wb_group_members: non-resistance against garbage

Dmitry Butskoy buc at odusz.so-cdu.ru
Fri Aug 12 10:07:32 MDT 2011


Hi,

I've discovered some (possibly rare) issue with the
"source3/winbindd/wb_group_members.c:wb_group_members_done()" function.
It seems that it could be more friendly under some broken AD configurations.

1) We have a complex AD forest, where remote corporate branches have their 
own slave DC.
2) Some of the branches have their own "local" domains (I am not familiar 
with whether trusted or not).
3) Some local admins of those branches include their own "local" members 
in the common corporate AD groups. 8)
4) As a result, we have a "correct" group with an incorrect member (due 
to a bad unknown SID).

All works fine with this, except "getent group". We certainly have 
"winbind enum groups = yes", but
"getent group" fails, whereas "getent group GRPNAME" works fine.

I've discovered that the error is NT_STATUS_TRUSTED_DOMAIN_FAILURE when 
winbindd tries to obtain group members. Now, this error breaks the whole 
obtaining process, hence "getent group" returns nothing about 
nss_winbind groups.

IMHO the best way is to ignore such an error, just leave the "bad" group 
"empty". This way we do not break "getent group"; it "continues to 
obtain" info from AD.

The proposed patch is attached. It fixes the issue for me.


Regards,
Dmitry Butskoy
         Red Hat Certified Engineer 805007668229091
         http://www.fedoraproject.org/wiki/DmitryButskoy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wb_group_members.patch
Type: text/x-diff
Size: 756 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110812/2e2fb49d/attachment.patch>
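The enumeration behaviour described in the report, modelled as an added C example (it is neither Samba's code nor the attached patch): a simplified NTSTATUS stand-in and a constructed set of groups, one of which fails its member lookup with NT_STATUS_TRUSTED_DOMAIN_FAILURE, with the "abort everything" behaviour beside the proposed "leave that group empty and continue" behaviour. The group names, the lookup_members() helper and the tolerate flag are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified stand-in for Samba's NTSTATUS; the numeric code is the standard
 * Windows value of STATUS_TRUSTED_DOMAIN_FAILURE. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK                     0x00000000u
#define NT_STATUS_TRUSTED_DOMAIN_FAILURE 0xC000018Cu
#define NT_STATUS_IS_OK(s) ((s) == NT_STATUS_OK)
/* Constructed sample directory (not real data): the middle group carries a
 * member SID from an unreachable "local" domain, so its member lookup fails. */
struct ad_group { const char *name; const char *members[4]; int lookup_fails; };
static const struct ad_group groups[] = {
    { "corp-admins", { "alice", "bob", NULL }, 0 },
    { "corp-devs",   { "carol", "dave", NULL }, 1 },
    { "corp-ops",    { "erin", NULL }, 0 },
};
#define NGROUPS (sizeof(groups) / sizeof(groups[0]))
/* Hypothetical stand-in for the per-group member lookup winbindd performs. */
static NTSTATUS lookup_members(const struct ad_group *g, const char **out, size_t *n)
{
    *n = 0;
    if (g->lookup_fails)
        return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
    for (; g->members[*n] != NULL; (*n)++)
        out[*n] = g->members[*n];
    return NT_STATUS_OK;
}
/* Enumerate every group; returns the number listed, or -1 on abort.
 * tolerate == 0 reproduces the report: the first TRUSTED_DOMAIN_FAILURE aborts
 * the whole listing. tolerate == 1 is the proposal: that group is listed with
 * no members and enumeration continues. */
int enumerate_groups(int tolerate, const char **listed, size_t *member_total)
{
    size_t listed_n = 0;
    *member_total = 0;
    for (size_t i = 0; i < NGROUPS; i++) {
        const char *members[4]; size_t n;
        NTSTATUS st = lookup_members(&groups[i], members, &n);
        if (!NT_STATUS_IS_OK(st)) {
            if (!tolerate || st != NT_STATUS_TRUSTED_DOMAIN_FAILURE)
                return -1;  /* abort: nothing at all reaches "getent group" */
            n = 0;          /* leave the "bad" group empty and carry on */
        }
        listed[listed_n++] = groups[i].name;
        *member_total += n;
    }
    return (int)listed_n;
}
```

Any other status code still aborts in the tolerant path, so only the trust failure the report names is treated as "empty group".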