winbindd GETGRENT results in trusted domains environment

Sergey Tashkinov sergeyt1 at ukr.net
Wed Jun 30 01:46:13 MDT 2010


Good day.

1. We have configured two domain controllers on Windows 2003 R2. We 
named them TEST.LOCAL and CHILD.TEST.LOCAL respectively and made a trust 
relationship between them.
2. We have installed Samba 3.5.3 on Ubuntu 9.10, kernel 2.6.31-14, and 
configured it to use winbindd.

   We have encountered a problem with the results that winbind returns for 
the GETGRENT request. We obtained those results with the command 
"getent group".

If both domain controllers are turned on, everything works well and we 
can get the groups of users from both domains, for example:

root@ubuntu:/home/user# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:user
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:user
fax:x:21:
voice:x:22:
cdrom:x:24:user
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:pulse
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:user
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
syslog:x:102:
fuse:x:103:
lpadmin:x:104:user
ssl-cert:x:105:
messagebus:x:106:
crontab:x:107:
mlocate:x:108:
ssh:x:109:
avahi-autoipd:x:110:
avahi:x:111:
netdev:x:112:
couchdb:x:113:
haldaemon:x:114:
admin:x:115:user
saned:x:116:
pulse:x:117:
pulse-access:x:118:
gdm:x:119:
user:x:1000:
sambashare:x:120:user
winbindd_priv:x:121:
TEST\helpservicesgroup:x:100003:TEST\support_388945a0
TEST\telnetclients:x:100004:
TEST\domain computers:x:100005:
TEST\domain controllers:x:100006:
TEST\schema admins:x:100007:TEST\administrator
TEST\enterprise admins:x:100008:TEST\administrator
TEST\cert publishers:x:100009:
TEST\domain admins:x:100010:TEST\administrator
TEST\domain users:x:100011:
TEST\domain guests:x:100012:
TEST\group policy creator owners:x:100013:TEST\administrator
TEST\ras and ias servers:x:100014:
TEST\dnsadmins:x:100015:
TEST\dnsupdateproxy:x:100016:
TEST\group1:x:100017:
TEST\group2:x:100018:
TEST\group3:x:100019:
TEST\group4:x:100020:
TEST\group5:x:100021:
TEST\group6:x:100022:
TEST\group7:x:100023:
TEST\group8:x:100024:
TEST\group9:x:100025:
TEST\group10:x:100026:
TEST\group11:x:100027:
CHILD\domain computers:x:100030:
CHILD\domain controllers:x:100031:
CHILD\domain admins:x:100032:CHILD\administrator
CHILD\domain users:x:100033:
CHILD\domain guests:x:100034:
CHILD\group policy creator owners:x:100035:CHILD\administrator

If we turn off the domain CHILD.TEST.LOCAL, then "getent group" doesn't 
return any groups from either domain, not even from TEST.LOCAL.

root@ubuntu:/home/user# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:user
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:user
fax:x:21:
voice:x:22:
cdrom:x:24:user
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:pulse
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:user
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
syslog:x:102:
fuse:x:103:
lpadmin:x:104:user
ssl-cert:x:105:
messagebus:x:106:
crontab:x:107:
mlocate:x:108:
ssh:x:109:
avahi-autoipd:x:110:
avahi:x:111:
netdev:x:112:
couchdb:x:113:
haldaemon:x:114:
admin:x:115:user
saned:x:116:
pulse:x:117:
pulse-access:x:118:
gdm:x:119:
user:x:1000:
sambashare:x:120:user
winbindd_priv:x:121:

But Samba 3.2.15 returned the groups from the TEST domain in both cases.

The configuration files we used in the test environment for Samba, 
nsswitch and PAM are listed below.

# /etc/smb.conf
[global]
     security = ads
     encrypt passwords = yes
     password server = ws2003.test.local
     workgroup = test
     realm = TEST.LOCAL
     netbios name = ubuntu
     allow trusted domains = yes

     passwd program = /usr/bin/passwd %u
     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

     winbind separator = \
     winbind uid = 100000-2000000
     winbind gid = 100000-2000000
     winbind enum users = yes
     winbind enum groups = yes
     template homedir = /home/winnt/%D/%U
     template shell = /bin/bash

     server string = %h server
     log file = /var/log/samba/log.%m
     max log size = 1000
     syslog = 0

     debug level = 11

[public]
     comment = Public
     path=/home/public
     browsable=yes
     writable=yes
     admin users=user

# /etc/nsswitch.conf
passwd:         files winbind
group:          files winbind
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

# /etc/pam.d/samba
auth       sufficient    pam_winbind.so
account    sufficient    pam_winbind.so
session    sufficient    pam_winbind.so

@include common-auth
@include common-account
@include common-session


It is important for us to get the group list specifically with the command 
"getent group", without using "wbinfo -g".

We have analyzed the source code of the winbindd daemon and found that 
the problem is in the value that the function 
"rpccli_wbint_QueryGroupList_recv" returns. If one of the domains is turned 
off, it returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND. We have prepared 
a patch that overcomes the problem by simply ignoring that status code.

Could you comment on the way we fixed the problem? Won't it cause any 
problems for winbindd?

Best regards, Sergey Tashkinov.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.5.3.winbind-getgrent.patch
Type: text/x-diff
Size: 781 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100630/d2635a95/attachment.patch>
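Editor's note, with an added example that is not part of the post above or of Samba's own code. Whether winbindd aborts the whole enumeration (the 3.5.3 behaviour reported here) or the proposed patch makes it skip the unreachable domain, the caller of "getent group" cannot tell a failed lookup from "that domain has no groups". Anything that derives membership from the NSS view (group-based sudoers rules, file ACLs keyed by group name, provisioning scripts) therefore needs its own check that every expected domain is still present. The script below is one such check: it parses getent-style group lines, counts the groups per domain prefix, and fails if an expected domain has dropped out. It assumes "winbind separator = \" as in the smb.conf in the post; the list of expected domains and the sample data are supplied by the caller and constructed here from the two listings above.

```shell
#!/bin/sh
# Added example (not from the post or from Samba): detect a trusted domain
# silently missing from the winbind-backed "getent group" output.
#
# Assumptions (hypothetical, chosen to match the smb.conf in the post):
#   - winbind separator = \   (group names look like DOMAIN\group)
#   - the expected domain names are supplied by the caller

BS='\'

# count_domain_groups DOMAIN
#   Reads getent-style group lines on stdin and prints how many belong to
#   DOMAIN (case-insensitive match on the "DOMAIN\" prefix of the name field).
#   The separator is passed through the environment because awk -v would
#   interpret a trailing backslash as an escape.
count_domain_groups() {
  SEP="$BS" awk -F: -v dom="$1" '
    BEGIN { pfx = toupper(dom ENVIRON["SEP"]) }
    index(toupper($1), pfx) == 1 { n++ }
    END { print n + 0 }
  '
}

# list_domains
#   Prints the distinct domain prefixes seen on stdin, one per line, sorted,
#   so unexpected or missing domains are easy to eyeball.
list_domains() {
  SEP="$BS" awk -F: '
    {
      i = index($1, ENVIRON["SEP"])
      if (i > 1) seen[substr($1, 1, i - 1)] = 1
    }
    END { for (d in seen) print d }
  ' | sort
}

# check_domains "GETENT_OUTPUT" DOMAIN...
#   Returns 0 when every listed domain has at least one group in the output;
#   otherwise prints the missing domains to stderr and returns 1.
check_domains() {
  input=$1
  shift
  missing=""
  for d in "$@"; do
    n=$(printf '%s\n' "$input" | count_domain_groups "$d")
    [ "$n" -gt 0 ] || missing="$missing $d"
  done
  if [ -n "$missing" ]; then
    printf 'winbind groups missing for:%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# Constructed sample data, trimmed from the two listings in the post:
# both DCs reachable, and CHILD.TEST.LOCAL switched off.
SAMPLE_BOTH_UP='root:x:0:
user:x:1000:
TEST\domain admins:x:100010:TEST\administrator
TEST\domain users:x:100011:
CHILD\domain admins:x:100032:CHILD\administrator
CHILD\domain users:x:100033:'

SAMPLE_CHILD_DOWN='root:x:0:
user:x:1000:'

# Stand-alone run against the sample data.
main() {
  check_domains "$SAMPLE_BOTH_UP" TEST CHILD && echo "both DCs up: ok"
  check_domains "$SAMPLE_CHILD_DOWN" TEST CHILD || echo "CHILD down: missing domains detected"
}

main
```

On a live host, replace the sample with the real NSS view, for example `check_domains "$(getent group)" TEST CHILD`, and run it from cron or a monitoring agent so that a domain controller outage shows up as an alert rather than as quietly shrunken group membership.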

