[Samba] Possible winbind bugs.

steve steve at steve-ss.com
Fri Jul 11 03:29:22 MDT 2014


On Thu, 2014-07-10 at 21:10 +0200, Davor Vusir wrote:
> 
> On 10 Jul 2014 18:05, "Chan Min Wai" <dcmwai at gmail.com> wrote:
> >
> > Dear Steven,
> >
> > It should if all your AD groups are with GID.
> > Try to add GID to all your AD groups including the built-in ones.
> >
> > You should see that.
> >
> > If not, you might have found a new relevant bug that we are not sure of.
> >
> >
> > Thanks.
Hi
OK. Didn't know that, but no time to test, unless the OP needs evidence
for a bugzilla. We were just trying to help as it seems a pain to have
to do that. We never got consistent group behaviour with winbind which
is why we switched to an alternative.
Cheers

> >
> >
> >
> > Regards,
> > Chan Min Wai
> >
> > > steve <steve at steve-ss.com> wrote on 10/07/2014 11:49 PTG:
> > >
> > >> On Thu, 2014-07-10 at 16:28 +0100, Rowland Penny wrote:
> > >>> On 10/07/14 15:52, L.P.H. van Belle wrote:
> > >>>
> > >>>
> > >>>> -----Original message-----
> > >>>> From: rowlandpenny at googlemail.com
> > >>>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> > >>>> Sent: Thursday 10 July 2014 16:28
> > >>>> To: samba at lists.samba.org
> > >>>> Subject: Re: [Samba] Possible winbind bugs.
> > >>>>
> > >>>>> On 10/07/14 14:51, steve wrote:
> > >>>>>> On Thu, 2014-07-10 at 19:20 +0800, Chan Min Wai wrote:
> > >>>>>> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
> > >>>>>>> On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
> > >>>>>>>> On 10/07/14 10:27, steve wrote:
> > >>>>>>>>> On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
> > >>>>>>>>> Dear All,
> > >>>>>>>>>
> > >>>>>>>>> I've found a strange behavior on Winbind + getent group
> > >>>>>>>>>
> > >>>>>>>>> If there are AD/winbind groups that don't have any unix gid...
> > >>>>>>>>> getent group will only show local groups.
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>> If all the AD/winbind groups have a unix gid
> > >>>>>>>>> getent will reply with all the groups I have, including the AD/winbind groups.
> > >>>>>>>>>
> > >>>>>>>>> Did we have any bugs reported on this?
> > >>>>>>>>>
> > >>>>>>>>> Thank You.
> > >>>>>>>> Hi Chan
> > >>>>>>>>
> > >>>>>>>> Lots of confusion here.
> > >>>>>>>>
> > >>>>>>>> I don't think it's a bug because it would be reasonable to expect that
> > >>>>>>>> if we wish domain groups to behave as posix groups, then we must play by
> > >>>>>>>> posix rules and include a gid. Otherwise nss knows nothing about them.
> > >>>>>>>>
> > >>>>>>>> As we understand, must haves:
> > >>>>>>>> Domain groups: gidNumber
> > >>>>>>>> Domain users: uidNumber and gidNumber
> > >>>>>>> Hi, I thought that, until it was pointed out that if you use winbind,
> > >>>>>>> the user's gidNumber is ignored and winbind pulls the gidNumber directly
> > >>>>>>> from the primary group.
> > >>>>>>>
> > >>>>>>> So yes, the user's primary group must have a gidNumber, but the user does
> > >>>>>>> not need this added.
> > >>>>>>>
> > >>>>>>> Rowland
> > >>>>>>
> > >>>>>>
> > >>>>>>          Hi
> > >>>>>>          Yes, we agree. However, for completeness (and for those who do not use
> > >>>>>>          winbind) we mimic the Unix manner of obtaining the user's primary group:
> > >>>>>>          from the gidNumber listed in his DN.
> > >>>>>>          Just our translation of the evidence m'lud!
> > >>>>>>          Cheers
> > >>>>>>
> > >>>>>>
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>>
> > >>>>>> What I meant is...
> > >>>>>> When using winbind
> > >>>>>>
> > >>>>>>
> > >>>>>> If there is even one AD Group without gid.
> > >>>>>> "getent group" will return only local unix Groups
> > >>>>>>
> > >>>>>>
> > >>>>>> Which shouldn't be right.
> > >>>>>>
> > >>>>>>
> > >>>>>> "getent group" should return all AD Groups except the AD groups without
> > >>>>>> gid.
> > >>>>>> But our result here is different.
> > >>>>>>
> > >>>>>>
> > >>>>>> I believe that when getent group happens
> > >>>>>> winbind reads a group without gid and it crashes and returns 0 to getent
> > >>>>>> and thus
> > >>>>>>
> > >>>>>>
> > >>>>>> getent group returns only local unix groups.
> > >>>>>>
> > >>>>>>
> > >>>>>> You can easily try this by:
> > >>>>>>
> > >>>>>>
> > >>>>>> You will want to turn the winbind and idmap cache to as low as possible
> > >>>>>> for a fast result, like 1 second
> > >>>>>> like: (WARNING: Not to be used in actual production)
> > >>>>>> idmap cache time = 1
> > >>>>>> idmap negative cache time = 1
> > >>>>>> winbind cache time = 1
> > >>>>>>
> > >>>>>>
> > >>>>>> 1. Add a unix gid to all AD groups
> > >>>>>> 2. getent group returns all local unix groups + AD Groups (if you didn't,
> > >>>>>> go back to your AD groups and add all unix gids)
> > >>>>>> 3. Add one AD group without unix gid
> > >>>>>> 4. getent group returns only local unix groups
> > >>>>>>
> > >>>>>>
> > >>>>>> Hope this explains...
> > >>>>> Hi
> > >>>>> Yes, sorry. I see what you mean now. Not had time to test, but if you
> > >>>>> want this to work with winbind, you have to make:
> > >>>>> objectClass: posixGroup
> > >>>>> visible in the group DN.
> > >>>>> Cheers,
> > >>>>> Steve
> > >>>> The fact that 'getent group' does not show AD groups is well known and
> > >>>> adding the posixGroup objectClass will not make it work!
> > >>>>
> > >>>> You can either add a gidNumber to every AD group (not really a good
> > >>>> idea), run 'getent group <AD group name>' or use something else instead
> > >>>> of winbind.
> > >>>>
> > >>>> Rowland
> > >>>> --
> > >>>> To unsubscribe from this list go to the following URL and read the
> > >>>> instructions:  https://lists.samba.org/mailman/options/samba
> > >>> Huh ?
> > >>>
> > >>> when I add winbind in  /etc/nsswitch.conf
> > >>> and type getent group on my DC I see ALL my groups, local and AD\windows groups
> > >>> ( but I don't use that on my DC )
> > >>>
> > >>> on my member I need to say :
> > >>> getent group "DOMAIN\Mygroup" or
> > >>> getent group "Mygroup"
> > >>>
> > >>> getent group "Domain Users"
> > >>> domain users:x:5000:
> > >>>
> > >>> and ONLY the groups with a gid will return.
> > >>>
> > >>> and as far as I know this is by design.
> > >>>
> > >>>
> > >>> Louis
> > >> Hi Louis, The only problem I have with what you posted is the word
> > >> 'design', I think that it is a long standing bug and hopefully when 4.2
> > >> comes out, it will have been squashed.
> > >>
> > >> Rowland
> > >
> > > Hi
> > > Just to add that real winbind has _never_ returned domain groups from:
> > > getent group
> > > It only returns with:
> > > getent group <group>
> > > enum or no enum.
> > > HTH,
> > > Steve
> > >
> 
> Probably not related but hopefully of interest:
> https://lists.samba.org/archive/samba/2014-March/180173.html
> 
> Regards
> Davor
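The thread's practical point is that winbind only exposes a domain group to NSS when the group object carries a gidNumber, and that enumerating with a bare `getent group` is not a reliable way to find out which groups are missing one. The script below is an added example, not code from the list thread or from Samba: it parses a small constructed LDIF-style export of group objects, reports which groups have no gidNumber (and so will not resolve through `getent group <name>`), flags gidNumber values shared by more than one group (an easy mistake when adding gids by hand), and renders the `name:x:gid:` line a visible group should produce. The lowercasing of the group name mirrors the `domain users:x:5000:` output quoted by Louis and is an assumption about the local winbind configuration; `parse_ldif` deliberately skips base64 and continuation-line handling because the sample does not need them.

```python
"""Audit an AD group export for the gidNumber attribute winbind needs.

Added example, not code from the Samba list thread. It parses a small
constructed LDIF-style dump of group objects and reports which groups
have no gidNumber (invisible to NSS through winbind, so absent from
'getent group <name>' output) and which gidNumber values collide.
"""
from collections import defaultdict

# Constructed sample: two groups with a gidNumber, one built-in group
# without one, and a fourth group that reuses an existing gidNumber.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
cn: Domain Users
objectClass: group
gidNumber: 5000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
cn: Domain Admins
objectClass: group
gidNumber: 5001

dn: CN=Printer Operators,CN=Builtin,DC=example,DC=com
cn: Printer Operators
objectClass: group

dn: CN=Staff,CN=Users,DC=example,DC=com
cn: Staff
objectClass: group
gidNumber: 5000
"""


def parse_ldif(text):
    """Parse records of 'attr: value' lines separated by blank lines.

    Multi-valued attributes (e.g. objectClass) are collected into lists.
    Base64 (':: ') values and folded continuation lines are not handled;
    the constructed sample above does not use them.
    """
    records, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        records.append(dict(current))
    return records


def audit_groups(records):
    """Split groups into those NSS can resolve and those it cannot."""
    visible, missing, by_gid = [], [], defaultdict(list)
    for rec in records:
        name = rec["cn"][0]
        gids = rec.get("gidNumber", [])
        if not gids:
            missing.append(name)          # no gidNumber: winbind will not expose it
            continue
        gid = int(gids[0])
        visible.append((name, gid))
        by_gid[gid].append(name)
    duplicates = {gid: names for gid, names in by_gid.items() if len(names) > 1}
    return {"visible": visible, "missing": missing, "duplicates": duplicates}


def expected_getent_line(name, gid):
    """Render the line 'getent group <name>' should print for a visible group.

    Assumption: the member-server output quoted in the thread shows the
    name lowercased ('domain users:x:5000:'), so the name is lowercased here.
    """
    return f"{name.lower()}:x:{gid}:"


if __name__ == "__main__":
    result = audit_groups(parse_ldif(SAMPLE_LDIF))
    for name, gid in result["visible"]:
        print(expected_getent_line(name, gid))
    for name in result["missing"]:
        print(f"no gidNumber: {name!r} will not resolve through winbind")
    for gid, names in result["duplicates"].items():
        print(f"gidNumber {gid} shared by {names}; group resolution is ambiguous")
```

Run against a real export (for example the output of an `ldbsearch` or `ldapsearch` query for group objects, with the caveats noted in `parse_ldif`), the `missing` list is the set of groups to fix before expecting them to appear on a member server, and `duplicates` catches the case where two groups were given the same gid.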