[Samba] Possible winbind bugs.

steve steve at steve-ss.com
Thu Jul 10 09:49:22 MDT 2014


On Thu, 2014-07-10 at 16:28 +0100, Rowland Penny wrote:
> On 10/07/14 15:52, L.P.H. van Belle wrote:
> >   
> >
> >> -----Original message-----
> >> From: rowlandpenny at googlemail.com
> >> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >> Sent: Thursday 10 July 2014 16:28
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Possible winbind bugs.
> >>
> >> On 10/07/14 14:51, steve wrote:
> >>> On Thu, 2014-07-10 at 19:20 +0800, Chan Min Wai wrote:
> >>>> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
> >>>>           On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
> >>>>           > On 10/07/14 10:27, steve wrote:
> >>>>           > > On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
> >>>>           > >> Dear All,
> >>>>           > >>
> >>>>           > >> I've found a strange behavior with Winbind + getent group
> >>>>           > >>
> >>>>           > >> If there are AD/winbind groups that don't have any unix gid...
> >>>>           > >> getent group will only show local groups.
> >>>>           > >>
> >>>>           > >>
> >>>>           > >> If all the AD/winbind groups have a unix gid,
> >>>>           > >> getent will reply with all the groups I have, including the
> >>>>           > >> AD/winbind groups.
> >>>>           > >>
> >>>>           > >> Did we have any bugs reported on this?
> >>>>           > >>
> >>>>           > >> Thank You.
> >>>>           > > Hi Chan
> >>>>           > >
> >>>>           > > Lots of confusion here.
> >>>>           > >
> >>>>           > > I don't think it's a bug because it would be reasonable to expect that
> >>>>           > > if we wish domain groups to behave as posix groups, then we must play by
> >>>>           > > posix rules and include a gid. Otherwise nss knows nothing about them.
> >>>>           > >
> >>>>           > > As we understand, must haves:
> >>>>           > > Domain groups: gidNumber
> >>>>           > > Domain users: uidNumber and gidNumber
> >>>>           > Hi, I thought that, until it was pointed out that if you use winbind,
> >>>>           > the user's gidNumber is ignored and winbind pulls the gidNumber directly
> >>>>           > from the primary group.
> >>>>           >
> >>>>           > So yes, the user's primary group must have a gidNumber, but the user does
> >>>>           > not need this added.
> >>>>           >
> >>>>           > Rowland
> >>>>           
> >>>>           
> >>>>           Hi
> >>>>           Yes, we agree. However, for completeness (and for those who do not use
> >>>>           winbind) we mimic the Unix manner of obtaining the user's primary group:
> >>>>           from the gidNumber listed in his DN.
> >>>>           Just our translation of the evidence m'lud!
> >>>>           Cheers
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>>
> >>>> What I meant is...
> >>>> When using winbind
> >>>>
> >>>>
> >>>> If there is even one AD group without a gid,
> >>>> "getent group" will return only local unix groups.
> >>>>
> >>>>
> >>>> Which shouldn't be right.
> >>>>
> >>>>
> >>>> "getent group" should return all AD groups except the AD groups without a
> >>>> gid.
> >>>> But our result here are different.
> >>>>
> >>>>
> >>>> I believe that when getent group happens,
> >>>> winbind reads a group without a gid, crashes and returns 0 to getent,
> >>>> and thus
> >>>>
> >>>>
> >>>> getent group return only local unix group.
> >>>>
> >>>>
> >>>> You can easily try this by.
> >>>>
> >>>>
> >>>> You will want to set the winbind and idmap cache times as low as possible
> >>>> for fast results, like 1 second
> >>>> (WARNING: not to be used in actual production):
> >>>> idmap cache time = 1
> >>>> idmap negative cache time = 1
> >>>> winbind cache time = 1
> >>>>
> >>>>
> >>>> 1. Add a unix gid to all AD groups
> >>>> 2. getent group returns all local unix groups + AD groups (if not, go
> >>>> back to your AD groups and add all unix gids)
> >>>> 3. Add one AD group without a unix gid
> >>>> 4. getent group returns only local unix groups
> >>>>
> >>>>
> >>>> Hope this explain...
> >>>>
> >>> Hi
> >>> Yes, sorry. I see what you mean now. Not had time to test, but if you
> >>> want this to work with winbind, you have to make:
> >>> objectClass: posixGroup
> >>> visible in the group DN.
> >>> Cheers,
> >>> Steve
> >>>
> >>>
> >>>
> >> The fact that 'getent group' does not show AD groups is well known and
> >> adding the posixGroup objectClass will not make it work!
> >>
> >> You can either add a gidNumber to every AD group (not really a good
> >> idea), run 'getent group <AD group name>' or use something else instead
> >> of winbind.
> >>
> >> Rowland
> >>
> > Huh ?
> >
> > when I add winbind in /etc/nsswitch.conf
> > and type getent group on my DC I see ALL my groups, local and AD\windows groups
> > (but I don't use that on my DC)
> >
> > on my member I need to say:
> > getent group "DOMAIN\Mygroup" or
> > getent group "Mygroup"
> >
> > getent group "Domain Users"
> > domain users:x:5000:
> >
> > and ONLY the groups with a gid will be returned.
> >
> > and as far as I know this is by design.
> >
> >
> > Louis
> >
> >
> Hi Louis, the only problem I have with what you posted is the word
> 'design'; I think that it is a long-standing bug and hopefully when 4.2
> comes out, it will have been squashed.
> 
> Rowland

Hi
Just to add that real winbind has _never_ returned domain groups from:
getent group
It only returns them with:
getent group <group>
enum or no enum.
HTH,
Steve
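The rules the thread converges on (every domain group needs a gidNumber before winbind can hand it to NSS, a user's own gidNumber is ignored and the primary group's gidNumber is what counts, and a bare `getent group` does not enumerate domain groups through winbind) can be checked against a directory dump before anyone notices missing groups on a member server. The script below is an added example, not code from the Samba project or from anyone in this thread. It assumes LDIF in the textual form that `ldbsearch`/`samba-tool` print, with objectSid shown as an `S-1-5-21-...` string, and it matches a user's `primaryGroupID` against the RID (last sub-authority) of each group's objectSid; the sample LDIF is constructed, not a real directory.

```python
"""Audit AD group/user entries for the gidNumber rules settled in the thread.

Added example, not Samba code. Reads LDIF in the textual form ldbsearch/
samba-tool print (objectSid as S-1-5-21-...); the sample below is constructed.
"""
from collections import defaultdict

# Constructed sample, not a real directory dump.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 5000

dn: CN=Staff,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Staff
objectSid: S-1-5-21-1111-2222-3333-1104
gidNumber: 5001

dn: CN=Contractors,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Contractors
objectSid: S-1-5-21-1111-2222-3333-1105

dn: CN=Printers,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Printers
objectSid: S-1-5-21-1111-2222-3333-1106
gidNumber: 5001

dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
primaryGroupID: 513

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
primaryGroupID: 1105
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Folded lines (continuation lines start with one space) are rejoined and
    '#' comments skipped; base64 ('attr:: ...') values are left undecoded.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            if current:
                entries.append(dict(current))
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value.lstrip(":").strip())
    return entries


def sid_rid(sid):
    """Relative identifier of a textual SID: its last sub-authority."""
    return int(sid.rsplit("-", 1)[1])


def audit(entries):
    """Groups with no gidNumber, gidNumbers shared by several groups, and users
    whose primary group (primaryGroupID == group RID) has no gidNumber."""
    name = lambda e: e["sAMAccountName"][0]
    groups = [e for e in entries if "group" in e.get("objectClass", [])]
    users = [e for e in entries if "user" in e.get("objectClass", [])]
    names_by_gid = defaultdict(list)
    for g in groups:
        for gid in g.get("gidNumber", []):
            names_by_gid[gid].append(name(g))
    # A user's primaryGroupID must hit this RID -> gidNumber map, otherwise
    # winbind has no POSIX primary group for the user (its own gidNumber is ignored).
    gid_by_rid = {sid_rid(g["objectSid"][0]): g["gidNumber"][0]
                  for g in groups if "gidNumber" in g}
    return {
        "groups_without_gid": sorted(name(g) for g in groups if "gidNumber" not in g),
        "duplicate_gids": {gid: sorted(n) for gid, n in names_by_gid.items() if len(n) > 1},
        "users_with_unmapped_primary_group": sorted(
            name(u) for u in users
            if int(u.get("primaryGroupID", ["0"])[0]) not in gid_by_rid),
    }


def nss_group_lines(entries):
    """`getent group <name>`-style lines for the groups winbind can resolve.

    Only groups with a gidNumber appear; names are lower-cased as in the
    thread's `domain users:x:5000:` output, and member lists stay empty because
    the sample carries no membership. A bare `getent group` lists none of these.
    """
    return [f"{g['sAMAccountName'][0].lower()}:x:{g['gidNumber'][0]}:"
            for g in entries
            if "group" in g.get("objectClass", []) and "gidNumber" in g]


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print(audit(found))
    print("\n".join(nss_group_lines(found)))
```

On the sample, Contractors is flagged as invisible to NSS, bob is flagged because his primary group is Contractors, and the Staff/Printers clash on gid 5001 is reported. Feed it a real dump (e.g. the output of `ldbsearch` for `(objectClass=group)` and `(objectClass=user)`) and the "users_with_unmapped_primary_group" list is the one to fix first, since those users log in with no usable primary group regardless of what `getent group` shows.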
