Winbind nested groups behavior

Gerald (Jerry) Carter jerry at samba.org
Tue Feb 14 03:47:12 GMT 2006



Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
>>> It seems that users from the machine's local list of accounts
>>> (e.g. RHEL4\jerry) are not reported back via the NSS calls.
>>> Is this intentional?  And if so, why?
> 
> OK.  I think I see why now.  The SID for the local user accounts
> is failing to resolve to a name.
> 
> Converting SID S-1-5-21-621598136-2167367217-3215645308-2000
> sid_to_name failed for sid S-1-5-21-621598136-2167367217-3215645308-2000
> 
> I'm assuming that this is just a bug.  I'll fix things up.

OK.  That was pretty easy to fix (I know I haven't actually
checked the fix in yet).

The next thing is that 'su - jerry' does not pick up the
local group membership.  Only those from /etc/group appear
to be recognized.  Granted this is an expensive operation,
but the problem seems to be

	process_request: request fn GETGROUPS
	[    0]: getgroups jerry
	Retrieving response for pid 10530
	lookup_name returned an error

Winbindd's nature is to ignore users outside of its domain
in order to prevent recursive loops with smbd.  But we do
include the local/builtin groups for domain users.

	# su - 'COLOR\Administrator'
	-bash-3.00$ id
	uid=10000(COLOR\administrator) gid=10000(COLOR\domain users)
	groups=10000(COLOR\domain users),10001(COLOR\schema admins),
	10002(COLOR\enterprise admins),10003(COLOR\group policy creator
	owners),10004(COLOR\domain admins),
	10011(BUILTIN\users),10024(BUILTIN\administrators)

So it seems we should at least be performing the name-to-SID
lookup using the passdb backend and checking local groups for that SID.

Comments?



cheers, jerry
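The lookup order proposed in this message, as an added model that is not Samba's own code: name-to-SID resolution that falls back to the passdb backend for local accounts, followed by transitive expansion of group membership so that nested and BUILTIN groups appear, as in the id output quoted above. The domain SID, the RHEL4\devel group and every RID other than 2000 are constructed assumptions.

```python
"""Model of winbindd's getgroups lookup order (constructed, not Samba code)."""

# Constructed sample data. The RHEL4 SID prefix and RID 2000 are the ones
# from the log line quoted in the message; everything else is assumed.
DOMAIN, LOCAL = "COLOR", "RHEL4"
DOMAIN_SID = "S-1-5-21-100-200-300"
LOCAL_SID = "S-1-5-21-621598136-2167367217-3215645308"

DOMAIN_USERS = {"Administrator": f"{DOMAIN_SID}-500"}   # resolved via the DC
PASSDB_USERS = {"jerry": f"{LOCAL_SID}-2000"}           # local passdb account

# Group SID -> display name and member SIDs. Members may themselves be
# groups, which is what makes BUILTIN membership appear for domain users.
GROUPS = {
    f"{DOMAIN_SID}-513": ("COLOR\\domain users", {f"{DOMAIN_SID}-500"}),
    f"{DOMAIN_SID}-512": ("COLOR\\domain admins", {f"{DOMAIN_SID}-500"}),
    "S-1-5-32-544": ("BUILTIN\\administrators", {f"{DOMAIN_SID}-512"}),
    "S-1-5-32-545": ("BUILTIN\\users", {f"{DOMAIN_SID}-513", f"{LOCAL_SID}-1001"}),
    f"{LOCAL_SID}-1001": ("RHEL4\\devel", {f"{LOCAL_SID}-2000"}),
}


def lookup_name(domain, user, use_passdb):
    """Resolve DOMAIN\\user to a SID. Without the passdb fallback a local
    account is outside winbindd's domain and fails, as in the log."""
    if domain == DOMAIN and user in DOMAIN_USERS:
        return DOMAIN_USERS[user]
    if use_passdb and domain == LOCAL and user in PASSDB_USERS:
        return PASSDB_USERS[user]
    return None


def getgroups(name, use_passdb):
    """Return the sorted group names for a user, or None when the name does
    not resolve ("lookup_name returned an error" in the trace above)."""
    domain, _, user = name.partition("\\")
    sid = lookup_name(domain, user, use_passdb)
    if sid is None:
        return None
    # Transitive closure over nested membership: any group that lists a SID
    # we already hold (the user or one of its groups) is held as well.
    held, changed = {sid}, True
    while changed:
        changed = False
        for gsid, (_, members) in GROUPS.items():
            if gsid not in held and members & held:
                held.add(gsid)
                changed = True
    return sorted(GROUPS[g][0] for g in held if g in GROUPS)
```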