[Samba] AD Primary Group Masked by Local Primary Group

Klinger, John (N-CSC) john.klinger at lmco.com
Tue Jan 20 20:08:57 GMT 2004 

Solaris 8, Samba 3.0.1, Winbind with LDAP backend and security = ads.

This may or may not be a problem, depending on what is "expected behaviour".

We came across a user that was defined both locally and in AD. Their local
primary group, call it "localgrp", was not the same as their global primary
group, call it "globalgrp". One important note is that by using an LDAP
browser, we can see that the user is not explicitly a Member Of globalgrp
(ie: there is no "member" entry for the user in globalgrp). The only way
the user is tied to the globalgrp is that it is his AD primary group.

Now, onto the solaris side. At logon, their groups are determined through
nsswitch and a call to the solaris wrapper function
nss_winbind_getgroupsbymember_solwrap. With the patch from Bug 972,
this returns all local and AD groups, including both the local primary
group, localgrp, and the AD primary group, globalgrp.

Other functions, like "id -a <username>", go through the getgrent cycle,
and only return localgrp. This is due to the user not being an explicit
group member. The getgrent cycle does not "see" a user's primary group.

Parallels exist in other systems, like NIS, when a local primary group
overloads a directory's primary group. In those cases, only the local
is shown.

So, should the getgrent cycle go through User's primary groups too? The
concern is that some applications will use a function to check group
access by using a method that does not return the overloaded primary
group.

john

------------------

The first section below is a modified debug output of an "su - user2a"
execution, where both the local primary group, "localgrp", and the global
primary group, "globalgrp" (10328), is returned.

[ 1277]: nss_winbind: Initialized nss_winbind group backend
[ 1277]: nss_winbind: _nss_winbind_getgroupsbymember
[ 1277]: initgroups user2a (10)
[ 1277]: initgroups gid=10000
[ 1277]: initgroups gid=10328

Below is a modified debug output of an "id -a user2a" execution, where only
the local primary group, "localgrp", is returned.

[  932]: nss_winbind: Initialized nss_winbind group backend
[  932]: nss_winbind: _nss_winbind_setgrent_solwrap
[  932]: setgrent
...
[  932]: getgrent
                  group.gr_name   = Domain Users
                  group.gr_passwd = x
                  group.gr_gid    = 10000
                  group.gr_mem    = 0x25afc (user1a)
                                    0x25b00 (user2a)
[  932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning group: Domain Users
...
[  932]: getgrent 
                  group.gr_name   = globalgrp
                  group.gr_passwd = x
                  group.gr_gid    = 10328
                  group.gr_mem    = 0x25af8 (user1a)
                                    0x25b00 (domadmin)
[  932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning group: TBMCS
...
[  932]: getgrent
[  932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning error: 1.

[  932]: nss_winbind: _nss_winbind_endgrent_solwrap
[  932]: endgrent
[  932]: nss_winbind: _nss_winbind_group_destr
uid=1001(user2a) gid=10(localgrp) groups=1(other)[  932]: nss_winbind: Initialized nss_winbind group backend
[  932]: nss_winbind: _nss_winbind_getgrgid_solwrap
[  932]: getgrgid 10000
,2(bin),4(adm),14(sysadmin),10000(Domain Users)

More information about the samba mailing list