Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 419901 - Regression: "valid users = +groupname" broke for ldap group
Regression: "valid users = +groupname" broke for ldap group
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba (Show other bugs)
All Linux
low Severity high
: ---
: ---
Assigned To: Samba Maint Team
Depends On:
  Show dependency treegraph
Reported: 2007-12-11 10:50 EST by David L. Parsley
Modified: 2007-12-11 11:57 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-12-11 11:57:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David L. Parsley 2007-12-11 10:50:20 EST
Description of problem:
After applying latest samba security update, "valid users = +groupname" doesn't
properly detect group membership for a group in LDAP.
nsswitch has:
passwd:     files ldap
shadow:     files
group:      files ldap
If I su to my username:
[root@docs log]# su - parsledl
[parsledl@docs ~]$ groups
Medicat Users ITDocs_Users network

However, a share protected with "valid users = +ITDocs_Users" won't allow user
parsledl to connect unless I comment out that line.  This was working prior to
this mornings' update.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure groups in LDAP w/ nss_ldap and in nsswitch.conf
2. Add a user to an LDAP group, e.g. ITDocs_Users
3. Protect a share with "valid users = +ITDocs_Users"
4. Try connecting to the share
Actual results:
Permission denied

Expected results:
Connection allowed based on group membership.

Additional info:
If I look up the samba process with smbstatus, /proc/$pid/status only shows
primary group membership from /etc/passwd, and no other groups.

This is a security issue, since I have to comment out the valid users line to
allow access.
Comment 1 Simo Sorce 2007-12-11 11:15:20 EST
As stated in the release notes the syntax of valid users and other options that
lists users have been made stricter (it had also security implications).
The syntax you are using was already discouraged but now it is mandatory to use
a Fully qualified user/group name.

It is required to use DOMAIN\<user/group>
DOMAIN can also be the machine NETBIOS name in case of local groups.
Comment 2 David L. Parsley 2007-12-11 11:28:22 EST
This fixes it, sure enough, thanks!  I guess this must be in the samba release
notes?  I don't see anything in the RHEL4.6 release notes.  I tried to close
this as NOTABUG (I'm the submitter), but it didn't let me...
Comment 3 Simo Sorce 2007-12-11 11:57:42 EST
search for the paragraph named "samba" under "Feature Updates"

I'll close the bug, thanks for confirming it works now.

Note You need to log in before you can comment on or make changes to this bug.