Bug 3476 - Error when doing getfacl on a file with a trusted domain group
Status: RESOLVED DUPLICATE of bug 10062
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.21b
Hardware: Sparc Solaris
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
 
Reported: 2006-02-02 07:45 UTC by Hans Randgaard (550 5.1.1 User unknown)
Modified: 2014-07-24 06:50 UTC

Attachments
log level 10 of winbind (565.10 KB, text/plain)
2006-02-03 03:42 UTC, Hans Randgaard (550 5.1.1 User unknown)

Description Hans Randgaard (550 5.1.1 User unknown) 2006-02-02 07:45:34 UTC
When I try to list the ACLs in a file (directory) that contains a
Windows domain group from a trusted domain, winbindd loses track
of the domain groups.

getfacl starts listing the ACLs, the locals and the winbind group from the
domain to which the Samba server belongs are listed OK, but when it should
list the trusted group it fails:

root@tstpcdisk01 # getfacl .

# file: .
# owner: root
# group: other
user::rwx
group::rwx              #effective:rwx
group:dri:rwx           #effective:rwx
group:cph_users:r-x             #effective:r-x
group:CPHOIL+domain users:r-x           #effective:r-x
group:10330:r-x         #effective:r-x
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:dri:rwx
default:group:cph_users:r-x
default:group:10000:r-x
default:group:10330:r-x
default:mask:rwx
default:other:---

10000 is "CPHOIL+domain users" and is translated in the beginning of the
ACLs, but later it fails.
10330 is a trusted group "MAERSKOIL+ebj acl_dimstelex"

Before doing the getfacl I get the following:

root@tstpcdisk01 # wbinfo -t
checking the trust secret via RPC calls succeeded

root@tstpcdisk01 # wbinfo -m
CPH                  (trusted)
MAERSKOIL            (trusted)
FINANCE              (trusted)
CPHOIL               (domain which Samba server is a member of)

and both "wbinfo -u" and "wbinfo -g" returned all users and groups
from both local windows domain and from the trusted domains.

After doing the getfacl I get the following:

root@tstpcdisk01 # wbinfo -t
checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret

root@tstpcdisk01 # wbinfo -m
Could not list trusted domains

and both "wbinfo -u" and "wbinfo -g" return this error:

Error looking up domain groups

Not all trusted windows groups show this behaviour, since if I do "ls -l"
I get the following, where it lists both a local domain group and a trusted:

root@tstpcdisk01 # ls -l
total 4
drwxrws---+  2 root             CPHOIL+dri   512 Nov 30 13:07 telex/
drwxrwx---+  2 MAERSKOIL+adtest other        512 Dec  1 10:54 xx/

winbindd does NOT crash and it seems as if it recovers after a while (some 5
minutes), but if I try to list the ACLs again I am back to square 1.

Kind regards, Hans.

PS. I noticed that when I try to list all groups (wbinfo -g) the following
error appears in log.winbindd:

[2006/02/02 13:49:29, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2240)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL
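
Added example, not part of the original report and not Samba code: a small Python check that reads getfacl output in the format quoted above and separates groups whose name lookup never worked from groups that were resolved in one entry and printed as a bare gid in a later one, which is the symptom described for 10000. The gid-to-name map is taken from the reporter's statements; treating an all-digit qualifier as an unresolved gid is an assumption.

```python
import re

# Sample input: the getfacl output quoted in the report, header lines shortened.
SAMPLE = """\
# file: .
user::rwx
group::rwx              #effective:rwx
group:dri:rwx           #effective:rwx
group:cph_users:r-x             #effective:r-x
group:CPHOIL+domain users:r-x           #effective:r-x
group:10330:r-x         #effective:r-x
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:dri:rwx
default:group:cph_users:r-x
default:group:10000:r-x
default:group:10330:r-x
default:mask:rwx
default:other:---
"""

# gid -> group name, as stated by the reporter in the text above.
REPORTED = {10000: "CPHOIL+domain users", 10330: "MAERSKOIL+ebj acl_dimstelex"}

# Named-group entries only; "group::rwx" (owning group) has no qualifier and is skipped.
ENTRY = re.compile(r"^(default:)?group:([^:]+):([rwx-]{3})")

def group_entries(text):
    """Yield (section, qualifier) for each named-group ACL entry."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield ("default" if m.group(1) else "access", m.group(2))

def unresolved(text):
    """Entries printed as a bare numeric gid (assumed: name lookup failed)."""
    return [(s, int(q)) for s, q in group_entries(text) if q.isdigit()]

def lost_midway(text, names):
    """gids shown by name in one entry and as a number in another."""
    seen = {q for _, q in group_entries(text) if not q.isdigit()}
    return sorted({g for _, g in unresolved(text) if names.get(g) in seen})

if __name__ == "__main__":
    print("unresolved entries:", unresolved(SAMPLE))
    print("resolved earlier, numeric later:", lost_midway(SAMPLE, REPORTED))
```
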
Comment 1 Gerald (Jerry) Carter 2006-02-02 07:48:43 UTC
NT_STATUS_BUFFER_TOO_SMALL is a normal error message.
Comment 2 Hans Randgaard (550 5.1.1 User unknown) 2006-02-02 07:55:48 UTC
Forgot to mention that I can use Windows Explorer to list the ACLs, by doing
right click->properties->Security
Here I get the trusted windows group translated !?
Comment 3 Volker Lendecke 2006-02-02 08:05:34 UTC
This is _NOT_ a buffer overflow. We need a full debug level 10 log of all winbindd's to diagnose this fully.

And BTW, wbinfo -u is broken by definition. Likewise with -g.

Volker
Comment 4 Hans Randgaard (550 5.1.1 User unknown) 2006-02-03 03:42:40 UTC
Created attachment 1720
log level 10 of winbind

During this level 10 trace of winbind I made an "ls -l" command and a "getfacl ."
command.
Comment 5 Gerald (Jerry) Carter 2006-04-20 08:03:38 UTC
Severity should be determined by the developers and not the reporter.
Comment 6 Björn Jacke 2014-07-24 06:50:40 UTC

*** This bug has been marked as a duplicate of bug 10062 ***