RE: [Samba] Secondary Groups and Group Mapping

2004-01-08 Thread Klinger, John (N-CSC)
The problem was in the libnss_winbind.so code for Solaris 8. The wrapper
function to initialize the secondary groups immediately returned without
doing any work.

As Jerry mentioned previously, this is already an open bug. I've submitted
a patch to that bug report that adds the required functionality.

See: https://bugzilla.samba.org/show_bug.cgi?id=395

As I stated in the bug report:
Preliminary tests using this patch were completely successful. However, I'm
going to be performing further tests to ensure there are no side effects that
I have yet to find.

john

> -----Original Message-----
> From: Klinger, John (N-CSC) 
> 
> Thank you for your response.
> 
> Bug 910 looks like a different issue. 
> 
> We are using Samba on Solaris 8, with "security = ads",
> with AD running on a W2K server.
> 
> We cannot access someone else's file on Solaris that
> is owned by a group that we are a member of, if that
> group is not our primary group.
> 
> example:
> 
> Given nsswitch that has 2 lines modified for winbind:
> 
> passwd: files winbind
> group:  files winbind
> 
> Given a file owned by user1:group2 such as the following:
> 
>  -rw-rw user1 group2 0 Jan 7 testfile.txt
> 
> And given user2 has a primary group of group1 and a 
> secondary group of group2.
> 
> The following commands were executed on our smbdev
> platform, that contains the smb server.
> 
> smbdev > su - user2
> Password:
> smbdev > id
> uid=1001(user2) gid=10001(group1)
> smbdev > id -a
> uid=1001(user2) gid=10001(group1) groups=10001(group1)
> smbdev > id -a user2
> uid=1001(user2) gid=10001(group1) groups=10002(group2)
> smbdev > getent group | grep user2
> group1:x:10001:user1,user2
> group2:x:10002:user1,user2
> smbdev > grep user2 /etc/group
> smbdev > wbinfo -r user2
> 10002
> 10001
> smbdev > groups
> group1
> smbdev > cat testfile.txt
> cat: cannot open testfile.txt
> smbdev > touch testfile
> smbdev > chgrp group2 testfile2
> chgrp: group2: Not owner
> smbdev > newgrp group2
> $ chgrp group2 testfile2
> $ ls -l testfile2
> -rw-r- user2 group2 0 Jan 7 testfile2
> $exit
> smbdev >
> 
> At the initial su to user2, there is a lot of activity
> in the winbindd log with "log level = 10", but it only
> mentions the uid of 1001 and the gid of 10001. The
> secondary group is not mentioned in the log. If I add
> group2 to the /etc/group file, it works (as one would
> expect due to the nsswitch.conf settings).
> 
> I expect it is a problem in libnss_winbind.so.
> 
> john
> 
> > From: Hansjoerg Maurer
> > Sent: Wednesday, January 07, 2004 12:05 AM
> > 
> > Hi,
> > 
> > this might be related to bug 910
> > "domain admin rights only works for user, which primary group is domain admins"
> > I submitted last week.
> > 
> > Just for your information.
> > If you want me to do some testing, just give me a note.
> > 
> > Thank you
> > 
> > 
> > Hansjörg
> > 
> > Klinger, John (N-CSC) wrote:
> > 
> > >  
> > >
> > >>From: Klinger, John (N-CSC) 
> > >>Sent: Friday, December 19, 2003 8:14 AM
> > >>
> > >>| | The first issue deals with the file sharing. Even if a file gives
> > >>| | full permission to one of a user's secondary groups, that user
> > >>| | cannot access the file. The user can only access the file (or
> > >>| | directory) if the file's group is the user's primary group. I've
> > >>| | found several references on the web and in https://bugzilla.samba.org,
> > >>| | which seem to indicate that the bug is fixed. However, we also tried
> > >>| | this with 3.0.1rc2 and have the same problem; which makes us think
> > >>| | it is a configuration error or something we haven't found
> > >>| | related to nsswitch.
> > >>|
> > >>|Gerald (Jerry) Carter wrote:
> > >>|
> > >>| This is an open bug
> > >>|
> > >>| ~   https://bugzilla.samba.org/show_bug.cgi?id=395
> > >>|
> > >>| cheers, jerry
> > >>
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Secondary Groups and Group Mapping

2004-01-07 Thread Klinger, John (N-CSC)
Thank you for your response.

