[Samba] Very strange permissions issue with Samba 3.0.20(a/b)
Hi Guys,

First, thanks for all the hard work! You all rock.

I am running Samba 3.0.20a on RHEL 3 u5 x86, my configuration is working perfectly except for cvs commits for 3 users. We are using ADS, pam_winbind, and pam_require to authenticate CVS users against AD.

Our CVS directories are mod 2775, and the group ownership of all dirs is the AD group "DEN-CVS-Users". Every valid user is a member of this group. But a few users, while they are able to authenticate, and checkout, cannot commit files to the depot. Their group membership is hosed up somehow. Everything is working perfectly except for these few troublemakers.

The users can log into CVS, so their group membership is seen by winbind and passed to pam_require, but when it comes to writing to a file with AD group ownership they are denied. It works for the rest of us though, so we're baffled. The files are all mod 664.

This isn't a CVS issue, as I can login to our CVS server as an affected AD user and replicate the problem. For me, I can write to the depot just fine.

My questions:

1. Is there a limit to the number of groups a user may be a member of ( The most so far is 48 groups ) that would cause winbind problems?
2. Are there any special characters within an AD group name that would break winbind?
3. Besides a user's SID, and group membership, what could be different between users?

This is our setup:

smb.conf:

[global]
# workgroup = NT-Domain-Name or Workgroup-Name
netbios name = CVS-DR
workgroup = DEN
realm = DEN.FOO.COM
security = ADS
password server = den-dc1.den.foo.com
winbind use default domain = no
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
log level = 3
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /cvsroot
winbind cache time = 3600
winbind separator = -

---------- RHEL 3 u5 pam config -----------

/etc/pam.d/cvs:

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_require.so @DEN-CVS-Admins @DEN-CVS-Users @NY-CVS-Users @NY-CVS-Admins cvs
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password sufficient pam_winbind.so use_authtok
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_unix.so

As always, any suggestions would be much appreciated.

Thanks,
Andrew Scrivner
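A diagnostic for the first question in the post above, added here as an example and not part of the original message: it compares the group list the name service returns for a user with the system's NGROUPS_MAX and the group owner of a path. The function names are hypothetical, and it assumes a process keeps only the first NGROUPS_MAX groups in the order returned.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post).
# Assumption: a process keeps at most NGROUPS_MAX supplementary groups, in the
# order the name service returns them, so later groups are dropped.

# count_gids "gid gid ..." -> number of gids in the list
count_gids() {
    set -- $1
    echo "$#"
}

# gid_position WANT "gid gid ..." -> 1-based position of WANT, 0 if absent
gid_position() {
    want=$1; pos=0; i=0
    for g in $2; do
        i=$((i + 1))
        if [ "$g" = "$want" ]; then pos=$i; break; fi
    done
    echo "$pos"
}

# diagnose OWNER_GID LIMIT "gid gid ..." -> ok | not-member | truncated
diagnose() {
    pos=$(gid_position "$1" "$3")
    if [ "$pos" -eq 0 ]; then echo "not-member"
    elif [ "$pos" -gt "$2" ]; then echo "truncated"
    else echo "ok"
    fi
}

# Live usage: sh check_groups.sh USER PATH   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    gids=$(id -G "$1") || exit 1
    owner=$(stat -c %g "$2") || exit 1
    limit=$(getconf NGROUPS_MAX)
    echo "user=$1 groups=$(count_gids "$gids") limit=$limit owner_gid=$owner"
    echo "result=$(diagnose "$owner" "$limit" "$gids")"
fi
```

Running `id -G` with no user name from inside an affected user's session prints the groups that process actually holds, which can be compared with the list this script reads from the name service.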