[Samba] Possible winbind bugs.

Davor Vusir davortvusir at gmail.com
Thu Jul 10 13:10:31 MDT 2014


Den 10 jul 2014 18:05 skrev "Chan Min Wai" <dcmwai at gmail.com>:
>
> Dear Steven,
>
> It should if all your AD groups have a GID.
> Try to add a GID to all your AD groups, including the built-in ones.
>
> You should see that.
>
> If not, you might have found a new relevant bug that we are not sure about.
>
>
> Thanks.
>
>
>
> Regards,
> Chan Min Wai
>
> > steve <steve at steve-ss.com> on 10/07/2014 11:49 PTG wrote:
> >
> >> On Thu, 2014-07-10 at 16:28 +0100, Rowland Penny wrote:
> >>> On 10/07/14 15:52, L.P.H. van Belle wrote:
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: rowlandpenny at googlemail.com
> >>>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >>>> Sent: Thursday 10 July 2014 16:28
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Possible winbind bugs.
> >>>>
> >>>>> On 10/07/14 14:51, steve wrote:
> >>>>>> On Thu, 2014-07-10 at 19:20 +0800, Chan Min Wai wrote:
> >>>>>> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
> >>>>>>> On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
> >>>>>>>> On 10/07/14 10:27, steve wrote:
> >>>>>>>>> On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
> >>>>>>>>> Dear All,
> >>>>>>>>>
> >>>>>>>>> I've found a strange behavior on Winbind + getent group
> >>>>>>>>>
> >>>>>>>>> If there are AD/winbind groups that don't have any unix gid...
> >>>>>>>>> getent group will only show local groups.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> If all the AD/winbind groups have a unix gid,
> >>>>>>>>> getent will reply with all the groups I have, including the
> >>>>>>>>> AD/winbind groups.
> >>>>>>>>>
> >>>>>>>>> Did we have any bugs reported on this?
> >>>>>>>>>
> >>>>>>>>> Thank You.
> >>>>>>>> Hi Chan
> >>>>>>>>
> >>>>>>>> Lots of confusion here.
> >>>>>>>>
> >>>>>>>> I don't think it's a bug because it would be reasonable to
> >>>>>>>> expect that if we wish domain groups to behave as posix
> >>>>>>>> groups, then we must play by posix rules and include a gid.
> >>>>>>>> Otherwise nss knows nothing about them.
> >>>>>>>>
> >>>>>>>> As we understand, must haves:
> >>>>>>>> Domain groups: gidNumber
> >>>>>>>> Domain users: uidNumber and gidNumber
> >>>>>>> Hi, I thought that, until it was pointed out that if you use
> >>>>>>> winbind, the user's gidNumber is ignored and winbind pulls the
> >>>>>>> gidNumber directly from the primary group.
> >>>>>>>
> >>>>>>> So yes, the user's primary group must have a gidNumber, but
> >>>>>>> the user does not need this added.
> >>>>>>>
> >>>>>>> Rowland
> >>>>>>
> >>>>>>
> >>>>>> Hi
> >>>>>> Yes, we agree. However, for completeness (and for those who do
> >>>>>> not use winbind) we mimic the Unix manner of obtaining the user's
> >>>>>> primary group: from the gidNumber listed in his DN.
> >>>>>> Just our translation of the evidence m'lud!
> >>>>>> Cheers
> >>>>>>
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>>
> >>>>>> What I meant is...
> >>>>>> When using winbind
> >>>>>>
> >>>>>>
> >>>>>> If there is even one AD group without gid,
> >>>>>> "getent group" will return only local unix groups.
> >>>>>>
> >>>>>>
> >>>>>> Which shouldn't be right.
> >>>>>>
> >>>>>>
> >>>>>> "getent group" should return all AD groups except the AD group
> >>>>>> without gid.
> >>>>>> But our result here is different.
> >>>>>>
> >>>>>>
> >>>>>> I believe that when getent group happens,
> >>>>>> winbind reads a group without gid and it crashes and returns 0 to
> >>>>>> getent, and thus
> >>>>>>
> >>>>>>
> >>>>>> getent group returns only local unix groups.
> >>>>>>
> >>>>>>
> >>>>>> You can easily try this by.
> >>>>>>
> >>>>>>
> >>>>>> You will want to turn the winbind and idmap cache times down as low
> >>>>>> as possible for fast results, like 1 second,
> >>>>>> like: (WARNING: Not to be used in actual production)
> >>>>>> idmap cache time = 1
> >>>>>> idmap negative cache time = 1
> >>>>>> winbind cache time = 1
> >>>>>>
> >>>>>>
> >>>>>> 1. Add all AD groups with a unix gid
> >>>>>> 2. getent group returns all local unix groups + AD groups (if
> >>>>>> you didn't, try to get back to your AD groups and add all unix gids)
> >>>>>> 3. Add one AD group without a unix gid
> >>>>>> 4. getent group returns only local unix groups
> >>>>>>
> >>>>>>
> >>>>>> Hope this explain...
> >>>>> Hi
> >>>>> Yes, sorry. I see what you mean now. Not had time to test, but if
> >>>>> you want this to work with winbind, you have to make:
> >>>>> objectClass: posixGroup
> >>>>> visible in the group DN.
> >>>>> Cheers,
> >>>>> Steve
> >>>> The fact that 'getent group' does not show AD groups is well known
> >>>> and adding the posixGroup objectClass will not make it work!
> >>>>
> >>>> You can either add a gidNumber to every AD group (not really a good
> >>>> idea), run 'getent group <AD group name>' or use something else
> >>>> instead of winbind.
> >>>>
> >>>> Rowland
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>> Huh ?
> >>>
> >>> when I add winbind in /etc/nsswitch.conf
> >>> and type getent group on my DC I see ALL my groups, local and
> >>> AD\windows groups
> >>> ( but I don't use that on my DC )
> >>>
> >>> on my member I need to say:
> >>> getent group "DOMAIN\Mygroup" or
> >>> getent group "Mygroup"
> >>>
> >>> getent group "Domain Users"
> >>> domain users:x:5000:
> >>>
> >>> and ONLY the groups with a gid will be returned.
> >>>
> >>> and as far as I know this is by design.
> >>>
> >>>
> >>> Louis
> >> Hi Louis, the only problem I have with what you posted is the word
> >> 'design'. I think that it is a long standing bug and hopefully when 4.2
> >> comes out, it will have been squashed.
> >>
> >> Rowland
> >
> > Hi
> > Just to add that real winbind has _never_ returned domain groups from:
> > getent group
> > It only returns with:
> > getent group <group>
> > enum or no enum.
> > HTH,
> > Steve
> >
> >

Probably not related but hopefully of interest:
https://lists.samba.org/archive/samba/2014-March/180173.html

Regards
Davor
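The thread above boils down to one operational fact: with winbind, an AD group only resolves as a POSIX group when the object carries a gidNumber, so before reading an empty 'getent group' listing as a bug it helps to know which groups are actually unmapped. The script below is an added example written for this page, not code posted by anyone in the thread or shipped with Samba. It audits an LDIF listing of group objects and reports the ones without a gidNumber. The LDIF in SAMPLE_LDIF is constructed sample data; on a real domain the same text would come from an ldbsearch or ldapsearch export of the group objects (assumed here, not shown in the thread), and the attribute names dn, sAMAccountName and gidNumber are the standard AD/RFC2307 ones.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread or from Samba.
# Lists AD group objects in an LDIF export that have no gidNumber: those are
# the groups winbind cannot map to a POSIX group, so 'getent group <name>'
# will not resolve them.
# SAMPLE_LDIF is constructed sample data; a real run would feed the output of
# an ldbsearch/ldapsearch export of the group objects instead (assumption).

SAMPLE_LDIF='dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 5000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins

dn: CN=Developers,OU=Groups,DC=example,DC=com
sAMAccountName: Developers
gidNumber: 10001

dn: CN=Backup Operators,CN=Builtin,DC=example,DC=com
sAMAccountName: Backup Operators'

# Read LDIF on stdin; print the sAMAccountName of every entry lacking gidNumber.
# Each entry starts at a "dn:" line, so a new dn flushes the previous entry and
# END flushes the last one.
groups_without_gid() {
    awk '
        function flush() {
            if (name != "" && !has_gid) print name
            name = ""; has_gid = 0
        }
        /^dn:/             { flush() }
        /^sAMAccountName:/ { name = $0; sub(/^sAMAccountName:[ \t]*/, "", name) }
        /^gidNumber:/      { has_gid = 1 }
        END                { flush() }
    '
}

# Number of unmapped groups in the LDIF text passed as $1.
missing_gid_count() {
    printf '%s\n' "$1" | groups_without_gid | awk 'END { print NR }'
}

# Exit status 0 when every group in $1 has a gidNumber, 1 otherwise; useful as
# a pre-check before blaming winbind for an AD group that getent cannot find.
all_groups_mapped() {
    [ "$(missing_gid_count "$1")" -eq 0 ]
}

# Stand-alone run: report the unmapped groups in the sample.
printf '%s\n' "$SAMPLE_LDIF" | groups_without_gid
```

Run against the constructed sample it names "Domain Admins" and "Backup Operators", the two entries without a gidNumber; note that the built-in group is caught too, which matches the advice in the thread to include the built-in groups when assigning gids.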

