We are implementing the following:

Solaris 9
iPlanet Directory Server 5.1 (bundled with Solaris 9)
openldap 2.1.16 (only used for the ldap libraries; samba will not compile without them. Is this other people's experience?)
samba 2.2.8 compiled with ./configure --with-ldapsam --with-acl-support

We have the samba server acting as a PDC with all user and machine accounts in LDAP as sambaAccounts. We are successfully adding Windows XP workstations to the PDC and authenticating users.

However supplementary groups for users are not being recognised (i.e. posixGroup entries with the user as a memberUid attribute). Only the primary group (from sambaAccount) is being recognised, as shown in the log. This results in a permission denied when accessing a directory with only group permissions.

[2003/04/04 09:53:59, 3] smbd/sec_ctx.c:set_sec_ctx(334)
  1 user groups: 1000

Interestingly, supplementary groups from /etc/group are being recognised. If the same user logs into Solaris (the users have posixAccount entries as well) they can see and use all their supplementary groups (using Solaris 9 nss built-in support).

Is this a bug or something we are doing wrong? Any help would be appreciated.

Thanks
--
Malcolm Gibbs, Sun Microsystems (NZ) Ltd
Thanks for the response,

Bas Goes wrote:
> Hi,
>
> What does id <username> tell you and what does the ldapsearch on a group
> say?
> it works just like the groups file only now usernames are stored as
> attributes to a group ldap entry

I can access the group protected directory fine when logged in as the same user in a Solaris shell. 'id -a' shows the supplementary group correctly, as does ldaplist and ldapsearch.

> 2 things you need to check are:
>
> 1 is the group in ldap and is the user a part in this ldapgroup ldif?
> ldapsearch -x -D <adminldapacc> -W -b <ldap groupsbase> "uid=<groupname>"
> i myself use ldapexplorer to browse the ldapdatabase

Unfortunately I do not have access to the LDAP directory at the moment. However ldapsearches do show the group in question and the user being a memberUid attribute. I have also confirmed this with a GUI browser.

> 2 check if nss looks in the (right) ldapbase
> if 1 isn't the case and id doesn't work this is probably the problem
>
> in debian it is in nsswitch.conf in /etc/ if it uses ldap
> /etc/libnss-ldap.conf if ldap is configured correctly
> /etc/ldap/slapd.conf if nss has rights to browse these ldap directories

Yes, what is frustrating is that supplementary LDAP groups are working fine from the Solaris shell; it is only SAMBA that appears to be ignoring them. Do posixGroup entries have to have any additional attributes or be in a particular base to be recognised by SAMBA? Solaris 9 by default puts them in ou=group,dc=xx,dc=com.

> Good luck
>
> regards
> Bas

Thanks
Malcolm Gibbs
Jerry,

The same supplementary group works fine when used in /etc/passwd for a Solaris user. If you put the supplementary group in /etc/group and make the SAMBA user a member, this works fine. If you make the sambaAccount gidNumber the supplementary group (so it is now the primary group), this also works.

It is as if SAMBA is never looking for any supplementary LDAP posixGroups when attempting the directory open.

Thanks
Malcolm

----- Original Message -----
From: "Gerald (Jerry) Carter" <jerry@samba.org>
Date: Sunday, April 6, 2003 2:09 am
Subject: Re: [Samba] LDAP Supplementary Groups not recognised

> On Sat, 5 Apr 2003, Malcolm Gibbs wrote:
>
> > Yes what is frustrating is that supplementary LDAP groups are working
> > fine from the Solaris shell, it is only SAMBA that appears to be
> > ignoring them.
> >
> > Do posixGroup entries have to have any additional attributes or be in a
> > particular base to be recognised by SAMBA, Solaris 9 by default puts
> > them in ou=group,dc=xx,dc=com.
>
> I don't think this is related to LDAP. Can you test using a standard
> /etc/passwd file and see if you get the same behavior. I've got
> unconfirmed reports of a possible generic bug in this area.
>
> cheers, jerry
> ----------------------------------------------------------------------
> Hewlett-Packard ------------------------- http://www.hp.com
> SAMBA Team ---------------------- http://www.samba.org
> GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
> "You can never go home again, Oatman, but I guess you can shop there."
> --John Cusack - "Grosse Point Blank" (1997)
It would appear my problem is caused by Solaris 9 libsldap patch 112960-06. When reverting from 112960-06 to 112960-03, which is bundled with Solaris 9 12/02, my problem disappeared.

So if you are implementing SAMBA/LDAP on Solaris 9 12/02, avoid this patch, otherwise supplementary LDAP groups will not work in SAMBA. As I work for Sun you could say 'sweet justice'. I will be following this up internally.

Thanks to all that responded.

Malcolm

----- Original Message -----
From: "Gerald (Jerry) Carter" <jerry@samba.org>
Date: Sunday, April 6, 2003 2:09 am
Subject: Re: [Samba] LDAP Supplementary Groups not recognised

> On Sat, 5 Apr 2003, Malcolm Gibbs wrote:
>
> > Yes what is frustrating is that supplementary LDAP groups are working
> > fine from the Solaris shell, it is only SAMBA that appears to be
> > ignoring them.
> >
> > Do posixGroup entries have to have any additional attributes or be in a
> > particular base to be recognised by SAMBA, Solaris 9 by default puts
> > them in ou=group,dc=xx,dc=com.
>
> I don't think this is related to LDAP. Can you test using a standard
> /etc/passwd file and see if you get the same behavior. I've got
> unconfirmed reports of a possible generic bug in this area.
>
> cheers, jerry
> ----------------------------------------------------------------------
> Hewlett-Packard ------------------------- http://www.hp.com
> SAMBA Team ---------------------- http://www.samba.org
> GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
> "You can never go home again, Oatman, but I guess you can shop there."
> --John Cusack - "Grosse Point Blank" (1997)
I have this problem as well; however, my groups ARE recognized up to about 80 users in any group. If I put more than 80 users in a group, Samba does not authenticate. This DOES NOT happen on 2.2.7a but does on 2.2.8 and 2.2.8a.

I am running Redhat 8 with ldapsam on an openldap database. If I run getent, etc. the users do show what group they are a member of, but Samba just does not authenticate over the 80 users. I have other applications that use the same LDAP database per user/group setup and they work just fine, so it does not seem to be linked to openldap.
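A small diagnostic, added here as an example and not code from the thread or from Samba, for the two symptoms reported above: it rebuilds the group set a user should get from LDAP (primary gidNumber on the account entry plus every posixGroup naming the user in memberUid), compares it with the gids smbd actually logged in its "user groups:" line, and flags posixGroups larger than the 80-member threshold reported for 2.2.8. The LDIF, user name and log fragment are constructed sample data; in practice feed it the output of ldapsearch and the level-3 smbd log.

```python
import re
# Constructed sample LDIF (not from the thread): sambaAccount user with primary gid 1000 and a posixGroup listing him in memberUid.
SAMPLE_LDIF = """\
dn: uid=mgibbs,ou=people,dc=example,dc=com
objectClass: sambaAccount
uid: mgibbs
gidNumber: 1000

dn: cn=finance,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: finance
gidNumber: 2001
memberUid: mgibbs
memberUid: other
"""
# Constructed smbd level-3 log fragment in the shape quoted in the thread.
SAMPLE_LOG = "[2003/04/04 09:53:59, 3] smbd/sec_ctx.c:set_sec_ctx(334)\n  1 user groups: 1000\n"

def parse_ldif(text):
    """Split simple LDIF (no base64 or continuation lines) into {attr: [values]} dicts."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():
            entries.append({})
            continue
        key, _, val = line.partition(":")
        entries[-1].setdefault(key.strip(), []).append(val.strip())
    return [e for e in entries if e]

def expected_gids(entries, uid):
    """Primary gid from the account entry plus every posixGroup naming uid in memberUid."""
    gids = set()
    for e in entries:
        is_group = "posixGroup" in e.get("objectClass", [])
        if (not is_group and uid in e.get("uid", [])) or (is_group and uid in e.get("memberUid", [])):
            gids.update(int(g) for g in e.get("gidNumber", []))
    return gids

def samba_gids(log):
    """Gids smbd actually placed in the token, read from its 'N user groups: ...' line."""
    m = re.search(r"\d+ user groups:((?:[ \t]+\d+)+)", log)
    return {int(g) for g in m.group(1).split()} if m else set()

def missing_gids(entries, uid, log):
    """Groups LDAP says the user is in that are absent from smbd's security context."""
    return expected_gids(entries, uid) - samba_gids(log)

def oversized_groups(entries, limit=80):
    """posixGroups with more memberUid values than the 80-member threshold reported for 2.2.8."""
    return [e["cn"][0] for e in entries if "posixGroup" in e.get("objectClass", []) and len(e.get("memberUid", [])) > limit]
```

With the sample data, missing_gids reports {2001}: the finance group that NSS resolves but smbd never put in the token, which is exactly the permission-denied case described in the first message.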