Francois Toussenel
2006-Oct-26 17:38 UTC
[Samba] Wrong groups with 'wbinfo -r user' but right groups with 'id user'
Hello,

Using samba 3.0.23c on Debian 3.1 (package version 3.0.23c-1~bpo.1 from sarge-backports) or version 3.0.14a (package version 3.0.14a-3sarge2 from sarge), I experience the following problem on a file server on a Windows 2003 domain with Active Directory.

Some test user can access group shares of groups he is not in, or cannot access group shares of groups he is in.

The output of the following 2 commands shows different group IDs:

    wbinfo -r 'DOMAIN\test_user'
    id 'DOMAIN\test_user'

The first command shows a total of 30 GIDs, some of which are correct and some are not. The second command shows 14 groups, all of which seem to be correct (except that using version 3.0.23c from the backports, I get a spurious GID which does not have a group name, but this might be a side issue).

Another test I ran was the command id (without arguments) after "su - 'DOMAIN\test_user'". This also shows 30 groups, as with the first command.

It seems to me that my problem might not be really similar to the problem(s) described in those 2 messages:

http://lists.samba.org/archive/samba/2006-September/125643.html
http://lists.samba.org/archive/samba/2006-October/126101.html

Indeed, in those messages, there is only one group listed by the second command. I also have this kind of result with a certain smb.conf configuration (I think it is the case when I comment out the variable "winbind enum groups").

Here are some parts of my smb.conf file:

    winbind cache time = 300
    security = ads
    domain master = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    winbind use default domain = no
    winbind trusted domains only = no
    restrict anonymous = 2
    winbind nested groups = yes
    auth methods = winbind
    winbind enum users = yes
    winbind enum groups = yes

Also, when I tried samba version 3.0.23c, I also had this line:

    idmap backend = ad

My /etc/nsswitch.conf file contains those lines, among others:

    passwd: compat winbind
    group: compat winbind
    shadow: compat

Does anyone have an idea about the cause of this problem?

Regards,
Francois.
Peter Trifonov
2006-Oct-27 07:06 UTC
[Samba] Wrong groups with 'wbinfo -r user' but right groups with 'id user'
Hi,

> The first command shows a total of 30 GIDs, some of which are
> correct and some are not. The second command shows 14
> groups, all of which seem to be correct (except that using
> version 3.0.23c from the backports, I get a spurious GID
> which does not have a group name, but this might be a side issue).
>
> Another test I ran was the command id (without arguments)
> after "su - 'DOMAIN\test_user'". This also shows 30 groups,
> as with the first command.
>
> It seems to me that my problem might not be really similar to the
> problem(s) described in those 2 messages:
> http://lists.samba.org/archive/samba/2006-September/125643.html
> http://lists.samba.org/archive/samba/2006-October/126101.html
>
> Indeed, in those messages, there is only one group listed by
> the second command. I also have this kind of result with a
> certain smb.conf configuration (I think it is the case when I
> comment out the variable "winbind enum groups").

I have just tried enabling "winbind enum groups" (WEG) and got exactly the same behaviour as you have described. Namely:

1. wbinfo -r shows spurious GID (both with WEG=yes and WEG=no)
2. id shows all groups with WEG=yes and only "Domain Users" with WEG=no
3. If WEG=yes, the user can access a directory of his group, but with WEG=no this is not possible.

I did not see incorrect group membership, but this is probably because there are not so many groups in my setup.

I have 2 domain controllers in my network, one Win2K and one W2003. netstat shows that ldap and microsoft-ds sessions are established with W2003 server.

With best regards,
P. Trifonov
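
The comparison both posts make by hand (wbinfo -r against id) can be scripted so that every GID reported by only one source is listed. This is an added example, not part of either post: the function names are hypothetical, the default range is taken from the "idmap gid" line quoted above, and the sample GID lists are constructed.

```shell
#!/bin/sh
# Added example: compare winbind's GID list with the NSS GID list for one user.
# Range defaults follow the "idmap gid = 10000-20000" line quoted in the thread.
IDMAP_LOW=${IDMAP_LOW:-10000}
IDMAP_HIGH=${IDMAP_HIGH:-20000}

# Read GIDs separated by spaces, tabs, commas or newlines; print one per line,
# numerically sorted, with duplicates and non-numeric tokens dropped.
normalize_gids() {
    tr -s ' \t,' '\n\n\n' | grep -E '^[0-9]+$' | sort -n -u
}

# gid_diff "<wbinfo -r output>" "<id -G output>"
# Prints one line for every GID that appears in only one of the two lists.
gid_diff() {
    wb=$(printf '%s\n' "$1" | normalize_gids)
    ns=$(printf '%s\n' "$2" | normalize_gids)
    for g in $wb; do
        printf '%s\n' "$ns" | grep -qx "$g" || echo "wbinfo-only $g"
    done
    for g in $ns; do
        printf '%s\n' "$wb" | grep -qx "$g" && continue
        if [ "$g" -lt "$IDMAP_LOW" ] || [ "$g" -gt "$IDMAP_HIGH" ]; then
            echo "id-only $g (outside idmap gid range)"
        else
            echo "id-only $g"
        fi
    done
}

# check_user 'DOMAIN\user': run both commands on a live winbind host, then list
# GIDs from either source that resolve to no group name.
check_user() {
    wb_raw=$(wbinfo -r "$1") || return 1
    ns_raw=$(id -G "$1") || return 1
    gid_diff "$wb_raw" "$ns_raw"
    for g in $(printf '%s\n%s\n' "$wb_raw" "$ns_raw" | normalize_gids); do
        getent group "$g" >/dev/null || echo "unnamed $g"
    done
}

if [ -n "${1:-}" ]; then
    check_user "$1"
else
    # Constructed sample lists, not real output from the poster's server.
    gid_diff "10001 10002 10007 10013" "10001 10002 10005 100"
fi
```

A "wbinfo-only" line is a membership winbind asserts that NSS does not report, which is the kind of mismatch behind the share-access symptom in the first message; an "unnamed" line corresponds to the GID without a group name mentioned there.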