After managing to compile HEAD on my box, I don't see that my problem is fixed on HEAD. For a user that belongs to 5 groups in an ADS domain, smbd got only the primary group. Here is something from the log:

[2003/03/10 13:01:58, 3] smbd/process.c:switch_message(676)
  switch message SMBntcreateX (pid 11923)
[2003/03/10 13:01:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (10000, 10000) - sec_ctx_stack_ndx = 0
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_nt_user_token(516)
  NT user token of user S-1-5-21-606747145-117609710-725345543-1005
  contains 9 SIDs
  SID[ 0]: S-1-5-21-606747145-117609710-725345543-1005
  SID[ 1]: S-1-5-21-606747145-117609710-725345543-513
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-11
  SID[ 5]: S-1-5-21-606747145-117609710-725345543-3173
  SID[ 6]: S-1-5-21-606747145-117609710-725345543-512
  SID[ 7]: S-1-5-21-606747145-117609710-725345543-3186
  SID[ 8]: S-1-5-21-606747145-117609710-725345543-3187
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_unix_user_token(530)
  UNIX token of user 10000
  Primary group is 10000 and contains 2 supplementary groups
  Group[ 0]: 10000
  Group[ 1]: 10000
[2003/03/10 13:01:58, 5] smbd/uid.c:change_to_user(203)
  change_to_user uid=(0,10000) gid=(0,10000)

I would expect primary group is 10000, and contains 5 or 6 groups, 10000, 10001, 10002, 10003 etc. Is this problem familiar to anyone working on Samba 3.0?

Chere

On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
> > Dear list,
> >
> > I know that on 2.2.5, when we get user info from winbindd, we also
> > initialize group information based on the group list got from winbind,
> > and do a "setgroups" for the process, so that all of the groups the user
> > is a member of is set on the smbd.
> >
> > Now on 3.0a21 and HEAD, I do not see any "setgroup" operation from
> > winbind, and the smbd process only got the primary group of the Win2k
> > domain user. So it fails when a file permission is checked for other
> > groups the user is a member of.
> >
> > I can see that sec_ctx.c is about the only place that calls sys_setgroups
> > now, when the Unix group info has only the primary group. At the same
> > place the NT token has about 9 groups for my test user.
> >
> > Can somebody explain why we are not doing what 2.2.5 was doing? Is there
> > any design issue related to this?
>
> If you update your HEAD checkout, you will find that I have fixed this
> 'issue'. The problem is that the Win2k server does not report any
> groups for these users in LDAP, and as such we only use the 'primaryGid'
> attribute from the Active Directory query. There are however
> alternative queries that can be made, and I have implemented logic to
> detect this situation (it occurs mainly in child domains, we think).
>
> Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.
>
> Andrew Bartlett
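
Added example, not part of the original thread and not Samba code: a Python check that parses one debug_nt_user_token / debug_unix_user_token pair from a level-5 smbd log and flags the symptom reported above, where the NT token carries domain group SIDs that never appear as UNIX supplementary groups. The sample reuses the values from the message with a reconstructed line layout; check_token_pair and its result keys are hypothetical names.

```python
import re

# Constructed sample: the token dump quoted in the message, one field per line.
SAMPLE_LOG = """\
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_nt_user_token(516)
  NT user token of user S-1-5-21-606747145-117609710-725345543-1005
  contains 9 SIDs
  SID[ 0]: S-1-5-21-606747145-117609710-725345543-1005
  SID[ 1]: S-1-5-21-606747145-117609710-725345543-513
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-11
  SID[ 5]: S-1-5-21-606747145-117609710-725345543-3173
  SID[ 6]: S-1-5-21-606747145-117609710-725345543-512
  SID[ 7]: S-1-5-21-606747145-117609710-725345543-3186
  SID[ 8]: S-1-5-21-606747145-117609710-725345543-3187
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_unix_user_token(530)
  UNIX token of user 10000
  Primary group is 10000 and contains 2 supplementary groups
  Group[ 0]: 10000
  Group[ 1]: 10000
"""

SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")
GID_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")
NT_USER_RE = re.compile(r"NT user token of user (S-[\d-]+)")
PRIMARY_RE = re.compile(r"Primary group is (\d+)")

def check_token_pair(log_text):
    """Compare the NT token and UNIX token dumps found in log_text."""
    user_sid = NT_USER_RE.search(log_text).group(1)
    domain = user_sid.rsplit("-", 1)[0]  # domain SID = user SID minus the RID
    sids = SID_RE.findall(log_text)
    # Domain group SIDs: same domain prefix as the user, but not the user itself.
    domain_groups = {s for s in sids
                     if s.rsplit("-", 1)[0] == domain and s != user_sid}
    gids = {int(g) for g in GID_RE.findall(log_text)}
    gids.add(int(PRIMARY_RE.search(log_text).group(1)))
    return {
        "domain_group_sids": len(domain_groups),
        "distinct_unix_gids": len(gids),
        # Heuristic: fewer distinct gids than domain group SIDs means group
        # memberships in the NT token never reached setgroups().
        "groups_dropped": len(gids) < len(domain_groups),
    }

if __name__ == "__main__":
    print(check_token_pair(SAMPLE_LOG))
```

The comparison is a heuristic: a SID with no gid mapping would also lower the UNIX count, so a flagged pair is a prompt to inspect the mapping, not proof of this specific bug.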