Bug 419901 - Regression: "valid users = +groupname" broke for ldap group
Summary: Regression: "valid users = +groupname" broke for ldap group
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Version: 4.6
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Samba Maint Team
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2007-12-11 15:50 UTC by David L. Parsley
Modified: 2007-12-11 16:57 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2007-12-11 16:57:42 UTC

Attachments (Terms of Use)

Description David L. Parsley 2007-12-11 15:50:20 UTC
Description of problem:
After applying latest samba security update, "valid users = +groupname" doesn't
properly detect group membership for a group in LDAP.
nsswitch has:
passwd:     files ldap
shadow:     files
group:      files ldap
If I su to my username:
[root@docs log]# su - parsledl
[parsledl@docs ~]$ groups
Medicat Users ITDocs_Users network

However, a share protected with "valid users = +ITDocs_Users" won't allow user
parsledl to connect unless I comment out that line.  This was working prior to
this mornings' update.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure groups in LDAP w/ nss_ldap and in nsswitch.conf
2. Add a user to an LDAP group, e.g. ITDocs_Users
3. Protect a share with "valid users = +ITDocs_Users"
4. Try connecting to the share
Actual results:
Permission denied

Expected results:
Connection allowed based on group membership.

Additional info:
If I look up the samba process with smbstatus, /proc/$pid/status only shows
primary group membership from /etc/passwd, and no other groups.

This is a security issue, since I have to comment out the valid users line to
allow access.

Comment 1 Simo Sorce 2007-12-11 16:15:20 UTC
As stated in the release notes the syntax of valid users and other options that
lists users have been made stricter (it had also security implications).
The syntax you are using was already discouraged but now it is mandatory to use
a Fully qualified user/group name.

It is required to use DOMAIN\<user/group>
DOMAIN can also be the machine NETBIOS name in case of local groups.

Comment 2 David L. Parsley 2007-12-11 16:28:22 UTC
This fixes it, sure enough, thanks!  I guess this must be in the samba release
notes?  I don't see anything in the RHEL4.6 release notes.  I tried to close
this as NOTABUG (I'm the submitter), but it didn't let me...

Comment 3 Simo Sorce 2007-12-11 16:57:42 UTC
search for the paragraph named "samba" under "Feature Updates"

I'll close the bug, thanks for confirming it works now.

Note You need to log in before you can comment on or make changes to this bug.