Bug 1190 - samlogon_cache.tdb must be removed when 'security = ads'
Summary: samlogon_cache.tdb must be removed when 'security = ads'
Status: RESOLVED DUPLICATE of bug 2360
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.2a
Hardware: All Solaris
: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-03-16 01:56 UTC by Leon
Modified: 2005-02-18 06:02 UTC (History)

See Also:


Description Leon 2004-03-16 01:56:13 UTC
When I do "id -a kptest" as user root I get a correct set of primary+secondary groups back for user kptest.
However, when I perform "id -a" after "su - kptest" (so become the user first), I get every group in the system returned (119 groups, which on Solaris get truncated after 16 groups, the NGROUPS_MAX limit!).

This only happened for user kptest, not for other domain users...

I noticed a difference in processing in the function netsamlogon_cache_get, where for user kptest tons of rpc_ calls were executed every time I performed the id command, and this did not happen for the other domain user...

Later on I cleared all tdb files in /var/lock, touched /etc/nsswitch.conf (to tell Solaris to clear its user and group caches) and restarted winbind.

It seems the problem went away after that.
(The strange thing is that I had already repeated that procedure several times without result, but yesterday it suddenly cleared all problems...)

Maybe this is caused by my switching back and forth between the settings "use default domain=yes / no".

The other observation I made is that the group "GA KTP share" got the id 10522 in all previous tests, but since yesterday (after the full clear of the tdb databases) it got gid 10001...

(If you do "net user kptest /domain" on a DOS prompt you see the user is only a member of Domain Users and GA KTP share, definitely not of all the other groups!)

Below is the transcript with proof of the problem, and also proof of how this affects user kptest, which is unable to access a directory open to "GA KTP share" users even though it is a member of that group...

This issue makes me wonder if we should start using winbind; although the concept is beautiful, it does not seem stable yet.

# id kptest
uid=10000(kptest) gid=10001(Domain Users)
# id -a kptest
uid=10000(kptest) gid=10001(Domain Users) groups=10522(GA KTP share)
# su - kptest
Sun Microsystems Inc.   SunOS 5.8   Generic Patch     October 2001
kplus2:/export/home/ads/kptest> id
uid=10000(kptest) gid=10001(Domain Users)
kplus2:/export/home/ads/kptest> id -a
uid=10000(kptest) gid=10001(Domain Users) groups=10001(Domain Users),10260(DR 
Microsoft VisioStandaard 2002 EN),10117(DR Niche WorkPace 2.5 EN),10114(DR 
Novell ConsoleOne 1.3.4 EN),10258(DR Citrix ICAClient 6.31.1051 EN),10129(DR 
CBS StandaardOnderwijsindeling1998 Editie2002-2003 NL),10267(DR Axim2000),10382
(DR Kluwer ToolkitMedezeggenschapPraktijkmodellenOR April2003NL),10461(DR 
ISProjectsITFQualityDocs1.0EN),10451(DR SWIFT BicDatabasePlus Dec_2003 
EN),10405(DR CrystalReportsRuntime 9 EN),10235(DR 
InterflexSystem6020V150445NL),10328(DR NICELOG 6.55 EN),10421(DR Fundation 
Fundation 4 NL),10154(DR MorseWatchmanInc. KeyPro V1.65 EN),10376(DR IBM 
PersonalCommunications 5.0 NL)
kplus2:/export/home/ads/kptest> groups kptest
Domain Users DR Microsoft VisioStandaard 2002 EN DR Niche WorkPace 2.5 EN DR 
Novell ConsoleOne 1.3.4 EN DR Citrix ICAClient 6.31.1051 EN DR CBS 
StandaardOnderwijsindeling1998 Editie2002-2003 NL DR Axim2000 DR Kluwer 
ToolkitMedezeggenschapPraktijkmodellenOR April2003NL DR 
ISProjectsITFQualityDocs1.0EN DR SWIFT BicDatabasePlus Dec_2003 EN DR 
CrystalReportsRuntime 9 EN DR InterflexSystem6020V150445NL DR NICELOG 6.55 EN 
DR Fundation Fundation 4 NL DR MorseWatchmanInc. KeyPro V1.65 EN DR IBM 
PersonalCommunications 5.0 NL
kplus2:/export/home/ads/kptest> groups
Domain Users DR Microsoft VisioStandaard 2002 EN DR Niche WorkPace 2.5 EN DR 
Novell ConsoleOne 1.3.4 EN DR Citrix ICAClient 6.31.1051 EN DR CBS 
StandaardOnderwijsindeling1998 Editie2002-2003 NL DR Axim2000 DR Kluwer 
ToolkitMedezeggenschapPraktijkmodellenOR April2003NL DR 
ISProjectsITFQualityDocs1.0EN DR SWIFT BicDatabasePlus Dec_2003 EN DR 
CrystalReportsRuntime 9 EN DR InterflexSystem6020V150445NL DR NICELOG 6.55 EN 
DR Fundation Fundation 4 NL DR MorseWatchmanInc. KeyPro V1.65 EN DR IBM 
PersonalCommunications 5.0 NL
kplus2:/export/home/ads/kptest>
# cd /tmp
# mkdir test
# chown kplus:"GA KTP share"
usage: chown [-fhR] owner[:group] file...
# chown kplus:"GA KTP share" test
# chmod 770 test
# su - kptest
Sun Microsystems Inc.   SunOS 5.8   Generic Patch     October 2001
kplus2:/export/home/ads/kptest> cd /tmp/test
ksh: /tmp/test: permission denied
kplus2:/export/home/ads/kptest> ls -al /tmp/test
/tmp/test: Permission denied
total 16
kplus2:/export/home/ads/kptest> exit
# ls -al /tmp/test
total 32
drwxrwx---   2 kplus    GA KTP share     117 Mar 15 14:22 .
drwxrwxrwt  11 root     sys         3751 Mar 15 14:22 ..
#
# net -V
Version 3.0.2a
#
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kptest@AD.KASBANK.COM


Valid starting     Expires            Service principal
03/11/04 19:36:12  03/12/04 03:36:14  krbtgt/AD.KASBANK.COM@AD.KASBANK.COM
      renew until 03/11/04 20:36:12
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
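The transcript above shows two different answers to "which groups is kptest in": root's view (`id -a kptest`) lists the single supplementary group GA KTP share, while the user's own view after `su - kptest` lists sixteen unrelated groups and not GA KTP share at all, which is exactly why `cd /tmp/test` (mode 770, group "GA KTP share") is denied. The following is an added diagnostic, not part of the report and not Samba code: it parses Solaris-style `id -a` lines, compares the two views, flags the NGROUPS_MAX truncation the reporter mentions, and checks whether a required gid is actually in the effective set. The sample lines are constructed from the transcript; the value 16 for NGROUPS_MAX is taken from the report and is an assumption about the host.

```python
import re

# Assumption: NGROUPS_MAX is 16 on the Solaris 8 host described in the report.
NGROUPS_MAX_SOLARIS8 = 16

# One "gid(name)" entry as printed by Solaris `id -a`; names may contain spaces.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Parse one line of `id -a` output.

    Returns a dict with "uid" and "gid" as (number, name) tuples and
    "groups" as an ordered list of (number, name) tuples. Whitespace is
    collapsed first so a line that was wrapped when pasted still parses.
    """
    line = " ".join(line.split())
    uid = re.search(r"uid=(\d+)\(([^)]*)\)", line)
    gid = re.search(r"gid=(\d+)\(([^)]*)\)", line)
    if not uid or not gid:
        raise ValueError("not an `id` line: %r" % line)
    groups = []
    rest = re.search(r"groups=(.*)$", line)
    if rest:
        groups = [(int(n), name) for n, name in _ENTRY.findall(rest.group(1))]
    return {"uid": (int(uid.group(1)), uid.group(2)),
            "gid": (int(gid.group(1)), gid.group(2)),
            "groups": groups}


def compare_views(root_line, user_line, required_gid=None,
                  ngroups_max=NGROUPS_MAX_SOLARIS8):
    """Compare root's view (`id -a user`) with the user's own view (`id -a`
    after `su - user`) and return a list of human-readable findings.

    required_gid, if given, is a group the user needs for some resource
    (here the gid owning the chmod-770 directory); it is checked against
    the user's effective set, because that is what the kernel enforces.
    """
    root = parse_id(root_line)
    user = parse_id(user_line)
    findings = []
    if root["uid"] != user["uid"]:
        findings.append("uid differs: root sees %r, user sees %r"
                        % (root["uid"], user["uid"]))
    root_gids = {n for n, _ in root["groups"]}
    user_gids = {n for n, _ in user["groups"]}
    extra = sorted(user_gids - root_gids)
    missing = sorted(root_gids - user_gids)
    if extra:
        findings.append("%d group(s) only in the user's own view: %s"
                        % (len(extra), extra))
    if missing:
        findings.append("%d group(s) missing from the user's own view: %s"
                        % (len(missing), missing))
    if len(user["groups"]) >= ngroups_max:
        findings.append("user's view holds %d groups, the NGROUPS_MAX=%d limit; "
                        "any further groups were silently dropped"
                        % (len(user["groups"]), ngroups_max))
    if required_gid is not None and required_gid not in user_gids:
        findings.append("required gid %d is not in the user's effective set, "
                        "so access to resources owned by it is denied"
                        % required_gid)
    return findings


# Constructed sample input, copied from the transcript in the report
# (the user's own view is one logical line; it was only wrapped when pasted).
ROOT_VIEW = "uid=10000(kptest) gid=10001(Domain Users) groups=10522(GA KTP share)"
USER_VIEW = (
    "uid=10000(kptest) gid=10001(Domain Users) groups=10001(Domain Users),"
    "10260(DR Microsoft VisioStandaard 2002 EN),10117(DR Niche WorkPace 2.5 EN),"
    "10114(DR Novell ConsoleOne 1.3.4 EN),10258(DR Citrix ICAClient 6.31.1051 EN),"
    "10129(DR CBS StandaardOnderwijsindeling1998 Editie2002-2003 NL),"
    "10267(DR Axim2000),"
    "10382(DR Kluwer ToolkitMedezeggenschapPraktijkmodellenOR April2003NL),"
    "10461(DR ISProjectsITFQualityDocs1.0EN),10451(DR SWIFT BicDatabasePlus Dec_2003 EN),"
    "10405(DR CrystalReportsRuntime 9 EN),10235(DR InterflexSystem6020V150445NL),"
    "10328(DR NICELOG 6.55 EN),10421(DR Fundation Fundation 4 NL),"
    "10154(DR MorseWatchmanInc. KeyPro V1.65 EN),10376(DR IBM PersonalCommunications 5.0 NL)"
)

if __name__ == "__main__":
    # 10522 is the gid of "GA KTP share", the group owning /tmp/test in the report.
    for finding in compare_views(ROOT_VIEW, USER_VIEW, required_gid=10522):
        print("-", finding)
```

Run against the report's lines, the script reports sixteen groups that only the user's own view contains, the one group (10522) that is missing from it, that the user's list sits exactly at the 16-entry limit (so the remaining groups of the 119 were dropped by the kernel), and that gid 10522 is absent from the effective set, which matches the "permission denied" on the 770 directory. On a healthy host the two views agree and the function returns an empty list; the same comparison can be run against the NSS output of any winbind-backed account to tell a stale netsamlogon cache apart from a genuine group-membership change.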
Comment 1 Gerald (Jerry) Carter (dead mail address) 2004-03-16 11:16:47 UTC
'winbind use default domain' is evil.  Just my opinion.
That being said, you should probably get the patch from bug 1165.

Finally, the net_samlogon.tdb cache stores user information when in security = domain (particularly for universal group membership).  If you switch back and forth between security = domain and security = ads you can run into problems such as these.

I'll make a change so that we blow away net_samlogon_cache.tdb when security = ads.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-02-18 06:02:40 UTC
Not a duplicate per se, but a related issue.

*** This bug has been marked as a duplicate of 2360 ***