samba - Mar 2003 - number of groups of NT account causes authentication problems

I am facing a strange problem related to authentication of NT users 
accessing the SAMBA server.
Here are the details:
Server:  Solaris 9, SUN Ultra 60,  SAMBA 2.2.7a with PAM and WINBIND
Client: Windows XP, NT4.0, 2000

Symptoms:
Created a share \\server\test (UNIX: /export/SMB/test)  with access to 
group 'TestGoup' where 'TestUser' is a member.
'TestUser' is a member of 10 more groups along with 'TestGroup'
(Total
number of TestUser's group = 11)

With the above settings 'TestUser' can't access the share 
'\\server\test', and the following message shows up in the Client.log:

[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
  Unable to initgroups. Error was Not owner
[2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
  This is probably a problem with the account domain\testuser
[2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
 client (10.81.105.121) Can't change directory to /export/SMB/test 
(Permission denied)

If I change the number of groups the user 'TestUser' belongs from 11 to 
8 ('TestGroup'  + 7 other groups), the user can access the share 
'\\server\test' without any problems.

It looks like there is some limitation on number of NT group memberships 
'smbd' can handle.  
Note: 'wbinfo' returns all the right groups of the user without any 
problems.

Is there anyone out there who is aware of this problem and knows a 
workaround/solution to this?
I really appreciate any help from the prestigious SAMBA Team.

Thanks,
Gopal

Hi,
I did more experiments with this problem and found that 'SMBD' fails to 
authenticate when the Number of Groups an NT user belongs grows more 
than 14 (i.e. 15 or more).
Thanks,
Gopal

Gopal Bhat wrote:
> I am facing a strange problem related to authentication of NT users 
> accessing the SAMBA server.
> Here are the details:
> Server:  Solaris 9, SUN Ultra 60,  SAMBA 2.2.7a with PAM and WINBIND
> Client: Windows XP, NT4.0, 2000
>
> Symptoms:
> Created a share \\server\test (UNIX: /export/SMB/test)  with access to 
> group 'TestGoup' where 'TestUser' is a member.
> 'TestUser' is a member of 14 more groups along with
'TestGroup' (Total
> number of TestUser's group = 15)
>
> With the above settings 'TestUser' can't access the share 
> '\\server\test', and the following message shows up in the
Client.log:
>
> [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
>  Unable to initgroups. Error was Not owner
> [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
>  This is probably a problem with the account domain\testuser
> [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
> client (10.81.105.121) Can't change directory to /export/SMB/test 
> (Permission denied)
>
> If I change the number of groups the user 'TestUser' belongs from
15
> to 8 ('TestGroup'  + 7 other groups), the user can access the share
> '\\server\test' without any problems.
>
> It looks like there is some limitation on number of NT group 
> memberships 'smbd' can handle.  Note: 'wbinfo' returns all
the right
> groups of the user without any problems.
>
> Is there anyone out there who is aware of this problem and knows a 
> workaround/solution to this?
> I really appreciate any help from the prestigious SAMBA Team.
>
> Thanks,
> Gopal
>

