We are having what appears to be two main issues in our attempt to set up Samba 3.0.0 compiled from src on Solaris 8. We are using Samba to provide Unix shares on W2K clients, and to authenticate against a W2K Active Directory server. OpenLDAP is used on the Samba side for the UID/GID to SID mappings.

The first issue deals with the file sharing. Even if a file gives full permission to one of a user's secondary groups, that user cannot access the file. The user can only access the file (or directory) if the file's group is the user's primary group. I've found several references on the web and in https://bugzilla.samba.org, which seem to indicate that the bug is fixed. However, we also tried this with 3.0.1rc2 and have the same problem, which makes us think it is a configuration error or something we haven't found related to nsswitch.

The second issue deals with groupmap. Again, searches haven't turned up anything fruitful. When we execute commands similar to the following:

  groupadd elves
  net groupmap add ntuser=LOTR+fairfolk username=elves

We always get the following error:

  No rid or sid specified, choosing algorithmic mapping
  adding entry for group LOTR+fairfolk failed!

Output from the above groupmap command with debug level of 3 gives:

----
param/loadparm.c:lp_load(3917)
  lp_load: refreshing parameters
param/loadparm.c:init_globals(1303)
  Initialising global parameters
param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/h/SMBSVR/cfg/smb.conf"
param/loadparm.c:do_section(3420)
  Processing section "[global]"
lib/interface.c:add_interface(79)
  added interface ip=172.31.4.133 bcast=172.31.4.143 nmask=255.255.255.240
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=4294967295))]
lib/smbldap.c:smbldap_open_connection(623)
  smbldap_open_connection: connection opened
lib/smbldap.c:smbldap_connect_system(785)
  ldap_connect_system: succesful connection to the LDAP server
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=4294967295))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=4294967295))]
<< the above 4 lines repeat 10 more times >>
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=4294967295))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=201))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=201))]
utils/net.c:main(758)
  return code = -1
No rid or sid specified, choosing algorithmic mapping
adding entry for group LOTR+fairfolk failed!
----

Other tidbits:

----
Using the previous example, "getent group LOTR+fairfolk" returns a group id of 11959.
"getent group elves" returns a group id of 201.
"/usr/bin/id -a LOTR+sampleuser" gives correct user and full group list.
"getent passwd LOTR+sampleuser" and "getent group | grep sampleuser" give user info and all groups.
/etc/group contains the elves group with a group id of 201.
"net groupmap list" returns nothing (debug > 2 shows "ldapsam_setsampwent: 0 entries in the base!").
----

Samba compilation performed using the flags:

----
--with-ads --with-ldap --with-included-popt --with-winbind
--with-winbind-auth-challenge --with-pam --with-ldapsam --with-acl-support
----

smb.conf contains:

----
ldap admin dn = "cn=smbldapuser,ou=user,dc=lan,dc=subd,dc=dom,dc=com"
ldap server = globalsvr.lan.subd.dom.com
ldap port = 8001
ldap suffix = "ou=idmap,dc=lan,dc=subd,dc=dom,dc=com"
ldap ssl = no
ldap filter = "(&(uid=%u) (objectclass=sambaAccount))"
winbind separator = +
idmap backend = ldap:ldap://globalsvr.lan.subd.dom.com:8001
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /USERS/global/%U
template shell = /bin/ksh
workgroup = LOTR
server string = smbdev
security = ads
encrypt passwords = yes
password server = activedsvr.lan.subd.dom.com
client use spnego = yes
log file = /SMBSVR/var/log.%m
max log size = 5000
realm = LOTR.REF.DOMAIN.COM
socket options = TCP_NODELAY
socket options = TCP_NODELAY
local master = no
dns proxy = yes
inherit permissions = no
create mask = 0774
force create mode = 0000
security mask = 0774
force security mode = 0000
directory mask = 0775
force directory mode = 0000
directory security mask = 0775
force directory security mode = 0000

[homes]
comment = Home Directories
path = /users/%S
browseable = no
writable = yes
only user = yes

[global_data]
comment = Global Data share
browseable = yes
path = /globaldata
read only = no
public = yes
----

ldap.conf contains:

----
host activedsvr.lan.subd.dom.com
base dc=lan,dc=subd,dc=dom,dc=com
scope sub
nss base passwd dc=lan,dc=subd,dc=dom,dc=com?sub
nss base shadow dc=lan,dc=subd,dc=dom,dc=com?sub
nss group dc=lan,dc=subd,dc=dom,dc=com?sub
----

Pre-Thanks for whatever help or suggestions you can give,

john
Klinger, John (N-CSC)
2003-Dec-16 16:10 UTC
[Samba] RE: Secondary Groups and Group Mapping
Okay, we have the "net groupmap" command running without errors. We had to add the unixgroup/gid to both the /etc/group file and samba's openldap before groupmap would work without errors. I suspect that we could remove the dependence on /etc/group by modifying nsswitch.conf to add ldap for group resolution [currently just "files winbind" for passwd and group]. We'll be looking at that today.

However, after I established the groupmap, it still doesn't work as I expected. Using the example from my earlier post, if I log into Solaris with user1 that has "LOTR+fairfolk" as his primary group in AD, I thought Samba would translate that to the unix group "elves". What we are seeing is that if I log into Unix as this user and create a file, the group for that file is LOTR+fairfolk. An "id -a" lists "LOTR+fairfolk" in his groups, but not "elves". Furthermore, if I create another file owned by "user2:elves", I expected user1 to be able to access this due to the mapping. He can't; again it appears that Unix only sees him as belonging to "LOTR+fairfolk".

I've reread the documentation, and it appears my understanding of groupmap is correct. What am I missing here? What is groupmap supposed to do?

We've downloaded 3.0.1 with hopes it helps resolve these issues. We still have the above groupmap issues. We haven't tried the secondary group access yet.

john

-----Original Message-----
From: Klinger, John (N-CSC)
Sent: Monday, December 15, 2003 4:59 PM
To: 'samba@lists.samba.org'
Subject: Secondary Groups and Group Mapping
Klinger, John (N-CSC) wrote:
| The first issue deals with the file sharing. Even if a file gives
| full permission to one of a user's secondary groups, that user
| cannot access the file. The user can only access the file (or
| directory) if the file's group is the user's primary group. I've
| found several references on the web and in https://bugzilla.samba.org,
| which seem to indicate that the bug is fixed. However, we also tried
| this with 3.0.1rc2 and have the same problem; which makes us think
| it is a configuration error or something we haven't found
| related to nsswitch.

This is an open bug

  https://bugzilla.samba.org/show_bug.cgi?id=395

cheers, jerry

-----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
Gerald (Jerry) Carter wrote:
| This is an open bug
|
|   https://bugzilla.samba.org/show_bug.cgi?id=395
|
| cheers, jerry

Good news, Jerry; thanks for the reply.

This puts a large and noticeable kink in our architecture. What can we do to help get it resolved? Bug 395 references another link describing a similar problem on Solaris 9 with patch 112960-03. However, the problem exists for us on Solaris 8 without said patch series. We've successfully executed Samba using the same configuration files on a Debian and Red Hat 9 system built from scratch using the same Samba source. We were going to build on Solaris 9 in an attempt to narrow the problem when I received your reply.

Again, what can we do to support Samba and help hunt this down?

john
> -----Original Message-----
> From: Klinger, John (N-CSC)
> Sent: Friday, December 19, 2003 8:14 AM
>
> Again, what can we do to support Samba and help hunt this down?

I've now been tasked to work on this full time. Do you have any pointers or suggestions on what I should investigate first? I'll use 395 as a loose basis unless I hear otherwise (and look into the 3.0.2rc when it arrives).

thanks, john
Thank you for your response.

Bug 910 looks like a different issue.

We are using Samba on Solaris 8, with "security = ads", with AD running on a W2K server. We cannot access someone else's file on Solaris that is owned by a group that we are a member of, if that group is not our primary group.

example:

Given nsswitch.conf that has 2 lines modified for winbind:

  passwd: files winbind
  group:  files winbind

Given a file owned by user1:group2 such as the following:

  -rw-rw---- user1 group2 0 Jan 7 testfile.txt

And given user2 has a primary group of group1 and a secondary group of group2.

The following commands were executed on our smbdev platform, which contains the smb server.

  smbdev > su - user2
  Password:
  smbdev > id
  uid=1001(user2) gid=10001(group1)
  smbdev > id -a
  uid=1001(user2) gid=10001(group1) groups=10001(group1)
  smbdev > id -a user2
  uid=1001(user2) gid=10001(group1) groups=10002(group2)
  smbdev > getent group | grep user2
  group1:x:10001:user1,user2
  group2:x:10002:user1,user2
  smbdev > grep user2 /etc/group
  smbdev > wbinfo -r user2
  10002
  10001
  smbdev > groups
  group1
  smbdev > cat testfile.txt
  cat: cannot open testfile.txt
  smbdev > touch testfile
  smbdev > chgrp group2 testfile2
  chgrp: group2: Not owner
  smbdev > newgrp group2
  $ chgrp group2 testfile2
  $ ls -l testfile2
  -rw-r----- user2 group2 0 Jan 7 testfile2
  $exit
  smbdev >

At the initial su to user2, there is a lot of activity in the winbindd log with "log level = 10", but it only mentions the uid of 1001 and the gid of 10001. The secondary group is not mentioned in the log. If I add group2 to the /etc/group file, it works (as one would expect due to the nsswitch.conf settings).

I expect it is a problem in libnss_winbind.so.

john

> -----Original Message-----
> From: Hansjoerg Maurer [mailto:Hansjoerg.Maurer@dlr.de]
> Sent: Wednesday, January 07, 2004 12:05 AM
> To: Klinger, John (N-CSC)
> Cc: Gerald (Jerry) Carter
> Subject: Re: [Samba] Secondary Groups and Group Mapping
>
> Hi,
>
> this might be related to bug 910
> "domain admin rights only works for user, which primary group
> is domain admins"
> I submitted last week.
>
> Just for your information.
> If you want me to do some testing, just give me a note.
>
> Thank you
>
> Hansjörg
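The manual comparison in the session above (what "getent group" enumerates for user2 versus what the process actually holds) can be scripted. This is an added example, not from the thread or from Samba: it takes the text of "getent group" and the gid list a process received through the initgroups path (for example from "id -G", or the groups= field of "id -a") and prints every gid whose member field names the user but which the process never got; the sample input is constructed to mirror user2.

```shell
#!/bin/sh
# Added example (not from the thread). Compares NSS group enumeration
# ("getent group", which goes through nsswitch.conf including winbind)
# against the supplementary gid list a process actually received via the
# initgroups path. Any gid printed is a group that lists the user as a
# member but never reached the process: the symptom seen above, where
# user2 is enumerated in group2 but "id -a" shows only group1.

# expected_gids USER GETENT_OUTPUT
# Print the gid of every group whose member field names USER.
expected_gids() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { print $3; break }
        }'
}

# missing_groups USER GETENT_OUTPUT ACTUAL_GIDS
# Print every expected gid that is absent from ACTUAL_GIDS (a
# whitespace-separated list such as the output of "id -G USER").
missing_groups() {
    user=$1
    getent_out=$2
    actual=$3
    for gid in $(expected_gids "$user" "$getent_out"); do
        found=0
        for a in $actual; do
            [ "$a" = "$gid" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$gid"
    done
    return 0
}

# Constructed sample input mirroring the session in the thread: NSS
# enumeration lists user2 in group1 and group2, but the process only
# received gid 10001 (the primary group).
SAMPLE_GETENT='root:x:0:
group1:x:10001:user1,user2
group2:x:10002:user1,user2'
SAMPLE_ACTUAL='10001'

# Expected output: 10002 (group2 is enumerated but not applied).
missing_groups user2 "$SAMPLE_GETENT" "$SAMPLE_ACTUAL"

# Live use on the server (needs getent and an id that supports -G):
#   missing_groups user2 "$(getent group)" "$(id -G user2)"
```

An empty result after applying a fix (such as the libnss_winbind patch discussed later in the thread) confirms that the initgroups path now returns the same membership as enumeration.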
The problem was in the libnss_winbind.so code for Solaris 8. The wrapper function to initialize the secondary groups immediately returned without doing any work. As Jerry mentioned previously, this is already an open bug. I've submitted a patch to that bug report that adds the required functionality. See:

  https://bugzilla.samba.org/show_bug.cgi?id=395

As I stated in the bug report: Preliminary tests using this patch were completely successful. However, I'm going to be performing further tests to ensure there are no side effects that I have yet to find.

john

> -----Original Message-----
> From: Klinger, John (N-CSC)