1560 – winbind_ads must recurse when getting groups

Bug 1560 - winbind_ads must recurse when getting groups

Summary: winbind_ads must recurse when getting groups

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	winbind (show other bugs)
Version:	3.0.2a
Hardware:	All FreeBSD

Importance:	P3 normal
Target Milestone:	none
Assignee:	Samba Bugzilla Account
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2004-07-26 06:39 UTC by Andrew Bartlett
Modified:	2006-04-08 11:40 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2004-07-26 06:39:22 UTC

When (for some reason) a user's tokenGroups attribute is not available, winbindd
falls back from lookup_usergroups() to lookup_usergroups_alt()

lookup_usergroups_alt() is buggy - as it does not manually recurse over all the
groups.  (It only does a single level lookup, and therefore misses groups in
groups).  This may not be possible, given what groups are on what servers.

Andrew Bartlett

Comment 1 Andrew Bartlett 2004-07-26 07:00:25 UTC

Clarification:

Both these functions are ADS LDAP functions.  The fallback is between two
different questions we can ask ADS.  

The fallback is less efficient, particularly now that we find the need to
manually recurse.

Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-04-08 11:40:15 UTC

closing old bugs.  relying on the PAC or Samlogon() reply is really the only valid solution.