Hi Richard, et al;
Can't speak for Solaris, but HP-UX has a 20 group membership limit
for HP-UX users. From man setgroups: must be no more than NGROUPS_MAX,
as defined in <limits.h>.  Same applies to initgroups.
So Solaris may have some limit as well....
Hope this helps,
Don
> -----Original Message-----
> From: Richard Sharpe [mailto:rsharpe@richardsharpe.com]
> Sent: Tuesday, March 04, 2003 22:08
> To: Gopal Bhat
> Cc: samba; samba-technical
> Subject: Re: number of groups of NT account causes authentication
> problems
> 
> 
> On Tue, 4 Mar 2003, Gopal Bhat wrote:
> 
> > Hi,
> > I did more experiments with this problem and found that 
> 'SMBD' fails to 
> > authenticate when the Number of Groups an NT user belongs 
> grows more 
> > than 14 (i.e. 15 or more).
> > Thanks,
> > Gopal
> 
> I can't have a look until tomorrow, but I wonder, is it possible that 
> Solaris 9 has a restriction that the user cannot be in more that 14 
> groups? I would think not, but will find it difficult to test tonight.
> 
> Besides, I can probably only test on Solaris 8.
> 
> If that is not the problem, then I would have to look at the 
> code that 
> does setgroups and test on our platform.
> 
> > Gopal Bhat wrote:
> > 
> > > I am facing a strange problem related to authentication 
> of NT users 
> > > accessing the SAMBA server.
> > > Here are the details:
> > > Server:  Solaris 9, SUN Ultra 60,  SAMBA 2.2.7a with PAM 
> and WINBIND
> > > Client: Windows XP, NT4.0, 2000
> > >
> > > Symptoms:
> > > Created a share \\server\test (UNIX: /export/SMB/test)  
> with access to 
> > > group 'TestGoup' where 'TestUser' is a member.
> > > 'TestUser' is a member of 14 more groups along with 
> 'TestGroup' (Total 
> > > number of TestUser's group = 15)
> > >
> > > With the above settings 'TestUser' can't access the
share
> > > '\\server\test', and the following message shows up in 
> the Client.log:
> > >
> > > [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
> > >  Unable to initgroups. Error was Not owner
> > > [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
> > >  This is probably a problem with the account domain\testuser
> > > [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
> > > client (10.81.105.121) Can't change directory to
/export/SMB/test
> > > (Permission denied)
> > >
> > > If I change the number of groups the user 'TestUser' 
> belongs from 15 
> > > to 8 ('TestGroup'  + 7 other groups), the user can access
> the share 
> > > '\\server\test' without any problems.
> > >
> > > It looks like there is some limitation on number of NT group 
> > > memberships 'smbd' can handle.  Note: 'wbinfo'
returns
> all the right 
> > > groups of the user without any problems.
> > >
> > > Is there anyone out there who is aware of this problem 
> and knows a 
> > > workaround/solution to this?
> > > I really appreciate any help from the prestigious SAMBA Team.
> > >
> > > Thanks,
> > > Gopal
> > >
> > 
> > 
> 
> -- 
> Regards
> -----
> Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
> sharpe[at]ethereal.com, http://www.richardsharpe.com
>

Solaris has a 15 member limit to groups. Since you are under that 
limit, it should not be a problem.  I have Samba running on an Ultra
60 with Solaris8, samba version 2.2.5.  I have users who are members
of at least 14 groups and not having any problems accessing shared
folders.

Mike

On Tue, 2003-03-04 at 13:35, Gopal Bhat wrote:
> I am facing a strange problem related to authentication of NT users 
> accessing the SAMBA server.
> Here are the details:
> Server:  Solaris 9, SUN Ultra 60,  SAMBA 2.2.7a with PAM and WINBIND
> Client: Windows XP, NT4.0, 2000
> 
> Symptoms:
> Created a share \\server\test (UNIX: /export/SMB/test)  with access to 
> group 'TestGoup' where 'TestUser' is a member.
> 'TestUser' is a member of 10 more groups along with
'TestGroup' (Total
> number of TestUser's group = 11)
> 
> With the above settings 'TestUser' can't access the share 
> '\\server\test', and the following message shows up in the
Client.log:
> 
> [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(244)
>   Unable to initgroups. Error was Not owner
> [2003/03/04 13:31:52, 0] smbd/sec_ctx.c:initialise_groups(247)
>   This is probably a problem with the account domain\testuser
> [2003/03/04 13:31:52, 0] smbd/service.c:make_connection(599)
>  client (10.81.105.121) Can't change directory to /export/SMB/test 
> (Permission denied)
> 
> If I change the number of groups the user 'TestUser' belongs from
11 to
> 8 ('TestGroup'  + 7 other groups), the user can access the share 
> '\\server\test' without any problems.
> 
> It looks like there is some limitation on number of NT group memberships 
> 'smbd' can handle.  
> Note: 'wbinfo' returns all the right groups of the user without any
> problems.
> 
> Is there anyone out there who is aware of this problem and knows a 
> workaround/solution to this?
> I really appreciate any help from the prestigious SAMBA Team.
> 
> Thanks,
> Gopal
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba