Re: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
After I managed to compile HEAD on my box, I don't see that my problem is fixed on HEAD. For a user that belongs to 5 groups in an ADS domain, smbd got only the primary group. Here is something from the log:

  [2003/03/10 13:01:58, 3] smbd/process.c:switch_message(676)
    switch message SMBntcreateX (pid 11923)
  [2003/03/10 13:01:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (1, 1) - sec_ctx_stack_ndx = 0
  [2003/03/10 13:01:58, 5] auth/auth_util.c:debug_nt_user_token(516)
    NT user token of user S-1-5-21-606747145-117609710-725345543-1005 contains 9 SIDs
    SID[ 0]: S-1-5-21-606747145-117609710-725345543-1005
    SID[ 1]: S-1-5-21-606747145-117609710-725345543-513
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-21-606747145-117609710-725345543-3173
    SID[ 6]: S-1-5-21-606747145-117609710-725345543-512
    SID[ 7]: S-1-5-21-606747145-117609710-725345543-3186
    SID[ 8]: S-1-5-21-606747145-117609710-725345543-3187
  [2003/03/10 13:01:58, 5] auth/auth_util.c:debug_unix_user_token(530)
    UNIX token of user 1
    Primary group is 1 and contains 2 supplementary groups
    Group[ 0]: 1
    Group[ 1]: 1
  [2003/03/10 13:01:58, 5] smbd/uid.c:change_to_user(203)
    change_to_user uid=(0,1) gid=(0,1)

I would expect the primary group to be 1, and that it contains 5 or 6 groups: 1, 10001, 10002, 10003, etc.

Is this problem familiar to anyone working on Samba 3.0?

Chere

On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
> > Dear list,
> >
> > I know that on 2.2.5, when we get user info from winbindd, we also initialize group information based on the group list got from winbind, and do a setgroups for the process, so that all of the groups the user is a member of are set on the smbd.
> >
> > Now on 3.0a21 and HEAD, I do not see any setgroups operation from winbind, and the smbd process only got the primary group of the Win2k domain user. So it fails when a file permission is checked for other groups the user is a member of.
> >
> > I can see that sec_ctx.c is about the only place that calls sys_setgroups now, when the Unix group info has only the primary group. At the same place the NT token has about 9 groups for my test user. Can somebody explain why we are not doing what 2.2.5 was doing? Is there any design issue related to this?
>
> If you update your HEAD checkout, you will find that I have fixed this 'issue'.
>
> The problem is that the Win2k server does not report any groups for these users in LDAP, and as such we only use the 'primaryGid' attribute from the Active Directory query. There are however alternative queries that can be made, and I have implemented logic to detect this situation (it occurs mainly in child domains, we think).
>
> Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.
>
> Andrew Bartlett
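As an added example (not from this thread and not Samba's own code), a small Python check that parses smbd's level-5 debug output in the format quoted above and flags when the Unix token carries fewer distinct gids than the NT token has domain group SIDs, which is exactly the symptom behind the failing permission checks. The sample log is constructed from the lines in the message above, and the heuristic that every domain group SID should have a winbind-mapped gid is an assumption.

```python
import re

# Constructed sample in the format of smbd's level-5 debug output quoted in the
# thread (SIDs, uid and gids are the ones from the message above).
SAMPLE_LOG = """\
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_nt_user_token(516)
  NT user token of user S-1-5-21-606747145-117609710-725345543-1005 contains 9 SIDs
  SID[  0]: S-1-5-21-606747145-117609710-725345543-1005
  SID[  1]: S-1-5-21-606747145-117609710-725345543-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-606747145-117609710-725345543-3173
  SID[  6]: S-1-5-21-606747145-117609710-725345543-512
  SID[  7]: S-1-5-21-606747145-117609710-725345543-3186
  SID[  8]: S-1-5-21-606747145-117609710-725345543-3187
[2003/03/10 13:01:58, 5] auth/auth_util.c:debug_unix_user_token(530)
  UNIX token of user 1
  Primary group is 1 and contains 2 supplementary groups
  Group[  0]: 1
  Group[  1]: 1
"""

USER_RE = re.compile(r"NT user token of user (S-[\d-]+)")
SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")
PRIMARY_RE = re.compile(r"Primary group is (\d+)")
GROUP_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")


def domain_group_sids(log):
    """Group SIDs of the NT token that belong to the user's own domain. Well-known
    SIDs (S-1-1-0, S-1-5-11, ...) have no Unix gid, and the user's SID is no group."""
    user = USER_RE.search(log).group(1)
    domain_prefix = user.rsplit("-", 1)[0] + "-"
    return [s for s in SID_RE.findall(log)
            if s != user and s.startswith(domain_prefix)]


def unix_gids(log):
    """Distinct gids of the Unix token (primary plus supplementary); the sample
    lists gid 1 twice, which collapses to a single entry."""
    gids = {int(PRIMARY_RE.search(log).group(1))}
    gids.update(int(g) for g in GROUP_RE.findall(log))
    return gids


def token_mismatch(log):
    """Assumed heuristic: winbind should have mapped every domain group SID to a
    gid, so fewer distinct gids than domain group SIDs means smbd will evaluate
    file permissions with an incomplete supplementary group list."""
    groups, gids = domain_group_sids(log), unix_gids(log)
    return {"domain_groups": len(groups), "unix_gids": len(gids),
            "mismatch": len(gids) < len(groups)}
```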
Re: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
Do you mean that I probably will need both your change and Ken's patch?

Now I remember that I checked on SAMBA_3_0 but not HEAD, as I thought they should be pretty similar. I will check HEAD out.

Thanks A. Bartlett.

Chere

On Tuesday 04 March 2003 11:52 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 14:38, Ken Cross wrote:
> > The behavior you're seeing is because LDAP is being used to get the group membership rather than RPC.
> >
> > Last month I posted a patch to fix this, but to my knowledge it hasn't been incorporated. (I'm not bitching, just explaining...)
>
> Your patch fixed a slightly different issue, this issue was fixed in HEAD recently.
>
> Andrew Bartlett
Re: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
On Thu, 2003-03-06 at 05:38, Chere Zhou wrote:
> Do you mean that I probably will need both your change and Ken's patch?

Ken's patch is not required for posix users of winbind (ie the NSS subsystem). It is required if you want (for a custom user interface) to know all the members of a particular group, but I'm not sure it's the right way to do it. (I think a custom winbind command would do better).

> Now I remember that I checked on SAMBA_3_0 but not HEAD, as I thought they should be pretty similar. I will check HEAD out.
>
> Thanks A. Bartlett.

Most of the time they are, it's just new developments that I'm sometimes slow to merge (often because I don't get all the bugs out the first time I commit :-)

> Chere
>
> On Tuesday 04 March 2003 11:52 pm, Andrew Bartlett wrote:
> > On Wed, 2003-03-05 at 14:38, Ken Cross wrote:
> > > The behavior you're seeing is because LDAP is being used to get the group membership rather than RPC.
> > >
> > > Last month I posted a patch to fix this, but to my knowledge it hasn't been incorporated. (I'm not bitching, just explaining...)
> >
> > Your patch fixed a slightly different issue, this issue was fixed in HEAD recently.
> >
> > Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
RE: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
> Ken's patch is not required for posix users of winbind (ie the NSS subsystem). It is required if you want (for a custom user interface) to know all the members of a particular group, but I'm not sure it's the right way to do it. (I think a custom winbind command would do better).

I'm not being argumentative (really!), but the *main* reason for my patch is that it will give you consistent information whether you've joined an NT domain or an AD. That is, all the group members will be returned from WINBINDD_GETGRGID or WINBINDD_GETGRNAM either way.

Ken

Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
[EMAIL PROTECTED]
RE: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
The behavior you're seeing is because LDAP is being used to get the group membership rather than RPC.

Last month I posted a patch to fix this, but to my knowledge it hasn't been incorporated. (I'm not bitching, just explaining...)

If you're interested, check the archives for the message entitled "Finding group members - fix to winbindd_ads.c" around Feb 8.

Ken

Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] amba.org] On Behalf Of Chere Zhou
Sent: Tuesday, March 04, 2003 8:27 PM
To: [EMAIL PROTECTED]
Subject: 3.0a21 and HEAD: only primary group of a domain user is set on smbd

Dear list,

I know that on 2.2.5, when we get user info from winbindd, we also initialize group information based on the group list got from winbind, and do a setgroups for the process, so that all of the groups the user is a member of are set on the smbd.

Now on 3.0a21 and HEAD, I do not see any setgroups operation from winbind, and the smbd process only got the primary group of the Win2k domain user. So it fails when a file permission is checked for other groups the user is a member of.

I can see that sec_ctx.c is about the only place that calls sys_setgroups now, when the Unix group info has only the primary group. At the same place the NT token has about 9 groups for my test user. Can somebody explain why we are not doing what 2.2.5 was doing? Is there any design issue related to this?

Thanks a lot!

Chere
Re: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
On Tue, Mar 04, 2003 at 10:38:12PM -0500, Ken Cross wrote:
> The behavior you're seeing is because LDAP is being used to get the group membership rather than RPC.
>
> Last month I posted a patch to fix this, but to my knowledge it hasn't been incorporated. (I'm not bitching, just explaining...)

Yes, it's in my inbox - 2 more patches to evaluate and incorporate before it :-).

Sorry,

Jeremy.
RE: 3.0a21 and HEAD: only primary group of a domain user is set on smbd
On Wed, 2003-03-05 at 14:38, Ken Cross wrote:
> The behavior you're seeing is because LDAP is being used to get the group membership rather than RPC.
>
> Last month I posted a patch to fix this, but to my knowledge it hasn't been incorporated. (I'm not bitching, just explaining...)

Your patch fixed a slightly different issue, this issue was fixed in HEAD recently.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net