Brian H. Nelson
2013-Sep-11 18:20 UTC
[Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups
I'm trying to solve this issue I'm having where using 'valid users = +unixgroup' just plain doesn't work. I can't find any /documented/ reason why this is so, but nevertheless, it seems to be the case. This is with samba 3.6.18, but seems to exist in all of 3.6.x and most or all of 3.5.x and perhaps earlier as well (see bug #6681).

From what I can tell, the underlying reason it doesn't work is because create_local_nt_token_from_info3 doesn't seem to populate the user's token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm not sure exactly why this is the case; the code is a bit complicated.

Ironically, if the user is explicitly mapped (username map in smb.conf) then it *does* work. This seems to be because an explicitly-mapped user will follow a different code path and end up using create_token_from_username which /does/ pull local UNIX groups.

I don't understand why there is a difference in behavior between explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name maps to local user 'name' via idmap_nss, or some other facility). I would think that either case should ultimately end with the same result.

This seems like a very major and long-standing problem to just be a bug. As such I feel like I'm missing something. Can a dev or somebody with a better understanding of the code fill me in?

Here are some reference links that sound related:
https://bugzilla.samba.org/show_bug.cgi?id=6681
http://marc.info/?l=samba&m=135879161014066&w=2
http://marc.info/?l=samba&m=120886782118153&w=2

Thanks,
Brian

--
----------------------------------------
Brian H. Nelson
Data Security Analyst I
IT Infrastructure Engineering
Youngstown State University
bhnelson[at]ysu[dot]edu
----------------------------------------
Brian H. Nelson
2013-Sep-12 15:00 UTC
[Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups
According to the smb.conf man page, using @group is equivalent to &+group where '&' means check it as an NIS netgroup and '+' means check it as a local UNIX group. Just +group should be what I want (I'm not using NIS) but I admit I haven't tested much with @group.

Another interesting facet is that the RHEL-provided samba builds *do not* exhibit the problem I'm seeing. They bundle in a number of patches. Apparently one (or more) of them is changing this specific behavior.

Brian

On 9/11/2013 3:18 PM, Brian Cuttler wrote:
> I thought it was "@group" rather than "+group" in the
> samba.conf share definition...
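To make the two points in this thread concrete, here is an added Python model (not Samba's code, and not how smbd is implemented) of how a 'valid users' entry is decided against the SIDs in a user's token. It uses the Unix SID forms the thread mentions (S-1-22-1-<uid> for local users, S-1-22-2-<gid> for local groups) and the '+', '&' and '@' prefixes as the smb.conf man page describes them ('@group' being '&+group'). The passwd, group and netgroup tables are constructed sample data; the `include_supplementary=False` switch is an assumption that reproduces the symptom reported above, a token that carries the primary group SID but none of the user's supplementary UNIX group SIDs.

```python
"""Model of 'valid users' evaluation against a Samba NT token (added example)."""

UNIX_USER_SID = "S-1-22-1-{uid}"    # Samba's well-known SID for a local Unix uid
UNIX_GROUP_SID = "S-1-22-2-{gid}"   # Samba's well-known SID for a local Unix gid

# Constructed sample NSS data (not from any real system).
PASSWD = {"alice": {"uid": 1001, "gid": 100},     # primary group 'users'
          "bob":   {"uid": 1002, "gid": 100}}
GROUP = {"users":   {"gid": 100,  "members": []},
         "finance": {"gid": 2001, "members": ["alice"]}}  # supplementary group
NETGROUP = {"finance-ng": {"bob"}}   # constructed NIS-style netgroup


def unix_group_sids(user, include_supplementary=True):
    """Return the Unix user and group SIDs a complete token would hold.

    include_supplementary=False models the bug from the thread: the token
    ends up with only the uid SID and the primary gid SID, so any
    'valid users = +group' test for a supplementary group fails.
    """
    pw = PASSWD[user]
    sids = {UNIX_USER_SID.format(uid=pw["uid"]),
            UNIX_GROUP_SID.format(gid=pw["gid"])}
    if include_supplementary:
        for g in GROUP.values():
            if user in g["members"]:
                sids.add(UNIX_GROUP_SID.format(gid=g["gid"]))
    return sids


def in_unix_group(token_sids, name):
    """'+name': the group's S-1-22-2-<gid> SID must be present in the token."""
    g = GROUP.get(name)
    return g is not None and UNIX_GROUP_SID.format(gid=g["gid"]) in token_sids


def in_netgroup(user, name):
    """'&name': NIS netgroup membership (constructed table here)."""
    return user in NETGROUP.get(name, set())


def expand_prefixes(entry):
    """Split a valid-users entry into (check order, name); '@g' means '&+g'."""
    if entry.startswith("@"):
        return "&+", entry[1:]
    prefix = ""
    while entry and entry[0] in "+&":
        prefix += entry[0]
        entry = entry[1:]
    return prefix, entry


def valid_users_allows(spec, user, token_sids):
    """Evaluate a whitespace-separated 'valid users =' value for one user."""
    for entry in spec.split():
        prefix, name = expand_prefixes(entry)
        if not prefix:                       # plain user name
            if name == user:
                return True
            continue
        for check in prefix:                 # checks run in the written order
            if check == "+" and in_unix_group(token_sids, name):
                return True
            if check == "&" and in_netgroup(user, name):
                return True
    return False


if __name__ == "__main__":
    full = unix_group_sids("alice")
    broken = unix_group_sids("alice", include_supplementary=False)
    print("complete token:", valid_users_allows("+finance", "alice", full))
    print("token missing supplementary groups:",
          valid_users_allows("+finance", "alice", broken))
```

Run as a script it prints `True` for the complete token and `False` for the token that lacks the supplementary group SID, which is the behaviour the thread describes: the share rule is correct, but the decision is made against a token that never received S-1-22-2-2001.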
Brian H. Nelson
2013-Oct-03 14:37 UTC
[Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups
Can anyone with knowledge about this issue offer any comment? Somebody has to have an idea about it, good or bad.

Thanks,
Brian

On 9/11/2013 2:20 PM, Brian H. Nelson wrote:
> I'm trying to solve this issue I'm having where using 'valid users =
> +unixgroup' just plain doesn't work. I can't find any /documented/
> reason why this is so, but nevertheless, it seems to be the case. This
> is with samba 3.6.18, but seems to exist in all of 3.6.x and most or
> all of 3.5.x and perhaps earlier as well (see bug #6681).
>
> From what I can tell, the underlying reason it doesn't work is because
> create_local_nt_token_from_info3 doesn't seem to populate the user's
> token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm
> not sure exactly why this is the case; the code is a bit complicated.
>
> Ironically, if the user is explicitly mapped (username map in
> smb.conf) then it *does* work. This seems to be because an
> explicitly-mapped user will follow a different code path and end up
> using create_token_from_username which /does/ pull local UNIX groups.
>
> I don't understand why there is a difference in behavior between
> explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name
> maps to local user 'name' via idmap_nss, or some other facility). I
> would think that either case should ultimately end with the same result.
>
> This seems like a very major and long-standing problem to just be a
> bug. As such I feel like I'm missing something. Can a dev or somebody
> with a better understanding of the code fill me in?
>
> Here are some reference links that sound related:
> https://bugzilla.samba.org/show_bug.cgi?id=6681
> http://marc.info/?l=samba&m=135879161014066&w=2
> http://marc.info/?l=samba&m=120886782118153&w=2
>
> Thanks,
> Brian