wb_group_members: non-resistance against garbage
Volker.Lendecke at SerNet.DE
Thu Aug 25 12:14:13 MDT 2011
On Fri, Aug 12, 2011 at 08:07:32PM +0400, Dmitry Butskoy wrote:
> I've discovered a (possibly rare) issue with
> "source3/winbindd/wb_group_members.c:wb_group_members_done()" function.
> It seems that it can be more friendly under some broken AD configurations.
> 1) We have a complex AD forest, where remote corporate branches have
> their own slave DC.
> 2) Some of the branches have their own "local" domains (I am not familiar
> whether trusted or not).
> 3) Some local admins of those branches include their own "local"
> members into the common corporate AD groups. 8)
> 4) As a result, we have a "correct" group with an incorrect member
> (due to bad unknown sid).
> All work fine with this, except the "getent group". We certainly
> have "winbind enum groups = yes", but
> "getent group" fails, whereas "getent group GRPNAME" works fine.
> I've discovered that the error is NT_STATUS_TRUSTED_DOMAIN_FAILURE
> when winbindd tries to obtain group members. Now, this error breaks
> all the obtaining process, hence "getent groups" returns nothing
> about nss_winbind groups.
> IMHO the best way is to ignore such an error, just leave the "bad"
> group "empty". This way we do not break "getent group", it "continues
> to obtain" info from AD.
> The proposed patch attached. It fixes the issue for me.
Does the attached patch also fix the issue? I think it is a
bit more fine-grained.
With best regards,
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 943 bytes
Desc: not available