Hi list,

The last message on the topic is long, so I won't reproduce it here. You can still read it at:
http://marc.theaimsgroup.com/?l=samba&m=107099931908523&w=2.


I have more news on this front.

I made level 10 logs from win98 with samba 3.0.1rc2 and 2.2.8a.
It seems that 2.2.8a converts the username given by win98 to lowercase, which in turn makes unix return all the groups of the unix user:


[2003/12/12 10:31:35, 10] smbd/password.c:register_vuid(288)
register_vuid: (1000,513) jerome JEROME DOMAIN guest=0
[2003/12/12 10:31:35, 10] smbd/password.c:register_vuid(298)
register_vuid: allocated vuid = 100
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:push_sec_ctx(297)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/12 10:31:35, 3] smbd/uid.c:push_conn_ctx(286)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:set_sec_ctx(329)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:get_current_groups(172)
get_current_groups: user is in 4 groups: 513, 550, 103, 102
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:pop_sec_ctx(436)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/12 10:31:35, 3] smbd/sec_ctx.c:get_current_groups(172)
get_current_groups: user is in 4 groups: 513, 550, 103, 102
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
sid_to_gid: winbind lookup for sid S-1-5-21-1150874807-1180408084-429402335-513 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
sid_to_gid: winbind lookup for sid S-1-5-21-1150874807-1180408084-429402335-550 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
sid_to_gid: winbind lookup for sid S-1-5-21-1150874807-1180408084-429402335-1207 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:sid_to_gid(900)
sid_to_gid: winbind lookup for sid S-1-5-21-1150874807-1180408084-429402335-1205 failed - trying local.
[2003/12/12 10:31:35, 10] smbd/uid.c:uid_to_sid(758)
uid_to_sid: local 1000 -> S-1-5-21-889427125-3291125262-439525394-3000
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
gid_to_sid: local 513 -> S-1-5-21-889427125-3291125262-439525394-2027
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
gid_to_sid: local 550 -> S-1-5-21-889427125-3291125262-439525394-2101
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
gid_to_sid: local 103 -> S-1-5-21-889427125-3291125262-439525394-1207
[2003/12/12 10:31:35, 10] smbd/uid.c:gid_to_sid(795)
gid_to_sid: local 102 -> S-1-5-21-889427125-3291125262-439525394-1205


As you can see, all the lookups are done with a lowercase account name, and thus find all the groups that the user belongs to.

But samba 3 keeps the user given by win98 in all uppercase:

It starts with the use of the username level parameter:
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam(288)
  Finding user DOMAIN\JEROME
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is domain\jerome
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(230)
  Trying _Get_Pwnam(), username as given is DOMAIN\JEROME
[2003/12/12 10:17:05, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 8 uppercase letters in domain\jerome
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [DOMAIN\JEROME]!
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam(288)
  Finding user JEROME
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is jerome
[2003/12/12 10:17:15, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [JEROME]!
[2003/12/12 10:17:15, 10] passdb/pdb_get_set.c:pdb_set_username(593)
  pdb_set_username: setting username jerome, was

So one may think that username 'jerome' (all lowercase) is used.

Then comes the group membership determination:

[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(113)
  sys_getgrouplist: user [JEROME]
[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(122)
  sys_getgrouplist(): disabled winbindd for group lookup [user == JEROME]
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/12 10:17:15, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/12/12 10:17:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1000
  Primary group is 513 and contains 2 supplementary groups
  Group[  0]: 513
  Group[  1]: 513

As /usr/xpg4/bin/id says, JEROME is only a member of its primary group (see previous posting).

Something funnier (but normal, as SIDs come from the SMB wire, and Unix's come from local PAM): samba gets the secondary group SIDs, but not the Unix ones.

[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-1150874807-1180408084-429402335-3000
  contains 8 SIDs
  SID[  0]: S-1-5-21-1150874807-1180408084-429402335-3000
  SID[  1]: S-1-5-21-1150874807-1180408084-429402335-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-1150874807-1180408084-429402335-550
  SID[  6]: S-1-5-21-1150874807-1180408084-429402335-1207
  SID[  7]: S-1-5-21-1150874807-1180408084-429402335-1205
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1000
  Primary group is 513 and contains 2 supplementary groups
  Group[  0]: 513
  Group[  1]: 513

So, when the windows 98 client tries to mount the share authorized to the rid=1207 (gid=103) group, it ends in a refusal:

[2003/12/12 10:17:15, 10] lib/username.c:user_in_list(521)
user_in_list: checking user JEROME in list
[2003/12/12 10:17:15, 10] lib/username.c:user_in_list(525)
user_in_list: checking user |JEROME| against |+dsvi|
[2003/12/12 10:17:15, 2] smbd/service.c:make_connection_snum(391)
user 'JEROME' (from session setup) not permitted to access this share (dsvi)


One thing I have not tried is to use winbind (with an LDAP idmap reference). I think it would work, but it would be a little overkill as I already have the LDAP Posix accounts distributed to my Solaris domain member.

So, can anybody tell me if this behaviour change was intentional, or if:
- it is a bug in the pam libraries (both in Solaris and in PADL used by Linux), which should be returning group membership regardless of the username case?
- it is a bug in my LDAP directory implementation, e.g. I should add both lowercase *and* uppercase usernames to memberUid attributes to my groups?
- it is a bug in Samba 2.2.8a, which should behave as samba 3 does?
- it is a bug in Samba 3.0.x, which finds a username in lowercase (thanks to username level=8) but does not use it in the call to sys_getgrouplist?


I'd appreciate an answer, even if it is « keep samba 2.2.8a while you're ripping off your win98 clients », but that one is an easy one ;-)

Best regards,

Jérôme

--
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
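
Added example (not part of the original post, and not Samba code): a small Python check over smbd debug logs like the ones quoted above. It flags a session where the name passed to sys_getgrouplist differs only in case from the name set by pdb_set_username, and where the resulting UNIX token holds no group besides the primary. The sample lines are constructed from the excerpts in the message; the function and variable names are hypothetical.

```python
import re

# Sample lines constructed from the Samba 3.0.1rc2 excerpts quoted in the message.
SAMPLE_LOG = """\
[2003/12/12 10:17:15, 10] passdb/pdb_get_set.c:pdb_set_username(593)
  pdb_set_username: setting username jerome, was
[2003/12/12 10:17:15, 10] lib/system_smbd.c:sys_getgrouplist(113)
  sys_getgrouplist: user [JEROME]
[2003/12/12 10:17:15, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1000
  Primary group is 513 and contains 2 supplementary groups
  Group[  0]: 513
  Group[  1]: 513
"""

SET_NAME = re.compile(r"pdb_set_username: setting username (\S+?),")
LOOKUP = re.compile(r"sys_getgrouplist: user \[([^\]]+)\]")
TOKEN = re.compile(r"UNIX token of user (\d+)")
PRIMARY = re.compile(r"Primary group is (\d+)")
GROUP = re.compile(r"Group\[\s*\d+\]: (\d+)")

def audit_group_lookup(log_text):
    """Return findings about the username used for group resolution."""
    resolved = looked_up = uid = primary = None
    groups = set()
    for line in log_text.splitlines():
        if m := SET_NAME.search(line):
            resolved = m.group(1)
        elif m := LOOKUP.search(line):
            looked_up = m.group(1)
        elif m := TOKEN.search(line):
            uid, primary, groups = int(m.group(1)), None, set()  # new token block
        elif m := PRIMARY.search(line):
            primary = int(m.group(1))
        elif m := GROUP.search(line):
            groups.add(int(m.group(1)))
    findings = []
    if resolved and looked_up and resolved != looked_up \
            and resolved.lower() == looked_up.lower():
        findings.append(f"case mismatch: passdb name {resolved!r}, "
                        f"group lookup name {looked_up!r}")
    # uid 0 is skipped: the root token logged during push_sec_ctx is expected to be bare.
    if uid and primary is not None and groups <= {primary}:
        findings.append(f"uid {uid}: no supplementary group besides primary {primary}")
    return findings

if __name__ == "__main__":
    for finding in audit_group_lookup(SAMPLE_LOG):
        print(finding)
```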

