ctdb in autobuild broken -- ctdb depends on winbind now????

Rowland Penny repenny241155 at gmail.com
Mon Jan 9 16:58:18 UTC 2017


On Mon, 9 Jan 2017 17:30:52 +0100
Michael Adam <obnox at samba.org> wrote:

> On 2017-01-09 at 14:08 +0100, Andreas Schneider wrote:
> > On Friday, 6 January 2017 11:53:16 CET Volker Lendecke wrote:
> > > Quick update: If I run
> > > 
> > > make test TESTS=samba.blackbox.wbinfo
> > > 
> > > locally, I get two unexpected successes.
> > > 
> > > Some tests are designed to fail and now succeed when running
> > > isolated. Some tests are designed to succeed and now fail when
> > > running in the full run.
> > > 
> > > If I look at selftest/knownfail, I see
> > > 
> > > # These do not work against winbindd in member mode for unknown
> > > reasons
> > 
> > Yes, that's the test running against the s4member target. I don't
> > really know what a s4member is or means. However it seems to be
> > broken!
> > 
> > $ bin/wbinfo --user-groups "SAMBADOMAIN/administrator"
> > 3000000
> > 3000001
> > $ bin/wbinfo --gid-to-sid 3000000
> > S-1-5-21-2767970802-1178991037-3063653489-500
> > $ bin/wbinfo --sid-to-name S-1-5-21-2767970802-1178991037-3063653489-500
> > SAMBADOMAIN/administrator 1
> > $ bin/wbinfo -g
> > SAMBADOMAIN/allowed rodc password replication group
> > SAMBADOMAIN/enterprise read-only domain controllers
> > SAMBADOMAIN/denied rodc password replication group
> > SAMBADOMAIN/read-only domain controllers
> > SAMBADOMAIN/group policy creator owners
> > SAMBADOMAIN/ras and ias servers
> > SAMBADOMAIN/domain controllers
> > SAMBADOMAIN/enterprise admins
> > SAMBADOMAIN/domain computers
> > SAMBADOMAIN/cert publishers
> > SAMBADOMAIN/dnsupdateproxy
> > SAMBADOMAIN/domain admins
> > SAMBADOMAIN/domain guests
> > SAMBADOMAIN/schema admins
> > SAMBADOMAIN/domain users
> > SAMBADOMAIN/dnsadmins
> > $ bin/wbinfo --name-to-sid "SAMBADOMAIN/administrator"
> > S-1-5-21-2767970802-1178991037-3063653489-500 SID_USER (1)
> > 
> > 
> > 
> > 
> > $ bin/wbinfo --user-groups "SAMBADOMAIN/administrator"
> > 
> > lists 300000, which is the uid from Administrator, as a gid!
> 
> Yes? I don't think this per se is a problem...

No it doesn't, it shows that 'Administrator' (UID 0) is a member of
group 3000000 which is the 'Administrators' group.
> 
> The same numerical value can be used both for a UID
> and a GID in a unix system. (On most Linux distros
> you get a Group of the same name and ID value as the
> default group for a newly created user...)

Not on a Samba AD DC you don't, except for a very few users that are
mapped in idmap.ldb and they are only 'ID_TYPE_BOTH' so they can 'own'
files & dirs

> 
> Above you showed that the admin user (ID 300000) has a
> group of GID 300000 in its unix group list. But this could
> even resolve to one of the domain groups (like domain admins).
> (What does "wbinfo --gid-to-sid 300000" give?)

You are losing a '0' which is also the UID of the admin user
'Administrator'

> 
> This could also be sambadomain/administrator, viewed as
> a group in the unix world. With the ID_TYPE_BOTH mapping
> this can even be achieved in Samba. And I think this
> may be quite normal in the AD/DC setup (with passdb_dsdb
> and most id mapping going through passdb..).
> 
> > This does not happen against any other environment.
> > I suspect the culprit is the passdb_dsdb module!
> 
> Let me ask again: Is this a problem?
> You pasted some output of wbinfo --user-groups that came
> unexpected to you, but is it really breaking anything?
> I think this is expected in the AD environment.
> 
> Cheers - Michael

But all of this could be a red herring, you only get the '3000000'
numbers on a DC and as far as I am aware, you cannot use ctdb on a DC.

Rowland
