getpwnam/uid for group with ID_TYPE_BOTH

Wed Sep 25 17:51:10 UTC 2019

On Mon, Sep 23, 2019 at 04:45:56PM -0700, Christof Schmitt wrote:
> On Mon, Sep 23, 2019 at 11:43:35PM +0200, Stefan Metzmacher wrote:
> > Hi Christof,
> > 
> > > The behavior of winbindd changed in regards to whether a group with
> > > ID_TYPE_BOTH returns a fake user structure. This surfaced during a test
> > > of creating files from a SMB client and then checking the ownership
> > > directly on the file system.
> > > 
> > > make testenv SELFTEST_TESTENV=ad_member_idmap_rid
> > > is an environment that provides ID_TYPE_BOTH for testing.
> > > 
> > > 4-5-test returns fake passwd information for the group:
> > > 
> > > $ getent passwd "$DOMAIN/Domain Users"
> > > ADDOMAIN/domain users:*:2000513:2000513::/home/ADDOMAIN/domain
> > > users:/bin/false
> > > $ echo $?
> > > 0
> > > 
> > > $ getent passwd 2000513
> > > ADDOMAIN/domain users:*:2000513:2000513::/home/ADDOMAIN/domain
> > > users:/bin/false
> > > $ echo $?
> > > 0
> > > 
> > > $ ls -l testfile
> > > -rw-rw-r--. 1 ADDOMAIN/domain users ADDOMAIN/domain admins 0 Sep 23
> > > 12:24 testfile
> > > 
> > > 
> > > 4-6-test no longer does this:
> > > 
> > > $ getent passwd "$DOMAIN/Domain Users"
> > > $ echo $?
> > > 2
> > > 
> > > $ getent passwd 2000513
> > > $ echo $?
> > > 2
> > > 
> > > $ ls -l testfile
> > > -rw-r--r--. 1 2000513 ADDOMAIN/domain admins 0 Sep 23 12:30 testfile
> > > 
> > > It looks like the behavior was introduced for Samba 4.5 through commit
> > > 394622ef8c916cf361f8596dba4664dc8d6bfc9e
> > >     s3:winbindd: change getpwsid() to return a passwd struct for a group
> > > sid id-mapped with ID_TYPE_BOTH
> > > 
> > > and then changed for Samba 4.6 through the patches around
> > > bce19a6efe11980933531f0349c8f5212419366a
> > >     winbind: Restructure wb_getpwsid
> > > 
> > > What is the intended behavior here? Returning a fake passwd for the
> > > group makes the "ls -l" output nicer as no manual lookup of the uid to
> > > the group is required. On the other hand, creating fake user information
> > > might cause problems elsewhere.
> > > 
> > > What are other's opinions around this? I am planning to add a testcase
> > > to ensure that this does not change again, but i would like to
> > > understand first whether winbindd should behave as in Samba 4.5 or in
> > > the newer releases.
> > 
> > The 4.5 behavior is what we want,
> > see also https://gitlab.com/samba-team/samba/merge_requests/621
> > 
> > We should fix merge that, could you come up with a simple testcase
> > to that we don't regress on this again?
> > 
> > Then we need a bug report for backports.
> 
> Thank you. I will take a look at the merge request and write a testcase.

I updated https://gitlab.com/samba-team/samba/merge_requests/621/ with
my signed-off on the patch, a reference to
https://bugzilla.samba.org/show_bug.cgi?id=14141 for the backport and a
testcase.

Christof