getgroups() gives wrong result with nss_winbind

Andreas andreas at conectiva.com.br
Fri Sep 17 12:56:53 GMT 2004 

On Fri, Sep 17, 2004 at 11:58:05AM +1000, tridge at samba.org wrote:
> I just had a quick look at the glibc 2.3.2 to 2.3.3 diff, and there
> are certainly quite a few changes around getgroups/setgroups and
> related code. Perhaps there is a bug in those changes?

Could be, but all those tests worked when I used local user and groups. They
only failed with users coming from winbind, but of course it could still be
a bug in glibc.

> I'd now suggest you use the tool nsstest to see exactly what the
> winbind nss module is giving. nsstest bypasses glibc, so it avoids any
> glibc bugs. You can get the latest nsstest from:
> 
>     http://samba.org/ftp/unpacked/junkcode/nsstest.c
> 
> build it like this:
> 
>     gcc -o nsstest nsstest.c -ldl
> 
> and use it on winbind like this:
> 
>      nsstest /lib/libnss_winbind.so.2
> 
> you can also run it on any other nss module in a similar
> fashion. 

Done.

> The lines to look for are the initgroups results. The initgroups call
> is the way that glibc gets the group information for a user from
> winbindd.

Well, it gets all 200+ groups from this user (marcia). So, not a winbind problem
after all?

Testing user DOMAIN\marcia
getpwent:   DOMAIN\marcia:x:16777216:16777216:marcia:/home/DOMAIN/marcia:/bin/bash
getpwuid:   DOMAIN\marcia:x:16777216:16777216:marcia:/home/DOMAIN/marcia:/bin/bash
getpwnam:   DOMAIN\marcia:x:16777216:16777216:marcia:/home/DOMAIN/marcia:/bin/bash
initgroups: 16777216, 16777217, 16777218, 16777219, 16777220, 16777221, 16777222, 16777223, 16777224, 16777225,
16777226, 16777227, 16777228, 16777229, 16777230, 16777231, 16777232, 16777233, 16777234, 16777235, 16777236, 16
777237, 16777238, 16777239, 16777240, 16777241, 16777242, 16777243, 16777244, 16777245, 16777246, 16777247, 1677
7248, 16777249, 16777250, 16777251, 16777252, 16777253, 16777254, 16777255, 16777256, 16777257, 16777258, 167772
59, 16777260, 16777261, 16777262, 16777263, 16777264, 16777265, 16777266, 16777267, 16777268, 16777269, 16777270
, 16777271, 16777272, 16777273, 16777274, 16777275, 16777276, 16777277, 16777278, 16777279, 16777280, 16777281,
16777282, 16777283, 16777284, 16777285, 16777286, 16777287, 16777288, 16777289, 16777290, 16777291, 16777292, 16
777293, 16777294, 16777295, 16777296, 16777297, 16777298, 16777299, 16777300, 16777301, 16777302, 16777303, 1677
7304, 16777305, 16777306, 16777307, 16777308, 16777309, 16777310, 16777311, 16777312, 16777313, 16777314, 167773
15, 16777316, 16777317, 16777318, 16777319, 16777320, 16777321, 16777322, 16777323, 16777324, 16777325, 16777326
, 16777327, 16777328, 16777329, 16777330, 16777331, 16777332, 16777333, 16777334, 16777335, 16777336, 16777337,
16777338, 16777339, 16777340, 16777341, 16777342, 16777343, 16777344, 16777345, 16777346, 16777347, 16777348, 16
777349, 16777350, 16777351, 16777352, 16777353, 16777354, 16777355, 16777356, 16777357, 16777358, 16777359, 1677
7360, 16777361, 16777362, 16777363, 16777364, 16777365, 16777366, 16777367, 16777368, 16777369, 16777370, 167773
71, 16777372, 16777373, 16777374, 16777375, 16777376, 16777377, 16777378, 16777379, 16777380, 16777381, 16777382
, 16777383, 16777384, 16777385, 16777386, 16777387, 16777388, 16777389, 16777390, 16777391, 16777392, 16777393,
16777394, 16777395, 16777396, 16777397, 16777398, 16777399, 16777400, 16777401, 16777402, 16777403, 16777404, 16
777405, 16777406, 16777407, 16777408, 16777409, 16777410, 16777411, 16777412, 16777413, 16777414, 16777415, 1677
7416, 16777417, 16777418, 16777419, 16777420, 16777421, 16777422, 16777423, 16777424, 16777425, 16777426, 167774
27, 16777428, 16777429, 16777430, 16777431, 16777432, 16777433, 16777434, 16777435, 16777436, 16777437, 16777438
, 16777439

It only failed with the users from the BUILTIN domain:
Testing group BUILTIN\System Operators
getgrent: BUILTIN\System Operators:x:16778329:
ERROR: can't getgrnam
Testing group BUILTIN\Replicators
getgrent: BUILTIN\Replicators:x:16778330:
ERROR: can't getgrnam
Testing group BUILTIN\Guests
getgrent: BUILTIN\Guests:x:16778331:
ERROR: can't getgrnam
Testing group BUILTIN\Power Users
getgrent: BUILTIN\Power Users:x:16778332:
ERROR: can't getgrnam
Testing group BUILTIN\Print Operators
getgrent: BUILTIN\Print Operators:x:16778333:
ERROR: can't getgrnam
Testing group BUILTIN\Administrators
getgrent: BUILTIN\Administrators:x:16778334:
ERROR: can't getgrnam
Testing group BUILTIN\Account Operators
getgrent: BUILTIN\Account Operators:x:16778335:
ERROR: can't getgrnam
Testing group BUILTIN\Backup Operators
getgrent: BUILTIN\Backup Operators:x:16778336:
ERROR: can't getgrnam
Testing group BUILTIN\Users
getgrent: BUILTIN\Users:x:16777217:
ERROR: can't getgrnam

More information about the samba-technical mailing list