[Samba] Possible winbind bugs.

Rowland Penny rowlandpenny at googlemail.com
Thu Jul 10 08:27:42 MDT 2014


On 10/07/14 14:51, steve wrote:
> On Thu, 2014-07-10 at 19:20 +0800, Chan Min Wai wrote:
>>
>> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
>>          On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
>>          > On 10/07/14 10:27, steve wrote:
>>          > > On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
>>          > >> Dear All,
>>          > >>
>>          > >> I've found a strange behavior on Winbind + getent group
>>          > >>
>>          > >> If there are AD/winbind group didn't have any unix gid...
>>          > >> getent group will only show local group.
>>          > >>
>>          > >>
>>          > >> If all the AD/winbind group have unix gid
>>          > >> getent will reply with all the group I have included the AD/winbind group.
>>          > >>
>>          > >> Did we have any bugs reported on this?
>>          > >>
>>          > >> Thank You.
>>          > > Hi Chan
>>          > >
>>          > > Lots of confusion here.
>>          > >
>>          > > I don't think it's a bug because it would be reasonable to expect that
>>          > > if we wish domain groups to behave as posix groups, then we must play by
>>          > > posix rules and include a gid. Otherwise nss knows nothing about them.
>>          > >
>>          > > As we understand, must haves:
>>          > > Domain groups: gidNumber
>>          > > Domain users: uidNumber and gidNumber
>>          > Hi, I thought that, until it was pointed out that if you use winbind,
>>          > the user's gidNumber is ignored and winbind pulls the gidNumber directly
>>          > from the primary group.
>>          >
>>          > So yes, the user's primary group must have a gidNumber, but the user does
>>          > not need this added.
>>          >
>>          > Rowland
>>          
>>          
>>          Hi
>>          Yes, we agree. However, for completeness (and for those who do not use
>>          winbind) we mimic the Unix manner of obtaining the user's primary group:
>>          from the gidNumber listed in his DN.
>>          Just our translation of the evidence m'lud!
>>          Cheers
>>
>>
>> Hi,
>>
>>
>> What I meant is...
>> When using winbind
>>
>>
>> If there is even one AD Group without gid.
>> "getent group" will return only local unix Group
>>
>>
>> Which shouldn't be right.
>>
>>
>> "getent group" should return all AD Group except the AD group without
>> gid.
>> But our results here are different.
>>
>>
>> I believe that when getent group happens
>> winbind reads a group without gid and it crashes and returns 0 to getent
>> and thus
>>
>>
>> getent group return only local unix group.
>>
>>
>> You can easily try this by.
>>
>>
>> You will want to turn winbind and idmap cache to as low as possible
>> for fast result like 1 seconds
>> like: (WARNING: Not to be used in actual production)
>> idmap cache time = 1
>> idmap negative cache time = 1
>> winbind cache time = 1
>>
>>
>> 1. Add all AD groups with unix gid
>> 2. getent group returns all local unix groups + AD Groups (if you didn't
>> try to get back to your AD group and add all unix gid)
>> 3. Add one AD group without unix gid
>> 4. getent group returns only local unix groups
>>
>>
>> Hope this explains...
>>
> Hi
> Yes, sorry. I see what you mean now. Not had time to test, but if you
> want this to work with winbind, you have to make:
> objectClass: posixGroup
> visible in the group DN.
> Cheers,
> Steve
>
>
>

The fact that 'getent group' does not show AD groups is well known and 
adding the posixGroup objectClass will not make it work!

You can either, add a gidNumber to every AD group (not really a good 
idea), run 'getent group <AD group name>' or use something else instead 
of winbind.

Rowland
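The symptom in this thread (one AD group without a gidNumber, and 'getent group' silently falls back to listing only local groups) is easier to chase down if you can see which groups are missing the attribute before touching winbind's caches. The script below is an added example, not code from this thread or from Samba: it parses an LDIF dump of group objects (for instance the output of ldbsearch or ldapsearch against the domain with a filter of '(objectClass=group)' and the attributes cn and gidNumber; the exact command line and the sample entries here are assumptions) and reports groups with no gidNumber, groups whose gidNumber is not numeric, and gidNumbers shared by more than one group, which is the other mistake that tends to appear once every group is given a gid by hand.

```python
"""Audit AD group entries for missing, invalid or duplicate gidNumber values.

Hypothetical helper, not part of Samba.  Run it with an LDIF file produced by
ldbsearch/ldapsearch as the only argument, or with no argument to use the
constructed sample below so it runs offline.
"""
import base64
import re
import sys
from collections import defaultdict

# Constructed sample LDIF (not real directory data): four groups, one without a
# gidNumber, one with a base64-encoded cn, one with a folded cn line, and two
# groups that share gidNumber 10001.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Admins
gidNumber: 10001

dn: CN=Finance,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn:: RmluYW5jZQ==

dn: CN=Very Long Group Name That Wraps,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Very Long Group Name That Wrap
 s
gidNumber: 10001

# ref: ldap://example.com/CN=Configuration,DC=example,DC=com
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute name -> list of values.

    Handles LDIF line folding (continuation lines start with one space),
    base64 values ("attr:: ...") and "#" comment lines such as the
    "# ref:" / "# returned N records" lines that ldbsearch prints.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold onto the previous line
        else:
            logical.append(raw)

    entries, current = [], defaultdict(list)
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current[name.lower()].append(value)
    return entries


def audit_groups(entries):
    """Classify group entries by the state of their gidNumber attribute."""
    report = {"with_gid": [], "without_gid": [], "bad_gid": [], "duplicates": {}}
    by_gid = defaultdict(list)
    for e in entries:
        if "group" not in {v.lower() for v in e.get("objectclass", [])}:
            continue
        name = e.get("cn", e.get("dn", ["?"]))[0]
        gids = e.get("gidnumber", [])
        if not gids:
            report["without_gid"].append(name)    # this is what breaks enumeration
        elif not gids[0].isdigit():
            report["bad_gid"].append(name)
        else:
            report["with_gid"].append(name)
            by_gid[gids[0]].append(name)
    report["duplicates"] = {g: n for g, n in by_gid.items() if len(n) > 1}
    return report


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LDIF
    report = audit_groups(parse_ldif(text))
    for key in ("with_gid", "without_gid", "bad_gid"):
        print(f"{key}: {', '.join(report[key]) or '-'}")
    for gid, names in report["duplicates"].items():
        print(f"duplicate gidNumber {gid}: {', '.join(names)}")
    # Non-zero exit when anything needs fixing, so the check can sit in a cron job.
    return 1 if report["without_gid"] or report["bad_gid"] or report["duplicates"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the sample input the script flags Finance as the group with no gidNumber and reports 10001 as shared by two groups; a non-zero exit status makes it usable as a periodic check after someone adds a new AD group and forgets the gid.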

