Ganael LAPLANCHE
2003-Aug-08 14:12 UTC
[Samba] Can a user belong to two groups in Samba ???
Hi,

I'm using samba 3b3 (+ldapsam) and have created a user belonging to two groups :

- his primary group is mapped to the "Domain Users" Windows group,
- his secondary one is mapped to the "Domain Admins" Windows group.

Unfortunately, only the first group seems to be known by Samba, since the user doesn't become a "Domain Admin" at all (but he is a "Domain User")...

I've googled a lot and haven't been able to find much info about multiple-groups-per-user handling in Samba ; some users seem to get the same problem without getting a solution ; Redhat did record this as a bug in bugzilla...

So : Is it a bug ? Is it related to LDAP ? Finally, is it possible to have a user belonging to two (or more) Windows domain groups ?

Regards,
Ganaël.
Gerald (Jerry) Carter
2003-Aug-09 22:46 UTC
[Samba] Can a user belong to two groups in Samba ???
On Fri, 8 Aug 2003, Ganael LAPLANCHE wrote:

> Hi,
>
> I'm using samba 3b3 (+ldapsam) and have created a user belonging to two
> groups :
>
> - his primary group is mapped to the "Domain Users" Windows group,
> - his secondary one is mapped to the "Domain Admins" Windows group.

It should be fine. Can you send me a level 10 debug log showing the session setup portion where the user's groups are initialized?

> Unfortunately, only the first group seems to be known by Samba, since the
> user doesn't become a "Domain Admin" at all (but he is a "Domain User")...

You could have this problem if libc is not returning the secondary groups for a user via NSS.

> I've googled a lot and haven't been able to find much info about
> multiple-groups-per-user handling in Samba ; some users seem to get the
> same problem without getting a solution ; Redhat did record this as a bug
> in bugzilla...

Do you know that bug #id offhand ?

> So : Is it a bug ? Is it related to LDAP ? Finally, Is it possible to have
> a user belonging to two (or more) Windows domain groups ?

It would be a bug. Whether it is our bug or not is unknown right now. That log file would help me to determine what is going on. All my tests are turning up correct results.

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
  --John Cusack - "Grosse Point Blank" (1997)
Ganael LAPLANCHE
2003-Aug-11 09:54 UTC
[Samba] Can a user belong to two groups in Samba ???
>> Hi,
>>
>> I'm using samba 3b3 (+ldapsam) and have created a user belonging to two
>> groups :
>>
>> - his primary group is mapped to the "Domain Users" Windows group,
>> - his secondary one is mapped to the "Domain Admins" Windows group.

> It should be fine. Can you send me a level 10 debug log showing the
> session setup portion where the user's groups are initialized?

# net groupmap list
Domain Users (S-1-5-21-1320293332-2887003436-4113625284-513) -> opususers
Domain Admins (S-1-5-21-1320293332-2887003436-4113625284-512) -> opusadmins

# getent group
...
opususers:x:1001:
opusadmins:x:1002:opususer
...

# getent passwd
...
opususer:x:1002:1001::/home/opususer:/bin/bash
...

# id opususer
uid=1002(opususer) gid=1001(opususers) groups=1001(opususers),1002(opusadmins)

# Ldap entries
dn: uid=opususer,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
uid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-3004
sambaPrimaryGroupSID: S-1-5-21-1320293332-2887003436-4113625284-513
sambaPwdCanChange: 1060162576
sambaPwdMustChange: 1061976976
sambaLMPassword: B8AC092B6597E9E6944E2DF489A880E4
sambaNTPassword: 75892BB02A31553735DD03163476A3C8
sambaPwdLastSet: 1060162576
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
sambaHomeDrive: U:
sambaLogonScript: opususer.cmd
sambaProfilePath: \\OPUS_DC1\profiles\opususer
sambaHomePath: \\OPUS_DC1\opususer

dn: cn=opususers,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
cn: opususers
memberUid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=opusadmins,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1002
cn: opusadmins
memberUid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-512
sambaGroupType: 2
displayName: Domain Admins

# Log extract (logon time)
[2003/08/11 07:07:21, 2] lib/smbldap.c:smbldap_search_suffix(1056)
  smbldap_search_suffix: searching for: [(&(uid=opususer)(objectclass=sambaSamAccount))]
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(456)
  Entry found for user: opususer
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 4] auth/auth_sam.c:sam_password_ok(218)
  sam_password_ok: Checking NT MD4 password
[2003/08/11 07:07:21, 4] auth/auth_sam.c:sam_account_ok(324)
  sam_account_ok: Checking SMB password for user opususer
[2003/08/11 07:07:21, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1002
  Primary group is 1001 and contains 2 supplementary groups
  Group[ 0]: 1001
  Group[ 1]: 1002
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1001))]
[2003/08/11 07:07:21, 0] lib/smbldap.c:smbldap_open(799)
  smbldap_open: cannot access LDAP when not root..
[2003/08/11 07:07:21, 1] lib/smbldap.c:smbldap_retry_open(888)
  Connection to LDAP Server failed for the 1 try!
[2003/08/11 07:07:21, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1634)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)
  ldapsam_search_one_group: Query was: ou=Opus,dc=der,dc=edf,dc=fr, (&(objectClass=sambaGroupMapping)(gidNumber=1001))
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1002))]
[2003/08/11 07:07:21, 0] lib/smbldap.c:smbldap_open(799)
  smbldap_open: cannot access LDAP when not root..
[2003/08/11 07:07:21, 1] lib/smbldap.c:smbldap_retry_open(888)
  Connection to LDAP Server failed for the 1 try!
[2003/08/11 07:07:21, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1634)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)
  ldapsam_search_one_group: Query was: ou=Opus,dc=der,dc=edf,dc=fr, (&(objectClass=sambaGroupMapping)(gidNumber=1002))
[2003/08/11 07:07:21, 10] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-1320293332-2887003436-4113625284-3004 contains 7 SIDs
  SID[ 0]: S-1-5-21-1320293332-2887003436-4113625284-3004
  SID[ 1]: S-1-5-21-1320293332-2887003436-4113625284-513
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-11
  SID[ 5]: S-1-5-21-1320293332-2887003436-4113625284-3003
  SID[ 6]: S-1-5-21-1320293332-2887003436-4113625284-3005
[2003/08/11 07:07:21, 5] auth/auth_util.c:make_server_info_sam(815)
  make_server_info_sam: made server info for user opususer -> opususer
[2003/08/11 07:07:21, 3] auth/auth.c:check_ntlm_password(265)
  check_ntlm_password: sam authentication for user [opususer] succeeded
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2003/08/11 07:07:21, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 5] auth/auth.c:check_ntlm_password(289)
  check_ntlm_password: PAM Account for user [opususer] succeeded
[2003/08/11 07:07:21, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password: authentication for user [opususer] -> [opususer] -> [opususer] succeeded

# Log extract (trying to change date/time on the workstation)
[2003/08/11 07:06:07, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(283)
  Got user=[opususer] domain=[OPUS] workstation=[OPUSWKS] len1=24 len2=24
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info_map(216)
  make_user_info_map: Mapping user [OPUS]\[opususer] from workstation [OPUSWKS]
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for opususer (opususer)
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(142)
  making strings for opususer's user_info struct
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(184)
  making blobs for opususer's user_info struct
[2003/08/11 07:06:07, 10] auth/auth_util.c:make_user_info(193)
  made an encrypted user_info for opususer (opususer)
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password: Checking password for unmapped user [OPUS]\[opususer]@[OPUSWKS] with the new password interface
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: mapped user is: [OPUS]\[opususer]@[OPUSWKS]
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(228)
  check_ntlm_password: auth_context challenge created by random
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(230)
  challenge is:
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(256)
  check_ntlm_password: guest had nothing to say
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 2] lib/smbldap.c:smbldap_search_suffix(1056)
  smbldap_search_suffix: searching for: [(&(uid=opususer)(objectclass=sambaSamAccount))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(456)
  Entry found for user: opususer
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 4] auth/auth_sam.c:sam_password_ok(218)
  sam_password_ok: Checking NT MD4 password
[2003/08/11 07:06:07, 4] auth/auth_sam.c:sam_account_ok(324)
  sam_account_ok: Checking SMB password for user opususer
[2003/08/11 07:06:07, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1002
  Primary group is 1001 and contains 2 supplementary groups
  Group[ 0]: 1001
  Group[ 1]: 1002
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1001))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_group_from_ldap(1665)
  Entry found for group: 1001
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1002))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_group_from_ldap(1665)
  Entry found for group: 1002
[2003/08/11 07:06:07, 10] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-1320293332-2887003436-4113625284-3004 contains 6 SIDs
  SID[ 0]: S-1-5-21-1320293332-2887003436-4113625284-3004
  SID[ 1]: S-1-5-21-1320293332-2887003436-4113625284-513
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-11
  SID[ 5]: S-1-5-21-1320293332-2887003436-4113625284-512
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_server_info_sam(815)
  make_server_info_sam: made server info for user opususer -> opususer
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(265)
  check_ntlm_password: sam authentication for user [opususer] succeeded
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 5] auth/auth.c:check_ntlm_password(289)
  check_ntlm_password: PAM Account for user [opususer] succeeded
[2003/08/11 07:06:07, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password: authentication for user [opususer] -> [opususer] -> [opususer] succeeded

I thought my troubles were related to the "cannot access LDAP when not root" error, but the SID table finally contains the "Domain Admins" RID, very strange... And I can't change time on my windows machine...

Either the "Domain Admins" group hasn't been mapped to the "Local Admins" group on Windows (unlikely to be possible : if I set opusadmins as a primary group for opususer, he becomes a "Domain Admin" and then a "Local Admin" and can change time/date), or samba ignores the "Domain Admins" group listed in the user's SIDs.

>> Unfortunately, only the first group seems to be known by Samba, since the
>> user doesn't become a "Domain Admin" at all (but he is a "Domain User")...

> You could have this problem if libc is not returning the secondary groups
> for a user via NSS.

A precision : I'm using nss to access /etc/passwd and /etc/group ; I'm not using libnss_ldap at all. I've created every account/group on my unix box before creating it under samba.

>> I've googled a lot and haven't been able to find much info about
>> multiple-groups-per-user handling in Samba ; some users seem to get the
>> same problem without getting a solution ; Redhat did record this as a bug
>> in bugzilla...

> Do you know that bug #id offhand ?

Well, the bug is closed, here is the link : http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=91768 ; but it doesn't seem to be what I'm in trouble with : it is related to libnss-ldap !

>> So : Is it a bug ? Is it related to LDAP ? Finally, Is it possible to have
>> a user belonging to two (or more) Windows domain groups ?

> It would be a bug. Whether it is our bug or not is unknown right now.
> That log file would help me to determine what is going on. All my tests
> are turning up correct results.

Thank you very much,
Regards,
Ganaël.
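An added cross-check written for this thread (not code from the posts or from Samba): it parses the three artefacts Ganael supplied, the output of net groupmap list and getent group and the Group[]/SID[] lines of a level 10 smbd log, and reports which mapped supplementary group is absent from the NT token, how many LDAP access errors preceded it, and which token SIDs match Samba 3's algorithmic gid-to-RID fallback (gid*2+1001; those constants are an assumption taken from the Samba 3 source, and the sample inputs are constructed from the post). It handles any number of mapped groups, not only the two in the thread.

```python
import re

DOM = "S-1-5-21-1320293332-2887003436-4113625284"   # domain SID from the post

# Constructed samples, condensed from the command output and log extracts in the thread.
GROUPMAP = f"Domain Users ({DOM}-513) -> opususers\nDomain Admins ({DOM}-512) -> opusadmins"
GETENT_GROUP = "opususers:x:1001:\nopusadmins:x:1002:opususer"
LOG_BROKEN = f"""Group[ 0]: 1001
Group[ 1]: 1002
smbldap_open: cannot access LDAP when not root..
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)
NT user token of user {DOM}-3004 contains 7 SIDs
SID[ 0]: {DOM}-3004
SID[ 1]: {DOM}-513
SID[ 5]: {DOM}-3003
SID[ 6]: {DOM}-3005"""
LOG_OK = f"Group[ 0]: 1001\nGroup[ 1]: 1002\nSID[ 0]: {DOM}-3004\nSID[ 1]: {DOM}-513\nSID[ 5]: {DOM}-512"

def parse_groupmap(text):
    """unix group name -> (Windows group name, SID), one per 'net groupmap list' line."""
    return {m[3]: (m[1], m[2]) for m in
            re.finditer(r"^(.+?) \((S-[\d-]+)\) -> (\S+)$", text, re.M)}

def parse_getent_group(text):
    """gid -> unix group name from 'getent group' lines."""
    return {int(f[2]): f[0] for f in (l.split(":") for l in text.splitlines()) if len(f) > 2}

def algorithmic_group_rid(gid):
    """Samba 3's fallback when no mapping is readable: RID = gid*2 + 1001 (assumed constants)."""
    return gid * 2 + 1001

def check_token(log, groupmap, getent):
    """Compare the UNIX token gids with the NT token SIDs found in a level 10 smbd log."""
    gids = [int(g) for g in re.findall(r"^Group\[\s*\d+\]: (\d+)$", log, re.M)]
    sids = re.findall(r"^SID\[\s*\d+\]: (S-[\d-]+)$", log, re.M)
    ldap_errors = len(re.findall(r"cannot access LDAP when not root|Insufficient access", log))
    names, gmap = parse_getent_group(getent), parse_groupmap(groupmap)
    missing, fallback = [], []
    for gid in gids:
        win = gmap.get(names.get(gid))
        if win and win[1] not in sids:        # mapped group never made it into the token
            missing.append(win)
        if f"{DOM}-{algorithmic_group_rid(gid)}" in sids:   # unmapped RID was used instead
            fallback.append(gid)
    return {"missing": missing, "ldap_errors": ldap_errors, "fallback_gids": fallback}

if __name__ == "__main__":
    for label, log in (("logon", LOG_BROKEN), ("time change", LOG_OK)):
        print(label, check_token(log, GROUPMAP, GETENT_GROUP))
```

On the logon extract it flags "Domain Admins" as missing, counts two LDAP access errors and marks gids 1001 and 1002 as fallen back, which is exactly where the 3003/3005 SIDs in the posted token come from (1001*2+1001 and 1002*2+1001). The time-change extract, where the LDAP lookups succeeded, comes back clean.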