[Pkg-samba-maint] Bug#520309: 'force group' still broken in 3.3.2

Josip Rodin joy at debbugs.entuzijast.net
Fri Jun 12 10:55:21 UTC 2009 

On Wed, Mar 18, 2009 at 07:40:47PM +0100, Andras Korn wrote:
> I have a samba pdc that uses an ldapsam backend. Everything seems to work,
> with the expection of the following share:
> 
> [store]
>         path = /store
>         hide unreadable = yes
>         csc policy = disable
>         force group = +Power Users
>         inherit acls = true
>         volume = STORE
>         create mask = 0666
>         directory mask = 0777

I'm using the force group option on my ldapsam-based Samba domain servers,
without the plus option (we want to force it on all), and it has been
working fine, but when I tried setting the plus option on a test share,
I got NT_STATUS_NO_SUCH_GROUP as the response. Without debugging much more,
I read up on the the upstream bug 6230, and one thing struck me while
reading what Volker Lendecke wrote:

> Ok, this took a while. This is very, very confusing but technically not a
> bug. You have ldapsam:trusted=yes with an invalid LDAP database. The
> primary group of user "guy", also "guy" does not have a sambaGroupMapping.
> This is the invalid configuration part.

In my directory we have users bound to gidNumber 100, which is 'users', and
I have that in LDAP, but it's also not a sambaGroupMapping - yet everything
seems to work, likely because users have sambaPrimaryGroupSID pointing to
the group "Domain Users" which we exists in LDAP and it *is* a
sambaGroupMapping.

I've had a run-in before with that warning message, "ldapsam_getgroup: Did
not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=xyz))"
but this is still a mere level 4 log message. If we know that it can be so
relevant to authorization, it would really be a good idea to emphasize it
by making it e.g. a level 2 or level 3 log message.

For example, smbd/dosmode.c:unix_mode() logs all inheritance matters
as level 2; conversely, libsmb/nmblib.c:debug_nmb_packet() logs packet
dumps as level 4. Looking at those, the "Did not find group" message
definitely deserves to go up a notch so that people notice it with less
overhead.

-- 
     2. That which causes joy or happiness.

More information about the Pkg-samba-maint mailing list