[Samba] Possible bug in nss_winbind with ad backend and rfc2307

Jim Stalewski JStalewski at VisaLighting.com
Fri Jan 21 13:57:09 MST 2011

More info on this topic:

Without giving my AD domain's Domain Users group a Unix gid, getent
passwd enumerates no AD users.  With the Domain Users group having a gid
in the range of the idmap config range, I do get my users enumerated
with a getent passwd.

In winbindd.log, for each cached user with rfc2307 information, it logs
for nss_get_info_cached: 
      homedir = '/home/user'
      shell = '/bin/bash'
      gecos = '(null)'     (because I'm not using gecos attrib)
      gid = '60000'

but the getent passwd result is
user:*:10043:12011:User Name:/home/user:/bin/bash

where 12011 is the gid I gave to "Domain Users."

rfc2307 should have returned gid 60000, as per the nss_get_info_cached log.

If I do: getent passwd user 
the result is:
user:*:10043:60000:User Name:/home/user:/bin/bash

as it should be. 

gid 60000 is a local group, not an AD-defined group, so as not to depend
on AD for filesystem group ownership/permissions.  If getent passwd
doesn't enumerate the user data with the user having the proper default
group, they will not inherit the proper permissions.

> -----Original Message-----
> From: Jim Stalewski 
> Sent: Thursday, January 20, 2011 7:26 PM
> To: samba at lists.samba.org
> Subject: [Samba] Possible bug in nss_winbind with ad backend 
> and rfc2307
> I ran some tests to see why getent passwd was not enumerating 
> my domain users and discovered this:
> If I getent passwd <username>, it returns the user information 
> including the primary group defined in the Unix attributes.
> If I add a Unix GID in the idmap config range to the domain's 
> Domain Users group and getent passwd, it returns all of my 
> domain users with all of the Unix attributes as defined in AD 
> for them, BUT it replaces the primary group GID with the GID 
> I defined for the Domain Users group.
> Apparently, some genius decided that the best way to look up 
> users in AD is by membership in "Domain Users" rather than 
> iterating through the directory looking for users that have 
> rfc2307 attributes defined, totally ignoring the rfc2307 
> group attribute on the user objects.
> The suspected bug is that it is not using the rfc2307 primary 
> GID attribute, but rather is defaulting the "Domain Users" 
> group as the primary group for all users regardless of the 
> rfc2307 attributes.
> Is there a way to force Winbind not to use the Domain Users 
> group as the primary group for the winbindd_getpwent process, 
> so it returns the rfc2307 group attribute as it used to / should?  
> Or do I have to redo all of my group file ownership/permissions 
> on all of my servers to match "Domain Users" for some ungodly reason?
> Currently running Samba 3.4.3 on SLES 11.1, and 
> authenticating against Windows 2003R2 AD, but I suspect this 
> same bug/feature was introduced with the idmap changes in 
> 3.30 and above so should apply to all versions above 3.30.  I 
> don't know if the same logic is being used in v4 winbind 
> idmap process...

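A check for the symptom described in this thread, added here as an example; it is not from the original post and not Samba's own code. It compares the primary GID field that the enumeration (getent passwd, served by winbindd_getpwent) reports for each user against the GID from the per-user lookup (getent passwd <user>), and prints every user where the two disagree. The function name gid_mismatches and the sample passwd lines are constructed for the example; the sample reuses the uid/gid values quoted above (10043, 12011, 60000).

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# gid_mismatches LOOKUP_CMD
#   Reads passwd(5)-format lines (the enumeration output) from stdin.
#   For each user it runs "LOOKUP_CMD user", which must print that user's
#   single passwd line, and prints "user enum_gid lookup_gid" whenever the
#   primary-GID field (4th field) differs between the two.  Users the
#   lookup cannot resolve are skipped.
gid_mismatches() {
    lookup="$1"
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        single=$("$lookup" "$name") || continue
        single_gid=$(printf '%s\n' "$single" | cut -d: -f4)
        if [ "$gid" != "$single_gid" ]; then
            printf '%s %s %s\n' "$name" "$gid" "$single_gid"
        fi
    done
}

# Constructed sample enumeration (assumed data): both users come back with
# the gid assigned to "Domain Users" (12011) as their primary group.
sample_enum() {
    cat <<'EOF'
user:*:10043:12011:User Name:/home/user:/bin/bash
alice:*:10044:12011:Alice Example:/home/alice:/bin/bash
EOF
}

# Constructed per-user lookups (assumed data): 'user' carries an rfc2307
# gidNumber of 60000, 'alice' really does have 12011 as primary group.
sample_lookup() {
    case "$1" in
        user)  echo 'user:*:10043:60000:User Name:/home/user:/bin/bash' ;;
        alice) echo 'alice:*:10044:12011:Alice Example:/home/alice:/bin/bash' ;;
        *)     return 1 ;;
    esac
}

# Runs the check over the constructed sample; prints "user 12011 60000".
check_sample() {
    sample_enum | gid_mismatches sample_lookup
}

# On a real winbind-joined host, point the check at getent itself:
#   getent_lookup() { getent passwd "$1"; }
#   getent passwd | gid_mismatches getent_lookup
```

Any line the script prints is a user whose enumerated primary group (the one file-ownership decisions would see via a bulk getent) differs from the rfc2307 gidNumber that a direct lookup returns; an empty result means enumeration and lookup agree.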