On Sun, Jul 14, 2013 at 09:50:29AM -0400, Ira Cooper wrote:
> On Sun, Jul 14, 2013 at 8:23 AM, Andrew Bartlett <[email protected]> wrote:
>
> > On Wed, 2013-04-24 at 10:31 +1000, Andrew Bartlett wrote:
> > > Just a heads-up, because this bug took me absolutely ages to chase down,
> > > and I want to save others the same pain.
> > >
> > > Samba is perhaps the most prominent reason why you might find a user in
> > > more than 16 groups on a Unix system, and so this bug may at first
> > > appear to be a 'Samba issue' (that certainly is why it found its way to
> > > my attention :-)
> > >
> > > https://www.illumos.org/issues/3691
> > >
> > > In short, unless the group list we supply to setgroups() is sorted, if
> > > there are more than 16 groups, the Illumos kernel fails to honour some
> > > of the groups. Presumably there is a bisection search being done.
> > >
> > > The symptom for Samba users is that as a user is added to more groups,
> > > they lose access to folders they previously had access to.
> > >
> > > Attached is a total hack that appears to resolve the issue, but the real
> > > fix needs to be in glibc or the kernel.
> >
> > Just as a follow-up, if you experience this please also see
> > https://www.illumos.org/issues/3577 and
> > https://bugzilla.samba.org/show_bug.cgi?id=7588 for WORKAROUNDS if you
> > cannot fix/change your host OS. There is a patch for nss_winbind and
> > smbd attached to that bug, both of which are required to ensure both
> > Samba and other unix applications see all the windows groups.
> >
> > As we have now had success getting this fixed upstream I've not had time
> > to get back to applying these to Samba when we run on Solaris, but the
> > view was that for the small cost of a qsort we probably should. If a
> > DENY ACL is involved, this may also be a SECURITY issue, which is how we
> > finally got the root cause addressed upstream.
> >
> >
>
> Andrew,
>
> As the upstream developer who fixed the issue: The fix had nothing to do
> with security. It had to do with Bjorn posting the root cause, and that
> frankly I found sorting the list in samba beyond fugly.

May be beyond fugly, but I think Andrew was perfectly correct in doing so :-).

> I look at the fact you sorted the list in samba and just shake my head...
> The same qsort put in the illumos kernel fixes the issue for good.

Not everyone has the same familiarity with kernel programming as you :-).

> Given our past history with such bugs, I'd expect we'll tell people to
> upgrade their OS.

Yeah, but not everyone can do that easily. Having a fix for Samba only is A GOOD THING (tm) even if you think it's horrible :-).

Jeremy.
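
As an added illustration (not code from this thread, from Samba, or from illumos), the C sketch below shows how a bisection lookup over an unsorted supplementary group list can fail to find groups that are present, and how the qsort discussed in the thread avoids that. The lookup function and the gid values are constructed assumptions, and the setgroups() call itself is left out so the program runs unprivileged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* qsort() comparator: ascending gid order, no subtraction overflow. */
int gid_cmp(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Bisection lookup; only correct when list[] is sorted ascending.
 * Assumption: stands in for the lookup the thread presumes the kernel does. */
int gid_in_list(const gid_t *list, size_t n, gid_t want)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (list[mid] == want)
            return 1;
        if (list[mid] < want)
            lo = mid + 1;
        else
            hi = mid;
    }
    return 0;
}

/* Number of entries in list[] that the bisection lookup fails to find. */
size_t missed_groups(const gid_t *list, size_t n)
{
    size_t i, missed = 0;
    for (i = 0; i < n; i++)
        missed += !gid_in_list(list, n, list[i]);
    return missed;
}

/* Constructed sample: 17 supplementary gids in unsorted order. */
gid_t sample[17] = { 5000, 100, 5017, 20, 5003, 10, 5012, 5001, 30,
                     5009, 40, 5005, 50, 5015, 60, 5007, 70 };

int main(void)
{
    printf("unsorted: %zu missed\n", missed_groups(sample, 17));
    /* The workaround: sort the list before it would go to setgroups(). */
    qsort(sample, 17, sizeof(gid_t), gid_cmp);
    printf("sorted:   %zu missed\n", missed_groups(sample, 17));
    return 0;
}
```

A missed entry here corresponds to the symptom reported in the thread: a group the user belongs to is not honoured, which matters most when that group carries a DENY ACL.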
