[Samba] Altered behavior in 3.0.25 and 3.0.24-gc-1

Jean-Jacques Moulis jj at isy.liu.se
Tue May 22 11:07:44 GMT 2007

On Mon, 21 May 2007 12:31:57 -0500 "Gerald (Jerry) Carter" <jerry at samba.org> wrote:

GC> Jean-Jacques Moulis wrote:
GC> > By mistake or by design membership in a Windows Primary Group seems to be mandatory!
GC> > 
GC> > We are using printservers configured as member servers of Samba domains.
GC> > 
GC> > with the following configuration
GC> > 
GC> > security = DOMAIN
GC> > password server = PDC
GC> > encrypt passwords = yes
GC> > map to guest = Bad Password
GC> > 
GC> > The Samba PDCs use plain smbpasswd files.
GC> > 
GC> > Since upgrading to 3.0.25 and regressing to 3.0.24-gc-1 some users couldn't
GC> > print (strange considering map to guest = Bad Password)
GC> > 
GC> > they got an NT_STATUS_UNSUCCESSFUL in log files and were refused printing.
GC> > 
GC> > The common denominator for users with print problems was 
GC> > the lack of mapping from their GID to a SID
GC> > 
GC> > net groupmap add ntgroup="A new group" unixgroup=gidgroupname
GC> > solved the problem but it took a while to find out :-)

GC> Please test the gc-2 snapshot. This might be related to
GC> the regression from the CVE-2007-2444 patch.

The gc-2 snapshot gives the same result for people with an unmapped GID
(or not explicitly in the Domain User group -513)

I have a log level 10 for both the PDC and the domain member.
How should I made it available to you?

As I said, mapping the GID to a SID solves the problem, I'm prepared
to accept the behavior as feature :-)

Jean-Jacques   Moulis                              Tel:  (013) 281684
ISY                                                Fax:  (013) 139282
Linköping University                            E-mail: jj at isy.liu.se
581 83 Linköping

More information about the samba mailing list