[Pkg-samba-maint] DO NOT REPLY [Bug 6230] 'force group' still broken in 3.3.2

samba-bugs at samba.org samba-bugs at samba.org
Wed Aug 19 15:04:50 UTC 2009


------- Comment #33 from jht at samba.org  2009-08-19 10:04 CST -------
(In reply to comment #31)
> (In reply to comment #28)
> Hi,
> Thanks for investigating!
> > Ok, this took a while. This is very, very confusing but technically not a bug.
> > You have ldapsam:trusted=yes with an invalid LDAP database. The primary group
> > of user "guy", also "guy" does not have a sambaGroupMapping. This is the
> > invalid configuration part. This leads to the token not assigning the SID for
> > the primary group, which would be the second SID in the token. Normally, this
> > SID is being taken by the primary unix group's SID. That SID missing means 
> I'm either missing something or disagreeing with you, I don't know which. :) To
> me, the intuitive behaviour would be for Samba to join all Unix groups the
> connecting user is a member of, regardless of whether they have
> sambaGroupMappings; as I understood it so far, sambaGroupMappings are only
> there for the benefit of Windows. If a group has no mapping, then Windows can't
> see it (meaning that Samba doesn't advertise it in any way).
> Why is it necessary for all groups, even the ones only used on the Unix side,
> to have sambaGroupMappings? If a group that has no such mapping owns a file,
> that ownership needn't be reported to Windows at all (as it's not necessary
> that a file be owned by a user as well as a group in Winland). It can be
> omitted from ACLs reported to Windows too. I can't currently think of a
> scenario that would make it necessary to insist on all Unix groups to have
> sambaGroupMappings.
> In any case, I'd consider the misleading error message to be a bug; at least a
> warning to the effect of "Group 'foo' doesn't have a sambaGroupMapping,
> ignoring it" should, I think, be logged.
> Andras


UNIX groups that have no members who are both UNIX and Samba/Windows users do
not need to be mapped to Windows groups.  However, all UNIX groups of which
Windows users are members require a Windows group mapping.

Given that there are usually not many UNIX groups, why not map all of them so
that you will not get caught out at a later time?  Volker's advice is good.

- John T.
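
The check implied by this exchange (find UNIX groups that contain Samba users but have no group mapping), as an added example that is not part of the original message or of Samba itself. All sample data is constructed; the group mapping lines assume the "NT name (SID) -> unixgroup" layout printed by `net groupmap list`, and SAMBA_USERS is a hypothetical stand-in for the accounts in Samba's passdb.

```python
import re

# Constructed sample data (not from the bug report), in the formats of
# /etc/passwd, /etc/group and `net groupmap list`.
PASSWD = """\
guy:x:1001:1001::/home/guy:/bin/sh
ann:x:1002:100::/home/ann:/bin/sh
backup:x:34:34::/var/backups:/bin/false
"""
GROUP = """\
users:x:100:
guy:x:1001:
staff:x:50:guy,ann
backup:x:34:
"""
GROUPMAP = """\
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Staff (S-1-5-21-1111111111-2222222222-3333333333-3001) -> staff
"""
SAMBA_USERS = {"guy", "ann"}  # assumed: accounts that also exist in Samba's passdb


def mapped_unix_groups(groupmap_text):
    """Return UNIX group names found on the right of 'NT name (SID) -> unixgroup'."""
    pat = re.compile(r"^.+ \((S-[\d-]+)\) -> (\S+)$")
    return {m.group(2) for line in groupmap_text.splitlines()
            if (m := pat.match(line.strip()))}


def unmapped_groups(passwd_text, group_text, groupmap_text, samba_users):
    """Map each unmapped UNIX group to the Samba users who belong to it."""
    gid_to_name, members = {}, {}
    for line in group_text.splitlines():
        name, _, gid, mem = line.split(":")
        gid_to_name[gid] = name
        members[name] = {u for u in mem.split(",") if u}
    # The primary group is recorded in passwd, not in the group's member list.
    for line in passwd_text.splitlines():
        user, _, _, gid = line.split(":")[:4]
        if gid in gid_to_name:
            members[gid_to_name[gid]].add(user)
    mapped = mapped_unix_groups(groupmap_text)
    return {g: sorted(m & samba_users) for g, m in members.items()
            if g not in mapped and m & samba_users}


if __name__ == "__main__":
    for group, users in sorted(unmapped_groups(PASSWD, GROUP, GROUPMAP, SAMBA_USERS).items()):
        print(f"UNIX group {group!r} has no group mapping; Samba users in it: {', '.join(users)}")
```

In the constructed data the private primary group "guy" is the only one reported, since it is reachable only through the gid field in passwd; "backup" is skipped because none of its members is a Samba user.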
