13186 – winbind fails to translate uids to BUILTIN groups

Bug 13186 - winbind fails to translate uids to BUILTIN groups

Summary: winbind fails to translate uids to BUILTIN groups

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	4.7.3
Hardware:	All Linux

Importance:	P5 regression (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-12-12 15:37 UTC by Fabian Lesniak
Modified:	2019-11-01 08:59 UTC (History)
CC List:	3 users (show)

See Also:	11757

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fabian Lesniak 2017-12-12 15:37:48 UTC

I was running samba 4.5.12 as AD DC. I have no special settings for idmap or winbind in my smb.conf, thus everything should be set to the default for freshly provisioned domains. Files created using an admin account and therefore belonging to "BUILTIN\Administrators" (uid/gid 3000000) were resolved correctly:

# wbinfo --uid-info 3000000
BUILTIN\administrators:*:3000000:3000000::/srv/samba/home/administrators:/bin/bash
# wbinfo --gid-info=3000000
BUILTIN\administrators:x:3000000:
# l file-created-with-admin-account.txt
-rwxrwxr-x+ 1 BUILTIN\administrators users 0 12. Dez 16:11 file-created-with-admin-account.txt

After upgrading to 4.7.3, resolving uids of BUILTIN groups fails:

# wbinfo --uid-info=3000000
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000000
# wbinfo --gid-info=3000000
BUILTIN\administrators:x:3000000:
# l file-created-with-admin-account.txt 
-rwxrwxr-x 1 3000000 users 0 12. Dez 15:11 file-created-with-admin-account.txt

However, in both cases, resolving as a gid works:
# wbinfo --gid-info=3000000
BUILTIN\administrators:x:3000000:

I bisected the bug the following commit between 4.5 and 4.6.0:
bce19a6efe1 winbind: Restructure wb_getpwsid

Before this commit, resolving 3000000 as uid works as expected.
After this commit and with any newer stable version (I tested 4.6.3, 4.6.11, 4.7.3), these uid can't be resolved.

bug 11757 is similar, but as far as I can see not a duplicated because it is older than the mentioned commit. Maybe it has the same root cause.

I tried to dig through the winbind query functions and noticed that resolving uid 3000000 to the corresponding SID works, but afterwards translating this SID to the name fails. I have not been able to find the root cause for that, but I'm curious to try if someone can point me in the right direction.

Comment 1 Alfred Schlütter 2018-02-15 22:27:09 UTC

I have a the same Problem with all BUILTIN\ACCOUNTS after update my samba DCs and MEMBERSERVERs from Version 4.5.11 to 4.7.0 and 4.7.5
The user (uid) translation for BUILTIN\ACCOUNTS works not correct. The B flag (accounttyp both) is not reading right by winbind, so my opinion. On my "old" Memberserver all works fine.


On my samba DC (linux opensuse 42.3) with samba 4.7.5:
Linux dc1 4.4.104-39-default #1 SMP Thu Jan 4 08:11:03 UTC 2018 (7db1912) x86_64 x86_64 x86_64 GNU/Linux

Translate gid works fine.
dc1:/ # /usr/local/samba/bin/wbinfo --gid-info=100545
BUILTIN\users:x:100545:
net cache list: Key: IDMAP/SID2XID/S-1-5-32-545  Timeout: Thu Feb 22 19:14:55 2018  Value: 100545:G (group is wrong)

Translate uid doesn't work.
dc1:/ # /usr/local/samba/bin/wbinfo --uid-info=100545
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 100545
net cache list: Key: IDMAP/SID2XID/S-1-5-32-545  Timeout: Thu Feb 22 19:15:07 2018  Value: 100545:B (change to both!)


On my samba DC (unix freebsd 11.1) with samba 4.7.0:
FreeBSD fn1.schluettergmbh.site 11.1-STABLE FreeBSD 11.1-STABLE #0 r321665+4bd3ee42941(freenas/11.1-stable): Thu Jan 18 15:45:01 UTC 2018
root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64

Translate gid works fine.
root@fn1:~ # wbinfo --gid-info=100545
BUILTIN\users:x:100545:
net cache list: Key: IDMAP/SID2XID/S-1-5-32-545  Timeout: Thu Feb 22 18:58:47 2018  Value: 100545:G (group is wrong)

Translate uid doesn't work.
root@fn1:~ # wbinfo --uid-info=100545
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 100545
net cache list: Key: IDMAP/SID2XID/S-1-5-32-545  Timeout: Thu Feb 22 18:58:47 2018  Value: 100545:B (change to both!)


On my "old" samba MEMBERSERVER (unix freebsd 10.3) with samba 4.5.11:
FreeBSD fn2.schluettergmbh.site 10.3-STABLE FreeBSD 10.3-STABLE #0 r295946+21897e6695f(HEAD): Tue Jul 25 00:03:12 UTC 2017     root@gauntlet:/freenas-9.10-releng/_BE/objs/freenas-9.10-releng/_BE/os/sys/FreeNAS.amd64  amd64

Translate gid and uid works fine!

[root@fn2] ~# wbinfo --gid-info=100545
net cache list: Key: IDMAP/SID2XID/S-1-5-32-545  Timeout: Thu Feb 22 18:53:29 2018  Value: 100545:B (both is correct)
BUILTIN\users:x:100545:

[root@fn2] ~# wbinfo --uid-info=100545
BUILTIN\users:*:100545:100545::/home/BUILTIN/users:/bin/false
net cache list: Key: IDMAP/SID2XID/S-1-5-32-545  Timeout: Thu Feb 22 18:53:29 2018  Value: 100545:B (both is correct)


Best regards and very thanks for SAMBA!
Alfred Schlütter

Comment 2 Alfred Schlütter 2019-11-01 07:57:52 UTC

Now, new test with samba 4.11.2. It works fine:

dc1:~ # /usr/local/samba/bin/wbinfo --gid-info=100545
BUILTIN\users:x:100545:
dc1:~ #
dc1:~ #
dc1:~ # /usr/local/samba/bin/wbinfo --uid-info=100545
BUILTIN\users:*:100545:100545::/home/BUILTIN/users:/bin/bash

Bug can closed.

Best regards and very thanks for SAMBA!
Alfred Schlütter