The problem was in the libnss_winbind.so code for Solaris 8. The wrapper function to initialize the secondary groups immediately returned without doing any work.
As Jerry mentioned previously, this is already an open bug. I've submitted a patch to that bug report that adds the required functionality. See:

https://bugzilla.samba.org/show_bug.cgi?id=395

As I stated in the bug report: Preliminary tests using this patch were completely successful. However, I'm going to be performing further tests to ensure there are no side effects that I have yet to find.

john

> -----Original Message-----
> From: Klinger, John (N-CSC)
>
> Thank you for your response.
>
> Bug 910 looks like a different issue.
>
> We are using Samba on Solaris 8, with "security = ads",
> with AD running on a W2K server.
>
> We cannot access someone else's file on Solaris that
> is owned by a group that we are a member of, if that
> group is not our primary group.
>
> example:
>
> Given nsswitch that have 2 lines modified for winbind:
>
> passwd: files winbind
> group: files winbind
>
> Given a file owned by user1:group2 such as the following:
>
> -rw-rw---- user1 group2 0 Jan 7 testfile.txt
>
> And given user2 has a primary group of group1 and a
> secondary group of group2.
>
> The following commands were executed on our smbdev
> platform, that contains the smb server.
>
> smbdev > su - user2
> Password:
> smbdev > id
> uid=1001(user2) gid=10001(group1)
> smbdev > id -a
> uid=1001(user2) gid=10001(group1) groups=10001(group1)
> smbdev > id -a user2
> uid=1001(user2) gid=10001(group1) groups=10002(group2)
> smbdev > getent group | grep user2
> group1:x:10001:user1,user2
> group2:x:10002:user1,user2
> smbdev > grep user2 /etc/group
> smbdev > wbinfo -r user2
> 10002
> 10001
> smbdev > groups
> group1
> smbdev > cat testfile.txt
> cat: cannot open testfile.txt
> smbdev > touch testfile
> smbdev > chgrp group2 testfile2
> chgrp: group2: Not owner
> smbdev > newgrp group2
> $ chgrp group2 testfile2
> $ ls -l testfile2
> -rw-r----- user2 group2 0 Jan 7 testfile2
> $exit
> smbdev >
>
> At the initial su to user2, there is a lot of activity
> in the winbindd log with "log level = 10", but it only
> mentions the uid of 1001 and the gid of 10001. The
> secondary group is not mentioned in the log. If I add
> group2 to the /etc/group file, it works (as one would
> expect due to the nsswitch.conf settings).
>
> I expect it is a problem in libnss_winbind.so.
>
> john
>
> > From: Hansjoerg Maurer
> > Sent: Wednesday, January 07, 2004 12:05 AM
> >
> > Hi,
> >
> > this might be related to bug 910
> > "domain admin rights only works for user, which primary group
> > is domain admins"
> > I submitted last week.
> >
> > Just for your information.
> > If you want me doing some testing, just give me a note.
> >
> > Thank you
> >
> > Hansjörg
> >
> > Klinger, John (N-CSC) wrote:
> >
> > >>From: Klinger, John (N-CSC)
> > >>Sent: Friday, December 19, 2003 8:14 AM
> > >>
> > >>| | The first issue deals with the file sharing. Even if a file gives
> > >>| | full permission to one of a user's secondary groups, that user
> > >>| | cannot access the file. The user can only access the file (or
> > >>| | directory) if the file's group is the user's primary group. I've
> > >>| | found several references on the web and in https://bugzilla.samba.org,
> > >>| | which seem to indicate that the bug is fixed. However, we also tried
> > >>| | this with 3.0.1rc2 and have the same problem; which makes us think
> > >>| | it is a configuration error or something we haven't found
> > >>| | related to nsswitch.
> > >>|
> > >>|Gerald (Jerry) Carter wrote:
> > >>|
> > >>| This is an open bug
> > >>|
> > >>| ~ https://bugzilla.samba.org/show_bug.cgi?id=395
> > >>|
> > >>| cheers, jerry
