Bug 2212 - Winbind to ADS : PrimaryGroups not shown with getent group
Summary: Winbind to ADS : PrimaryGroups not shown with getent group
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.10
Hardware: All Linux
: P3 critical
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-05 14:56 UTC by Holger Schmieder
Modified: 2012-03-12 12:52 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Holger Schmieder 2005-01-05 14:56:48 UTC 
I have samba 3.0.10 connected with winbind an kerberos to an W2K Domain. With 
getent passwd i can see all the users, with getent group all groups but there 
are not all the members in every group. 
I findout that for every user the primary group is not solved in the getent 
passwd.

example:
This is the WRONG output from getent:
[root@komm1-neu root]# getent group|grep Benutzer
Domänen-Benutzer:x:10006:eichel,will

The following output is TRUE:
[root@komm1-neu root]# id eichel;id will;id kohl;id schroeder;id schaefer
uid=10003(eichel) gid=10012(Buha) groups=10012(Buha),10006(Domänen-Benutzer)
uid=10005(will) gid=10011(GL) groups=10011(GL),10006(Domänen-Benutzer)
uid=10006(kohl) gid=10006(Domänen-Benutzer) groups=10006(Domänen-Benutzer)
uid=10007(schroeder) gid=10006(Domänen-Benutzer) groups=10006(Domänen-Benutzer)
uid=10000(schaefer) gid=10006(Domänen-Benutzer) groups=10006(Domänen-
Benutzer),10011(GL)

...as you see here: eichel and will uses other prim-groups then the other 
users. But thoese both users where not shown in there own prim-groups:

[root@komm1-neu root]# getent group|grep GL;getent group|grep Buha
GL:x:10011:schaefer
Buha:x:10012:

If i use cat /prog/<PID>/status or wbinfo --user-groups=XXXX i get the normal 
output also.

BUT: the wrong groupmapping in getent means that i cannot assign the right in 
the filesystem !
Comment 1 Marc Kaplan 2005-01-05 15:26:53 UTC 
I could be remembering this incorrectly, but I thought that primary group was
left out of getent group as an optimization. If you do getent passwd, you will
see that each user has the proper entry for the primary group. If you don't see
the primary group in the proper place of getent passwd than this is a bug, but
if you see all of the groups in id and they work for purposes of access, it's
probably as intended.
Comment 2 Holger Schmieder 2005-01-05 16:53:04 UTC 
(In reply to comment #1)
> If you do getent passwd, you will see that each user has the proper entry for 
>the primary group. 
Yes, thats true, i see the proper primaryGroupId with getent passwd.
But, if i cannot see all the users belongs to one group (for ex. Domain Users), 
i believe, i cannot set the rights to that group in my smb.conf !?
I will try it out an will give an feedback here.

>primary group was left out of getent group as an optimization ...
I can't believe that, this is only one more entry per user - but if this is 
true: is there another way to findout wich users belongs to an specific group 
on the samba-server ?
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-02-09 17:19:21 UTC 
Is this still an issue in 3.0.11 ?  Pleas retest and let me know.
Ther optimization Marc was talking about was to prevent haveing 
to do a query_user for every intry return the ldap search of AD.
But I looked the other day and couldn't find that code.
So it might be fixed now.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-02-17 10:21:12 UTC 
closing awaiting feedback on whwther the bug in fixed in 3.0.11 or not.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:23:25 UTC 
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 6 Seb H 2012-03-12 12:52:38 UTC 
I'm still experiencing the same in version 3.6.3