[Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups

Brian H. Nelson bhnelson at ysu.edu
Thu Oct 3 08:37:07 MDT 2013

Can anyone with knowledge about this issue offer any comment? Somebody 
has to have an idea about it, good or bad.


On 9/11/2013 2:20 PM, Brian H. Nelson wrote:
> I'm trying to solve this issue I'm having where using 'valid users = 
> +unixgroup' just plain doesn't work. I can't find any /documented/ 
> reason why this is so, but nevertheless, it seems to be the case. This 
> is with samba 3.6.18, but seems to exist in all of 3.6.x and most or 
> all of 3.5.x and perhaps earlier as well (see bug #6681).
>
> From what I can tell, the underlying reason it doesn't work is because 
> create_local_nt_token_from_info3 doesn't seem to populate the user's 
> token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm 
> not sure exactly why this is the case; the code is a bit complicated.
>
> Ironically, if the user is explicitly mapped (username map in 
> smb.conf) then it *does* work. This seems to be because an 
> explicitly-mapped user will follow a different code path and end up 
> using create_token_from_username which /does/ pull local UNIX groups.
>
> I don't understand why there is a difference in behavior between 
> explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name 
> maps to local user 'name' via idmap_nss, or some other facility). I 
> would think that either case should ultimately end with the same result.
>
> This seems like a very major and long-standing problem to just be a 
> bug. As such I feel like I'm missing something. Can a dev or somebody 
> with a better understanding of the code fill me in?
>
> Here are some reference links that sound related:
>
> https://bugzilla.samba.org/show_bug.cgi?id=6681
> http://marc.info/?l=samba&m=135879161014066&w=2
> http://marc.info/?l=samba&m=120886782118153&w=2
>
> Thanks,
> Brian

Brian H. Nelson
Data Security Analyst I
IT Infrastructure Engineering
Youngstown State University
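
Added example, not part of the original post and not Samba code: a small diagnostic that lists which S-1-22-2-<gid> SIDs a user's token would need for 'valid users = +unixgroup' to match, and which of them are absent from a given token. It assumes the share check is a test of whether the group's SID is in the token, as the post describes; the group data, token contents and all function names are constructed for illustration.

```python
import re

UNIX_GROUP_SID = "S-1-22-2-{gid}"   # SID form for local UNIX groups named in the post
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed sample data in group(5) format: name:passwd:gid:members
SAMPLE_GROUPS = """\
staff:x:50:
finance:x:1001:alice,bob
audit:x:1002:alice
"""
# Constructed token contents: user SID, a domain group SID, primary UNIX group only
SAMPLE_TOKEN_TEXT = """\
S-1-5-21-111-222-333-1105
S-1-5-21-111-222-333-513
S-1-22-2-50
"""

def parse_groups(text):
    """Map group name -> (gid, set of member names)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def expected_group_sids(user, primary_gid, groups):
    """SIDs for the user's primary and supplementary UNIX groups."""
    gids = {primary_gid}
    gids |= {gid for gid, members in groups.values() if user in members}
    return {UNIX_GROUP_SID.format(gid=g) for g in gids}

def missing_group_sids(user, primary_gid, groups, token_text):
    """Expected UNIX group SIDs that do not appear anywhere in the token text."""
    present = set(SID_RE.findall(token_text))
    return sorted(expected_group_sids(user, primary_gid, groups) - present)

def plus_group_allows(group, groups, token_text):
    """Model of 'valid users = +group' as a SID-in-token test (assumption)."""
    if group not in groups:
        return False
    sid = UNIX_GROUP_SID.format(gid=groups[group][0])
    return sid in set(SID_RE.findall(token_text))
```

Because the SIDs are pulled out with a regular expression, token_text can be any text that contains the token's SIDs, one per line or embedded in other output.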
