[Samba] winbindd GETGRENT results in trusted domains environment
Sergey Tashkinov
sergeyt1 at ukr.net
Tue Jun 29 02:47:21 MDT 2010
Good day.
1. We have configured two domain controllers on Windows 2003 R2. We
named them TEST.LOCAL and CHILD.TEST.LOCAL respectively and made a
trust relationships between them. 2. We have installed Samba 3.5.3 on
Ubuntu 9.10, kernel 2.6.31-14 and configured it for using winbindd.
We have encountered a problem with results that winbind returns
upon a command GETGRENT. We have obtained those results with the
command "getent group".
In a case if both domain controllers are turned on everything works
well and we can get groups of users from both domains, for example:
root at ubuntu:/home/user# getent group root:x:0: daemon:x:1: bin:x:2:
sys:x:3: adm:x:4:user tty:x:5: disk:x:6: lp:x:7: mail:x:8: news:x:9:
uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20:user
fax:x:21: voice:x:22: cdrom:x:24:user floppy:x:25: tape:x:26:
sudo:x:27: audio:x:29:pulse dip:x:30: www-data:x:33: backup:x:34:
operator:x:37: list:x:38: irc:x:39: src:x:40: gnats:x:41: shadow:x:42:
utmp:x:43: video:x:44: sasl:x:45: plugdev:x:46:user staff:x:50:
games:x:60: users:x:100: nogroup:x:65534: libuuid:x:101: syslog:x:102:
fuse:x:103: lpadmin:x:104:user ssl-cert:x:105: messagebus:x:106:
crontab:x:107: mlocate:x:108: ssh:x:109: avahi-autoipd:x:110:
avahi:x:111: netdev:x:112: couchdb:x:113: haldaemon:x:114:
admin:x:115:user saned:x:116: pulse:x:117: pulse-access:x:118:
gdm:x:119: user:x:1000: sambashare:x:120:user winbindd_priv:x:121:
TEST\helpservicesgroup:x:100003:TEST\support_388945a0
TEST\telnetclients:x:100004: TEST\domain computers:x:100005:
TEST\domain controllers:x:100006: TEST\schema
admins:x:100007:TEST\administrator TEST\enterprise
admins:x:100008:TEST\administrator TEST\cert publishers:x:100009:
TEST\domain admins:x:100010:TEST\administrator TEST\domain
users:x:100011: TEST\domain guests:x:100012: TEST\group policy creator
owners:x:100013:TEST\administrator TEST\ras and ias servers:x:100014:
TEST\dnsadmins:x:100015: TEST\dnsupdateproxy:x:100016:
TEST\group1:x:100017: TEST\group2:x:100018: TEST\group3:x:100019:
TEST\group4:x:100020: TEST\group5:x:100021: TEST\group6:x:100022:
TEST\group7:x:100023: TEST\group8:x:100024: TEST\group9:x:100025:
TEST\group10:x:100026: TEST\group11:x:100027: CHILD\domain
computers:x:100030: CHILD\domain controllers:x:100031: CHILD\domain
admins:x:100032:CHILD\administrator CHILD\domain users:x:100033:
CHILD\domain guests:x:100034: CHILD\group policy creator
owners:x:100035:CHILD\administrator
If we turn off the domain CHILD.TEST.LOCAL then "getent group" doesn't
return any groups from neither domains, even from TEST.LOCAL.
root at ubuntu:/home/user# getent group root:x:0: daemon:x:1: bin:x:2:
sys:x:3: adm:x:4:user tty:x:5: disk:x:6: lp:x:7: mail:x:8: news:x:9:
uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20:user
fax:x:21: voice:x:22: cdrom:x:24:user floppy:x:25: tape:x:26:
sudo:x:27: audio:x:29:pulse dip:x:30: www-data:x:33: backup:x:34:
operator:x:37: list:x:38: irc:x:39: src:x:40: gnats:x:41: shadow:x:42:
utmp:x:43: video:x:44: sasl:x:45: plugdev:x:46:user staff:x:50:
games:x:60: users:x:100: nogroup:x:65534: libuuid:x:101: syslog:x:102:
fuse:x:103: lpadmin:x:104:user ssl-cert:x:105: messagebus:x:106:
crontab:x:107: mlocate:x:108: ssh:x:109: avahi-autoipd:x:110:
avahi:x:111: netdev:x:112: couchdb:x:113: haldaemon:x:114:
admin:x:115:user saned:x:116: pulse:x:117: pulse-access:x:118:
gdm:x:119: user:x:1000: sambashare:x:120:user winbindd_priv:x:121:
But Samba 3.2.15 returned groups from TEST domain in both cases.
The configuration files we used in a test environment for Samba,
Nsswitch and PAM are listed below.
#/etc/smb.conf [global] security = ads encrypt passwords = yes
password server = ws2003.test.local workgroup = test realm =
CHILD.LOCAL netbios name = ubuntu allow trusted domains = yes
passwd program = /usr/bin/passwd %u passwd chat =
*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
.
winbind separator = + winbind uid = 100000-2000000 winbind gid =
100000-2000000 winbind enum users = yes winbind enum groups = yes
template homedir = /home/winnt/%D/%U template shell = /bin/bash
server string = %h server log file = /var/log/samba/log.%m max log
size = 1000 syslog = 0
debug level = 11
[public] comment = Public path=/home/public browsable=yes writable=yes
admin users=user
# /etc/nsswitch.conf passwd: files winbind group: files winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks:
files
protocols: db files services: db files ethers: db files rpc: db
files
netgroup: nis
# /etc/pam.d/samba auth sufficient pam_winbind.so account sufficient
pam_winbind.so session sufficient pam_winbind.so
@include common-auth @include common-account @include common-session
It is important for us to get group list namely with the command
"getent group", without using "wbinfo -g".
We have analized the source code of winbindd daemon and revealed that
the problem was in a value that function
"rpccli_wbint_QueryGroupList_recv" returns. If one of domains is
turned off it returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND. We have
prepared the patch that overcomes the problem by just ignoring that
code.
Could you comment the way we fixed the problem? Will not it cause any
problems to winbindd?
Best regards, Sergey Tashkinov.
More information about the samba
mailing list