[Samba] Possible winbind bugs.

Rowland Penny rowlandpenny at googlemail.com
Thu Jul 10 09:28:45 MDT 2014 

On 10/07/14 15:52, L.P.H. van Belle wrote:
>   
>
>> -----Oorspronkelijk bericht-----
>> Van: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>> Verzonden: donderdag 10 juli 2014 16:28
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Possible winbind bugs.
>>
>> On 10/07/14 14:51, steve wrote:
>>> On Thu, 2014-07-10 at 19:20 +0800, Chan Min Wai wrote:
>>>> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
>>>>           On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
>>>>           > On 10/07/14 10:27, steve wrote:
>>>>           > > On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
>>>>           > >> Dear All,
>>>>           > >>
>>>>           > >> I've found a strange behavior on Winbind +
>> getent group
>>>>           > >>
>>>>           > >> If there are AD/winbind group didn't have any
>> unix gid...
>>>>           > >> getent group will only show local group.
>>>>           > >>
>>>>           > >>
>>>>           > >> If all the AD/winbind group have unix gid
>>>>           > >> getent will reply with all the group I have
>> included the
>>>>           AD/winbind group.
>>>>           > >>
>>>>           > >> Did we have any bugs reported on this?
>>>>           > >>
>>>>           > >> Thank You.
>>>>           > > Hi Chan
>>>>           > >
>>>>           > > Lots of confusion here.
>>>>           > >
>>>>           > > I don't think it's a bug because it would be
>> reasonable to
>>>>           expect that
>>>>           > > if we wish domain groups to behave as posix
>> groups, then
>>>>           we must play by
>>>>           > > posix rules and include a gid. Otherwise nss
>> knows nothing
>>>>           about them.
>>>>           > >
>>>>           > > As we understand, must haves:
>>>>           > > Domain groups: gidNumber
>>>>           > > Domain users: uidNumber and gidNumber
>>>>           > Hi, I thought that, until it was pointed out
>> that if you use
>>>>           winbind,
>>>>           > the users gidNumber is ignored and windbind pulls the
>>>>           gidnumber directly
>>>>           > from the primary group.
>>>>           >
>>>>           > So yes, the users primary group must have a
>> gidNumber, but
>>>>           the user does
>>>>           > not need this added.
>>>>           >
>>>>           > Rowland
>>>>           
>>>>           
>>>>           Hi
>>>>           Yes, we agree. However, for completeness (and for
>> those who do
>>>>           not use
>>>>           winbind) we mimic the Unix manner of obtaining the user's
>>>>           primary group:
>>>>           from the gidNumber listed in his DN.
>>>>           Just our translation of the evidence m'lud!
>>>>           Cheers
>>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>> What I meant is...
>>>> When using winbind
>>>>
>>>>
>>>> If there is even one AD Group without gid.
>>>> "gentent group" will return only local unix Group
>>>>
>>>>
>>>> Which shouldn't be right.
>>>>
>>>>
>>>> "getent group" should return all AD Group except the AD
>> group without
>>>> gid.
>>>> But our result here are different.
>>>>
>>>>
>>>> I believes that when getent group happen
>>>> winbind read a group without gid and it crash and return 0 to getent
>>>> and thus
>>>>
>>>>
>>>> getent group return only local unix group.
>>>>
>>>>
>>>> You can easily try this by.
>>>>
>>>>
>>>> You will want to turn winbind and idmap cache to as low as possible
>>>> for fast result like 1 seconds
>>>> like: (WARNING: Not to be use in actual production)
>>>> idmap cache time = 1
>>>> idmap negative cache time = 1
>>>> winbind cache time = 1
>>>>
>>>>
>>>> 1. Adding all AD group with unix gid
>>>> 2. gentent group return all local unix group + AD Group (if
>> you didn't
>>>> try to get back to your AD group and add all unix gid)
>>>> 3. Add one AD group without unix gid
>>>> 4. gentent group return only local unix group
>>>>
>>>>
>>>> Hope this explain...
>>>>
>>> Hi
>>> Yes, sorry. I see what you mean now. Not had time to test, but if you
>>> want this to work with winbind, you have to make:
>>> objectClass: posixGroup
>>> visible in the group DN.
>>> Cheers,
>>> Steve
>>>
>>>
>>>
>> The fact that 'getent group' does not show AD groups is well known and
>> adding the posixGroup objectClass will not make it work!
>>
>> You can either, add a gidNumber to every AD group (not really a good
>> idea), run 'getent group <AD group name>' or use something
>> else instead
>> of winbind.
>>
>> Rowland
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
> Huh ?
>
> when i add winbind in  /etc/nsswitch.conf
> and type getent group on my DC is see ALL my groups. local and AD\windows groups
> ( but i dont use that on my DC )
>
> on my member i need to say :
> getent group "DOMAIN\Mygroup" or
> getent group "Mygroup"
>
> getent group "Domain Users"
> domain users:x:5000:
>
> and ONLY the group with gid will return.
>
> and as far is i know this is by design.
>
>
> Louis
>
>
Hi Louis, The only problem I have with what you posted is the word 
'design', I think that it is a long standing bug and hopefully when 4.2 
comes out, it will have been squashed.

Rowland

More information about the samba mailing list