Bug 910 looks like a different issue. 

We are using Samba on Solaris 8, with "security = ads",
with AD running on a W2K server.

We cannot access someone else's file on Solaris that
is owned by a group that we are a member of, if that
group is not our primary group.

example:

Given nsswitch that has 2 lines modified for winbind:

passwd: files winbind
group:  files winbind

Given a file owned by user1:group2 such as the following:

 -rw-rw user1 group2 0 Jan 7 testfile.txt

And given user2 has a primary group of group1 and a 
secondary group of group2.

The following commands were executed on our smbdev
platform, that contains the smb server.

smbdev > su - user2
Password:
smbdev > id
uid=1001(user2) gid=10001(group1)
smbdev > id -a
uid=1001(user2) gid=10001(group1) groups=10001(group1)
smbdev > id -a user2
uid=1001(user2) gid=10001(group1) groups=10002(group2)
smbdev > getent group | grep user2
group1:x:10001:user1,user2
group2:x:10002:user1,user2
smbdev > grep user2 /etc/group
smbdev > wbinfo -r user2
10002
10001
smbdev > groups
group1
smbdev > cat testfile.txt
cat: cannot open testfile.txt
smbdev > touch testfile
smbdev > chgrp group2 testfile2
chgrp: group2: Not owner
smbdev > newgrp group2
$ chgrp group2 testfile2
$ ls -l testfile2
-rw-r- user2 group2 0 Jan 7 testfile2
$exit
smbdev >

At the initial su to user2, there is a lot of activity
in the winbindd log with "log level = 10", but it only
mentions the uid of 1001 and the gid of 10001. The
secondary group is not mentioned in the log. If I add
group2 to the /etc/group file, it works (as one would
expect due to the nsswitch.conf settings).

I expect it is a problem in libnss_winbind.so.

john


> -----Original Message-----
> From: Hansjoerg Maurer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 12:05 AM
> To: Klinger, John (N-CSC)
> Cc: Gerald (Jerry) Carter
> Subject: Re: [Samba] Secondary Groups and Group Mapping
> 
> 
> Hi,
> 
> this might be related to bug 910
> "domain admin rights only works for user, which primary group is domain admins"
> I submitted last week.
> 
> Just for your information.
> If you want me to do some testing, just give me a note.
> 
> Thank you
> 
> 
> Hansjörg
> 
> Klinger, John (N-CSC) wrote:
> 
> >  
> >
> >>-----Original Message-----
> >>From: Klinger, John (N-CSC) 
> >>Sent: Friday, December 19, 2003 8:14 AM
> >>
> >>| | Klinger, John (N-CSC) wrote:
> >>| |
> >>| | The first issue deals with the file sharing. Even if a file gives
> >>| | full permission to one of a user's secondary groups, that user
> >>| | cannot access the file. The user can only access the file (or
> >>| | directory) if the file's group is the user's primary group. I've
> >>| | found several references on the web and in https://bugzilla.samba.org,
> >>| | which seem to indicate that the bug is fixed. However, we also tried
> >>| | this with 3.0.1rc2 and have the same problem; which makes us think
> >>| | it is a configuration error or something we haven't found
> >>| | related to nsswitch.
> >>|
> >>|Gerald (Jerry) Carter wrote:
> >>|
> >>| This is an open bug
> >>|
> >>| ~   https://bugzilla.samba.org/show_bug.cgi?id=395
> >>|
> >>| cheers, jerry
> >>
> >>Good news, Jerry; thanks for the reply.


