[Samba] Possible winbind bugs.

Chan Min Wai dcmwai at gmail.com
Thu Jul 10 05:20:50 MDT 2014


On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:

> On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
> > On 10/07/14 10:27, steve wrote:
> > > On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
> > >> Dear All,
> > >>
> > >> I've found a strange behavior on Winbind + getent group
> > >>
> > >> If there are AD/winbind groups that don't have any unix gid...
> > >> getent group will only show the local groups.
> > >>
> > >>
> > >> If all the AD/winbind group have unix gid
> > >> getent will reply with all the groups I have, including the AD/winbind
> > >> groups.
> > >>
> > >> Did we have any bugs reported on this?
> > >>
> > >> Thank You.
> > > Hi Chan
> > >
> > > Lots of confusion here.
> > >
> > > I don't think it's a bug because it would be reasonable to expect that
> > > if we wish domain groups to behave as posix groups, then we must play by
> > > posix rules and include a gid. Otherwise nss knows nothing about them.
> > >
> > > As we understand, must haves:
> > > Domain groups: gidNumber
> > > Domain users: uidNumber and gidNumber
> > Hi, I thought that, until it was pointed out that if you use winbind,
> > the user's gidNumber is ignored and winbind pulls the gidNumber directly
> > from the primary group.
> >
> > So yes, the user's primary group must have a gidNumber, but the user does
> > not need this added.
> >
> > Rowland
>
> Hi
> Yes, we agree. However, for completeness (and for those who do not use
> winbind) we mimic the Unix manner of obtaining the user's primary group:
> from the gidNumber listed in his DN.
> Just our translation of the evidence m'lud!
> Cheers


Hi,

What I meant is...
When using winbind

If there is even one AD group *without a gid*,
"getent group" will return only the local unix groups.

Which shouldn't be right.

"getent group" should return all AD groups except the AD group without a gid.
But our results here are different.

I believe that when getent group happens,
winbind reads a group without a gid and it crashes and returns 0 to getent, and
thus

getent group returns only the local unix groups.

You can easily try this by:

You will want to turn the winbind and idmap cache times down as low as possible for
fast results, like 1 second,
like this (WARNING: not to be used in actual production):
idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1

1. Add a unix gid to all AD groups.
2. getent group returns all local unix groups + AD groups (if you didn't try
to get back to your AD groups and add all the unix gids).
3. Add one AD group without a unix gid.
4. getent group returns only the local unix groups.

Hope this explains...
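
Added example, not part of this thread or of Samba itself: a small Python check for the symptom described above. It compares the group names `getent group` returns against the domain groups winbind itself enumerates with `wbinfo -g`, lists the domain groups NSS did not return, and flags the all-or-nothing case where winbind reports groups but NSS returns none of them. The sample command outputs, the domain name EXAMPLE and the group names are constructed. One caveat before reading a missing list as the behaviour reported here: `getent group` only lists domain groups at all when `winbind enum groups = yes` is set in smb.conf (the default is no), so check that setting first.

```python
"""Added example (not Samba's code): spot the case where `getent group`
silently returns no winbind groups.

Compares the group names NSS enumerates with the domain groups winbind
itself knows about (`wbinfo -g`). All sample outputs below are constructed.
"""
import subprocess
from typing import Dict, List, Set

# Constructed `getent group` output when winbind returns nothing and NSS
# falls back to the local /etc/group entries only.
SAMPLE_GETENT_LOCAL_ONLY = """\
root:x:0:
daemon:x:1:
users:x:100:steve
"""

# Constructed output for the same host once every AD group has a gidNumber.
# Domain name EXAMPLE, the gids and the group names are made up.
SAMPLE_GETENT_WITH_DOMAIN = SAMPLE_GETENT_LOCAL_ONLY + """\
EXAMPLE\\domain users:x:10000:
EXAMPLE\\domain admins:x:10001:
EXAMPLE\\unixadmins:x:10002:steve,chan
"""

# Constructed `wbinfo -g` output: one group per line, DOMAIN\group form
# (default winbind separator, 'winbind use default domain' not set).
SAMPLE_WBINFO_G = """\
EXAMPLE\\domain users
EXAMPLE\\domain admins
EXAMPLE\\unixadmins
"""


def parse_getent_group(text: str) -> Dict[str, int]:
    """Map group name -> gid from `getent group` lines (name:passwd:gid:members)."""
    groups: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed group line: {line!r}")
        groups[fields[0]] = int(fields[2])
    return groups


def parse_wbinfo_groups(text: str) -> Set[str]:
    """Set of group names from `wbinfo -g` output, one name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def missing_domain_groups(getent_text: str, wbinfo_text: str) -> List[str]:
    """Domain groups winbind enumerates that NSS enumeration did not return."""
    nss_names = set(parse_getent_group(getent_text))
    return sorted(parse_wbinfo_groups(wbinfo_text) - nss_names)


def winbind_enumeration_looks_broken(getent_text: str, wbinfo_text: str) -> bool:
    """True when winbind knows about domain groups but NSS returned none of
    them: the all-or-nothing symptom, rather than just one group missing."""
    known = parse_wbinfo_groups(wbinfo_text)
    missing = missing_domain_groups(getent_text, wbinfo_text)
    return bool(known) and len(missing) == len(known)


def check_live() -> List[str]:
    """Run both commands on this host and return the missing domain groups.
    Raises FileNotFoundError when getent or wbinfo is not installed."""
    getent_out = subprocess.run(["getent", "group"], capture_output=True,
                                text=True, check=True).stdout
    wbinfo_out = subprocess.run(["wbinfo", "-g"], capture_output=True,
                                text=True, check=True).stdout
    return missing_domain_groups(getent_out, wbinfo_out)


if __name__ == "__main__":
    try:
        live_missing = check_live()
        print("domain groups not returned by getent group:", live_missing or "none")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"live check unavailable ({exc}); using the constructed samples")
        for label, sample in (("local only", SAMPLE_GETENT_LOCAL_ONLY),
                              ("with domain", SAMPLE_GETENT_WITH_DOMAIN)):
            print(label, "-> missing:", missing_domain_groups(sample, SAMPLE_WBINFO_G),
                  "broken:", winbind_enumeration_looks_broken(sample, SAMPLE_WBINFO_G))
```

Run it on the affected host after each of the four steps above; a result where `wbinfo -g` still lists every domain group while `missing` contains all of them is the enumeration failure the post describes, whereas a list containing only the one group without a gidNumber is the behaviour the reply expects.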

