[Samba] AD Primary Group Masked by Local Primary Group
Klinger, John (N-CSC)
john.klinger at lmco.com
Tue Jan 20 20:08:57 GMT 2004
Solaris 8, Samba 3.0.1, Winbind with LDAP backend and security = ads.
This may or may not be a problem, depending on what is "expected behaviour".
We came across a user that was defined both locally and in AD. Their local
primary group, call it "localgrp", was not the same as their global primary
group, call it "globalgrp". One important note is that by using an LDAP
browser, we can see that the user is not explicitly a Member Of globalgrp
(ie: there is no "member" entry for the user in globalgrp). The only way
the user is tied to the globalgrp is that it is his AD primary group.
Now, onto the solaris side. At logon, their groups are determined through
nsswitch and a call to the solaris wrapper function
nss_winbind_getgroupsbymember_solwrap. With the patch from Bug 972,
this returns all local and AD groups, including both the local primary
group, localgrp, and the AD primary group, globalgrp.
Other functions, like "id -a <username>", go through the getgrent cycle,
and only return localgrp. This is due to the user not being an explicit
group member. The getgrent cycle does not "see" a user's primary group.
Parallels exist in other systems, like NIS, when a local primary group
overloads a directory's primary group. In those cases, only the local
is shown.
So, should the getgrent cycle go through User's primary groups too? The
concern is that some applications will use a function to check group
access by using a method that does not return the overloaded primary
group.
john
------------------
The first section below is a modified debug output of an "su - user2a"
execution, where both the local primary group, "localgrp", and the global
primary group, "globalgrp" (10328), is returned.
[ 1277]: nss_winbind: Initialized nss_winbind group backend
[ 1277]: nss_winbind: _nss_winbind_getgroupsbymember
[ 1277]: initgroups user2a (10)
[ 1277]: initgroups gid=10000
[ 1277]: initgroups gid=10328
Below is a modified debug output of an "id -a user2a" execution, where only
the local primary group, "localgrp", is returned.
[ 932]: nss_winbind: Initialized nss_winbind group backend
[ 932]: nss_winbind: _nss_winbind_setgrent_solwrap
[ 932]: setgrent
...
[ 932]: getgrent
group.gr_name = Domain Users
group.gr_passwd = x
group.gr_gid = 10000
group.gr_mem = 0x25afc (user1a)
0x25b00 (user2a)
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning group: Domain Users
...
[ 932]: getgrent
group.gr_name = globalgrp
group.gr_passwd = x
group.gr_gid = 10328
group.gr_mem = 0x25af8 (user1a)
0x25b00 (domadmin)
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning group: TBMCS
...
[ 932]: getgrent
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning error: 1.
[ 932]: nss_winbind: _nss_winbind_endgrent_solwrap
[ 932]: endgrent
[ 932]: nss_winbind: _nss_winbind_group_destr
uid=1001(user2a) gid=10(localgrp) groups=1(other)[ 932]: nss_winbind: Initialized nss_winbind group backend
[ 932]: nss_winbind: _nss_winbind_getgrgid_solwrap
[ 932]: getgrgid 10000
,2(bin),4(adm),14(sysadmin),10000(Domain Users)
More information about the samba
mailing list