I try to set up Samba 2.2.4 / LDAP as a PDC and it almost works. The
only thing I don't understand is why a domain user can't have a
primaryGroupID of 513 (which looks like it should be a safe default).
But if I set it, login is denied with an error C0000078 on the client,
and something like
[2002/06/03 10:32:28, 3] smbd/sec_ctx.c:set_sec_ctx(314)
    setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2002/06/03 10:32:28, 3] smbd/sec_ctx.c:set_sec_ctx(319)
    1 user groups:
    65534
(i.e. nobody/nogroup) on the server. If I set primaryGroupId to any
sufficiently random number (like 51223), login works as expected
[2002/06/03 10:42:32, 3] smbd/sec_ctx.c:set_sec_ctx(314)
    setting sec ctx (2001, 100) - sec_ctx_stack_ndx = 0
[2002/06/03 10:42:32, 3] smbd/sec_ctx.c:set_sec_ctx(319)
    1 user groups:
    100
In addition, in the case of a successful login, the second transaction
in the log file performs a "switch message SMBsesssetupX (pid 7865)",
the C0000078 logins have a "switch message SMBtrans" in this position.
This is slightly puzzling.
Yours, Florian Hars.
PS: isn't there a return(True) missing in uid.c/change_to_user:

        if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
            (current_user.uid == conn->uid)) {
                DEBUG(4,("change_to_user: Skipping user change - already user\n"));
                return(True);
        } else if ((current_user.conn == conn) &&
                   (vuser != 0) && (current_user.vuid == vuid) &&
                   (current_user.uid == vuser->uid)) {
                DEBUG(4,("change_to_user: Skipping user change - already user\n"));
                /************** HERE ??? ***************************/
        }

On Mon, 3 Jun 2002, Florian Hars wrote:

> I try to set up Samba 2.2.4 / LDAP as a PDC and it almost works. The
> only thing I don't understand is why a domain user can't have a
> primaryGroupID of 513 (which looks like it should be a safe default).
> But if I set it, login is denied with an error C0000078 on the client,
> and something like

All users have the Domain Users group set automatically (on a Samba
PDC). The domain group support in 2.2.x is incomplete to put it
nicely. :-) I wouldn't even bother setting this. Let the posixGroup
membership handle it. A correct solution will be implemented in 3.0

> PS: isn't there a return(True) missing in uid.c/change_to_user:
>
>         if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
>             (current_user.uid == conn->uid)) {
>                 DEBUG(4,("change_to_user: Skipping user change - already user\n"));
>                 return(True);
>         } else if ((current_user.conn == conn) &&
>                    (vuser != 0) && (current_user.vuid == vuid) &&
>                    (current_user.uid == vuser->uid)) {
>                 DEBUG(4,("change_to_user: Skipping user change - already user\n"));
>                 /************** HERE ??? ***************************/
>         }

Looks that way. Thanks.

cheers, jerry
---------------------------------------------------------------------
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
-- http://www.plainjoe.org
"Sam's Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2
--"I never saved anything for the swim back." Ethan Hawk in Gattaca--
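
The following is an added example, not part of the original thread and not Samba code: a small parser for the level-3 set_sec_ctx log entries quoted in the first message, which flags security contexts that ended up as uid/gid 65534 (nobody/nogroup on that server, per the post). The function names and the choice of 65534 as the fallback id are assumptions for illustration.

```python
import re

# Constructed sample: the two level-3 excerpts quoted in the first message.
SAMPLE_LOG = """\
[2002/06/03 10:32:28, 3] smbd/sec_ctx.c:set_sec_ctx(314)
    setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2002/06/03 10:32:28, 3] smbd/sec_ctx.c:set_sec_ctx(319)
    1 user groups:
    65534
[2002/06/03 10:42:32, 3] smbd/sec_ctx.c:set_sec_ctx(314)
    setting sec ctx (2001, 100) - sec_ctx_stack_ndx = 0
[2002/06/03 10:42:32, 3] smbd/sec_ctx.c:set_sec_ctx(319)
    1 user groups:
    100
"""

# Header line: "[timestamp, level] file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+:set_sec_ctx\(\d+\)\s*$")
CTX = re.compile(r"setting sec ctx \((\d+), (\d+)\)")
FALLBACK_ID = 65534  # assumption: nobody/nogroup, as on the poster's server


def parse_sec_ctx(log_text):
    """Return one dict per 'setting sec ctx' entry, with its group list."""
    entries, ts, in_ctx = [], None, False
    for line in log_text.splitlines():
        if line.startswith("["):          # a new log header
            m = HEADER.match(line)
            in_ctx = m is not None        # ignore bodies of other functions
            ts = m.group("ts") if m else None
            continue
        if not in_ctx:
            continue
        body = line.strip()
        m = CTX.search(body)
        if m:
            entries.append({"time": ts, "uid": int(m.group(1)),
                            "gid": int(m.group(2)), "groups": []})
        elif body.isdigit() and entries:  # one supplementary gid per line
            entries[-1]["groups"].append(int(body))
    return entries


def fallback_contexts(entries, fallback_id=FALLBACK_ID):
    """Entries whose uid or gid is the unprivileged fallback id."""
    return [e for e in entries if fallback_id in (e["uid"], e["gid"])]


if __name__ == "__main__":
    for e in fallback_contexts(parse_sec_ctx(SAMPLE_LOG)):
        print(e["time"], "context fell back to", (e["uid"], e["gid"]))
```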