[Samba] Possible bug in nss_winbind with ad backend and rfc2307
JStalewski at VisaLighting.com
Fri Jan 21 13:57:09 MST 2011
More info on this topic:
Without giving my AD domain's Domain Users group an Unix gid, getent
passwd enumerates no AD users. With the Domain Users group having a gid
in the range of the idmap config range, I do get my users enumerated
with a getent passwd.
In winbindd.log, for each cached user with rfc2307 information, it logs
homedir = '/home/user'
shell = '/bin/bash'
gecos = '(null)' (because I'm not using gecos attrib)
gid = '60000'
but the getent passwd result is
where 12011 is the gid I gave to "Domain Users."
rfc2307 should have returned gid 60000 as per the nss_get_info_cached
If I do: getent passwd user
the result is:
as it should be.
gid 60000 is a local group, not an AD-defined group, so as not to depend
on AD for filesystem group ownership/permissions. If getent passwd
doesn't enumerate the user data with the user having the proper default
group, they will not inherit the proper permissions.
> -----Original Message-----
> From: Jim Stalewski
> Sent: Thursday, January 20, 2011 7:26 PM
> To: samba at lists.samba.org
> Subject: [Samba] Possible bug in nss_winbind with ad backend
> and rfc2307
> I ran some tests to see why getent passwd was not enumerating
> my domain users and discovered this:
> If I getent passwd <username> it returns the user information
> including the primary group defined in the Unix attributes.
> If I add a Unix GID in the idmap config range to the domain's
> Domain Users group and getent passwd, it returns all of my
> domain users with all of the Unix attributes as defined in AD
> for them, BUT it replaces the primary group GID with the GID
> I defined for the Domain Users group.
> Apparently, some genius decided that the best way to look up
> users in AD is by membership in "Domain Users" rather than
> iterating through the directory looking for users that have
> rfc2307 attributes defined, totally ignoring the rfc2307
> group attribute on the user objects.
> The suspected bug is that it is not using the rfc2307 primary
> GID attribute, but rather is defaulting the "Domain Users"
> group as the primary group for all users regardless of the
> rfc2307 attributes.
> Is there a way to force Winbind not to use the Domain Users
> group as the primary group for the winbindd_getpwent process,
> so it returns the
> rfc2307 group attribute as it used to / should? Or do I have
> to redo all of my group file ownership/permissions on all of
> my servers to match "Domain Users" for some ungodly reason?
> Currently running Samba 3.4.3 on SLES 11.1, and
> authenticating against Windows 2003R2 AD, but I suspect this
> same bug/feature was introduced with the idmap changes in
> 3.30 and above so should apply to all versions above 3.30. I
> don't know if the same logic is being used in v4 winbind
> idmap process...
More information about the samba