[Samba] Possible winbind bugs.

steve steve at steve-ss.com
Thu Jul 10 07:51:36 MDT 2014


On Thu, 2014-07-10 at 19:20 +0800, Chan Min Wai wrote:
> 
> 
> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
>         On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
>         > On 10/07/14 10:27, steve wrote:
>         > > On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
>         > >> Dear All,
>         > >>
>         > >> I've found a strange behavior on Winbind + getent group
>         > >>
>         > >> If there is an AD/winbind group that doesn't have any unix gid...
>         > >> getent group will only show local groups.
>         > >>
>         > >>
>         > >> If all the AD/winbind groups have a unix gid,
>         > >> getent will reply with all the groups I have, including the AD/winbind groups.
>         > >>
>         > >> Did we have any bugs reported on this?
>         > >>
>         > >> Thank You.
>         > > Hi Chan
>         > >
>         > > Lots of confusion here.
>         > >
>         > > I don't think it's a bug because it would be reasonable to expect that
>         > > if we wish domain groups to behave as posix groups, then we must play by
>         > > posix rules and include a gid. Otherwise nss knows nothing about them.
>         > >
>         > > As we understand, must haves:
>         > > Domain groups: gidNumber
>         > > Domain users: uidNumber and gidNumber
>         > Hi, I thought that, until it was pointed out that if you use winbind,
>         > the user's gidNumber is ignored and winbind pulls the gidNumber directly
>         > from the primary group.
>         >
>         > So yes, the user's primary group must have a gidNumber, but the user does
>         > not need this added.
>         >
>         > Rowland
>         
>         
>         Hi
>         Yes, we agree. However, for completeness (and for those who do not use
>         winbind) we mimic the Unix manner of obtaining the user's primary group:
>         from the gidNumber listed in his DN.
>         Just our translation of the evidence m'lud!
>         Cheers
> 
> 
> Hi,
> 
> 
> What I meant is...
> When using winbind
> 
> 
> If there is even one AD Group without a gid,
> "getent group" will return only local unix Groups
> 
> 
> Which shouldn't be right.
> 
> 
> "getent group" should return all AD Groups except the AD group without
> gid.
> But our results here are different.
> 
> 
> I believe that when getent group happens,
> winbind reads a group without gid and it crashes and returns 0 to getent
> and thus
> 
> 
> getent group return only local unix group.
> 
> 
> You can easily try this by.
> 
> 
> You will want to turn the winbind and idmap cache down as low as possible
> for fast results, like 1 second,
> like: (WARNING: Not to be used in actual production)
> idmap cache time = 1 
> idmap negative cache time = 1 
> winbind cache time = 1
> 
> 
> 1. Add all AD groups with a unix gid
> 2. getent group returns all local unix groups + AD Groups (if you didn't
> try to get back to your AD group and add all unix gid)
> 3. Add one AD group without a unix gid
> 4. getent group returns only local unix groups
> 
> 
> Hope this explains...
> 
Hi
Yes, sorry. I see what you mean now. Not had time to test, but if you
want this to work with winbind, you have to make:
objectClass: posixGroup
visible in the group DN.
Cheers,
Steve
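A small audit for the condition this thread describes (an added example, not code from the thread or from Samba): it parses the LDIF that ldbsearch/ldapsearch print and lists AD groups with no gidNumber, plus groups that have a gidNumber but not the posixGroup objectClass. The sample LDIF, its DNs and group names are constructed for the demonstration.

```python
import base64

# Constructed sample in the LDIF shape ldbsearch/ldapsearch print for AD groups
# (not real data): "Finance" has no gidNumber; "Sales" has one but no posixGroup.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
objectClass: posixGroup
cn: Domain Users
gidNumber: 10000

dn: CN=Finance,OU=Groups,DC=example,DC=com
objectClass: group
cn: Finance

dn: CN=Sales,OU=Groups,DC=example,DC=com
objectClass: group
cn: Sales
gidNumber: 10001
"""

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Split LDIF into entries of attribute -> values ('::' values are base64)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():            # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # base64-encoded attribute value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        cur.setdefault(attr, []).append(value.strip())
    return entries

def audit_groups(text: str) -> tuple[list[str], list[str]]:
    """Return (no_gid, no_posix): groups lacking gidNumber (which the thread says
    breaks 'getent group' under winbind) and groups lacking objectClass posixGroup."""
    no_gid, no_posix = [], []
    for entry in parse_ldif(text):
        classes = entry.get("objectClass", [])
        if "group" not in classes:      # skip users, OUs, etc.
            continue
        name = entry["cn"][0]
        if "gidNumber" not in entry:
            no_gid.append(name)
        elif "posixGroup" not in classes:
            no_posix.append(name)
    return no_gid, no_posix
```

Run it against the output of a real `ldbsearch` or `ldapsearch` query for group objects to find the entries that need a gidNumber and posixGroup before `getent group` will enumerate them.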