[Samba] WARNING to those running Samba on OpenIndiana or other Illumos based systems with > 16 groups

Jeremy Allison jra at samba.org
Mon Jul 15 10:20:32 MDT 2013


On Sun, Jul 14, 2013 at 09:50:29AM -0400, Ira Cooper wrote:
> On Sun, Jul 14, 2013 at 8:23 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > On Wed, 2013-04-24 at 10:31 +1000, Andrew Bartlett wrote:
> > > Just a heads-up, because this bug took me absolutely ages to chase down,
> > > and I want to save others the same pain.
> > >
> > > Samba is perhaps the most prominent reason why you might find a user in
> > > more than 16 groups on a Unix system, and so this bug may at first
> > > appear to be a 'Samba issue' (that certainly is why it found its way to
> > > my attention :-)
> > >
> > > https://www.illumos.org/issues/3691
> > >
> > > In short, unless the group list we supply to setgroups() is sorted, if
> > > there are more than 16 groups, the Illumos kernel fails to honour some
> > > of the groups.  Presumably there is a bisection search being done.
> > >
> > > The symptom for Samba users is that as a user is added to more groups,
> > > they lose access to folders they previously had access to.
> > >
> > > Attached is a total hack that appears to resolve the issue, but the real
> > > fix needs to be in glibc or the kernel.
> >
> > Just as a follow-up, if you experience this please also see
> > https://www.illumos.org/issues/3577 and
> > https://bugzilla.samba.org/show_bug.cgi?id=7588 for WORKAROUNDS if you
> > cannot fix/change your host OS.  There is a patch for nss_winbind and
> > smbd attached to that bug, both of which are required to ensure both
> > Samba and other unix applications see all the windows groups.
> >
> > As we have now had success getting this fixed upstream I've not had time
> > to get back to applying these to Samba when we run on Solaris, but the
> > view was that for the small cost of a qsort we probably should.  If a
> > DENY ACL is involved, this may also be a SECURITY issue, which is how we
> > finally got the root cause addressed upstream.
> >
> >
> 
> Andrew,
> 
> As the upstream developer who fixed the issue: The fix had nothing to do
> with security.  It had to do with Bjorn posting the root cause, and that
> frankly I found sorting the list in samba beyond fugly.

May be beyond fugly, but I think Andrew was perfectly correct in
doing so :-).

> I look at the fact you sorted the list in samba and just shake my head...
>  The same qsort put in the illumos kernel fixes the issue for good.

Not everyone has the same familiarity with kernel programming as you :-).

> Given our past history with such bugs, I'd expect we'll tell people to
> upgrade their OS.

Yeah, but not everyone can do that easily. Having a fix for Samba only
is A GOOD THING (tm) even if you think it's horrible :-).

Jeremy.
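
Added example, not part of the original thread and not Samba or illumos code: a small C model of the failure discussed above, showing how a bisection lookup over an unsorted supplementary group list misses groups, and how the qsort workaround restores them before the list would be passed to setgroups(). The function names, the bisection routine (standing in for the lookup the thread only presumes) and the 17 sample gids are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Comparator for qsort(): ascending gid order, no subtraction overflow. */
static int cmp_gid(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Workaround from the thread: sort the list before handing it to setgroups(). */
void sort_gids(gid_t *gids, size_t n)
{
    qsort(gids, n, sizeof(gids[0]), cmp_gid);
}

/* Hypothetical model of the presumed bisection membership test (not kernel code). */
int bisect_member(const gid_t *gids, size_t n, gid_t g)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (gids[mid] == g) return 1;
        if (gids[mid] < g) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* How many of the supplied groups a bisection lookup would actually find. */
size_t honoured_count(const gid_t *gids, size_t n)
{
    size_t i, found = 0;
    for (i = 0; i < n; i++)
        found += (size_t)bisect_member(gids, n, gids[i]);
    return found;
}

int main(void)
{
    /* Constructed sample: 17 gids in the order they were assigned, unsorted. */
    gid_t gids[] = {1005, 1001, 1012, 1003, 1017, 1008, 1002, 1015, 1010,
                    1004, 1016, 1007, 1013, 1006, 1011, 1009, 1014};
    size_t n = sizeof(gids) / sizeof(gids[0]);
    printf("unsorted: %zu of %zu groups found\n", honoured_count(gids, n), n);
    sort_gids(gids, n);
    printf("sorted:   %zu of %zu groups found\n", honoured_count(gids, n), n);
    return 0;
}
```

A group that the lookup misses is treated as not held, which is why both allow and DENY ACL entries keyed on that group stop applying.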

