Groupmapping problems in 3.0.20

Groupmapping problems in 3.0.20

Carsten Sander
Hi all,

after updating my pdc from 3.0.14a to 3.0.20 the
groupmap function does not work properly.

net groupmap list:
returns the same groupmapping on both samba versions.

Domain Computers (S-1-5-21-xxx-yyy-zzz-515) -> nt
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nobody
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Print Operators (S-1-5-32-550) -> oper
cvs (S-1-5-21-xxx-yyy-zzz-1219) -> cvs
cad (S-1-5-21-xxx-yyy-zzz-1211) -> cad
www (S-1-5-21-xxx-yyy-zzz-1213) -> www
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
testgr (S-1-5-21-xxx-yyy-zzz-2011) -> testgr
...

On 3.0.20

net rpc group list:
returns the unix groupnames instead of the mapped groupnames

nt
nobody
root
oper
cvs
cad
www
users
testgr
...

net group /domain (cmd.exe on xp and w2k):
returns the unix groupnames instead of the mapped groupnames

usrmgr.exe:
returns the unix groupnames instead of the mapped groupnames
with following effect:
- Editing of groups root and users (Domain Admins and Domain
   Users) is not possible (Error: the groupname can not be found)
- Reassigning the primary group Domain Users in the group
   membership dialog is not possible, because the group is not
   shown

acl file dialog on windows (xp and w2k):
returns the unix groupnames instead of the mapped groupnames
with the following effect:
- Assigning rights to the groups root and users has no effect
- Manually typing in "Domain Users" and "Domain Admins" assigns
   the rights properly.

My environment:
- Ldap master on RH8.0 (openldap 2.1.29)
- Ldap slave on FC3 (openldap 2.2.13)
- PDC on RH8.0 (kernel 2.4.29, samba 3.0.20 (rpmbuild from fedora
   src rpm from samba.org), nss_ldap-207)

I got the same results on a second system:
- PDC on FC4 (kernel 2.6.12-1.1398_FC4smp, samba 3.0.20 (build from
   source from samba.org), openldap-client 2.2.23, nss_ldap-234)

After downgrading to 3.0.14a, the groupmapping is ok.

Any ideas?

Regards
   Carsten

--
.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: Groupmapping problems in 3.0.20

Gerald Carter-4
Carsten Sander wrote:
| Hi all,
|
| after updating my pdc from 3.0.14a to 3.0.20 the
| groupmap function does not work properly.
|
| net groupmap list:
| returns the same groupmapping on both samba versions.
|
| Domain Computers (S-1-5-21-xxx-yyy-zzz-515) -> nt
| Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nobody
...
|
| On 3.0.20
|
| net rpc group list:
| returns the unix groupnames instead of the mapped groupnames
|
| nt
| nobody
| root
...

grr....sorry.  Our bug.  The one line fix is at
http://www.samba.org/~jerry/patches/post-3.0.20/groupname_enumeration.patch




cheers, jerry

Re: Groupmapping problems in 3.0.20

Carsten Sander
Gerald (Jerry) Carter wrote:

>
> Carsten Sander wrote:
> | Hi all,
> |
> | after updating my pdc from 3.0.14a to 3.0.20 the
> | groupmap function does not work properly.
> |
> | net groupmap list:
> | returns the same groupmapping on both samba versions.
> |
> | Domain Computers (S-1-5-21-xxx-yyy-zzz-515) -> nt
> | Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nobody
> ...
> |
> | On 3.0.20
> |
> | net rpc group list:
> | returns the unix groupnames instead of the mapped groupnames
> |
> | nt
> | nobody
> | root
> ...
>
> grr....sorry.  Our bug.  The one line fix is at
> http://www.samba.org/~jerry/patches/post-3.0.20/groupname_enumeration.patch
>

Applied the patch. Groupnames are listed correctly now.

Thanks
   Carsten

--
.

Re: Groupmapping problems in 3.0.20

Thomas Bork-2
In reply to this post by Carsten Sander
Carsten Sander wrote:

> On 3.0.20
> net rpc group list:
> returns the unix groupnames instead of the mapped groupnames

Cannot reproduce this with 3.0.20 (unpatched):

vmeis # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nogroup
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
Domain Power Users (S-1-5-21-xxx-yyy-zzz-1007) -> sys
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
vmeis # net rpc group list
Password:
Domain Admins
Domain Guests
Domain Users
Domain Power Users
vmeis #


3.0.20 patched with
http://www.samba.org/~jerry/patches/post-3.0.20/groupname_enumeration.patch:

vmeis # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nogroup
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
Domain Power Users (S-1-5-21-xxx-yyy-zzz-1007) -> sys
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
vmeis # net rpc group list
Password:
                 <=== no output
                 <=== no output
                 <=== no output
                 <=== no output
vmeis #


der tom

Re: Groupmapping problems in 3.0.20

Gerald Carter-4
Thomas Bork wrote:
> Carsten Sander wrote:
>
>> On 3.0.20
>> net rpc group list:
>> returns the unix groupnames instead of the mapped groupnames
>
> Cannot reproduce this with 3.0.20 (unpatched):

It was pretty easy to reproduce for me.  Are you using ldapsam?

> vmeis # net groupmap list
> System Operators (S-1-5-32-549) -> -1
...

> vmeis # net rpc group list
> Password:
> Domain Admins
> Domain Guests
> Domain Users
> Domain Power Users
> vmeis #
>
>
> 3.0.20 patched with
> http://www.samba.org/~jerry/patches/post-3.0.20/groupname_enumeration.patch:
>
> vmeis # net groupmap list
> System Operators (S-1-5-32-549) -> -1
....
> vmeis # net rpc group list
> Password:
>                 <=== no output
>                 <=== no output
>                 <=== no output
>                 <=== no output
> vmeis #

There were actually 2 bugs.  One that I found after the first
revision of that patch.  I started a "recent releases patch
page" yesterday.  Take a look at http://www.samba.org/samba/patches/
v2 of the group enumeration patch is available from there.




cheers, jerry

Re: Groupmapping problems in 3.0.20

Thomas Bork-2
Gerald (Jerry) Carter wrote:

>>Cannot reproduce this with 3.0.20 (unpatched):
> It was pretty easy to reproduce for me.  Are you using ldapsam?

No - smbpasswd. I double checked this, cannot reproduce the error
(output from 'net rpc group list') with the unpatched sources.

> There were actually 2 bugs.  One that I found after the first
> revision of that patch.  I started a "recent releases patch
> page" yesterday.  Take a look at http://www.samba.org/samba/patches/
> v2 of the group enumeration patch is available from there.

Also with v2:

vmeis # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nogroup
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
Domain Power Users (S-1-5-21-xxx-yyy-zzz-1007) -> sys
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
vmeis # net rpc group list
Password:
                  <=== no output
                  <=== no output
                  <=== no output
                  <=== no output
vmeis #

The output from unpatched sources is okay...


der tom

Re: Groupmapping problems in 3.0.20

Gerald Carter-4
Thomas Bork wrote:
> Gerald (Jerry) Carter wrote:
>
>>> Cannot reproduce this with 3.0.20 (unpatched):
>> It was pretty easy to reproduce for me.  Are you using ldapsam?
>
> No - smbpasswd. I double checked this, cannot reproduce the error
> (output from 'net rpc group list') with the unpatched sources.

ok.  I'll double check with the mappings stored in a local
tdb then and see what happens.  I think I have a good idea though.
Probably will be later on today or over the weekend though.





cheers, jerry

Re: Groupmapping problems in 3.0.20

Gerald Carter-4
In reply to this post by Thomas Bork-2
Thomas Bork wrote:
> Gerald (Jerry) Carter wrote:
>
>>> Cannot reproduce this with 3.0.20 (unpatched):
>> It was pretty easy to reproduce for me.  Are you using ldapsam?
>
> No - smbpasswd. I double checked this, cannot reproduce the error
> (output from 'net rpc group list') with the unpatched sources.

Yup.  Reproduced it.  grrr.... ok.  Now for a fix.





cheers, jerry

Re: Groupmapping problems in 3.0.20

Gerald Carter-4
In reply to this post by Thomas Bork-2
Thomas Bork wrote:
> Gerald (Jerry) Carter wrote:
>
>>> Cannot reproduce this with 3.0.20 (unpatched):
>> It was pretty easy to reproduce for me.  Are you using ldapsam?
>
> No - smbpasswd. I double checked this, cannot reproduce the error
> (output from 'net rpc group list') with the unpatched sources.

new patch posted.  The bug only existed in the ldapsam code.
So there is no change when not using ldap.

Thanks.  I would have missed this without your help.






cheers, jerry
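
A check for the mismatch discussed in this thread, as an added example that is not part of any post and is not Samba project code: it compares saved `net groupmap list` output with saved `net rpc group list` output and reports whether the enumeration shows the NT names, the unix group names, or nothing. The function names, verdict strings and sample input are constructed for illustration, and it assumes every mapped group should appear in the enumeration.

```python
import re

# One mapping per line: "<NT name> (<SID>) -> <unix group>"
MAP_LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[^)]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Parse `net groupmap list` output into (nt_name, sid, unix_group) tuples."""
    rows = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            rows.append((m["nt"], m["sid"], m["unix"]))
    return rows

def parse_enumeration(text):
    """Group names from `net rpc group list`, minus the prompt and blank lines."""
    names = {line.strip() for line in text.splitlines()}
    return names - {"", "Password:"}

def check_enumeration(groupmap_text, rpc_list_text):
    """Compare enumerated names with the mapping table and classify the result."""
    listed = parse_enumeration(rpc_list_text)
    leaked, missing = [], []
    for nt, _sid, unix in parse_groupmap(groupmap_text):
        if unix == "-1" or nt in listed:  # unmapped entry, or NT name shown as expected
            continue
        # Assumption of this example: every mapped group should be enumerated.
        (leaked if unix in listed else missing).append(nt)
    if not listed:
        verdict = "empty"        # enumeration returned no names at all
    elif leaked:
        verdict = "unix-names"   # unix group shown where the NT name belongs
    elif missing:
        verdict = "incomplete"   # some mapped groups are not enumerated
    else:
        verdict = "ok"
    return {"verdict": verdict, "leaked": leaked, "missing": missing}

# Constructed sample input, modelled on the output quoted in the thread.
GROUPMAP = """\
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nobody
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
testgr (S-1-5-21-xxx-yyy-zzz-2011) -> testgr
Users (S-1-5-32-545) -> -1
"""
RPC_UNIX = "Password:\nnobody\nroot\nusers\ntestgr\n"
RPC_OK = "Password:\nDomain Guests\nDomain Admins\nDomain Users\ntestgr\n"
RPC_EMPTY = "Password:\n\n\n\n\n"
```

Running it before and after applying a patch or upgrading gives a quick regression signal for name enumeration, which matters because ACL and group-membership dialogs on Windows clients rely on the enumerated names.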