[Samba] Problem with , in Common Name when running samba3 as ADS Member (Problem with Group-Contents)

Jochen Schmidt jochen.schmidt at millenux.com
Tue Dec 2 22:11:15 GMT 2003


Hi,

today we found the reason for a problem with Group-Memberships when
running Samba as an ADS Domain Member.

1. Short Summary of the Environment
===================================

= "old" Systems:
- donald: Microsoft Windows 2000 as ADS Controller
  		with 2 (daisy, tick) Backup Controller
	- 800 Users mostly replicated from Microsoft Exchange
	-  65 Groups
- fix: Samba 2.2.8 on Solaris 8 as Fileserver using only local groups
- hurra: Samba 3.0.0 on Solaris 8 as NT4 Domain Member using winbindd

= "new" System:
- foxi: Samba 3.0.0 on Solaris 8 as ADS Domain Member using winbind
- lt-js: Samba 3.0.0 on Debian (unstable) as ADS Domain Member using winbind

- all Samba machines have successfully joined the Domain.

2. very curious thing
=====================

- on fix and hurra we see every group with all of its members.
- on foxi and lt-js we see every group but only a few of its members.

The behavior is completely the same when connecting to any of the three
Domain Controllers. The group memberships (using foxi or lt-js) are always
the same subset of persons (always missing the same members).
We thought that the Active Directory domain had a problem since there were
some other issues. So we got a 'date' with one of our Active Directory
specialists to track down this issue. We found some non-Samba-related
issues and the solution for our Samba problem:
- If there's a "," in the Common Name of the user, Samba is not able to
  resolve the group memberships.

We found the following entries in the Samba log when resolving
group memberships using "getent group" (of course, winbindd is running).

----------------------------- debug level 99 winbindd -----------------------------
[2003/12/02 12:24:24, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn GETGRENT
[2003/12/02 12:24:24, 3] nsswitch/winbindd_group.c:winbindd_getgrent(608)
  [13241]: getgrent
[2003/12/02 12:24:24, 10] nsswitch/winbindd_group.c:winbindd_getgrent(645)
  entry_index = 0, num_entries = 0
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)
  refresh_sequence_number: TOPALISWORLD time ok
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)
  refresh_sequence_number: TOPALISWORLD seq number is now 4263604
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:centry_expired(391)
  centry_expired: Key GL/TOPALISWORLD/domain for domain TOPALISWORLD is good.
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:wcache_fetch(470)
  wcache_fetch: returning entry GL/TOPALISWORLD/domain for domain TOPALISWORLD
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:enum_dom_groups(786)
  enum_dom_groups: [Cached] - cached list for domain TOPALISWORLD status Success
[2003/12/02 12:24:24, 10] sam/idmap_util.c:idmap_sid_to_gid(179)
  sid_to_gid: sid = [S-1-5-21-525015883-470239122-8547516-513]
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)
  db_get_id_from_sid
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)
  internal_get_id_from_sid: fetching record S-1-5-21-525015883-470239122-8547516-513 of type 0x2
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
  internal_get_id_from_sid: record S-1-5-21-525015883-470239122-8547516-513 -> GID 10004
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_id_from_sid(262)
  internal_get_id_from_sid: ID_GROUPID fetching record S-1-5-21-525015883-470239122-8547516-513 -> GID 10004
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
  internal_get_sid_from_id: fetching record GID 10004
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
  internal_get_sid_from_id: fetching record GID 10004 -> S-1-5-21-525015883-470239122-8547516-513
[2003/12/02 12:24:24, 10] sam/idmap_util.c:idmap_sid_to_gid(187)
  idmap_sid_to_gid: gid = [10004]
[2003/12/02 12:24:24, 10] nsswitch/winbindd_group.c:winbindd_getgrent(695)
  got gid 10004 for group 201
[2003/12/02 12:24:24, 10] nsswitch/winbindd_group.c:fill_grent_mem(103)
  group SID S-1-5-21-525015883-470239122-8547516-513
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)
  refresh_sequence_number: TOPALISWORLD time ok
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)
  refresh_sequence_number: TOPALISWORLD seq number is now 4263604
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1236)
  lookup_groupmem: [Cached] - doing backend query for info for domain TOPALISWORLD
[2003/12/02 12:24:24, 10] nsswitch/winbindd_ads.c:lookup_groupmem(697)
  ads: lookup_groupmem TOPALISWORLD sid=S-1-5-21-525015883-470239122-8547516-513
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\4B\1B\4B\1F\92\47\07\1C\BC\6C\82\00\01\02\00\00) gave 1 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=FIBU HSt,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 1 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Steinle Solution Factory,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 1 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[...]
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Waldherr\, Bernhard,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 0 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Damaschke\, Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 0 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[...]
----------------------------- debug level 99 winbindd -----------------------------

As you can see in the last few lines, "CN=Damaschke\, Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de"
gives 0 replies from the LDAP server. The syntax of this entry is LDAP v3
compliant (ftp://ftp.rfc-editor.org/in-notes/rfc2253.txt - Section 2.4).
- If you use ldapsearch from the OpenLDAP packages you get an "ldap_search_ext: Bad search filter (87)"
- If you remove the backslash (which escapes the ,) the ldapsearch will succeed
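As an added illustration (not code from the original post and not Samba's own code), here is the RFC 2254 filter-value escaping that the failing search needs: the DN string is correct RFC 2253 syntax, but once it is pasted into a `(distinguishedName=...)` filter its `\,` escape has to be re-escaped as `\5c`, because inside a filter a backslash is only legal as `\XX`. The sample DN is constructed after the one in the log and the function names are mine.

```python
"""Escaping a DN for use as an LDAP search-filter value (RFC 2254 rules)."""
import re

# Inside a search filter the only legal use of a backslash is "\XX" (two hex digits).
_BAD_ESCAPE = re.compile(r'\\(?![0-9A-Fa-f]{2})')


def escape_filter_value(value: str) -> str:
    """Escape an attribute value for use inside an LDAP search filter.

    RFC 2254 section 4: backslash, parentheses, asterisk and NUL are
    replaced by a backslash followed by two hex digits. A DN string such as
    'CN=Waldherr\\, Bernhard,OU=...' contains a literal backslash, which is
    therefore emitted as \\5c; the comma itself needs no escaping here.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def build_dn_filter(dn: str) -> str:
    """Build the (distinguishedName=...) filter with the DN correctly re-escaped."""
    return '(distinguishedName=%s)' % escape_filter_value(dn)


def naive_filter(dn: str) -> str:
    """The filter as it appears in the log: the DN pasted in without re-escaping."""
    return '(distinguishedName=%s)' % dn


def filter_is_wellformed(ldap_filter: str) -> bool:
    """True if every backslash in the filter is a proper \\XX escape.

    A bare '\\,' is exactly what makes OpenLDAP reject the filter with
    'Bad search filter (87)', which is why the server answers 0 replies.
    """
    return _BAD_ESCAPE.search(ldap_filter) is None


# Constructed sample DN, modelled on the escaped form shown in the log.
SAMPLE_DN = 'CN=Damaschke\\, Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de'

if __name__ == '__main__':
    for f in (naive_filter(SAMPLE_DN), build_dn_filter(SAMPLE_DN)):
        print('%-10s %s' % ('ok' if filter_is_wellformed(f) else 'rejected', f))
```

A base-scoped search on the DN itself (base = the DN, scope BASE, filter `(objectClass=*)`) avoids the re-escaping altogether, since the DN then never passes through filter syntax.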


3. Reproduce
============

0. Record your group memberships (using "getent group" or similar tools)
1. Open "Active Directory Users and Computers"
2. select one user.
3. left-click on the selected user to get a cursor within the name
4. insert a comma into the name
5. a window "Rename User" will pop up
6. the "Common Name" (not the "Display Name") now has a comma
7. click "OK"
8. just to be sure: restart winbind (or flush the cache or whatever)
9. get the group memberships ("getent group")
10. make a diff between the results of 0. and 9.
11. Oops


4. Future
=========

We currently think this is an OpenLDAP issue. We will track down this
issue and find a suitable solution for this problem.


5. Comments, Flamewars, ....
============================

are always welcome


Greetings

Jochen

-- 
--------------------------------------------------------------------
Jochen Schmidt                           jochen.schmidt at millenux.com
Mi||enux GmbH                                mobile: +49.175.5752483
Lilienthalstraße 2                          phone: +49.711.88770.300
70825 Stuttgart-Korntal                       fax: +49.711.88770.349
      -= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint:  6F9A 85CE 78EA 7EF1 B2BA  3559 8FA1 2B13 098D 20B5


