After kudos, time comes again with problems.
This time, still on the same setup as before:
- Linux PDC with ldapsam, running RH9, OpenLDAP 2.0.27 (stock RH9 RPM + Solaris RootDSE patch), Samba 3.0.1rc1 recompiled from SRPM;
- Linux BDC is the same;
The PDC and BDC are working OK, so I won't include the smb.conf from these.
- Solaris 9 domain member (jersey) gets Posix accounts from the OpenLDAP directory, Samba 3.0.1rc1 (home recompiled with nearly the same conf options as for Linux) is joined to the domain.
On the Solaris server, there is a share defined as follows:
[global]
unix charset = CP850
workgroup = DOMAIN
server string = Jersey
security = DOMAIN
username level = 5
log level = 10
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
domain master = No
wins server = 172.17.0.1
admin users = root
mangle case = Yes
hide dot files = No
fake oplocks = Yes
[dsvi]
comment = Dossier commun DSVI
path = /d2/dsvi
valid users = +dsvi
force group = dsvi
read only = No
create mask = 0774
directory mask = 0775
force directory mode = 0774
User defined in Unix as follows (Linux id command, from LDAP info):
# id jerome
uid=1000(jerome) gid=513(domusers) groups=513(domusers),550(prtadmin),103(dsvi),102(susers)
In LDAP:
$ ldapsearch -h localhost -D 'cn=Manager,dc=domain,dc=com' -x '(uid=jerome)' -W -LLL
Enter LDAP Password: ********
dn: uid=jerome, ou=INFORMATIQUE, ou=Paris, ou=People, dc=domain,dc=com
sambaLMPassword: xxxxxxx
displayName:: SsOpcsO0bWUgRmVuYWw=
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
shadowLastChange: 12391
sambaHomeDrive: H:
uid: jerome
uidNumber: 1000
cn: jerome
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1069436848
loginShell: /bin/bash
sambaAcctFlags: [UX]
sambaNTPassword: xxxxxxxx
sambaPwdCanChange: 1066406719
sambaSID: S-1-5-21-1150874807-1180408084-429402335-3000
gecos: Jerome Fenal
description:: SsOpcsO0bWUgRmVuYWw=
homeDirectory: /home/jerome
sambaKickoffTime: 2147483647
sn: jerome
sambaHomePath: \\theviec\homes
sambaPwdMustChange: 2147483647
sambaLogonScript: login\jerome.bat
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-1150874807-1180408084-429402335-513
userPassword:: xxxxxxxxx
sambaLogonTime: 0
Secondary groups are mapped:
- dsvi (S-1-5-21-1150874807-1180408084-429402335-1207) -> dsvi
- susers (S-1-5-21-1150874807-1180408084-429402335-1205) -> susers
- Domain Users (S-1-5-21-1150874807-1180408084-429402335-513) -> domusers
- Printer Operators (S-1-5-21-1150874807-1180408084-429402335-550) -> prtadmin
Note that the group asked to connect to the \\jersey\dsvi share is a secondary group for the user.
Now, to the problem:
- if connecting from a WinXP client, no problem, netlogin goes ok, and the share \\jersey\dsvi is mounted from the login script (net use g: \\jersey\dsvi)
Connecting from a Win98 client leads to weird behaviour:
- I can log on, but the dsvi share won't mount, and it will ask me for a password
- if I use samba-2.2.8a (home recompiled with exactly the same options as Samba 3), I can log in _and_ the \\jersey\dsvi share is mounted
- Back to Samba 3, if I make the dsvi group jerome's *primary* group (either completely or only by means of the sambaPrimaryGroupSID LDAP attr.), I can mount the share
- Still in Samba 3, back with dsvi as a secondary group, if I rename the user to uppercase (jerome->JEROME), and all memberUid: LDAP attrs for the groups, it works, the share is mounted. I got the idea of doing that after seeing the account name uppercased in the Samba logs.
Wait, I can also see the following. On Solaris (/usr/xpg4/bin/id):
[EMAIL PROTECTED]:/root# id jerome
uid=1000(JEROME) gid=513(domusers)
[EMAIL PROTECTED]:/root# id JEROME
uid=1000(JEROME) gid=513(domusers) groups=103(dsvi),102(susers)
On the Linux PDC:
# id jerome
uid=1000(JEROME) gid=513(domusers) groups=513(domusers),550(prtadmin)
# id JEROME
uid=1000(JEROME) gid=513(domusers) groups=513(domusers),103(dsvi),102(susers)
Seems the problem comes from there...
I renamed the account to lowercase, and id gives (on Linux):
# id jerome
uid=1000(jerome) gid=513(domusers) groups=513(domusers),550(prtadmin),103(dsvi),102(susers)
# id JEROME
uid=1000(jerome) gid=513(domusers) groups=513(domusers)
Same 'id' result on Solaris 9.
This problem appears whatever value is given to the 'username level=' clause in smb.conf.
So I suspect that either 'username level=' is not honoured for the lookup of secondary group membership, or that the username is no longer lower-cased as it may have been in Samba 2.2.8a.
Or a change of behaviour between 2.2.8 and 3.0 in the 'valid users=' clause.
I can keep Samba 2.2.8a for a while on the member server, but I'd like to see this behaviour fixed. I'd like to provide a patch, but it's been years since I programmed in C...
I can submit level 10 logs on Thursday upon request by private mail (too much security info in them).
Regards,
Jerome
-- Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre Groupe Expert & Managed Services - LogicaCMG France http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
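As an added illustration (not code from the post, nor from Samba or OpenLDAP), the following Python models the asymmetry the id output above shows. It assumes the RFC 2307 schema matching rules (uid compared case-insensitively, memberUid compared case-exactly) and uses constructed directory entries mirroring the post, so that an uppercased name still resolves to the account but loses its secondary groups.

```python
# Added example (not from the original post): simulates how an NSS/LDAP lookup
# treats the username's case for the account itself versus for group membership.
# Assumption: RFC 2307 schema matching rules, i.e. 'uid' uses caseIgnoreMatch
# and 'memberUid' uses caseExactIA5Match. Entries below are constructed to
# mirror the post: user jerome, primary gid 513, lowercase memberUid values.

USERS = [  # constructed posixAccount entries
    {"uid": "jerome", "uidNumber": 1000, "gidNumber": 513},
]
GROUPS = [  # constructed posixGroup entries
    {"cn": "domusers", "gidNumber": 513, "memberUid": ["jerome"]},
    {"cn": "prtadmin", "gidNumber": 550, "memberUid": ["jerome"]},
    {"cn": "dsvi",     "gidNumber": 103, "memberUid": ["jerome"]},
    {"cn": "susers",   "gidNumber": 102, "memberUid": ["jerome"]},
]

def lookup_account(name):
    """getpwnam-style lookup: 'uid' is caseIgnoreMatch, so JEROME finds jerome."""
    for u in USERS:
        if u["uid"].lower() == name.lower():
            return u
    return None

def secondary_gids(name):
    """initgroups-style lookup: 'memberUid' is caseExactIA5Match, so case matters."""
    return [g["gidNumber"] for g in GROUPS if name in g["memberUid"]]

def simulate_id(name):
    """Return (uid, gid, sorted gids) like id(1), or None if the account is unknown."""
    acct = lookup_account(name)
    if acct is None:
        return None
    gids = {acct["gidNumber"]} | set(secondary_gids(name))
    return acct["uidNumber"], acct["gidNumber"], sorted(gids)

def groups_lost_by_case_folding(name, fold=str.upper):
    """GIDs granted for 'name' that vanish once a server folds the name's case
    (the post saw Samba 3 uppercase the account name in its logs)."""
    before = simulate_id(name)
    after = simulate_id(fold(name))
    if before is None or after is None:
        return None
    return sorted(set(before[2]) - set(after[2]))

if __name__ == "__main__":
    for n in ("jerome", "JEROME"):
        print(n, "->", simulate_id(n))
    print("lost after uppercasing:", groups_lost_by_case_folding("jerome"))
```

Run as-is it reproduces the post's pattern: the uppercased name still maps to uid 1000 with primary gid 513, while every memberUid-based group (including dsvi, the one 'valid users = +dsvi' checks) is missing.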
