ctdb in autobuild broken -- ctdb depends on winbind now????

Rowland Penny repenny241155 at gmail.com
Tue Jan 10 12:18:11 UTC 2017


On Tue, 10 Jan 2017 12:22:15 +0100
Andreas Schneider <asn at samba.org> wrote:

> On Monday, 9 January 2017 17:03:37 CET Rowland Penny wrote:
> > On Mon, 09 Jan 2017 17:52:18 +0100
> > 
> > Andreas Schneider <asn at samba.org> wrote:
> > > On Monday, 9 January 2017 17:30:52 CET Michael Adam wrote:
> > > > On 2017-01-09 at 14:08 +0100, Andreas Schneider wrote:
> > > > > On Friday, 6 January 2017 11:53:16 CET Volker Lendecke wrote:
> > > > > > Quick update: If I run
> > > > > > 
> > > > > > make test TESTS=samba.blackbox.wbinfo
> > > > > > 
> > > > > > locally, I get two unexpected successes.
> > > > > > 
> > > > > > Some tests are designed to fail and now succeed when running
> > > > > > isolated. Some tests are designed to succeed and now fail
> > > > > > when running in the full run.
> > > > > > 
> > > > > > If I look at selftest/knownfail, I see
> > > > > > 
> > > > > > # These do not work against winbindd in member mode for
> > > > > > unknown reasons
> > > > > 
> > > > > Yes, that the test running against the s4member target. I
> > > > > don't really know
> > > > > what a s4member is or means. However it seems to be broken!
> > > > > 
> > > > > $ bin/wbinfo --user-groups "SAMBADOMAIN/administrator"
> > > > > 3000000
> > > > > 3000001
> > > > > $ bin/wbinfo --gid-to-sid 3000000
> > > > > S-1-5-21-2767970802-1178991037-3063653489-500
> > > > > $ bin/wbinfo --sid-to-name
> > > > > S-1-5-21-2767970802-1178991037-3063653489-500
> > > > > SAMBADOMAIN/administrator 1 $ bin/wbinfo -g
> > > > > SAMBADOMAIN/allowed rodc password replication group
> > > > > SAMBADOMAIN/enterprise read-only domain controllers
> > > > > SAMBADOMAIN/denied rodc password replication group
> > > > > SAMBADOMAIN/read-only domain controllers
> > > > > SAMBADOMAIN/group policy creator owners
> > > > > SAMBADOMAIN/ras and ias servers
> > > > > SAMBADOMAIN/domain controllers
> > > > > SAMBADOMAIN/enterprise admins
> > > > > SAMBADOMAIN/domain computers
> > > > > SAMBADOMAIN/cert publishers
> > > > > SAMBADOMAIN/dnsupdateproxy
> > > > > SAMBADOMAIN/domain admins
> > > > > SAMBADOMAIN/domain guests
> > > > > SAMBADOMAIN/schema admins
> > > > > SAMBADOMAIN/domain users
> > > > > SAMBADOMAIN/dnsadmins
> > > > > $ bin/wbinfo --name-to-sid "SAMBADOMAIN/administrator"
> > > > > S-1-5-21-2767970802-1178991037-3063653489-500 SID_USER (1)
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > $ bin/wbinfo --user-groups "SAMBADOMAIN/administrator"
> > > > > 
> > > > > lists 300000, which is the uid from Administrtor, as a gid!
> > > > 
> > > > Yes? I don't thing this per se is a problem...
> > > > 
> > > > The same numerical value can be used both for a UID
> > > > and a GID in a unix system. (On most Linux distros
> > > > you get a Group of the same nam and ID value as the
> > > > default group for a newly created user...)
> > > > 
> > > > Above you showed that the admin user (ID 300000) has a
> > > > group of GID 300000 in its unix group list. But this could
> > > > even resolve to one of the domain groups (like domain admins).
> > > > (WHat does "wbinfo --gid-to-sid 300000" give?
> > > > 
> > > > This could also be sambadomain/administrator, viewed as
> > > > a group in the unix world. Wih the ID_TYPE_BOTH mapping
> > > > this can even be achieved in Samba. And i think this
> > > > may be quite normal in the AD/DC setup (with passdb_dsdb
> > > > and most id mapping going though passdb..).
> > > > 
> > > > > This does not happen against any other enviornment.
> > > > > I suspect culrpit is the passdb_dsdb module!
> > > > 
> > > > Let me ask again: Is this a problem?
> > > > You pasted some output of wbinfo --user-groups that came
> > > > unexpected to you, but is it really breaking anything?
> > > > I think this is expected in the AD environment.
> > > 
> > > See yourself:
> > > 
> > > make testenv SELFTEST_TESTENV="s4member:local" SCREEN=1
> > 
> > Can I ask, is 's4member' the thing you get if you provision with
> > '--server-role=member' ???
> > If so, why are we testing with something that doesn't actually
> > work ???
> > 
> 
> I'm also waiting for a explanation what a s4member actually is ...
> 
> 

It seems to be a provisioned member server, something the Samba wiki
forcefully tells you not to do, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Joining_the_Domain

So, I will ask again, why are we testing against something we tell
users not to use and is actually broken ???

Rowland



More information about the samba-technical mailing list