winbindd GETGRENT results in trusted domains environment
Sergey Tashkinov
sergeyt1 at ukr.net
Wed Jun 30 01:46:13 MDT 2010
Good day.
1. We have configured two domain controllers on Windows 2003 R2. We
named them TEST.LOCAL and CHILD.TEST.LOCAL respectively and made a trust
relationships between them.
2. We have installed Samba 3.5.3 on Ubuntu 9.10, kernel 2.6.31-14 and
configured it for using winbindd.
We have encountered a problem with results that winbind returns upon
a command GETGRENT. We have obtained those results with the command
"getent group".
In a case if both domain controllers are turned on everything works well
and we can get groups of users from both domains, for example:
root at ubuntu:/home/user# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:user
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:user
fax:x:21:
voice:x:22:
cdrom:x:24:user
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:pulse
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:user
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
syslog:x:102:
fuse:x:103:
lpadmin:x:104:user
ssl-cert:x:105:
messagebus:x:106:
crontab:x:107:
mlocate:x:108:
ssh:x:109:
avahi-autoipd:x:110:
avahi:x:111:
netdev:x:112:
couchdb:x:113:
haldaemon:x:114:
admin:x:115:user
saned:x:116:
pulse:x:117:
pulse-access:x:118:
gdm:x:119:
user:x:1000:
sambashare:x:120:user
winbindd_priv:x:121:
TEST\helpservicesgroup:x:100003:TEST\support_388945a0
TEST\telnetclients:x:100004:
TEST\domain computers:x:100005:
TEST\domain controllers:x:100006:
TEST\schema admins:x:100007:TEST\administrator
TEST\enterprise admins:x:100008:TEST\administrator
TEST\cert publishers:x:100009:
TEST\domain admins:x:100010:TEST\administrator
TEST\domain users:x:100011:
TEST\domain guests:x:100012:
TEST\group policy creator owners:x:100013:TEST\administrator
TEST\ras and ias servers:x:100014:
TEST\dnsadmins:x:100015:
TEST\dnsupdateproxy:x:100016:
TEST\group1:x:100017:
TEST\group2:x:100018:
TEST\group3:x:100019:
TEST\group4:x:100020:
TEST\group5:x:100021:
TEST\group6:x:100022:
TEST\group7:x:100023:
TEST\group8:x:100024:
TEST\group9:x:100025:
TEST\group10:x:100026:
TEST\group11:x:100027:
CHILD\domain computers:x:100030:
CHILD\domain controllers:x:100031:
CHILD\domain admins:x:100032:CHILD\administrator
CHILD\domain users:x:100033:
CHILD\domain guests:x:100034:
CHILD\group policy creator owners:x:100035:CHILD\administrator
If we turn off the domain CHILD.TEST.LOCAL then "getent group" doesn't
return any groups from neither domains, even from TEST.LOCAL.
root at ubuntu:/home/user# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:user
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:user
fax:x:21:
voice:x:22:
cdrom:x:24:user
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:pulse
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:user
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
syslog:x:102:
fuse:x:103:
lpadmin:x:104:user
ssl-cert:x:105:
messagebus:x:106:
crontab:x:107:
mlocate:x:108:
ssh:x:109:
avahi-autoipd:x:110:
avahi:x:111:
netdev:x:112:
couchdb:x:113:
haldaemon:x:114:
admin:x:115:user
saned:x:116:
pulse:x:117:
pulse-access:x:118:
gdm:x:119:
user:x:1000:
sambashare:x:120:user
winbindd_priv:x:121:
But Samba 3.2.15 returned groups from TEST domain in both cases.
The configuration files we used in a test environment for Samba,
Nsswitch and PAM are listed below.
#/etc/smb.conf
[global]
security = ads
encrypt passwords = yes
password server = ws2003.test.local
workgroup = test
realm = TEST.LOCAL
netbios name = ubuntu
allow trusted domains = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
winbind separator = \
winbind uid = 100000-2000000
winbind gid = 100000-2000000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
server string = %h server
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
debug level = 11
[public]
comment = Public
path=/home/public
browsable=yes
writable=yes
admin users=user
# /etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
# /etc/pam.d/samba
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
session sufficient pam_winbind.so
@include common-auth
@include common-account
@include common-session
It is important for us to get group list namely with the command "getent
group", without using "wbinfo -g".
We have analized the source code of winbindd daemon and revealed that
the problem was in a value that function
"rpccli_wbint_QueryGroupList_recv" returns. If one of domains is turned
off it returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND. We have prepared
the patch that overcomes the problem by just ignoring that code.
Could you comment the way we fixed the problem? Will not it cause any
problems to winbindd?
Best regards, Sergey Tashkinov.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.5.3.winbind-getgrent.patch
Type: text/x-diff
Size: 781 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100630/d2635a95/attachment.patch>
More information about the samba-technical
mailing list