[Pkg-samba-maint] Bug#535910: samba: Samba not checking /etc/group for secondary groups when determining filesystem access
Trev Peterson
trev at advanced-reality.com
Sun Jul 5 23:54:27 UTC 2009
Package: samba
Version: 2:3.2.5-4lenny6
Severity: important
When upgrading from Etch, samba stopped checking secondary groups in /etc/group for filesystem
permissions when determining filesystem access. We use winbind and authentication is working
correctly. If the group ownership is changed to the primary group (from /etc/passwd),
the file is owned by the user, or everyone has rights, access is granted as per the unix
permissions. Group and User enumeration is shown to be working (turning up debug and checking
the logs shows it enumerated to the UID and GID for that user from /etc/passwd). getent
groups shows the normal (full) group listing as it should.
A few other things I should note:
SELINUX is turned off completely.
Permissions on /etc/passwd and /etc/group are both 644
This exact config was working on Etch with the standard samba packages and winbind (no
configuration changes were made on upgrade until after problems were seen).
I tried setting the following in /etc/samba/smb.conf (all to no effect):
unix extensions = no
auth methods = winbind
nt acl support = yes
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages samba depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debcon 1.5.24 Debian configuration management sy
ii libacl1 2.2.47-2 Access control list shared library
ii libattr1 1:2.4.43-2 Extended attribute shared library
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libcups2 1.3.8-1+lenny6 Common UNIX Printing System(tm) -
ii libgnutls26 2.4.2-6+lenny1 the GNU TLS library - runtime libr
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules f
ii libpam-runtime 1.0.1-5+lenny1 Runtime support for the PAM librar
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libtalloc1 1.2.0~git20080616-1 hierarchical pool based memory all
ii libwbclient0 2:3.2.5-4lenny6 client library for interfacing wit
ii logrotate 3.7.1-5 Log rotation utility
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii procps 1:3.2.7-11 /proc file system utilities
ii samba-common 2:3.2.5-4lenny6 Samba common files used by both th
ii update-inetd 4.31 inetd configuration file updater
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
samba recommends no packages.
Versions of packages samba suggests:
pn ldb-tools <none> (no description available)
ii openbsd-inetd [inet-superse 0.20080125-2 The OpenBSD Internet Superserver
ii smbldap-tools 0.9.4-1 Scripts to manage Unix and Samba a
-- debconf information:
samba/run_mode: daemons
samba/generate_smbpasswd: false
ii libwbclient0 2:3.2.5-4lenny6 client library for interfacing with winbind
ii winbind 2:3.2.5-4lenny6 service to resolve user and group informatio
cat /etc/samba/smb.conf (with comments clipped):
[global]
unix extensions = no
workgroup = Palantir
server string = vash server (Samba %v)
wins support = no
wins server = 192.168.28.4
dns proxy = no
name resolve order = lmhosts host wins bcast
netbios name = Vash
interfaces = 192.168.28.2/24
hosts allow = 192.168.28. 127.
log file = /var/log/samba/log.%m
max log size = 50
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
realm = ad.palantir.net
password server = knives.palantir.net
winbind use default domain = yes
encrypt passwords = true
username map = /etc/samba/smbusers
domain logons = no
logon script = %U.bat
load printers = no
socket options = TCP_NODELAY
remote browse sync = 192.168.28.255
remote announce = 192.168.28.255
local master = no
os level = 33
domain master = no
preferred master = no
template shell = /bin/bash
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[archives]
comment = Archived projects
path = /vash/archives
browseable = yes
guest ok = no
writable = yes
create mask = 0660
directory mask = 2770
force create mode = 0660
force directory mode = 2770
[business]
comment = Palantir business directory
path = /vash/business
browseable = yes
guest ok = no
writable = yes
create mask = 0660
directory mask = 2770
force create mode = 0660
force directory mode = 2770
[palantir]
comment = Palantir projects directory
path = /vash/palantir
browseable = yes
guest ok = no
writable = yes
create mask = 0660
directory mask = 2770
force create mode = 0660
force directory mode = 2770
[software]
comment = software packages
path = /vash/software
browseable = yes
guest ok = yes
writable = yes
create mask = 0664
directory mask = 2775
force create mode = 0664
force directory mode = 2775
Any help is appreciated. Thanks,
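
Added example, not part of the original report: a small Python model of the standard Unix owner/group/other check, run once with the secondary groups listed in an /etc/group-style file and once with only the primary group. The group file contents, user names, UID and GIDs are constructed sample values; the 2770 mode matches the directory mask used in the shares above.

```python
# Constructed sample data in /etc/group format (not from the original report).
GROUP_FILE = """\
root:x:0:
staff:x:50:
projects:x:1001:alice,bob
archive:x:1002:bob
"""

def secondary_gids(group_text, user):
    """GIDs of every group whose member list (4th field) names the user."""
    gids = set()
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        if user in [m for m in members.split(",") if m]:
            gids.add(int(gid))
    return gids

def access_class(mode, f_uid, f_gid, uid, gids):
    """Which permission triplet applies (owner, group or other) and its rwx bits."""
    if uid == f_uid:
        return "owner", (mode >> 6) & 7
    if f_gid in gids:
        return "group", (mode >> 3) & 7
    return "other", mode & 7

def can_write(mode, f_uid, f_gid, uid, gids):
    """True when the applicable triplet carries the write bit."""
    return bool(access_class(mode, f_uid, f_gid, uid, gids)[1] & 2)

def diagnose(group_text, user, uid, primary_gid, mode, f_uid, f_gid):
    """Compare the decision with the full group set against primary-only."""
    full = {primary_gid} | secondary_gids(group_text, user)
    return {
        "with_secondary": can_write(mode, f_uid, f_gid, uid, full),
        "primary_only": can_write(mode, f_uid, f_gid, uid, {primary_gid}),
    }

if __name__ == "__main__":
    # Directory owned by root:projects with mode 2770; alice is only a
    # secondary member of "projects" (constructed UID/GID values).
    print(diagnose(GROUP_FILE, "alice", 16777216, 16777300, 0o2770, 0, 1001))
```

When the two results differ for a given file, access depends entirely on the secondary group membership, which is the case the report describes as failing.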