RE: [Samba] Secondary Groups and Group Mapping

2004-01-06 Thread Klinger, John (N-CSC)


> -----Original Message-----
> From: Klinger, John (N-CSC) 
> Sent: Friday, December 19, 2003 8:14 AM
> 
> | | Klinger, John (N-CSC) wrote:
> | |
> | | The first issue deals with the file sharing. Even if a file gives
> | | full permission to one of a user's secondary groups, that user
> | | cannot access the file. The user can only access the file (or
> | | directory) if the file's group is the user's primary group. I've
> | | found several references on the web and in https://bugzilla.samba.org,
> | | which seem to indicate that the bug is fixed. However, we also tried
> | | this with 3.0.1rc2 and have the same problem; which makes us think
> | | it is a configuration error or something we haven't found
> | | related to nsswitch.
> |
> |Gerald (Jerry) Carter wrote:
> |
> | This is an open bug
> |
> | ~   https://bugzilla.samba.org/show_bug.cgi?id=395
> |
> | cheers, jerry
> 
> Good news, Jerry; thanks for the reply.
> 
> This puts a large and noticeable kink in our architecture. What can we do to
> help get it resolved? Bug 395 references another link describing a similar
> problem on Solaris 9 with patch 112960-03. However, the problem exists for
> us on Solaris 8 without said patch series. We've successfully executed
> Samba using the same configuration files on a Debian and Red Hat 9
> system built from scratch using the same Samba source. We were going to
> build on Solaris 9 in an attempt to narrow the problem when I received your
> reply.
> 
> Again, what can we do to support Samba and help hunt this down?

I've now been tasked to work on this full time. Do you have any
pointers or suggestions on what I should investigate first?
I'll use 395 as a loose basis unless I hear otherwise (and
look into the 3.0.2rc when it arrives).

thanks,
john


RE: [Samba] Secondary Groups and Group Mapping

2003-12-19 Thread Klinger, John (N-CSC)
| | Klinger, John (N-CSC) wrote:
| |
| | The first issue deals with the file sharing. Even if a file gives
| | full permission to one of a user's secondary groups, that user
| | cannot access the file. The user can only access the file (or
| | directory) if the file's group is the user's primary group. I've
| | found several references on the web and in https://bugzilla.samba.org,
| | which seem to indicate that the bug is fixed. However, we also tried
| | this with 3.0.1rc2 and have the same problem; which makes us think
| | it is a configuration error or something we haven't found
| | related to nsswitch.
|
|   Gerald (Jerry) Carter wrote:
|
| This is an open bug
|
| ~   https://bugzilla.samba.org/show_bug.cgi?id=395
|
| cheers, jerry

Good news, Jerry; thanks for the reply.

This puts a large and noticeable kink in our architecture. What can we do to
help get it resolved? Bug 395 references another link describing a similar
problem on Solaris 9 with patch 112960-03. However, the problem exists for
us on Solaris 8 without said patch series. We've successfully executed
Samba using the same configuration files on a Debian and Red Hat 9
system built from scratch using the same Samba source. We were going to
build on Solaris 9 in an attempt to narrow the problem when I received your
reply.

Again, what can we do to support Samba and help hunt this down?

john


Re: [Samba] Secondary Groups and Group Mapping

2003-12-18 Thread Gerald (Jerry) Carter
Klinger, John (N-CSC) wrote:

| The first issue deals with the file sharing. Even if a file gives
| full permission to one of a user's secondary groups, that user
| cannot access the file. The user can only access the file (or
| directory) if the file's group is the user's primary group. I've
| found several references on the web and in https://bugzilla.samba.org,
| which seem to indicate that the bug is fixed. However, we also tried
| this with 3.0.1rc2 and have the same problem; which makes us think
| it is a configuration error or something we haven't found
| related to nsswitch.
This is an open bug

~   https://bugzilla.samba.org/show_bug.cgi?id=395



cheers, jerry
~ --
~ Hewlett-Packard- http://www.hp.com
~ SAMBA Team -- http://www.samba.org
~ GnuPG Key   http://www.plainjoe.org/gpg_public.asc
~ "If we're adding to the noise, turn off this song" --Switchfoot (2003)