samba - Aug 2010 - samba 3.4.8 / solaris / unix secondary groups

samba-3.4.8 built under solaris_10 (--with-krb5=/usr/local/lib --with-ads
--with-ldap); on my test server it runs flawlessly; however on the
production server, there is a big exception:  users' secondary group
memberships are not honored.

relevant portions of smb.conf (the same on both servers, save for the ip
addys) are as follows:

[global]
workgroup = WORKGROUP
netbios name = BLABLA
server string = SAMBA
bind interfaces only = True
interfaces = bge0 199.99.99.99
deadtime = 20
debug level = 2
security = user
password level = 8
encrypt passwords = yes
socket options = TCP_NODELAY
follow symlinks = yes
wide links = yes
unix extensions = no
[stuff]
comment = stuff...
path = /vol1/stuff
read only = No
create mask = 0777
directory mask = 0777
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
map archive = No
map readonly = permissions

again, same samba version, built against the same libraries in the same
way with the same config file in both cases.  any one with an idea how i
might make this work?  many thanks in advance!!

-joe

Are they both using the same backend?  Is the group mapping set up correctly

#net groupmap list

Also you can use samba "net" command to verify  user's group list,
and a
group's user list.


# net rpc group members some group  -S yourserver -U Administrator
# net rpc user info someuser  -S yourserver -U Administrator


Those commands might indicate if group mapping is not working.


On 08/20/2010 12:40 PM, Joe Cammisa wrote:
> samba-3.4.8 built under solaris_10 (--with-krb5=/usr/local/lib --with-ads
> --with-ldap); on my test server it runs flawlessly; however on the
> production server, there is a big exception:  users' secondary group
> memberships are not honored.
>
> relevant portions of smb.conf (the same on both servers, save for the ip
> addys) are as follows:
>
> [global]
> workgroup = WORKGROUP
> netbios name = BLABLA
> server string = SAMBA
> bind interfaces only = True
> interfaces = bge0 199.99.99.99
> deadtime = 20
> debug level = 2
> security = user
> password level = 8
> encrypt passwords = yes
> socket options = TCP_NODELAY
> follow symlinks = yes
> wide links = yes
> unix extensions = no
> [stuff]
> comment = stuff...
> path = /vol1/stuff
> read only = No
> create mask = 0777
> directory mask = 0777
> inherit permissions = Yes
> inherit acls = Yes
> map acl inherit = Yes
> map archive = No
> map readonly = permissions
>
> again, same samba version, built against the same libraries in the same
> way with the same config file in both cases.  any one with an idea how i
> might make this work?  many thanks in advance!!
>
> -joe
>
>

hi,

some years ago I had a similar problem with Solaris 9 and Samba 3.0.x. 
The reason was some sort of incompatibility between OpenLDAP's libldap 
and Sun's libsldap, can't remember the exact details. Anyway the 
behavior of Solaris 9 in honoring secondary groups was dependent on the 
patch level, and the whole issue was resolved with a patch from Sun.
Are you sure that both servers are on the same patch level? Check 
/etc/release and the patches for LDAP on both systems, maybe you can 
find a difference that explains this behavior.

kind regards,
Reinhard

Joe Cammisa wrote:
> samba-3.4.8 built under solaris_10 (--with-krb5=/sr/local/lib --with-ads
> --with-ldap); on my test server it runs flawlessly; however on the
> production server, there is a big exception:  users' secondary group
> memberships are not honored.
>
> >
> >
>
> again, same samba version, built against the same libraries in the same
> way with the same config file in both cases.  any one with an idea how i
> might make this work?  many thanks in advance!!
>
> -joe
>
>
>