[Samba] Possible winbind bugs.

L.P.H. van Belle belle at bazuin.nl
Thu Jul 10 08:52:42 MDT 2014


 

>-----Original Message-----
>From: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Thursday 10 July 2014 16:28
>To: samba at lists.samba.org
>Subject: Re: [Samba] Possible winbind bugs.
>
>On 10/07/14 14:51, steve wrote:
>> On Thu, 2014-07-10 at 19:20 +0800, Chan Min Wai wrote:
>>>
>>> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
>>>          On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
>>>          > On 10/07/14 10:27, steve wrote:
>>>          > > On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
>>>          > >> Dear All,
>>>          > >>
>>>          > >> I've found a strange behavior on Winbind + getent group
>>>          > >>
>>>          > >> If there is an AD/winbind group that doesn't have any unix gid,
>>>          > >> getent group will only show local groups.
>>>          > >>
>>>          > >>
>>>          > >> If all the AD/winbind groups have a unix gid,
>>>          > >> getent will reply with all the groups I have, including the
>>>          AD/winbind groups.
>>>          > >>
>>>          > >> Did we have any bugs reported on this?
>>>          > >>
>>>          > >> Thank You.
>>>          > > Hi Chan
>>>          > >
>>>          > > Lots of confusion here.
>>>          > >
>>>          > > I don't think it's a bug because it would be reasonable to
>>>          expect that
>>>          > > if we wish domain groups to behave as posix groups, then
>>>          we must play by
>>>          > > posix rules and include a gid. Otherwise nss knows nothing
>>>          about them.
>>>          > >
>>>          > > As we understand, must haves:
>>>          > > Domain groups: gidNumber
>>>          > > Domain users: uidNumber and gidNumber
>>>          > Hi, I thought that, until it was pointed out that if you use
>>>          winbind,
>>>          > the user's gidNumber is ignored and winbind pulls the
>>>          gidNumber directly
>>>          > from the primary group.
>>>          >
>>>          > So yes, the user's primary group must have a gidNumber, but
>>>          the user does
>>>          > not need this added.
>>>          >
>>>          > Rowland
>>>          
>>>          
>>>          Hi
>>>          Yes, we agree. However, for completeness (and for those who do
>>>          not use
>>>          winbind) we mimic the Unix manner of obtaining the user's
>>>          primary group:
>>>          from the gidNumber listed in his DN.
>>>          Just our translation of the evidence m'lud!
>>>          Cheers
>>>
>>>
>>> Hi,
>>>
>>>
>>> What I meant is...
>>> When using winbind
>>>
>>>
>>> If there is even one AD group without a gid,
>>> "getent group" will return only local unix groups.
>>>
>>>
>>> Which shouldn't be right.
>>>
>>>
>>> "getent group" should return all AD groups except the AD group without a
>>> gid.
>>> But our results here are different.
>>>
>>>
>>> I believe that when getent group happens,
>>> winbind reads a group without a gid and it crashes and returns 0 to getent,
>>> and thus
>>>
>>>
>>> getent group returns only local unix groups.
>>>
>>>
>>> You can easily try this by:
>>>
>>>
>>> You will want to turn the winbind and idmap cache times down as low as possible
>>> for a fast result, like 1 second,
>>> e.g.: (WARNING: not to be used in actual production)
>>> idmap cache time = 1
>>> idmap negative cache time = 1
>>> winbind cache time = 1
>>>
>>>
>>> 1. Add a unix gid to all AD groups
>>> 2. getent group returns all local unix groups + AD groups (if you didn't,
>>> try to go back to your AD groups and add all the unix gids)
>>> 3. Add one AD group without a unix gid
>>> 4. getent group returns only local unix groups
>>>
>>>
>>> Hope this explain...
>>>
>> Hi
>> Yes, sorry. I see what you mean now. Not had time to test, but if you
>> want this to work with winbind, you have to make:
>> objectClass: posixGroup
>> visible in the group DN.
>> Cheers,
>> Steve
>>
>>
>>
>
>The fact that 'getent group' does not show AD groups is well known and 
>adding the posixGroup objectClass will not make it work!
>
>You can either add a gidNumber to every AD group (not really a good 
>idea), run 'getent group <AD group name>' or use something else instead 
>of winbind.
>
>Rowland

Huh?

When I add winbind in /etc/nsswitch.conf
and type getent group on my DC I see ALL my groups, local and AD\Windows groups
(but I don't use that on my DC).

On my member I need to say:
getent group "DOMAIN\Mygroup" or
getent group "Mygroup"

getent group "Domain Users"
domain users:x:5000:

and ONLY the groups with a gid will be returned.

And as far as I know this is by design.


Louis
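To find out which of your domain groups are in the state the thread is about (enumerated by winbind but with no gid mapping, so NSS cannot resolve them and they never show up in getent output), here is an added example script. It is not code from the thread or from Samba. It assumes a winbind member server where `wbinfo -g` lists the domain groups and `getent group NAME` succeeds only for mapped ones; the function names and the sample getent lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: list the domain
# groups that winbind enumerates but NSS cannot resolve, i.e. the groups
# without a gidNumber / idmap entry that getent will never print.

# lookup_group_live NAME: succeed if NSS resolves NAME, exactly as
# `getent group NAME` does on a winbind member (name is hypothetical).
lookup_group_live() {
    getent group "$1" >/dev/null 2>&1
}

# Constructed sample of `getent group` output for two mapped domain groups
# (the thread shows "domain users:x:5000:"); used for the offline run.
SAMPLE_GETENT='domain users:x:5000:
domain admins:x:5001:'

# lookup_group_canned NAME: same contract as lookup_group_live, but answers
# from SAMPLE_GETENT. The name field is compared case-insensitively because
# winbind lower-cases the names it hands to NSS.
lookup_group_canned() {
    printf '%s\n' "$SAMPLE_GETENT" |
        awk -F: -v g="$1" 'tolower($1) == tolower(g) { found = 1 } END { exit !found }'
}

# unmapped_groups LOOKUP: read group names from stdin, one per line as
# `wbinfo -g` prints them, and print every name LOOKUP cannot resolve.
# Returns 1 if at least one group was unmapped, 0 otherwise.
unmapped_groups() {
    lookup="$1"
    status=0
    while IFS= read -r grp; do
        [ -n "$grp" ] || continue
        if ! "$lookup" "$grp"; then
            printf '%s\n' "$grp"
            status=1
        fi
    done
    return "$status"
}

# Offline demonstration with constructed wbinfo-style input; with the sample
# data above this prints "No Gid Group" and then the message on the right.
printf 'Domain Users\nDomain Admins\nNo Gid Group\n' |
    unmapped_groups lookup_group_canned ||
    echo "some domain groups have no gid mapping"

# Live use on a domain member:
#   wbinfo -g | unmapped_groups lookup_group_live
```

On a real member the names `wbinfo -g` prints are either bare or `DOMAIN\name`, depending on `winbind use default domain`; getent accepts either form, as the `getent group "DOMAIN\Mygroup"` / `getent group "Mygroup"` examples above show, so the live lookup works with both. Any group the script prints is one that needs a gidNumber (or an idmap mapping) before it can behave as a POSIX group.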



