Brian H. Nelson bhnelson at ysu.edu
Wed Sep 11 12:20:11 MDT 2013

I'm trying to solve this issue I'm having where using 'valid users = 
+unixgroup' just plain doesn't work. I can't find any /documented/ 
reason why this is so, but nevertheless, it seems to be the case. This 
is with samba 3.6.18, but seems to exist in all of 3.6.x and most or all 
of 3.5.x and perhaps earlier as well (see bug #6681).

From what I can tell, the underlying reason it doesn't work is because 
create_local_nt_token_from_info3 doesn't seem to populate the user's 
token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm not 
sure exactly why this is the case; the code is a bit complicated.

Ironically, if the user is explicitly mapped (username map in smb.conf) 
then it *does* work. This seems to be because an explicitly-mapped user 
will follow a different code path and end up using 
create_token_from_username which /does/ pull local UNIX groups.

I don't understand why there is a difference in behavior between 
explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name 
maps to local user 'name' via idmap_nss, or some other facility). I 
would think that either case should ultimately end with the same result.

This seems like a very major and long-standing problem to just be a bug. 
As such I feel like I'm missing something. Can a dev or somebody with a 
better understanding of the code fill me in?

Here are some reference links that sound related:



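The behaviour described in the post, as an added example that is not part of the original message nor Samba's own code: a simplified Python model of how a `valid users = +unixgroup` check depends on the S-1-22-2-<gid> supplementary group SIDs being present in the token. The user, group records and the two token builders are constructed and hypothetical; the real Samba check path is more involved.

```python
# Added illustration, not Samba source. Models the two token shapes the post
# contrasts: one with supplementary UNIX group SIDs (the explicit-mapping path)
# and one without them (the implicit-mapping path), then runs a simplified
# 'valid users' evaluation over each.

UNIX_USER_AUTHORITY = "S-1-22-1"   # Samba's "Unix User" SID prefix
UNIX_GROUP_AUTHORITY = "S-1-22-2"  # Samba's "Unix Group" SID prefix

# Constructed passwd/group style records for the example (hypothetical).
PASSWD = {"alice": (1001, 1001)}                 # name -> (uid, primary gid)
GROUPS = [("alice", 1001, []),                   # (name, gid, supplementary members)
          ("staff", 2000, ["alice", "bob"]),
          ("wheel", 10, ["bob"])]


def full_unix_token(username):
    """Token shape the post attributes to create_token_from_username:
    user SID, primary group SID, and one S-1-22-2 SID per supplementary group."""
    uid, gid = PASSWD[username]
    sids = {f"{UNIX_USER_AUTHORITY}-{uid}", f"{UNIX_GROUP_AUTHORITY}-{gid}"}
    for _name, ggid, members in GROUPS:
        if username in members:
            sids.add(f"{UNIX_GROUP_AUTHORITY}-{ggid}")
    return sids


def primary_only_token(username):
    """Token shape the post attributes to create_local_nt_token_from_info3:
    the supplementary UNIX group SIDs are missing."""
    uid, gid = PASSWD[username]
    return {f"{UNIX_USER_AUTHORITY}-{uid}", f"{UNIX_GROUP_AUTHORITY}-{gid}"}


def gid_of(groupname):
    """Resolve a UNIX group name to its gid from the constructed records."""
    for name, ggid, _members in GROUPS:
        if name == groupname:
            return ggid
    raise KeyError(groupname)


def user_ok(token_sids, username, valid_users):
    """Simplified 'valid users' evaluation: a plain entry matches the user name,
    a '+group' entry requires that group's S-1-22-2 SID to be in the token."""
    for entry in valid_users:
        if entry.startswith("+"):
            if f"{UNIX_GROUP_AUTHORITY}-{gid_of(entry[1:])}" in token_sids:
                return True
        elif entry == username:
            return True
    return False
```

With this model, `+staff` admits alice only when her token carries S-1-22-2-2000, which is exactly the SID the post says the info3 path leaves out.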