Jérôme Fenal
2003-Dec-09 19:48 UTC
[Samba] S3 domain member shares won't authorize secondary groups, only for W98
Hi list,

After kudos, time comes again with problems. This time, still on the same setup as before:

- Linux PDC with ldapsam, run by RH9, OpenLDAP 2.0.27 (stock RH9 RPM + Solaris RootDSE patch), Samba 3.0.1rc1 recompiled from SRPM;
- Linux BDC is the same;

The PDC and BDC are working OK, so I won't include the smb.conf from these.

- Solaris 9 domain member (jersey) gets Posix accounts from the OpenLDAP directory, Samba 3.0.1rc1 (home recompiled with nearly the same conf options as for Linux) is joined to the domain.

On the Solaris server, there is a share defined as follows:

[global]
	unix charset = CP850
	workgroup = DOMAIN
	server string = Jersey
	security = DOMAIN
	username level = 5
	log level = 10
	log file = /var/log/samba/%m
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	preferred master = No
	domain master = No
	wins server = 172.17.0.1
	admin users = root
	mangle case = Yes
	hide dot files = No
	fake oplocks = Yes

[dsvi]
	comment = Dossier commun DSVI
	path = /d2/dsvi
	valid users = +dsvi
	force group = dsvi
	read only = No
	create mask = 0774
	directory mask = 0775
	force directory mode = 0774

User defined in Unix as follows (Linux id command, from LDAP info):

# id jerome
uid=1000(jerome) gid=513(domusers) groups=513(domusers),550(prtadmin),103(dsvi),102(susers)

In LDAP:

$ ldapsearch -h localhost -D 'cn=Manager,dc=domain,dc=com' -x '(uid=jerome)' -W -LLL
Enter LDAP Password: ********
dn: uid=jerome, ou=INFORMATIQUE, ou=Paris, ou=People, dc=domain,dc=com
sambaLMPassword: xxxxxxx
displayName:: SsOpcsO0bWUgRmVuYWw=
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
shadowLastChange: 12391
sambaHomeDrive: H:
uid: jerome
uidNumber: 1000
cn: jerome
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1069436848
loginShell: /bin/bash
sambaAcctFlags: [UX]
sambaNTPassword: xxxxxxxx
sambaPwdCanChange: 1066406719
sambaSID: S-1-5-21-1150874807-1180408084-429402335-3000
gecos: Jerome Fenal
description:: SsOpcsO0bWUgRmVuYWw=
homeDirectory: /home/jerome
sambaKickoffTime: 2147483647
sn: jerome
sambaHomePath: \\theviec\homes
sambaPwdMustChange: 2147483647
sambaLogonScript: login\jerome.bat
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-1150874807-1180408084-429402335-513
userPassword:: xxxxxxxxx
sambaLogonTime: 0

Secondary groups are mapped:

dsvi (S-1-5-21-1150874807-1180408084-429402335-1207) -> dsvi
susers (S-1-5-21-1150874807-1180408084-429402335-1205) -> susers
Domain Users (S-1-5-21-1150874807-1180408084-429402335-513) -> domusers
Printer Operators (S-1-5-21-1150874807-1180408084-429402335-550) -> prtadmin

Note that the group asked to connect to the \\jersey\dsvi share is a secondary group for the user.

Now, to the problem:

- if connecting from a WinXP client, no problem, netlogon goes OK, and the share \\jersey\dsvi is mounted from the login script (net use g: \\jersey\dsvi)

Connecting from a Win98 client leads to weird behaviour:

- I can logon, but the dsvi share won't mount, and it will ask me for a password
- if I use samba-2.2.8a (home recompiled with exactly the same options as Samba 3), I can login _and_ the \\jersey\dsvi share is mounted
- Back to Samba 3, if I make the dsvi group jerome's *primary* group (either completely or only by means of the sambaPrimaryGroupSID LDAP attr.), I can mount the share
- Still in Samba 3, back with dsvi as secondary group, if I rename the user to uppercase (jerome -> JEROME), and all memberUid: LDAP attrs for the groups, it works, the share is mounted. I had the idea of doing that by seeing the account name uppercased in samba logs.

Wait, I can also see the following:

On Solaris (/usr/xpg4/bin/id):

root@jersey:/root# id jerome
uid=1000(JEROME) gid=513(domusers)
root@jersey:/root# id JEROME
uid=1000(JEROME) gid=513(domusers) groups=103(dsvi),102(susers)

On Linux PDC:

# id jerome
uid=1000(JEROME) gid=513(domusers) groups=513(domusers),550(prtadmin)
# id JEROME
uid=1000(JEROME) gid=513(domusers) groups=513(domusers),103(dsvi),102(susers)

Seems the problem comes from there... I rename the account to lowercase, and id gives (on Linux):

# id jerome
uid=1000(jerome) gid=513(domusers) groups=513(domusers),550(prtadmin),103(dsvi),102(susers)
# id JEROME
uid=1000(jerome) gid=513(domusers) groups=513(domusers)

Same 'id' result on Solaris 9.

This problem appears whatever value is given to the 'username level=' clause in smb.conf. So I suspect that either 'username level=' is not honored for the search of secondary group membership, or that the username is not lower-cased anymore as it could have been in Samba 2.2.8a. Or a change of behaviour between 2.2.8 and 3.0 for the 'valid users=' clause.

I can keep Samba 2.2.8a for a while on the member server, but I'd like to see this behaviour fixed. I'd like to provide a patch, but it's been years since I last programmed in C...

I can submit level 10 logs on Thursday upon request by private mail (too much security info in them).

Regards,

Jerome

-- 
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
Jérôme Fenal
2003-Dec-12 10:28 UTC
[Samba] Re: S3 domain member shares won't authorize secondary groups, only for W98
Hi list,

Last message on the topic is long so I won't reproduce it here. You can still read it at: http://marc.theaimsgroup.com/?l=samba&m=107099931908523&w=2.

I have more news on this front. I made level 10 logs from win98 with samba 3.0.1rc2 and 2.2.8a.

It seems that 2.2.8a converts the username given by win98 to lowercase, which in turn makes unix return all the groups of the unix user:

[2003/12/12 10:31:35, 10] smbd/password.c:register_vuid(288)
  register_vuid: (1000,513) jerome JEROME DOMAIN guest=0
[2003/12/12 10:31:35, 10] smbd/password.c:register_vuid(298)
  register_vuid: allocated vuid = 100
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:push_sec_ctx(297)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/12 10:31:35, 3] smbd/uid.c:push_conn_ctx(286)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:set_sec_ctx(329)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:get_current_groups(172)
  get_current_groups: user is in 4 groups: 513, 550, 103, 102
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:pop_sec_ctx(436)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:get_current_groups(172)
  get_current_groups: user is in 4 groups: 513, 550, 103, 102
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
  sid_to_gid: winbind lookup for sid S-1-5-21-1150874807-1180408084-429402335-513 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
  sid_to_gid: winbind lookup for sid S-1-5-21-1150874807-1180408084-429402335-550 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
  sid_to_gid: winbind lookup for sid S-1-5-21-1150874807-1180408084-429402335-1207 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
  sid_to_gid: winbind lookup for sid S-1-5-21-1150874807-1180408084-429402335-1205 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:uid_to_sid(758)
  uid_to_sid: local 1000 -> S-1-5-21-889427125-3291125262-439525394-3000
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
  gid_to_sid: local 513 -> S-1-5-21-889427125-3291125262-439525394-2027
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
  gid_to_sid: local 550 -> S-1-5-21-889427125-3291125262-439525394-2101
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
  gid_to_sid: local 103 -> S-1-5-21-889427125-3291125262-439525394-1207
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
  gid_to_sid: local 102 -> S-1-5-21-889427125-3291125262-439525394-1205

As you can see, all the lookups are done with a lowercase account name, and thus find all the groups that the user belongs to.

But samba 3 keeps the user given by win98 in all uppercase. It starts with the use of the username level parameter:

[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam(288)
  Finding user DOMAIN\JEROME
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is domain\jerome
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(230)
  Trying _Get_Pwnam(), username as given is DOMAIN\JEROME
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 8 uppercase letters in domain\jerome
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [DOMAIN\JEROME]!
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam(288)
  Finding user JEROME
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is jerome
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [JEROME]!
[2003/12/12 10:17:15, 10] passdb/pdb_get_set.c:pdb_set_username(593)
  pdb_set_username: setting username jerome, was

So one may think that username 'jerome' (all lowercase) is used.

Then comes the group membership determination:

[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(113)
  sys_getgrouplist: user [JEROME]
[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(122)
  sys_getgrouplist(): disabled winbindd for group lookup [user == JEROME]
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/12 10:17:15, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1000
  Primary group is 513 and contains 2 supplementary groups
  Group[ 0]: 513
  Group[ 1]: 513

As /usr/xpg4/bin/id says, JEROME is only a member of its primary group (see previous posting).

Something funnier (but normal, as SIDs come from the SMB wire, and Unix's come from local PAM): samba gets the secondary group SIDs, but not the Unix ones.

[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-1150874807-1180408084-429402335-3000 contains 8 SIDs
  SID[ 0]: S-1-5-21-1150874807-1180408084-429402335-3000
  SID[ 1]: S-1-5-21-1150874807-1180408084-429402335-513
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-11
  SID[ 5]: S-1-5-21-1150874807-1180408084-429402335-550
  SID[ 6]: S-1-5-21-1150874807-1180408084-429402335-1207
  SID[ 7]: S-1-5-21-1150874807-1180408084-429402335-1205
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1000
  Primary group is 513 and contains 2 supplementary groups
  Group[ 0]: 513
  Group[ 1]: 513

So, when the windows 98 client tries to mount the share authorized to the rid=1207 (gid=103) group, it ends with the refusal:

[2003/12/12 10:17:15, 10] lib/username.c:user_in_list(521)
  user_in_list: checking user JEROME in list
[2003/12/12 10:17:15, 10] lib/username.c:user_in_list(525)
  user_in_list: checking user |JEROME| against |+dsvi|
[2003/12/12 10:17:15, 2] smbd/service.c:make_connection_snum(391)
  user 'JEROME' (from session setup) not permitted to access this share (dsvi)

One thing I have not tried is to use winbind (with an LDAP idmap reference). I think it would work, but it would be a little overkill as I already have the LDAP Posix accounts distributed to my Solaris domain member.

So, can anybody tell me if this behaviour change was intentional, or if:

- it is a bug in the pam libraries (both in Solaris and in PADL used by Linux), which should be returning group membership regardless of the username case?
- it is a bug in my LDAP directory implementation, e.g. I should add both lowercase *and* uppercase usernames to the memberUid attributes of my groups?
- it is a bug in Samba 2.2.8a, which should behave as samba 3 does?
- it is a bug in Samba 3.0.x, which finds a username in lowercase (thanks to username level=8) but does not use it in the call to sys_getgrouplist?

I'd appreciate an answer, even if it is "keep samba 2.2.8a while you're ripping off your win98 clients", but that one is an easy one ;-)

Best regards,

Jérôme

-- 
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
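The mechanism the two postings describe, as an added Python model that is not part of the thread and not Samba's own code: a Get_Pwnam-style lookup that honours 'username level' by trying lowercase, the name as given, and then combinations of uppercase letters; a getgrouplist() over memberUid-style group entries that match the name exactly (the behaviour the 'id jerome' / 'id JEROME' output shows); and the 'valid users = +group' check. The passwd and group tables are constructed from the id output quoted in the first posting, and the use_canonical_name switch is a hypothetical knob introduced here only to contrast "use the pw_name that Get_Pwnam resolved" with "use the name from the session setup", which is the difference the sys_getgrouplist log lines point at.

```python
"""Case-sensitivity model of the Samba 3 / nss_ldap secondary-group problem.

Constructed example, not Samba code.  Tables mirror the posting's 'id' output.
"""
from itertools import combinations

# Constructed passwd table: name -> (uid, primary gid)
PASSWD = {
    "jerome": (1000, 513),
}

# Constructed group table: gid -> (name, memberUid values).
# memberUid is compared exactly, as nss_ldap does, so case matters.
GROUPS = {
    513: ("domusers", ["jerome"]),
    550: ("prtadmin", ["jerome"]),
    103: ("dsvi", ["jerome"]),
    102: ("susers", ["jerome"]),
}


def _get_pwnam(name):
    """Exact-match lookup, like the libc getpwnam() behind Samba's _Get_Pwnam()."""
    if name in PASSWD:
        uid, gid = PASSWD[name]
        return {"pw_name": name, "pw_uid": uid, "pw_gid": gid}
    return None


def get_pwnam(name, username_level):
    """Get_Pwnam-style search: lowercase, as given, then every combination of
    up to `username_level` uppercase letters.  Returns the canonical entry."""
    for candidate in (name.lower(), name):
        pw = _get_pwnam(candidate)
        if pw:
            return pw
    lower = name.lower()
    letters = [i for i, c in enumerate(lower) if c.isalpha()]
    for n in range(1, min(username_level, len(letters)) + 1):
        for idx in combinations(letters, n):
            candidate = "".join(c.upper() if i in idx else c for i, c in enumerate(lower))
            pw = _get_pwnam(candidate)
            if pw:
                return pw
    return None


def find_user(wire_name, username_level):
    """The log shows 'DOMAIN\\JEROME' being tried before bare 'JEROME'."""
    pw = get_pwnam(wire_name, username_level)
    if pw is None and "\\" in wire_name:
        pw = get_pwnam(wire_name.split("\\", 1)[1], username_level)
    return pw


def getgrouplist(name, primary_gid):
    """Primary gid plus every group whose memberUid matches `name` exactly."""
    gids = [primary_gid]
    for gid, (_gname, members) in GROUPS.items():
        if name in members and gid not in gids:
            gids.append(gid)
    return gids


def user_in_list(name, gids, valid_users):
    """'valid users' check: '+group' matches a group the user resolved into."""
    for entry in valid_users:
        if entry.startswith("+"):
            if any(GROUPS[g][0] == entry[1:] for g in gids):
                return True
        elif entry == name:
            return True
    return False


def can_connect(wire_name, valid_users, username_level=8, use_canonical_name=True):
    """Session-setup name -> share access decision.

    use_canonical_name=True feeds the resolved pw_name to getgrouplist();
    False feeds the name as sent by the client (hypothetical switch)."""
    pw = find_user(wire_name, username_level)
    if pw is None:
        return False
    lookup_name = pw["pw_name"] if use_canonical_name else wire_name
    gids = getgrouplist(lookup_name, pw["pw_gid"])
    return user_in_list(lookup_name, gids, valid_users)


if __name__ == "__main__":
    for name in ("jerome", "JEROME", "DOMAIN\\JEROME"):
        print(name, "canonical:", can_connect(name, ["+dsvi"]),
              "as-given:", can_connect(name, ["+dsvi"], use_canonical_name=False))
```

With the as-given name, "JEROME" resolves to uid 1000 but getgrouplist() returns only gid 513, so "+dsvi" fails exactly as the user_in_list log lines show; with the canonical pw_name the same session gets all four groups and the share opens.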