The Samba-Bugzilla – Bug 3540
Winbind does not give proper user/group information
Last modified: 2007-04-14 17:34:05 UTC
I'm running a SUSE 10 box with samba-3.0.20b-3.1, winbind and kerberos. When running getent I get different result to another box running samba-3.0.14a-r2 on Gentoo. There are less result for getent group and the groups and some users are capitalised so Administrator appears instead of administrator.
This causes sudo to fail with the domain administrator account when the following line is in /etc/sudoers:
%domain\ admins ALL=(ALL) ALL
All other users are lowercased, but Administrator has a leading capital as do some of the group which did't on the Gentoo machine's slightly older version.
which causes sudo to administrator but still accepts someuser and testuser. The following is the error from sudo:
administrator is not in the sudoers file. This incident will be reported.
Either this is a samba/winbind bug or it is a sudo bug. It's likely to be something in samba/winbind since the results of getent passwd and getend group are different across the two machines with different samba versions and I've noticed that only the account which has a different case returned from getent is being problematic, the other domain admins member can sudo perfectly fine.
I've logged on as Administrator@hostname and administrator@hostname. Administrator turns in to administrator as soon as the login is complete and sudo fails regardless...
here is the output from getent group on SUSE samba-3.0.20b-3.1:
unix local groups...
Group Policy Creator Owners:x:15006:Administrator
but with samba-3.0.14a-r2 on Gentoo I get :
group policy creator owners:x:15032:administrator
Obviously the earlier version is giving more groups and also they are lower case , they also work without a hitch so far... even with sudo...
Can you please try to reproduce this with the latest samba version?
Also the older version was presenting you the builtin groups from the AD server which was wrong and got fixed in the newer release. Apart from the builtin groups, the amount of groups showing up is correct in both cases.
This was supposedly fixed in 3.0.20a and if working
corrcetly for me now. Can you test with 'winbind use
default domain = no' and see if that makes any difference
on the off chance? Thanks.
Ok, you were correct regarding builtin groups and the number of groups although the capitalisation is strange. I've set winbind use default domain = no in smb.conf and restarted nmb smb and winbind - the groups are all now in lower case and appear as follows:
DOMAIN\group policy creator owners:x:15006:DOMAIN\administrator
However, this is a bit awkward since you have to type DOMAIN\administrator@hostname log on now and sudo is even more broken - it doesn't work for any user - all now get the following error:
DOMAIN\administrator@test2:~> sudo su
Permissions on the password database may be too restrictive.
DOMAIN\administrator is not in the sudoers file. This incident will be reported.
ok, I've upgraded samba to 3.0.21b on gentoo and now it has the same problem as the suse box. I'm convinced this must be a samba bug. Administrator now shows up with a capital leading "A" when it had a small "a" before, just as it did on the suse box.
I can work around this by putting the line:
administrator ALL=(ALL) ALL
in /etc/sudoers, and then "sudo su" as administrator works.
What appears to be happening is that Administrator is a member of the domain admins group but administrator is not. When logging in as Administrator@hostname the prompt shows administrator so when I "sudo su" obviously administrator is being put forward regardless and is failing the group membership test for domain admins.
I've tried deleting the home directory of administrator and then logging in as Administrator@hostname (the home dir is recreated via pam line:"session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077") to try to get it to stay as Administrator but it still reverts to the lowercase name and sudo still fails.
I don't know what else this weird samba/winbind thing breaks but it may break other things I'm not yet aware of.
Fixed fine for me in the latest code (3.0.25rc1)