I was wondering if anyone else is having issues with supplementary groups not being recognized. It seems as if Samba is ignoring the sup.groups. I'm using RH9.0 on Intel with samba-3.0.0-2_rh9 and OpenLDAP 2.0.27. When I do an "id -a username" the user is in all the necessary groups, but when accessing shares only the user's primary GID is used.

For example,

uid=1001(jgray) gid=512(domainadmin) groups=512(domainadmin),0(root),513(domainusers),1536(SpiderAdmin)

can only access shares that are defined this way:

drwxrwx--- 2 jgray domainusers 48 Feb 5 18:12 test

But not this way

drwxrwx--- 2 root domainusers 48 Feb 5 18:12 test

The user jgray should have access to the share as either root or domainuser but cannot. User jgray can only access if ownership is either jgray or part of group domainadmin.

Thanks,

Jason

Hi, All

> I was wondering if any one else is having issues with supplementary groups
> not being recognized. It seems as if Samba is ignoring the sup.groups. I'm
> using RH9.0 on Intel with samba-3.0.0-2_rh9 and OpenLDAP 2.0.27. When I do
> a "id -a username" the user is in all the necessary groups but when
> accessing shares the users' primary GID is used only.

I have the same problem using
samba 3.0.2a
SUN Solaris-9
SUN One Directory Server 5.2

Supplementary groups are recognized quite correctly under the unix shell environment, but samba can recognize them only from the /etc/group file, ignoring the content of /etc/nsswitch.conf.

Is it a bug or a samba-3.* feature?

> For example,
>
> uid=1001(jgray) gid=512(domainadmin)
> groups=512(domainadmin),0(root),513(domainusers),1536(SpiderAdmin)
>
> can only access shares that are defined this way:
>
> drwxrwx--- 2 jgray domainusers 48 Feb 5 18:12 test
>
> But not this way
>
> drwxrwx--- 2 root domainusers 48 Feb 5 18:12 test
>
> The user jgray should have access to the share as either root or domainuser
> but cannot. user jgray can only access if ownership is either jgray or part
> of group domainadmin.
>
> Thanks,
>
>
> Jason

--
Dmitry Monakhov
System Administrator
Open Technologies, tel: +7(095)787-7027
e-mail: monakhv@ot.ru, http://www.ot.ru/

> -----Original Message-----
> From: Dmitry Monakhov
> To: Jérôme Fenal
> Cc: samba@lists.samba.org
> Sent: 2/24/2004 3:43 PM
> Subject: Re: [Samba] Re: Supplementary Group Issues
>
> Test user login name is ssi
>
> The output of id -a ssi command is
>
> uid=225(ssi) gid=1(other) groups=112(support),1000(users)
>
> Nevertheless samba has found only 1 group (gid=1)

Ok, I don't see anything besides the following:

Define the right suffixes and ous (should be People&Group in Solaris 9):

ldap suffix = o=ot.ru,o=ot
ldap user suffix = ou=People
ldap group suffix = ou=Group

Try to remove:

ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

to get the default:

(uid=%u)

Also double check that the SIDs for your groups are derived from the domain's one.

Last thing, I remember having seen some problems with Solaris 9 nss_ldap client due to Sun patches on the list this or last month. The bug seems to be from Sun's fault.

See:
http://marc.theaimsgroup.com/?l=samba&m=107636136823095&w=2
and bug 395 (https://bugzilla.samba.org/show_bug.cgi?id=395).
Please test the program in comment #19 and report.

Regards,

J.

Hi Dmitry, hi Jerome,

as I am having the same problem with native Sun nss_client, I'd like to jump here in the thread.

>> Last thing, I remember having seen some problems with Solaris 9
>> nss_ldap client due to Sun patches on the list this or last month.
>> The bug seems to be from Sun's fault.

it was me

> Ok. I knew it. So, I'm using nss_ldap-211 from padl.com and it is
> definitely working good within Unix framework (id -a, ls -l... show
> right information). However according to the LDAP SERVER log file
> samba even do not request for supplementary groups. By the way samba
> log file level 10 I sent you also do not show any requests to LDAP for
> supplementary groups.

This behaviour is identical to my experiences with native Solaris 9 nss_ldap. In my understanding, Samba requests supplementary group information from Solaris, and Solaris has to request this information from the LDAP server (after checking nsswitch.conf). If you have a working and a non-working system, the difference can be seen easily in the LDAP server logs. Note that /etc/group works.

We bypass this problem for the first time by using Patch-ID 112960-03. BTW, Patch-ID 112960-11 (Feb/23/2004) doesn't help either.

>> http://marc.theaimsgroup.com/?l=samba&m=107636136823095&w=2
>> and bug 395 (https://bugzilla.samba.org/show_bug.cgi?id=395).
>> Please test the program in comment #19 and report.

I would also be willing to test and report, but the program doesn't compile in Solaris. AFAIR the program was written for Linux. Anyway, Solaris doesn't provide getgrouplist().

Can anybody provide me with workarounds or hints?

Cheers,
Reinhard

--
Reinhard Sojka <reinhard.sojka@parlinkom.gv.at>
System- & Networkadmin
Parlamentsdirektion
+43 1 40110 2824
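
The last message notes that Solaris has no getgrouplist(). As an added example (not part of the thread, and not the test program from bug 395), this C program builds a user's group list using only setgrent()/getgrent()/endgrent(), which exist on both Solaris and Linux; the function name enum_grouplist and the 64-entry buffer are assumptions of the example.

```c
#define _XOPEN_SOURCE 500
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Added example; enum_grouplist() is a hypothetical name, not a libc call.
 * getgrent() is resolved through nsswitch.conf, so LDAP-backed groups show
 * up only if NSS returns them. Returns gid count, or -1 if max too small. */
int enum_grouplist(const char *user, gid_t primary, gid_t *out, int max)
{
    struct group *gr;
    char **m;
    int n = 0, i, full = 0;
    if (max < 1)
        return -1;
    out[n++] = primary;                 /* primary gid always comes first */
    setgrent();
    while (!full && (gr = getgrent()) != NULL) {
        for (m = gr->gr_mem; m != NULL && *m != NULL; m++) {
            if (strcmp(*m, user) != 0)
                continue;
            for (i = 0; i < n && out[i] != gr->gr_gid; i++)
                ;                       /* is this gid already recorded? */
            if (i == n && n == max)
                full = 1;               /* caller's buffer is exhausted */
            else if (i == n)
                out[n++] = gr->gr_gid;
            break;                      /* one match per group is enough */
        }
    }
    endgrent();
    return full ? -1 : n;
}

int main(int argc, char **argv)
{
    gid_t gids[64];                     /* 64 is an arbitrary example limit */
    struct passwd *pw;
    int n, i;
    if (argc != 2 || (pw = getpwnam(argv[1])) == NULL) {
        fprintf(stderr, "usage: %s <existing-user>\n", argv[0]);
        return 2;
    }
    n = enum_grouplist(argv[1], pw->pw_gid, gids, 64);
    for (i = 0; i < n; i++)
        printf("%s%lu", i ? "," : "groups=", (unsigned long)gids[i]);
    printf("\n");
    return n < 0;
}
```

Run it with a login name and compare the result with "id -a" for the same user: a gid that "id -a" lists but this program omits means group enumeration through NSS is not returning that group on this host.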