[Samba] winbind: lookup_usergroups_alt() and lookup_usergroups() returning differnet list

Peter Kruse pk at q-leap.com
Mon Feb 14 13:40:04 GMT 2005 

using samba 3.0.10,
Windows 2000 ADS running in native mode

Hello all,

I observed on our server that for some users winbind uses the function
lookup_usergroups() and for others the function lookup_usergroups_alt().
(I found this out by running winbind with a higher debug level).
Looking at the source-code I see the comment for
lookup_usergroups_alt():

/* Lookup groups a user is a member of - alternate method, for when
    tokenGroups are not available. */

and later:

/* buggy server, no tokenGroups.  Instead lookup what groups this user
    is a member of by DN search on member*/

These are the debug lines of intereset while running
winbindd -s /etc/samba/smb.conf -FSni -d 3:

======================8<=================================================

# user QLEAP+testi5
rpc: name_to_sid name=testi5
name_to_sid [rpc] testi5 for domain QLEAP
ads: lookup_usergroups
ads sid_to_dn mapped CN=testi5,CN=Users,DC=q-leap,DC=de
ads: lookup_usergroups_alt
ads lookup_usergroups (alt) for dn=CN=testi5,CN=Users,DC=q-leap,DC=de
ads: fetch sequence_number for QLEAP
# user QLEAP+testi4
ads: lookup_usergroups
ads sid_to_dn mapped CN=testi4,CN=Users,DC=q-leap,DC=de
ads lookup_usergroups for sid=S-1-5-21-823518204-2111687655-1060284298-1169
ads: fetch sequence_number for QLEAP

======================8<=================================================

Both users are a member of the same global security
group which is a member of another global security group.
But this "meta-group" is only listed for the user testi4.
There are no differences in the users' properties, and the
same happens with other users.  It is always the same:

whenever winbind uses lookup_usergroups_alt() those "meta-groups" are
not listed, but they are listed when winbind uses lookup_usergroups().

 From the comments above I would think that there must be a difference
in ADS-Servers: one with tokenGroups and one without.  But in
this case there is only one server!

What makes winbind use the one function instead of the other?
Why is the result of the two functions different?
How can I make winbind use only lookup_usergroups()?
What are tokenGroups?

Hope you can help.

Regards,

	Peter

More information about the samba mailing list