[Samba] nested groups on samba 3.6 server broken

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Jul 29 14:32:22 MDT 2014


I am running Samba 3.6.20 for my primary domain controller (+ main
file server) and my backup domain controller. Each domain controller
has an LDAP backend; the LDAP servers are configured for multimaster
replication.


I have domain trusts established with a Windows 2003 AD domain
("WINDOMAIN"). I have enabled nested groups in smb.conf. Winbind
is enabled to support domain trusts. It isn't needed for users in the
local samba domain ("SAMBADOMAIN"), since the LDAP backend stores unix
uids and gids as well as samba user SIDs.


I had a shared directory on the primary server that I wanted to make
easily accessible to members from the trusted Win 2003 domain.
Domain trusts worked, and the trusted users had access to the parent
directory. But the problem was that every time someone in the samba
domain created a new file in the directory, the trusted users did
not automatically have access. The new file would inherit the
primary group for the file from the parent directory, but none of the
ACEs for the trusted domain users. Whoever created the new file could
add the trusted domain users to that file's ACL, but they usually forgot to.



The shared directory is owned by the "projectX" group. Originally the
group was a domain group for the samba domain. In the example
below, the users thomas, richard and harold are members of the samba
domain.


e.g.

version: 1

dn: cn=projectx,ou=group,o=mydomain.com
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: top
cn: staff_planning
gidNumber: 123
sambaGroupType: 2
sambaSID: S-1-5-21-111111-222222-333333-10123
description: projectx
displayName: projectx
memberUid: thomas
memberUid: richard
memberUid: harold
entrydn: cn=projectx,ou=group,o=mydomain.com


I wanted to be able to add users from the trusted domain to this
group. Adding a "WINDOMAIN\user" as a memberUid was not sufficient.
So I changed the group to a "local" (aka "nested") group, basically
by changing the group type from 2 to 4. I could then use the
net command to add users from the trusted domain.



e.g.

net rpc group addmem projectX "WINDOMAIN\peter" -U "SAMBADOMAIN\Administrator"



This would add the sambasidlist attribute to the LDAP entry.

e.g.


version: 1

dn: cn=projectx,ou=group,o=mydomain.com
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: top
cn: staff_planning
gidNumber: 123
sambaGroupType: 4
sambaSID: S-1-5-21-111111-222222-333333-10123
description: projectX
displayName: projectX
memberUid: thomas
memberUid: richard
memberUid: harold
entrydn: cn=projectx,ou=group,o=mydomain.com
sambasidlist: S-1-5-21-88888-99999-00000-10001
sambasidlist: S-1-5-21-88888-99999-00000-10002
sambasidlist: S-1-5-21-88888-99999-00000-10003


I can also add users and groups from the samba domain to the group with
the net command, but there isn't much benefit to this.

I can verify the members with "net rpc group members projectX".

This worked fine for maybe 6 months.  Last week (maybe 2 weeks ago) 
users from the trusted domain reported that this no longer worked. (If 
they explicitly have permissions to the file, then they have access but 
the group membership functionality no longer works.)


The "net rpc user info" command only works for local users, but that
had always been the case.

E.g.

# net rpc user info thomas -U Administrator
Enter Administrator's password:
Domain Users
projectX


# net rpc user info "SAMBADOMAIN\thomas" -U Administrator
Failed to get groups for 'SAMBADOMAIN\thomas' with error: Could not map names to SIDs.

# net rpc user info "WINDOMAIN\peter" -U Administrator
Failed to get groups for 'WINDOMAIN\peter' with error: Could not map names to SIDs.


A few months ago I updated from Samba 3.5.x to Samba 3.6.20.  I do not 
think this corresponds to the nested groups breaking, since the problem 
was not reported until months later.


The "net rpc group delmem" command also no longer works, though this may be
related to the samba upgrade. I can still delete sambasidlist entries
with LDAP tools.



wbinfo shows that the user ids, SIDs and names are all consistent for
trusted users. The getent and id commands work with trusted users. I
can make a trusted user the owner of a file.


Samba logs show the trusted users being denied access to the files, so 
it seems clear that the group membership is just not being recognized.


Any help is appreciated.

Thanks








