[Pkg-samba-maint] DO NOT REPLY [Bug 6230] 'force group' still broken in 3.3.2

samba-bugs at samba.org samba-bugs at samba.org
Mon Jun 8 15:05:29 UTC 2009


https://bugzilla.samba.org/show_bug.cgi?id=6230


vl at samba.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Comment #28 from vl at samba.org  2009-06-08 10:05 CST -------
Ok, this took a while. This is very, very confusing but technically not a bug.
You have ldapsam:trusted=yes with an invalid LDAP database. The primary group
of user "guy", also "guy", does not have a sambaGroupMapping. This is the
invalid configuration part. This leads to the token not assigning the SID for
the primary group, which would be the second SID in the token. Normally, this
SID is being taken by the primary unix group's SID. That SID missing means that
the next SID that is normally assigned, World (S-1-1-0), takes its place. The
thing the "force group" parameter does is overwrite this SID in the token. So
S-1-1-0 is not part of the token. In the access checks for a share we check
against the security descriptor, the default if none is there is "All rights to
S-1-1-0". But as S-1-1-0 has just been overwritten by "force group", this
fails.

To fix this, you could either not use "ldapsam:editposix" anymore or assign
sambaGroupMapping entries to all your groups. I think without the live data I
would never have found this....

Thanks,

Volker
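
The sequence described in comment #28, as a simplified model added here for illustration; it is not Samba source code and not part of the original message. All function names and sample SIDs other than S-1-1-0 are constructed.

```python
# Simplified model of the token handling described in comment #28.
# Not Samba source: all function names and sample SIDs are constructed.
WORLD = "S-1-1-0"
USER = "S-1-5-21-1111-2222-3333-1001"          # constructed: user "guy"
GROUP_GUY = "S-1-5-21-1111-2222-3333-2001"     # constructed: mapped group "guy"
FORCED = "S-1-5-21-1111-2222-3333-2002"        # constructed: "force group" target


def build_token(user_sid, primary_group_sid):
    """Slot 0 is the user SID; slot 1 is normally the primary group SID."""
    sids = [user_sid]
    if primary_group_sid is not None:   # None: group has no sambaGroupMapping
        sids.append(primary_group_sid)
    sids.append(WORLD)                  # with no group SID, World lands in slot 1
    return sids


def apply_force_group(sids, forced_sid):
    """Model of 'force group': overwrite the second SID in the token."""
    forced = list(sids)
    forced[1] = forced_sid
    return forced


def share_access_allowed(sids, share_sd=None):
    """With no share security descriptor, the default grants all rights to World."""
    allowed = {WORLD} if share_sd is None else set(share_sd)
    return any(sid in allowed for sid in sids)


def primary_group_slot_missing(sids):
    """Diagnostic: True when World sits where the primary group SID belongs."""
    return len(sids) > 1 and sids[1] == WORLD


def demo():
    results = {}
    for label, group_sid in (("mapped", GROUP_GUY), ("unmapped", None)):
        token = build_token(USER, group_sid)
        forced = apply_force_group(token, FORCED)
        results[label] = (primary_group_slot_missing(token),
                          share_access_allowed(forced))
    return results


if __name__ == "__main__":
    print(demo())
```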

