[Samba] nested group support still broken in 3.2.2?

Wed Aug 27 21:30:26 GMT 2008

Gerald (Jerry) Carter wrote:
>
>
> What is "winbind expand groups" set to ?
>
>
Oh sorry - "3". 

I've just tried something. I upped "log level = 10", deleted 
"/var/lib/samba/winbind*" (to trash cached values), cleaned out 
/var/log/samba/* and restarted winbind. Then I tried "id 
localDomain\user" and "getent group localDomain\group" and they worked 
successfully.

Then I tried the "getent group domain3\group2" mentioned in my example:  
remote domain containing groups containing users from many (trusted) 
other domains. It *immediately* returned with no content (which is odd - 
yesterday it returned 5 domain3 users). Strangely, I didn't see a 
log.wb-domain3 created.

Then I ran "wbinfo -u", and immediately all the log.wb-XXXX files 
appeared - one per trusted domain. It hung for many minutes while it 
went all over the world (I had tcpdump running) via LDAP downloading 
"stuff". Eventually I got "Error looking up domain users" - probably hit 
a timeout. I'm not surprised :-) However, winbindd was still downloading 
"stuff" - in fact there are now 167 copies of winbind running on my FC8 
box and it's still working at the problem ;-) "wbinfo -m|wc" reports 14 
BTW - so I don't know how 167 showed up.

Then I ran "getent group domain3\group2" again, this time it hung for 5 
secs - before returning nothing again :-( Grep'ping /var/log/sambe/* for 
the groupname shows only 'getgrnam domain3\group2' - no real error as such

PS: there are now 155 winbindd processes running - so it did come down a 
bit. But I don't think that's normal? Under 3.0.30 it never seemed to go 
above 10-ish?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1