 3.0.25 (patched uid.c)
>
> [2007/05/21 10:33:55, 10] nsswitch/winbindd.c:process_request(311)
> process_request: request fn LOOKUPNAME
> [2007/05/21 10:33:55, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
> [ 0]: lookupname Unix Group\localgrp
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
> Retrieving response for pid 24151
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
> Retrieving response for pid 24151
> [2007/05/21 10:33:55, 5] nsswitch/winbindd_async.c:lookupname_recv2(801)
> lookup_name returned an error
> [2007/05/21 10:33:55, 5] nsswitch/winbindd_sid.c:lookupname_recv(116)
> lookupname returned an error
> [2007/05/21 10:33:55, 10] nsswitch/winbindd.c:process_request(311)
> process_request: request fn SID_TO_GID
> [2007/05/21 10:33:55, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
> [ 0]: sid to gid S-1-22-2-561
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(681)
> find_lookup_domain_from_sid(S-1-22-2-561)
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(691)
> calling find_our_domain
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2299)
> Retrieving response for pid 24151
> [2007/05/21 10:33:55, 5] nsswitch/winbindd_async.c:lookupsid_recv(706)
> lookupsid returned an error
> [2007/05/21 10:33:55, 5] nsswitch/winbindd_sid.c:sid2gid_lookupsid_recv(274)
> sid2gid_lookupsid_recv: Could not convert get sid type for S-1-22-2-561
>
>
> -------------------
> log.wb-DOMAIN - 3.0.25 (patched uid.c)
>
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_dual.c:child_process_request(410)
> process_request: request fn LOOKUPSID
> [2007/05/21 10:33:55, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupsid(754)
> [24150]: lookupsid S-1-22-2-561
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(681)
> find_lookup_domain_from_sid(S-1-22-2-561)
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(691)
> calling find_our_domain
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(465)
> refresh_sequence_number: DOMAIN time ok
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(499)
> refresh_sequence_number: DOMAIN seq number is now 95874700
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:centry_expired(539)
> centry_expired: Key SN/S-1-22-2-561 for domain DOMAIN is good.
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:wcache_fetch(624)
> wcache_fetch: returning entry SN/S-1-22-2-561 for domain DOMAIN
> [2007/05/21 10:33:55, 10] nsswitch/winbindd_cache.c:sid_to_name(1435)
> sid_to_name: [Cached] - cached name for domain DOMAIN status: NT_STATUS_NONE_MAPPED
>
>
>
>
> --- "Gerald (Jerry) Carter" <jerry at samba.org> wrote:
>
>
>> Christian, the issue was that setting force group on a share
>> was causing all additional supplementary gids to be dropped
>> from the user's token.
>>
>> So setup a share that has force group = foo and then
>> create a directory or file that the user should be able
>> to access based on supplementary groups other than
>> "foo".
>>
>> You can verify the fix by looking at the NT and UNIX user
>> token debug output in smbd's level 10 debug logs.
>>
>> Sorry for all the hassle and the regression. Jeremy
>> and I have both looked over the code and haven't seen
>> any other code paths that would be problematic, so
>> I think this one patch is enough.
>>
>>
>>
>> cheers, jerry
>>
>>
--
_________________________________________________________________
Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
in der Helmholtz-Gemeinschaft
Institut fuer Robotik und Mechatronik
Dr. Hansjörg Maurer
LAN- und Systemmanager
Münchner Strasse 20
82234 Wessling
Germany
Telefon: 08153/28-2431
Telefax: 08153/28-1134
E-Mail: Hansjoerg.Maurer at dlr.de
Internet: http://www.robotic.dlr.de/
__________________________________________________________________
There are 10 types of people in this world,
those who understand binary and those who don't.
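An added example, not code from this thread or from Samba: a Python parser that decodes the winbindd_cache.tdb excerpt Mike quoted (tdbdump's key()/data() notation, in which non-printable bytes, quotes and backslashes appear as \XX hex escapes) into the status and sequence number of each SN/ (SID-to-name) entry. The entry layout assumed here (the NTSTATUS of the cached lookup first, then the domain sequence number the entry was written under, both 32-bit little-endian) is my reading of centry_start() in the 3.0-series winbindd_cache.c and is an assumption; the sample records are constructed from the quoted excerpt, annotations included.

```python
import re
import struct

# Constructed sample input: the two winbindd_cache.tdb entries quoted in the
# mail, as tdbdump prints them. Mike's "<<==" notes are kept on purpose to
# show that trailing commentary after the closing quote is ignored.
SAMPLE_DUMP = r'''
{
key(15) = "SN/S-1-22-2-561" <<== 561 is the gid for the Unix group localgrp
data(8) = "s\00\00\C0\1B\FA\B6\05"
}
{
key(17) = "SN/S-1-22-2-60001" <<== 60001 is the gid for the Unix group nobody
data(8) = "s\00\00\C0\1B\FA\B6\05"
}
'''

# A few NTSTATUS codes worth recognising in winbind cache entries.
NT_STATUS_NAMES = {
    0x00000000: "NT_STATUS_OK",
    0xC0000073: "NT_STATUS_NONE_MAPPED",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
    0xC000000D: "NT_STATUS_INVALID_PARAMETER",
}

# key(N) = "..." / data(N) = "..." with tdbdump's \XX escapes; match() stops
# at the closing quote, so anything after it on the line is ignored.
_FIELD_RE = re.compile(r'^(key|data)\((\d+)\)\s*=\s*"((?:\\[0-9A-Fa-f]{2}|[^"\\])*)"')


def unescape_tdbdump(text):
    """Turn tdbdump's quoted body (literal printable bytes plus \\XX escapes) into bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_tdbdump(text):
    """Return (key, data) byte pairs from tdbdump-style '{ key(N) data(N) }' records.

    The declared length is checked against the decoded bytes so a mangled
    escape raises instead of being silently mis-decoded.
    """
    records = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "{":
            current = {}
        elif line == "}":
            if "key" in current and "data" in current:
                records.append((current["key"], current["data"]))
            current = {}
        else:
            m = _FIELD_RE.match(line)
            if not m:
                continue
            field, length, body = m.group(1), int(m.group(2)), m.group(3)
            value = unescape_tdbdump(body)
            if len(value) != length:
                raise ValueError("%s: decoded %d bytes, declared %d" % (field, len(value), length))
            current[field] = value
    return records


def decode_centry(data):
    """Decode the fixed header of a winbindd cache entry.

    Assumed layout (3.0-series centry_start()): NTSTATUS, then the domain
    sequence number, both uint32 little-endian. Anything after that is the
    lookup-specific payload, which a negative entry does not carry.
    """
    if len(data) < 8:
        raise ValueError("cache entry too short: %d bytes" % len(data))
    status, seqnum = struct.unpack("<II", data[:8])
    return {
        "status": status,
        "status_name": NT_STATUS_NAMES.get(status, "0x%08X" % status),
        "seqnum": seqnum,
        "negative": status != 0,   # a failed lookup cached as a negative entry
    }


def analyse_dump(text):
    """Decode every SN/ (SID-to-name) entry; other key prefixes pass through undecoded."""
    result = []
    for key, data in parse_tdbdump(text):
        key_s = key.decode("ascii", "replace")
        entry = {"key": key_s}
        if key_s.startswith("SN/"):
            entry["sid"] = key_s[len("SN/"):]
            entry.update(decode_centry(data))
        result.append(entry)
    return result


if __name__ == "__main__":
    for entry in analyse_dump(SAMPLE_DUMP):
        print(entry)
```

Decoded, both entries carry NT_STATUS_NONE_MAPPED (0xC0000073), i.e. they are negative cache entries for the SID-to-name lookup of the S-1-22-2-<gid> Unix group SIDs, which is consistent with the "[Cached] - cached name for domain DOMAIN status: NT_STATUS_NONE_MAPPED" line in the quoted log.wb-DOMAIN. The second word, 0x05B6FA1B = 95877659, is the sequence number the entry was written under; it differs from the 95874700 in the quoted log, so the tdb excerpt and the log are probably not from the same run.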