Turns out that because I do not have nsswitch, I need to hack sys_getgrouplist to query winbind for domain users. Did not have to do that for 2.2.x. I should have said that I am on FreeBSD.
Anyway, thanks for all the answers.

Chere

On Tuesday 04 March 2003 11:48 pm, Andrew Bartlett wrote:
> On Wed, 2003-03-05 at 12:27, Chere Zhou wrote:
> > Dear list,
> >
> > I know that on 2.2.5, when we get user info from winbindd, we also
> > initialize group information based on the group list got from winbind,
> > and do a "setgroups" for the process, so that all of the groups the user
> > is a member of is set on the smbd.
> >
> > Now on 3.0a21 and HEAD, I do not see any "setgroup" operation from
> > winbind, and the smbd process only got the primary group of the Win2k
> > domain user. So it fails when a file permission is checked for other
> > groups the user is a member of.
> >
> > I can see that sec_ctx.c is about the only place that calls sys_setgroups
> > now, when the Unix group info has only the primary group. At the same
> > place the NT token has about 9 groups for my test user.
> >
> > Can somebody explain why we are not doing what 2.2.5 was doing? Is there
> > any design issue related to this?
>
> If you update your HEAD checkout, you will find that I have fixed this
> 'issue'. The problem is that the Win2k server does not report any
> groups for these users in LDAP, and as such we only use the 'primaryGid'
> attribute from the Active Directory query. There are however
> alternative queries that can be made, and I have implemented logic to
> detect this situation (it occurs mainly in child domains, we think).
>
> Unfortunately this change is only in HEAD, not Samba 3.0 at this stage.
>
> Andrew Bartlett
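
The failure discussed in this thread, as an added example that is not part of the original messages and is not Samba code: a model of the classic Unix owner/group/other check, showing why a process whose supplementary list was never installed with setgroups is denied a group-owned file. `struct cred`, `may_access` and all ids are hypothetical, constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Permission bits requested, laid out like one rwx triplet. */
enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

/* Hypothetical stand-in for a process credential: uid, primary gid and
 * the supplementary list that setgroups() would have installed. */
struct cred {
    uid_t uid;
    gid_t gid;
    const gid_t *groups;
    size_t ngroups;
};

static bool in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Classic Unix check: select exactly one class (owner, group, other)
 * and test only that class's bits. Superuser bypass is omitted. */
bool may_access(const struct cred *c, uid_t f_uid, gid_t f_gid,
                mode_t f_mode, int want)
{
    int bits;
    if (c->uid == f_uid)
        bits = (f_mode >> 6) & 7;
    else if (in_group(c, f_gid))
        bits = (f_mode >> 3) & 7;
    else
        bits = f_mode & 7;
    return (bits & want) == want;
}

int main(void)
{
    /* Constructed ids: user 10001, primary gid 20000; file 0:20005, mode 0660. */
    static const gid_t full[] = { 20000, 20005, 20009 };
    struct cred primary_only = { 10001, 20000, NULL, 0 };
    struct cred with_groups = { 10001, 20000, full, 3 };
    printf("primary only: %d\n", may_access(&primary_only, 0, 20005, 0660, WANT_R | WANT_W));
    printf("full list:    %d\n", may_access(&with_groups, 0, 20005, 0660, WANT_R | WANT_W));
    return 0;
}
```

Because only one class is consulted, a complete group list can also remove access: with mode 0604 a member of the file's group is denied a read that a non-member gets through the "other" bits.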