Bug 10203 - nss_windbind.so can't see groups that wbinfo -g can
Summary: nss_windbind.so can't see groups that wbinfo -g can
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind
Version: 4.0.9
Hardware: x86 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: http://permalink.gmane.org/gmane.netw...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-15 00:01 UTC by Trent W. Buck
Modified: 2013-10-15 00:07 UTC


Attachments
Output of samba-tool group list (921 bytes, text/plain), 2013-10-15 00:02 UTC, Trent W. Buck
Output of wbinfo -g (337 bytes, text/plain), 2013-10-15 00:03 UTC, Trent W. Buck
output of ldapsearch + munging (1.25 KB, text/plain), 2013-10-15 00:04 UTC, Trent W. Buck
Output of getent group (446 bytes, text/plain), 2013-10-15 00:04 UTC, Trent W. Buck
Example missing object (747 bytes, text/plain), 2013-10-15 00:05 UTC, Trent W. Buck
Example present object (719 bytes, text/plain), 2013-10-15 00:05 UTC, Trent W. Buck

Description Trent W. Buck 2013-10-15 00:01:52 UTC
[I'm afraid $customer made me anonymize their rootdn, user and group
names, so the ones below are made up.  Hopefully I haven't introduced
any errors in the process.]

I'm running Debian 7 with samba 4.0.9dfsg1-1 built from
git://git.debian.org/pkg-samba/samba.  I'm using samba as an AD DC,
with accounts migrated from a samba3/slapd stack using samba-tool
domain classicupgrade.

What I find confusing is that there are groups in samba -- as
confirmed by samba-tool group list, ldapsearch and wbinfo -g -- that
are not reported by getent groups (glibc's nss query tool).  Further,
getent groups can reverse-resolve GIDs into the missing groups.

This is the worst one -- it only reverse-resolves:

    # getent group fb
    # getent group FB\\fb
    # getent group | grep fb:
    # getent group 1019
    FB\fb:*:1019:
    #

This one forward and reverse-resolves, but isn't listed by default:

    # getent group welles
    FB\welles:*:5029:
    # getent group FB\\welles
    FB\welles:*:5029:
    # getent group | grep welles:
    # getent group 5029
    FB\welles:*:5029:
    #

I can't understand why wbinfo and nss_winbind would give different
results.  The cn=fb and cn=robobobo objects, for example, look pretty
much alike -- it's not something as obvious as objectClass: posixGroup
in one and not the other.
Comment 1 Trent W. Buck 2013-10-15 00:02:52 UTC
Created attachment 9283
Output of samba-tool group list
Comment 2 Trent W. Buck 2013-10-15 00:03:59 UTC
Created attachment 9284
Output of wbinfo -g
Comment 3 Trent W. Buck 2013-10-15 00:04:30 UTC
Created attachment 9285
output of ldapsearch + munging
Comment 4 Trent W. Buck 2013-10-15 00:04:55 UTC
Created attachment 9286
Output of getent group
Comment 5 Trent W. Buck 2013-10-15 00:05:34 UTC
Created attachment 9287
Example missing object
Comment 6 Trent W. Buck 2013-10-15 00:05:55 UTC
Created attachment 9288
Example present object
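
Editor's added example, not part of the original bug report or of Samba: a script that repeats the report's three checks (enumeration, forward lookup, reverse lookup) for every group winbindd knows about, so groups that authorization tools relying on NSS would see inconsistently can be listed in one pass. It uses Python's `grp` module, which goes through the same glibc NSS path as `getent group`; the `gids` mapping (expected GIDs, assumed to come from the directory) and the helper names `short`, `lookup`, `classify` and `inconsistent` are assumptions of this example.

```python
import grp
import subprocess

def short(name):
    """Drop the 'DOMAIN\\' prefix winbind adds (default separator is a backslash)."""
    return name.rsplit("\\", 1)[-1].lower()

def wbinfo_groups():
    """Group names as winbindd reports them, i.e. the output of `wbinfo -g`."""
    out = subprocess.run(["wbinfo", "-g"], capture_output=True, text=True, check=True)
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]

def lookup(fn, key):
    """NSS lookups signal 'no such group' with KeyError; map that to None."""
    try:
        return fn(key)
    except KeyError:
        return None

def classify(names, gids, enum=grp.getgrall, by_name=grp.getgrnam, by_gid=grp.getgrgid):
    """For each group return (listed, forward, reverse) as seen through NSS.

    gids maps short group name -> expected GID (assumption: taken from the
    directory, e.g. the gidNumber attribute); it is needed for the reverse lookup.
    """
    listed = {short(g.gr_name) for g in enum()}
    result = {}
    for name in names:
        key = short(name)
        fwd = lookup(by_name, name) is not None
        rev_entry = lookup(by_gid, gids[key]) if key in gids else None
        rev = rev_entry is not None and short(rev_entry.gr_name) == key
        result[key] = (key in listed, fwd, rev)
    return result

def inconsistent(result):
    """Groups for which enumeration, forward and reverse lookup disagree."""
    return sorted(k for k, flags in result.items() if len(set(flags)) > 1)

if __name__ == "__main__":
    # Hypothetical usage on a live host; fill gids from your own directory.
    for name, flags in classify(wbinfo_groups(), gids={}).items():
        print(name, dict(zip(("listed", "forward", "reverse"), flags)))
```
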