Bug 113015 - Access denied to accounts with secondary UNIX groups membership > 31
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: samba
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Simo Sorce
Reported: 2004-01-07 09:07 EST by Didier
Modified: 2007-11-30 17:07 EST (History)

Doc Type: Bug Fix
Last Closed: 2007-10-19 15:31:43 EDT

Attachments
 - log level = 10, with 31 secondary groups (72.95 KB, text/plain), 2004-01-07 09:21 EST, Didier
 - log level = 10, with 32 secondary groups; result = NT_STATUS_NETWORK_ACCESS_DENIED (67.33 KB, text/plain), 2004-01-07 09:23 EST, Didier

Description Didier 2004-01-07 09:07:02 EST
Description of problem:
When a UNIX account is a member of more than 31 secondary groups,
samba refuses to honour secondary groups membership, and denies access
to all files and directories which are not owned by primary uid or gid.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create UNIX account with 31 secondary group memberships
2. Add user to additional group
3. Use e.g. smbclient to access a file or directory which is owned by
one of the 32 groups, but different from the account's primary group.
Actual results:

Access is denied.

Expected results:

Access should be allowed, due to UNIX group membership.

Additional info:

This is a very unpleasant regression, compared to samba 2.x.

As an interim 'solution', we now need to exclude accounts from groups
(rendering their maximum group membership to 31 or lower), effectively
denying them access to group-owned resources.

As users are now unable to retrieve data which they previously could
access under samba 2.x, I'm setting severity = high.
Comment 1 Didier 2004-01-07 09:21:27 EST
Created attachment 96802 [details]
log level = 10, with 31 secondary groups

$ smbclient \\\\host.bla.bla\\frans -U frans
smb: \> ls
smb: \> q
Comment 2 Didier 2004-01-07 09:23:21 EST
Created attachment 96803 [details]
log level = 10, with 32 secondary groups ; result = NT_STATUS_NETWORK_ACCESS_DENIED

$ smbclient \\\\host.bla.bla\\frans -U frans
smb: \> ls

smb: \> q
Comment 3 Didier 2004-01-07 09:28:29 EST
Please note I mention 31/32 secondary groups, while the logs reveal
32/33 supplementary groups:
this is because each user belongs to primary gid 100 ('users'), but is
again explicitly stated as a member of group 'users:x:100:' in /etc/group.

(the rationale for this is to allow our Postfix mail server to use
/etc/group to determine group membership when sending e-mails to
departmental groups).

As such, the summary of this bug report should perhaps be modified (31
-> 32).
Comment 4 Didier 2004-01-07 09:42:21 EST
Bug report also filed with Samba Bugzilla
Comment 5 Didier 2004-01-07 10:39:12 EST
Additional information:

test config 1:
 - Red Hat Linux 7.1, kernel-2.4.9-31, samba-2.2.2-20011013
test config 2:
 - RHEL3, kernel-2.4.21-4.0.1.EL, samba-3.0.0-14.3E

Both configs:
 - account 'xyz' is a member of approx. 35 groups;
 - linux/limits.h: NGROUPS_MAX = 32

config 1: 'groups xyz' reports first 32 groups;
config 2: 'groups xyz' reports all 35 groups;

Test 1: home uid = nobody, gid set to e.g. 35th group;
1a:ssh to config1: access denied
1b:smbclient to config1: access denied
1c:ssh to config2: access denied
1d:smbclient to config2: access denied

Test 2: home uid = nobody, gid set to e.g. 10th group;
2a:ssh to config1: access allowed
2b:smbclient to config1: access allowed
2c:ssh to config2: access allowed
2d:smbclient to config2: access denied (this concerns this bug report)

Test 2d is IMO clearly a bug.
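The counting rule that runs through comments 3 and 5 (every distinct gid the login carries counts once, primary gid included, and the 2.4 kernel's NGROUPS_MAX from linux/limits.h is 32) can be turned into a small audit that lists the accounts which will hit the limit before their users discover it through denied access. This is an added example written for this page, not code from the bug report, from Red Hat or from Samba: the passwd/group contents and the user names alice, bob and carol are constructed, and the limit value is the one comment 5 quotes.

```python
"""Audit /etc/passwd + /etc/group style data for accounts whose supplementary
group list would exceed the 2.4 kernel's NGROUPS_MAX (32, per comment 5)."""
from typing import Dict, List, Set, Tuple

NGROUPS_MAX_2_4 = 32  # linux/limits.h value quoted in comment 5 (assumed unchanged here)


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> primary gid from /etc/passwd-format text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the audit
        users[fields[0]] = int(fields[3])
    return users


def parse_group(text: str) -> List[Tuple[str, int, Set[str]]]:
    """Return (name, gid, members) tuples from /etc/group-format text."""
    groups: List[Tuple[str, int, Set[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, _pw, gid, members = fields[:4]
        groups.append((name, int(gid), {m for m in members.split(",") if m}))
    return groups


def supplementary_gids(user: str, primary_gid: int,
                       groups: List[Tuple[str, int, Set[str]]]) -> Set[int]:
    """Distinct gid set the login carries: primary gid plus every group whose
    member list names the user. Listing the primary group again in /etc/group
    (comment 3) adds nothing extra because the set deduplicates the gid."""
    gids = {primary_gid}
    for _name, gid, members in groups:
        if user in members:
            gids.add(gid)
    return gids


def over_limit(passwd_text: str, group_text: str,
               limit: int = NGROUPS_MAX_2_4) -> Dict[str, int]:
    """Return {user: group_count} for every account whose count exceeds limit."""
    groups = parse_group(group_text)
    flagged: Dict[str, int] = {}
    for user, pgid in parse_passwd(passwd_text).items():
        n = len(supplementary_gids(user, pgid, groups))
        if n > limit:
            flagged[user] = n
    return flagged


# Constructed sample data (not from the bug report): three users sharing
# primary gid 100 ('users'), which is also listed explicitly in /etc/group.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1001:100:Alice:/home/alice:/bin/bash",
    "bob:x:1002:100:Bob:/home/bob:/bin/bash",
    "carol:x:1003:100:Carol:/home/carol:/bin/bash",
])


def _build_sample_group() -> str:
    """alice joins 32 departmental groups (33 gids in total, over the limit),
    carol joins 31 (exactly 32, at the limit), bob joins 10."""
    lines = ["root:x:0:", "users:x:100:alice,bob,carol"]
    for i in range(1, 33):
        members = ["alice"]
        if i <= 10:
            members.append("bob")
        if i <= 31:
            members.append("carol")
        lines.append(f"dept{i:02d}:x:{1000 + i}:{','.join(members)}")
    return "\n".join(lines)


SAMPLE_GROUP = _build_sample_group()


def audit_sample() -> Dict[str, int]:
    """Run the audit over the constructed sample; only alice is over the limit."""
    return over_limit(SAMPLE_PASSWD, SAMPLE_GROUP)


if __name__ == "__main__":
    for user, n in sorted(audit_sample().items()):
        print(f"{user}: {n} gids, exceeds NGROUPS_MAX={NGROUPS_MAX_2_4}")
```

On a real host the same functions can be fed the output of `getent passwd` and `getent group` so that NIS or LDAP members are counted too; carol sits exactly at 32 and is deliberately not flagged, which matches the 31-secondary-groups log in attachment 96802 succeeding while the 32-secondary-groups log in 96803 is denied.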

Comment 6 Jackie Meese 2004-10-08 18:38:08 EDT
This is a 2.4 kernel limitation, with pervasive userland issues.  I've
been dealing with this for years now, and it affects numerous
components, not just samba.

FC2 does not appear to have this problem IIRC, (though I haven't
tested with our NIS setup), so it would be a shame to wait until RH
3.1 or 4.0 to see this fixed.
Comment 7 RHEL Product and Program Management 2007-10-19 15:31:43 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
For more information on the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.