[Samba] Possible winbind bugs.

Harry Jede walk2sun at arcor.de
Thu Jul 10 06:39:14 MDT 2014


On 14:25:56, Chan Min Wai wrote:
> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
> > On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
> > > On 10/07/14 10:27, steve wrote:
> > > > On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
> > > >> Dear All,
> > > >> 
> > > >> I've found a strange behavior on Winbind + getent group
> > > >> 
> > > >> If any AD/winbind group doesn't have a unix gid,
> > > >> getent group will only show local groups.
> > > >> 
> > > >> 
> > > >> If all the AD/winbind groups have a unix gid,
> > > >> getent will reply with all the groups I have, including the
> > > >> AD/winbind groups.
> > > >> 
> > > >> Did we have any bugs reported on this?
> > > >> 
> > > >> Thank You.
> > > > 
> > > > Hi Chan
> > > > 
> > > > Lots of confusion here.
> > > > 
> > > > I don't think it's a bug because it would be reasonable to
> > > > expect that if we wish domain groups to behave as posix
> > > > groups, then we must play by
> > > > posix rules and include a gid. Otherwise nss knows nothing
> > > > about them.
> > > > 
> > > > As we understand, must haves:
> > > > Domain groups: gidNumber
> > > > Domain users: uidNumber and gidNumber
> > > 
> > > Hi, I thought that, until it was pointed out that if you use
> > > winbind, the user's gidNumber is ignored and winbind pulls the
> > > gidNumber directly from the primary group.
> > > 
> > > So yes, the user's primary group must have a gidNumber, but the
> > > user does not need this added.
> > > 
> > > Rowland
> > 
> > Hi
> > Yes, we agree. However, for completeness (and for those who do not
> > use winbind) we mimic the Unix manner of obtaining the user's
> > primary group: from the gidNumber listed in his DN.
> > Just our translation of the evidence m'lud!
> > Cheers
> 
> Hi,
> 
> What I meant is...
> When using winbind
> 
> If there is even one AD Group *without gid*,
> "getent group" will return only local unix groups.
Yes, you are right.

> Which shouldn't be right.
The developers have another view on this.

> "getent group" should return all AD Group except the AD group without
> gid. But our result here are different.
Most samba users and unix admins would agree.

> I believe that when getent group happens,
> winbind reads a group without gid and it crashes and returns 0 to getent
> and thus
> 
> getent group returns only local unix groups.
Understand this behavior as a feature, not as a bug.
Winbind does not crash, it simply stops enumeration of groups.
"getent group somegroup" still works.

The feature is, if you as admin forget to assign a gid to a samba
group-mapping entry, you may easily find this error with "getent group".

If you don't like it, just use another nss library for groups, i.e. use
nslcd instead of winbind.

> You can easily try this by:
> 
> You will want to set the winbind and idmap cache times as low as
> possible for fast results, like 1 second
> (WARNING: not to be used in actual production):
> idmap cache time = 1
> idmap negative cache time = 1
> winbind cache time = 1
> 
> 1. Add all AD groups with a unix gid
> 2. getent group returns all local unix groups + AD groups (if you
> didn't try to go back to your AD groups and add all unix gids)
> 3. Add one AD group without a unix gid
> 4. getent group returns only local unix groups
> 
> Hope this explains...
Perfect.

-- 

Regards
	Harry Jede
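The reproduction steps above, together with Harry's remark that "getent group somegroup" still works when enumeration has stopped, suggest a quick way to find the offending group: comparing "wbinfo -g" with the full "getent group" output does not help, because once one group lacks a gid the enumeration returns no domain groups at all, but looking each domain group up by name does. The script below is an added example and is not code from this thread or from the Samba project. The domain name EXAMPLE, the group names and the functions sample_list, sample_lookup, sample_nss_groups, unmapped_groups and demo are constructed for the offline demonstration; only wbinfo -g and getent group are real commands, and they are wired in through real_list and real_lookup.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): ask NSS for every
# domain group by name, which keeps working when "getent group"
# enumeration has stopped early, and report the groups that fail.
# Those are the groups without a gid mapping.

# Data sources on a real member server (not exercised by the offline demo).
real_list()   { wbinfo -g; }              # one domain group per line
real_lookup() { getent group "$1"; }      # exit status 0 iff NSS resolves NAME

# Constructed stand-in for `wbinfo -g`. EXAMPLE is an assumed domain name;
# the default winbind separator '\' is used.
sample_list() {
  cat <<'EOF'
EXAMPLE\domain users
EXAMPLE\developers
EXAMPLE\printer admins
EOF
}

# Constructed stand-in for the groups NSS can resolve: local groups plus the
# domain groups that were given a gidNumber. "printer admins" has none.
sample_nss_groups() {
  cat <<'EOF'
root:x:0:
sudo:x:27:steve
EXAMPLE\domain users:x:10000:
EXAMPLE\developers:x:10001:steve
EOF
}

# sample_lookup NAME: succeed iff NAME is the first field of some NSS line,
# mimicking the exit status of `getent group NAME`.
sample_lookup() {
  sample_nss_groups | {
    while IFS= read -r line; do
      [ "${line%%:*}" = "$1" ] && exit 0   # found: leave the subshell with success
    done
    exit 1                                 # not found: fail like getent does
  }
}

# unmapped_groups LIST_CMD LOOKUP_CMD
# Prints every group printed by LIST_CMD that LOOKUP_CMD cannot resolve.
unmapped_groups() {
  "$1" | while IFS= read -r g; do
    [ -n "$g" ] || continue
    "$2" "$g" >/dev/null 2>&1 || printf '%s\n' "$g"
  done
}

# Offline demo on the constructed data; on a member server run
#   unmapped_groups real_list real_lookup
demo() { unmapped_groups sample_list sample_lookup; }

demo
```

Run on the constructed data the script prints only "EXAMPLE\printer admins", the group without a gidNumber; on a real member server, swapping in real_list and real_lookup gives the list of groups to fix in AD before "getent group" will enumerate the domain groups again. Because every lookup goes through winbind, drop the cache times as the thread suggests while testing, or a stale negative cache entry will keep reporting a group you have just fixed.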

