[Samba] wbinfo -r reports strange gids on AD member

Christian chanlists at googlemail.com
Fri Jan 24 13:01:14 UTC 2020


On 23.01.2020 10:26, L.P.H. van Belle via samba wrote:
> Hai Christian, 
>
>>>> Thism, this is just strange, Christian, did you already run and if not, can you run it and post the outputs:
>>>> net cache flush
>>>> systemctl stop samba winbind
>>>> systemctl start samba winbind
>>>>
>>>> id some_user
>>>> getent passwd some_user
>>>>
>>>> [..]
>>> afs1:~# net cache flush
>>> afs1:~# systemctl stop smbd winbind
>>> afs1:~# net cache flush
>>> afs1:~# systemctl start smbd winbind
>>> afs1:~# id some_user
>>> uid=10586(some_user) gid=10206(group1) groups=10206(group2),10513(domain users),10020(group3),10018(group4),10517(group5),10220(group6),3001(BUILTIN\users)
>>> afs1:~# getent passwd some_user
>>> some_user:*:10586:10206:some_user name:/home/some_user:/bin/bash
>> Follow-up:
>>
>> getent group some_group reports some_user as a member.... Thanks for
>> looking into this,
>>
>> Christian
>>
> Hm, that makes it even stranger. 
> So.. Resume. 
>
> id some_user 
> uid=10586(some_user) gid=10206(group1) groups=10206(group2),10513(domain users),10020(group3),10018(group4),10517(group5),10220(group6),3001(BUILTIN\users)
>
> getent passwd some_user
> some_user:*:10586:10206:some_user name:/home/some_user:/bin/bash 
>
> getent group some_group  
> Reports some_user as a member.
>
> So I'm wondering.
> Can you check : getent group some_group  on a domain member and on an AD-DC.

The output of getent group some_group  on the AD DC looks good.

I am starting to see a pattern though. I wrote this script:

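#!/bin/bash
# Split the wbinfo -g output on newlines only, so group names with spaces survive.
IFS=$'\n'
for group in $(wbinfo -g) ; do
  # Only look at groups that NSS can resolve.
  if getent group "$group" >/dev/null 2>&1 ; then
    unset IFS
    for user in $(members "$group") ; do
      # Is the group missing from the list that "groups <user>" prints?
      if ! groups "$user" 2>/dev/null | cut -f 2 -d : | grep " $group" >/dev/null 2>&1 ; then
        # Report only users that NSS can resolve.
        if getent passwd "$user" >/dev/null 2>&1 ; then
          echo "Issue with $group:$user"
        fi
      fi
    done
  fi
done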

The script should report users whose group membership according to
getent group is not reflected in the groups <user> command.

It does not report any issue on those domain members that run the
standard Debian buster distribution packages (4.9.5+dfsg-5+deb10u1). For
those systems that run Louis' 4.10.11+dfsg-0.1buster1 packages, the
above script reports problems with some group memberships of users. The
affected ones vary from system to system, and on each system, the issue
survives net cache flush with the same group memberships being affected
before and after. Our two DCs also run 4.10.11+dfsg-0.1buster1...

Does that help? Should I try to downgrade one of the members where this
issue appears to the standard Debian packages and see if it goes away?

Best,

Christian
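
An added example, not part of the original message: a variant of the consistency check described above that compares numeric GIDs (`id -G`) instead of matching group names, so names containing spaces or names that are prefixes of other names cannot match by accident. The function names and the `--live` switch are assumptions of this example; `user_gids` is kept separate so it can be replaced with recorded data.

```shell
#!/bin/bash
# Added example (not from the thread): getent-group vs. id consistency check
# done on numeric GIDs rather than on group names.

# Numeric GIDs that NSS resolves for a user; prints nothing for unknown users.
user_gids() { id -G "$1" 2>/dev/null; }

# Reads `getent group`-format lines (name:passwd:gid:member,member,...) on
# stdin and prints "Issue with <group>:<user>" for every listed member whose
# resolved GID list does not contain that group's GID.
report_mismatches() {
  local name _pw gid members user gids
  local IFS=,                              # members are comma-separated
  while IFS=: read -r name _pw gid members; do
    [ -n "$members" ] || continue
    for user in $members; do
      gids=$(user_gids "$user")
      [ -n "$gids" ] || continue           # skip users NSS cannot resolve
      case " $gids " in
        *" $gid "*) ;;                     # exact GID present: consistent
        *) echo "Issue with $name:$user" ;;
      esac
    done
  done
}

# Live run on a domain member: feed every winbind group through the check.
if [ "${1:-}" = "--live" ]; then
  wbinfo -g | while IFS= read -r g; do getent group "$g"; done | report_mismatches
fi
```

Because the comparison is on whole GIDs, the output can be diffed between a member running 4.9.5 and one running 4.10.11 without group-name formatting getting in the way.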



