I have done further testing on this issue.
Unix name resolution seems to work (all groups are in LDAP)
[EMAIL PROTECTED] sporer]$ getent group | grep management
managementgroup:x:1001:management,root,haehnle,sporer,sporers
[EMAIL PROTECTED] sporer]$ getent group | grep sensodrivgroup
[EMAIL PROTECTED] sporer]$ getent group | grep sensodrive
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
[EMAIL PROTECTED] sporer]$ id -a management
uid=1008(management) gid=1001(managementgroup) Gruppen=1001(managementgroup)
[EMAIL PROTECTED] sporer]$ id -a sporer
uid=1000(sporer) gid=1000(sensodrivegroup) Gruppen=1000(sensodrivegroup),1001(managementgroup),1002(test1)
If I add
valid users = +managementgroup,+sensodrivegroup
to a share
user management and user sporer can connect (primary groups are management and sporer)
if I remove +sensodrivegroup
user sporer can't connect and vice versa.
A level 10 debug shows in the case sporer connects (fails)
sys_getgrouplist: user [sporer]
[2004/01/09 12:05:18, 10] lib/system_smbd.c:sys_getgrouplist(122)
sys_getgrouplist(): disabled winbindd for group lookup [user == sporer]
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 1000
Primary group is 1000 and contains 1 supplementary groups
Group[ 0]: 1000
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/01/09 12:05:18, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/01/09 12:05:18, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1636)
ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=1000))]
[2004/01/09 12:05:18, 2] passdb/pdb_ldap.c:init_group_from_ldap(1680)
init_group_from_ldap: Entry found for group: 1000
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/01/09 12:05:18, 10] passdb/passdb.c:local_gid_to_sid(1228)
local_gid_to_sid: gid (1000) -> SID S-1-5-21-3723159834-3326906825-3408399175-3001.
[2004/01/09 12:05:18, 10] passdb/lookup_sid.c:gid_to_sid(374)
gid_to_sid: local 1000 -> S-1-5-21-3723159834-3326906825-3408399175-3001
[2004/01/09 12:05:18, 10] auth/auth_util.c:debug_nt_user_token(491)
NT user token of user S-1-5-21-3723159834-3326906825-3408399175-3000
contains 5 SIDs
SID[ 0]: S-1-5-21-3723159834-3326906825-3408399175-3000
SID[ 1]: S-1-5-21-3723159834-3326906825-3408399175-3001
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
...
In the case management connects (successfully)
2004/01/09 12:08:36, 10] lib/system_smbd.c:sys_getgrouplist(113)
sys_getgrouplist: user [management]
[2004/01/09 12:08:36, 10] lib/system_smbd.c:sys_getgrouplist(122)
sys_getgrouplist(): disabled winbindd for group lookup [user == management]
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 1008
Primary group is 1001 and contains 1 supplementary groups
Group[ 0]: 1001
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/01/09 12:08:36, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/01/09 12:08:36, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1636)
ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=1001))]
[2004/01/09 12:08:36, 2] passdb/pdb_ldap.c:init_group_from_ldap(1680)
init_group_from_ldap: Entry found for group: 1001
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/01/09 12:08:36, 10] passdb/passdb.c:local_gid_to_sid(1228)
local_gid_to_sid: gid (1001) -> SID S-1-5-21-3723159834-3326906825-3408399175-3003.
[2004/01/09 12:08:36, 10] passdb/lookup_sid.c:gid_to_sid(374)
gid_to_sid: local 1001 -> S-1-5-21-3723159834-3326906825-3408399175-3003
[2004/01/09 12:08:36, 10] auth/auth_util.c:debug_nt_user_token(491)
NT user token of user S-1-5-21-3723159834-3326906825-3408399175-3016
contains 5 SIDs
SID[ 0]: S-1-5-21-3723159834-3326906825-3408399175-3016
SID[ 1]: S-1-5-21-3723159834-3326906825-3408399175-3003
SID[ 2]: S-1-1-0
...
user_in_list: checking user management in list
[2004/01/09 12:08:36, 10] lib/username.c:user_in_list(525)
user_in_list: checking user |management| against |+managementgroup|
[2004/01/09 12:08:36, 5] lib/username.c:Get_Pwnam(288)
Finding user management
[2004/01/09 12:08:36, 5] lib/username.c:Get_Pwnam_internals(223)
Trying _Get_Pwnam(), username as lowercase is management
[2004/01/09 12:08:36, 5] lib/username.c:Get_Pwnam_internals(251)
Get_Pwnam_internals did find user [management]!
[2004/01/09 12:08:36, 10] lib/username.c:user_in_list(521)
user_in_list: checking user management in list
[2004/01/09 12:08:36, 10] lib/username.c:user_in_list(525)
user_in_list: checking user |management| against |+Domain Admins|
[2004/01/09 12:08:36, 3] smbd/service.c:make_connection_snum(543)
- the parsing of +managementgroup works
- both groups are valid groups
- the secondary group membership seems not to be recognized by Samba...
I am using RH 9 with glibc-2.3.2-27.9.7 nss_ldap-207-3 openldap-2.1.22
The problem is the same with RH7.3 and openldap 2.0
I read something about a broken getgrouplist with this glibc. Because RH fixed that bug, I tried to compile with #ifdef HAVE_GETGROUPLIST 1, but with the same result.
Does anybody have some additional ideas?
Greetings
Hansjörg
[EMAIL PROTECTED] root]# net groupmap list
Domain Admins (S-1-5-21-3723159834-3326906825-3408399175-512) -> Domain Admins
Domain Users (S-1-5-21-3723159834-3326906825-3408399175-513) -> Domain Users
Domain Guests (S-1-5-21-3723159834-3326906825-3408399175-514) -> Domain Guests
Administrators (S-1-5-21-3723159834-3326906825-3408399175-544) -> Administrators
Users (S-1-5-21-3723159834-3326906825-3408399175-545) -> Users
Guests (S-1-5-21-3723159834-3326906825-3408399175-546) -> Guests
Power Users (S-1-5-21-3723159834-3326906825-3408399175-547) -> Power Users
Account Operators (S-1-5-21-3723159834-3326906825-3408399175-548) -> Account Operators
Server Operators (S-1-5-21-3723159834-3326906825-3408399175-549) -> Server Operators
Print Operators (S-1-5-21-3723159834-3326906825-3408399175-550) -> Print Operators
Backup Operators (S-1-5-21-3723159834-3326906825-3408399175-551) -> Backup Operators
Replicators (S-1-5-21-3723159834-3326906825-3408399175-552) -> Replicators
Domain Computers (S-1-5-21-3723159834-3326906825-3408399175-553) -> Domain Computers
sensodrivegroup (S-1-5-21-3723159834-3326906825-3408399175-3001) -> sensodrivegroup
Managementgroup (S-1-5-21-3723159834-3326906825-3408399175-3003) -> managementgroup
test1 (S-1-5-21-3723159834-3326906825-3408399175-3005) -> test1
[EMAIL PROTECTED] root]# net getlocalsid
SID for domain LINA is: S-1-5-21-3723159834-3326906825-3408399175
John H Terpstra wrote:
Hansjoerg,
Instead of: valid users = @Groupe
Please try: valid users = +Groupe
Thanks.
- John T.
On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
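A stand-alone check for the symptom reported in the message above, as an added example that is not part of the original post and is not Samba code: it compares the groups that libc's getgrouplist() returns for a user with the groups found by walking the group database, which is the view `getent group` gives. The names `missing_gids`, `groups_by_enumeration` and `check_user` are hypothetical, and the program assumes a glibc system.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes getgrouplist() and getgrent() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#define MAXG 256

/* Hypothetical helper: store in out[] each gid of want[] absent from have[]. */
static int missing_gids(const gid_t *want, int nwant,
                        const gid_t *have, int nhave, gid_t *out) {
    int n = 0;
    for (int i = 0; i < nwant; i++) {
        int found = 0;
        for (int j = 0; j < nhave && !found; j++)
            found = (want[i] == have[j]);
        if (!found) out[n++] = want[i];
    }
    return n;
}

/* Gids of groups whose member list names `user`, found by walking the whole
 * group database (the view `getent group` prints). At most MAXG entries. */
static int groups_by_enumeration(const char *user, gid_t *out) {
    int n = 0;
    struct group *g;
    setgrent();
    while (n < MAXG && (g = getgrent()) != NULL)
        for (char **m = g->gr_mem; m && *m; m++)
            if (strcmp(*m, user) == 0) { out[n++] = g->gr_gid; break; }
    endgrent();
    return n;
}

/* Number of enumerated memberships that getgrouplist() omits; -1 on error. */
int check_user(const char *user) {
    gid_t listed[MAXG], enumerated[MAXG], missing[MAXG];
    int nlisted = MAXG;
    struct passwd *pw = getpwnam(user);
    if (!pw || getgrouplist(user, pw->pw_gid, listed, &nlisted) < 0) return -1;
    int nenum = groups_by_enumeration(user, enumerated);
    int nmiss = missing_gids(enumerated, nenum, listed, nlisted, missing);
    for (int i = 0; i < nmiss; i++)
        printf("%s: gid %u listed by getgrent(), not by getgrouplist()\n", user, (unsigned)missing[i]);
    return nmiss;
}

int main(int argc, char **argv) { return argc > 1 ? check_user(argv[1]) != 0 : 2; }
```

Run it with a user name as the only argument, as the account smbd runs under; exit status 0 means both views agree, 1 means a membership is missing or the lookup failed.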
