samba - Apr 2004 - Bug in "force group" parameter, or group membership checking?

Hello,
I have the following situation:
Samba with ldap passdb backend.
In my setup I have a group called exact:
------------
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: exact
gidNumber: 1000
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
sambaGroupType: 4
memberUid: gerrit,piet,hornie
------------
maps to the unix group exact:
exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact

/etc/group:
exact:x:1000:


Users gerrit,piet and hornie can't use the share exact unless I specify
the parameter : force group = exact : (smb.conf entry):
[exact]
        path = /shares/exact
        browseable = no
        read only = no
        force group = exact

If I don't specify force group = exact , apparently the authorized users
(gerrit, piet and hornie) connect as members of their default group,
being "Domain Users" and they aren't allowed anyhting on the share
exact.
permissions on this share exact:
# file: shares/exact
# owner: root
# group: exact
user::rwx
group::rwx
group:exact:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:exact:rwx
default:mask::rwx
default:other::---

So I take it that there is no checking whether a user that tries to
connect to a share is , besides it's default group, the user connects
with, allso member of the group that is auhorized to connect to
that share, in this case being the group exact, so I have to set
force group = exact , so a user that connects to that share, 
connects with default group exact , and is allowed to access the
share and do it's thing. But apparently there is no checking whether
that user is actually a member of that group , because when I connect
as a completely different user, not at all listed in the group exact as a
member , I get full access allso. Now I add the parameter :
valid users = @exact

to that entry in the smb.conf, but than not one user can connect anymore,
allso not the users that are listed in the groupparameters as being a member
of that group.

Where is it going wrong?
When I make the default group of the users that are allowed to access the 
share exact , members of the group exact, there is no problem, than they
are recognized as being members of the group exact and get access, when
exact is not their default group , but just one of the groups they are allso a 
member of, there is no way to grant them access , without granting evryone
access.

TIA

Wim bakker

On Saturday 17 April 2004 20:21, Wim Bakker wrote:
> So I take it that there is no checking whether a user that tries to
> connect to a share is , besides it's default group, the user connects
> with, allso member of the group that is auhorized to connect to
> that share, in this case being the group exact, so I have to set
> force group = exact , so a user that connects to that share,
> connects with default group exact , and is allowed to access the
> share and do it's thing. But apparently there is no checking whether
> that user is actually a member of that group , because when I connect
> as a completely different user, not at all listed in the group exact as a
> member , I get full access allso. Now I add the parameter :
> valid users = @exact
Wrong , it is being checked but what is being checked?
Output from log:
[2004/04/17 21:08:35, 2] lib/access.c:check_access(324)
  Allowed connection from  (10.0.0.10)
[2004/04/17 21:08:35, 10] lib/username.c:user_in_list(521)
  user_in_list: checking user gerrit in list
[2004/04/17 21:08:35, 10] lib/username.c:user_in_list(525)
  user_in_list: checking user |gerrit| against |@exact|
[2004/04/17 21:08:35, 5] lib/username.c:user_in_netgroup_list(310)
  Unable to get default yp domain
[2004/04/17 21:08:35, 2] smbd/service.c:make_connection_snum(391)
  user 'gerrit' (from session setup) not permitted to access this share 
(exact)
[2004/04/17 21:08:35, 3] smbd/error.c:error_packet(134)

What is this "Unable to get default yp domain" doing?

TIA
Wim Bakker