[Samba] winbindd GETGRENT results in trusted domains environment

Sergey Tashkinov sergeyt1 at ukr.net
Tue Jun 29 02:47:21 MDT 2010


Good day.

1. We have configured two domain controllers on Windows 2003 R2. We named
   them TEST.LOCAL and CHILD.TEST.LOCAL respectively and made a trust
   relationship between them.
2. We have installed Samba 3.5.3 on Ubuntu 9.10, kernel 2.6.31-14, and
   configured it to use winbindd.

We have encountered a problem with the results that winbind returns for
the GETGRENT command. We obtained those results with the command
"getent group".

If both domain controllers are turned on, everything works well and we
can get the groups of users from both domains, for example:
root@ubuntu:/home/user# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:user
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:user
fax:x:21:
voice:x:22:
cdrom:x:24:user
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:pulse
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:user
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
syslog:x:102:
fuse:x:103:
lpadmin:x:104:user
ssl-cert:x:105:
messagebus:x:106:
crontab:x:107:
mlocate:x:108:
ssh:x:109:
avahi-autoipd:x:110:
avahi:x:111:
netdev:x:112:
couchdb:x:113:
haldaemon:x:114:
admin:x:115:user
saned:x:116:
pulse:x:117:
pulse-access:x:118:
gdm:x:119:
user:x:1000:
sambashare:x:120:user
winbindd_priv:x:121:
TEST\helpservicesgroup:x:100003:TEST\support_388945a0
TEST\telnetclients:x:100004:
TEST\domain computers:x:100005:
TEST\domain controllers:x:100006:
TEST\schema admins:x:100007:TEST\administrator
TEST\enterprise admins:x:100008:TEST\administrator
TEST\cert publishers:x:100009:
TEST\domain admins:x:100010:TEST\administrator
TEST\domain users:x:100011:
TEST\domain guests:x:100012:
TEST\group policy creator owners:x:100013:TEST\administrator
TEST\ras and ias servers:x:100014:
TEST\dnsadmins:x:100015:
TEST\dnsupdateproxy:x:100016:
TEST\group1:x:100017:
TEST\group2:x:100018:
TEST\group3:x:100019:
TEST\group4:x:100020:
TEST\group5:x:100021:
TEST\group6:x:100022:
TEST\group7:x:100023:
TEST\group8:x:100024:
TEST\group9:x:100025:
TEST\group10:x:100026:
TEST\group11:x:100027:
CHILD\domain computers:x:100030:
CHILD\domain controllers:x:100031:
CHILD\domain admins:x:100032:CHILD\administrator
CHILD\domain users:x:100033:
CHILD\domain guests:x:100034:
CHILD\group policy creator owners:x:100035:CHILD\administrator
If we turn off the domain CHILD.TEST.LOCAL, then "getent group" doesn't
return any groups from either domain, not even from TEST.LOCAL:
root@ubuntu:/home/user# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:user
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:user
fax:x:21:
voice:x:22:
cdrom:x:24:user
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:pulse
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:user
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
syslog:x:102:
fuse:x:103:
lpadmin:x:104:user
ssl-cert:x:105:
messagebus:x:106:
crontab:x:107:
mlocate:x:108:
ssh:x:109:
avahi-autoipd:x:110:
avahi:x:111:
netdev:x:112:
couchdb:x:113:
haldaemon:x:114:
admin:x:115:user
saned:x:116:
pulse:x:117:
pulse-access:x:118:
gdm:x:119:
user:x:1000:
sambashare:x:120:user
winbindd_priv:x:121:
But Samba 3.2.15 returned groups from the TEST domain in both cases.

The configuration files we used in the test environment for Samba,
nsswitch and PAM are listed below.
#/etc/smb.conf
[global]
security = ads
encrypt passwords = yes
password server = ws2003.test.local
workgroup = test
realm = CHILD.LOCAL
netbios name = ubuntu
allow trusted domains = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
winbind separator = +
winbind uid = 100000-2000000
winbind gid = 100000-2000000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
server string = %h server
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
debug level = 11

[public]
comment = Public
path=/home/public
browsable=yes
writable=yes
admin users=user
# /etc/nsswitch.conf
passwd:    files winbind
group:     files winbind
shadow:    compat
hosts:     files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:  files
protocols: db files
services:  db files
ethers:    db files
rpc:       db files
netgroup:  nis
# /etc/pam.d/samba
auth    sufficient pam_winbind.so
account sufficient pam_winbind.so
session sufficient pam_winbind.so
@include common-auth
@include common-account
@include common-session

It is important for us to get the group list specifically with the
command "getent group", without using "wbinfo -g".

We have analyzed the source code of the winbindd daemon and revealed that
the problem lies in the value that the function
"rpccli_wbint_QueryGroupList_recv" returns. If one of the domains is
turned off, it returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND. We have
prepared a patch that overcomes the problem by simply ignoring that
status code.

Could you comment on the way we fixed the problem? Won't it cause any
problems for winbindd?

Best regards, Sergey Tashkinov.
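The failure mode in the message above is that an unreachable trusted domain makes "getent group" drop every domain group, including those of the domain that is still up, so hosts lose group-based access checks without any error being shown. The following is an added example, not part of Sergey's message and not Samba code: it parses group(5)-style output, counts groups per Windows domain, and reports which expected domains are missing, so an administrator can alert on the condition instead of discovering it through failed logins. The two sample outputs are constructed from the lines in the message; the separator defaults to the backslash that the message's output shows rather than the "+" in its smb.conf, and the expected-domain list and the check_live helper that calls the real getent are assumptions for illustration.

```python
"""Check that `getent group` still enumerates groups from every expected
Windows domain (added example modelled on the mailing-list message; not
Samba's own code)."""
import subprocess
from collections import Counter

# Separator between the domain and the group name in winbind's output.
# The message's output shows the default backslash, so that is assumed here
# even though its smb.conf sets "winbind separator = +".
WINBIND_SEPARATOR = "\\"

# Constructed sample: a healthy run with local, TEST and CHILD groups,
# abbreviated from the message's first "getent group" output.
SAMPLE_HEALTHY = r"""root:x:0:
adm:x:4:user
sudo:x:27:
winbindd_priv:x:121:
TEST\domain admins:x:100010:TEST\administrator
TEST\domain users:x:100011:
TEST\group1:x:100017:
CHILD\domain admins:x:100032:CHILD\administrator
CHILD\domain users:x:100033:
"""

# Constructed sample: the degraded run after CHILD.TEST.LOCAL was turned
# off, where winbind contributes nothing at all.
SAMPLE_DEGRADED = r"""root:x:0:
adm:x:4:user
sudo:x:27:
winbindd_priv:x:121:
"""


def parse_groups(text, separator=WINBIND_SEPARATOR):
    """Parse group(5)-style lines into (domain, name, gid, members) tuples.
    Local groups (no separator in the name) get domain None."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the check
        name, _password, gid, members = parts
        domain = None
        if separator in name:
            # Group names may contain spaces ("domain admins"), so split
            # only on the first separator.
            domain, name = name.split(separator, 1)
            domain = domain.upper()
        member_list = [m for m in members.split(",") if m]
        entries.append((domain, name, int(gid), member_list))
    return entries


def count_by_domain(entries):
    """Number of enumerated groups per domain (None = local /etc/group)."""
    return Counter(domain for domain, *_ in entries)


def missing_domains(entries, expected):
    """Expected domains (case-insensitive) for which no group was listed."""
    present = {d for d, *_ in entries if d is not None}
    return sorted({d.upper() for d in expected} - present)


def check_live(expected):
    """Run the real `getent group` on this host and report missing domains.
    Assumed helper for use in a monitoring job; not exercised offline."""
    out = subprocess.run(["getent", "group"], capture_output=True,
                         text=True, check=True).stdout
    return missing_domains(parse_groups(out), expected)


if __name__ == "__main__":
    expected = ["TEST", "CHILD"]  # assumed list of domains that must appear
    for label, sample in (("healthy", SAMPLE_HEALTHY),
                          ("degraded", SAMPLE_DEGRADED)):
        entries = parse_groups(sample)
        print(label, dict(count_by_domain(entries)),
              "missing:", missing_domains(entries, expected))
```

Run from cron, a non-empty result from missing_domains is the signal to look at winbindd and the trusted-domain DCs. With the patch the message proposes, a single unreachable domain would show up here as exactly one missing domain rather than as all of them, which is the distinction an administrator wants logged.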

