Sojka Reinhard
2004-Jan-23 11:18 UTC
[Samba] 3.0.2rc1, LDAP, Solaris 9 and secondary group problem - Bug 395?
Hi,

we have tested Samba 3.0.0 and 3.0.1 with LDAP-Support (--with-ldap) on Solaris 8 and it worked fine. The machine authenticates against an OpenLDAP server. Patch 108993-23 is applied and we use native Sun LDAP client modules.

On Solaris 9 we ran into problems with secondary groups. Users cannot access files if the rights are based on a secondary group and if this information is stored on the LDAP server. Note that everything is ok with information from /etc/group and Unix authentication is working (login, id, groups, getent, ...). We are using the Sun LDAP client, Patch 112960-10.

It seems that Samba doesn't search the secondary groups on the LDAP server.

I'd like to ask if this is the same behaviour as described in https://bugzilla.samba.org/show_bug.cgi?id=395 . Or is this a different bug or some sort of misconfiguration? I am a bit confused by the bug report and the configuration of the server is a bit different:

* no winbind
* Sun LDAP client instead of nss_ldap from Padl
* no problem on Solaris 8 but on Solaris 9

I have a second question regarding the test program from Hansj?rg. The program compiles on Linux, but no success on Solaris. Is getgrouplist() available under Solaris? And if not, what is the replacement?

Thanks in advance,
Reinhard

--
Reinhard Sojka <reinhard.sojka@parlinkom.gv.at>
System- & Networkadmin
Parlamentsdirektion
+43 1 40110 2824
Jérôme Fenal
2004-Jan-23 14:21 UTC
[Samba] Re: 3.0.2rc1, LDAP, Solaris 9 and secondary group problem - Bug 395?
Sojka Reinhard wrote:
> Hi,
>
> we have tested Samba 3.0.0 and 3.0.1 with LDAP-Support (--with-ldap) on
> Solaris 8 and it worked fine.
> The machine authenticates against an OpenLDAP server. Patch 108993-23 is
> applied and we use native Sun LDAP client modules.
>
> On Solaris 9 we ran into problems with secondary groups. Users cannot
> access files if the rights are based on a secondary group and if this
> information is stored on the LDAP server.
> Note that everything is ok with information from /etc/group and Unix
> authentication is working (login, id, groups, getent, ...). We are using
> the Sun LDAP client, Patch 112960-10.

I had the same problem with Solaris 9 and Samba 3.0.?. Only W2K and WXP clients would have their secondary groups honoured, Win98 would not. This was in relation with login name case (i.e. Win98 would give it in UPPERCASE, no shouting here), and Win2K/XP in lowercase. And secondary groups would not be seen by Unix if unix login is lowercase, and tested login (from Samba) was uppercase.

Have a test right now, and tell us if it is the problem encountered (and give us the type of clients you have, and have tests on both W9x and WNT).

Simply test:

# id jerome
uid=1000(jerome) gid=513(domusers) groups=513(domusers),550(prtadmin),103(dsvi),102(susers),1000(ntadmin)
# id JEROME
uid=1000(jerome) gid=513(domusers) groups=513(domusers)

> It seems that Samba doesn't search the secondary groups on the LDAP server.

Was not Samba for me, it was Solaris. Posix in fact, as Linux shows the same behaviour.

Have a look at https://bugzilla.samba.org/show_bug.cgi?id=882. It's supposed to be corrected, but I could not have my customer to test it.

[snip] : can't help on getgrouplist

HTH,
Jérôme

--
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
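Added example, not part of the thread and not Samba code: the login-name case test from the message above, automated so it can be run for many accounts. It compares the groups `id` reports for each spelling of a login and lists the secondary groups one spelling loses; the function names and the `id_cmd` parameter are assumptions of this example, and the sample lines are the `id` outputs quoted in the message.

```python
import re
import subprocess

ENTRY = re.compile(r"\d+\(([^)]*)\)")  # one "gid(name)" entry

# id output quoted in the message above, keyed by the login name as typed.
SAMPLE = {
    "jerome": "uid=1000(jerome) gid=513(domusers) groups=513(domusers),"
              "550(prtadmin),103(dsvi),102(susers),1000(ntadmin)",
    "JEROME": "uid=1000(jerome) gid=513(domusers) groups=513(domusers)",
}

def parse_id_output(line):
    """Return the set of group names (primary + secondary) in one id line."""
    primary = re.search(r"\bgid=\d+\(([^)]*)\)", line).group(1)
    listed = re.search(r"\bgroups=(.*)", line)
    groups = set(ENTRY.findall(listed.group(1))) if listed else set()
    groups.add(primary)  # the primary group always applies
    return groups

def groups_lost_by_case(outputs):
    """Map each login spelling to the groups it lacks versus the other spellings."""
    parsed = {login: parse_id_output(line) for login, line in outputs.items()}
    union = set().union(*parsed.values())
    return {login: sorted(union - groups)
            for login, groups in parsed.items() if union - groups}

def live_outputs(login, id_cmd="id"):
    """Run id for the login as given, lowercased and uppercased."""
    results = {}
    for variant in sorted({login, login.lower(), login.upper()}):
        proc = subprocess.run([id_cmd, variant], capture_output=True, text=True)
        if proc.returncode == 0:
            results[variant] = proc.stdout.strip()
    return results

if __name__ == "__main__":
    for login, missing in groups_lost_by_case(SAMPLE).items():
        print(f"{login}: secondary groups not resolved: {', '.join(missing)}")
```

To check a live account, pass `live_outputs("edvtest", id_cmd="/usr/xpg4/bin/id")` to `groups_lost_by_case`; that path is the `id` binary used on Solaris elsewhere in this thread.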
Reinhard Sojka
2004-Jan-23 22:12 UTC
[Samba] Re: Re: 3.0.2rc1, LDAP, Solaris 9 and secondary group problem - Bug 395?
Hi Jerome,

thank you for your quick answer. Hope you can forgive me my not so quick response.

>Sojka Reinhard wrote:
>> Hi,
>>
>> we have tested Samba 3.0.0 and 3.0.1 with LDAP-Support (--with-ldap) on
>> Solaris 8 and it worked fine.
>> The machine authenticates against an OpenLDAP server. Patch 108993-23 is
>> applied and we use native Sun LDAP client modules.
>>
>> On Solaris 9 we ran into problems with secondary groups. Users cannot
>> access files if the rights are based on a secondary group and if this
>> information is stored on the LDAP server.
>> Note that everything is ok with information from /etc/group and Unix
>> authentication is working (login, id, groups, getent, ...). We are using
>> the Sun LDAP client, Patch 112960-10.

>I had the same problem with Solaris 9 and Samba 3.0.?.
>Only W2K and WXP clients would have their secondary groups honoured,
>Win98 would not.
>This was in relation with login name case (i.e. Win98 would give it in
>UPPERCASE, no shouting here), and Win2K/XP in lowercase. And secondary
>groups would not be seen by Unix if unix login is lowercase, and tested
>login (from Samba) was uppercase.
>Have a test right now, and tell us if it is the problem encountered (and
>give us the type of clients you have, and have tests on both W9x and WNT).

We use W2K clients at the moment.

>Simply test :
># id jerome
>uid=1000(jerome) gid=513(domusers)
>groups=513(domusers),550(prtadmin),103(dsvi),102(susers),1000(ntadmin)
># id JEROME
>uid=1000(jerome) gid=513(domusers) groups=513(domusers)

# /usr/xpg4/bin/id edvtest
uid=1520(edvtest) gid=150(edv) groups=10(staff),157(et),136(eppo_apl),100(dba),5831(caddy),
# /usr/xpg4/bin/id EDVTEST
uid=1520(edvtest) gid=150(edv)

Same result in Solaris 8 and Solaris 9, but as you have mentioned above, this should be no problem with W2K clients.

The problem is that Samba (and Windows) can see the secondary groups on a PDC with Solaris 8, but these groups can't be seen on a PDC with Solaris 9.

For testing purposes, we switched back to the Solaris 8 machine and everything is fine. Same smb.conf, same user, same LDAP server and database, etc. and it worked.

I think my problem is more like this one
http://lists.samba.org/archive/samba-technical/2003-December/033162.html
same thread but more interesting
http://lists.samba.org/archive/samba-technical/2003-December/033482.html

The only difference I see to my configuration is Samba 2.2.8a instead of 3.0.x

>> It seems that Samba doesn't search the secondary groups on the LDAP server.

>Was not Samba for me, it was Solaris. Posix in fact, as Linux shows the
>same behaviour.

You are right and I was unclear. Let's try it this way: It seems to me that Samba can't motivate Solaris 9 to search for secondary groups on the LDAP server.

>Have a look at https://bugzilla.samba.org/show_bug.cgi?id=882.
>It's supposed to be corrected, but I could not have my customer to test it.

I will give it a try with my Laptop as soon as I have a working installation :)

>[snip] : can't help on getgrouplist

>HTH,
>Jérôme

Thank you,
Reinhard

--
mailto:reinhard.sojka@parlinkom.gv.at