Bug 3540 - Winbind does not give proper user/group information
Summary: Winbind does not give proper user/group information
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.21b
Hardware: x64 Windows 2000
Importance: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2006-02-22 09:54 UTC by Hari Sekhon
Modified: 2007-04-14 17:34 UTC

Description Hari Sekhon 2006-02-22 09:54:03 UTC
I'm running a SUSE 10 box with samba-3.0.20b-3.1, winbind and Kerberos. When running getent I get different results to another box running samba-3.0.14a-r2 on Gentoo. There are fewer results for getent group, and the groups and some users are capitalised, so Administrator appears instead of administrator.

This causes sudo to fail with the domain administrator account when the following line is in /etc/sudoers:

%domain\ admins ALL=(ALL) ALL

All other users are lowercased, but Administrator has a leading capital, as do some of the groups, which didn't on the Gentoo machine's slightly older version.

getent group
Domain Admins:x:15005:someuser,testuser,Administrator

which causes sudo to fail for administrator but still accepts someuser and testuser. The following is the error from sudo:

administrator is not in the sudoers file.  This incident will be reported.

Either this is a samba/winbind bug or it is a sudo bug. It's likely to be something in samba/winbind, since the results of getent passwd and getent group are different across the two machines with different samba versions, and I've noticed that only the account which has a different case returned from getent is being problematic; the other domain admins members can sudo perfectly fine.

I've logged on as Administrator@hostname and administrator@hostname. Administrator turns into administrator as soon as the login is complete and sudo fails regardless...
Comment 1 Hari Sekhon 2006-02-22 09:57:34 UTC
Here is the output from getent group on SUSE samba-3.0.20b-3.1:

unix local groups...
Domain Computers:x:15001:
Domain Controllers:x:15002:
Schema Admins:x:15003:Administrator
Enterprise Admins:x:15004:Administrator
Cert Publishers:x:15007:
Domain Admins:x:15005:someuser,testuser,Administrator
Domain Users:x:15000:
Domain Guests:x:15008:Guest
Group Policy Creator Owners:x:15006:Administrator

but with samba-3.0.14a-r2 on Gentoo I get :

domain computers:x:15036:
domain controllers:x:15037:
schema admins:x:15035:administrator
enterprise admins:x:15034:administrator
cert publishers:x:15038:
domain admins:x:15033:someuser,testuser,administrator
domain users:x:15031:
domain guests:x:15039:guest
group policy creator owners:x:15032:administrator
BUILTIN\system operators:x:15007:
BUILTIN\power users:x:15010:
BUILTIN\print operators:x:15011:
BUILTIN\account operators:x:15013:
BUILTIN\backup operators:x:15014:

Obviously the earlier version is giving more groups and also they are lower case; they also work without a hitch so far... even with sudo...
Comment 2 Guenther Deschner 2006-02-22 10:03:35 UTC
Can you please try to reproduce this with the latest samba version?
Comment 3 Guenther Deschner 2006-02-22 10:06:23 UTC
Also, the older version was presenting you the builtin groups from the AD server, which was wrong and got fixed in the newer release. Apart from the builtin groups, the number of groups showing up is correct in both cases.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2006-02-22 10:15:36 UTC
This was supposedly fixed in 3.0.20a and is working correctly for me now. Can you test with 'winbind use default domain = no' and see if that makes any difference on the off chance? Thanks.
Comment 5 Hari Sekhon 2006-02-22 10:27:20 UTC
OK, you were correct regarding builtin groups and the number of groups, although the capitalisation is strange. I've set winbind use default domain = no in smb.conf and restarted nmb, smb and winbind. The groups are all now in lower case and appear as follows:

DOMAIN\domain computers:x:15001:
DOMAIN\domain controllers:x:15002:
DOMAIN\schema admins:x:15003:DOMAIN\administrator
DOMAIN\enterprise admins:x:15004:DOMAIN\administrator
DOMAIN\cert publishers:x:15007:
DOMAIN\domain admins:x:15005:DOMAIN\someuser,DOMAIN\testuser,DOMAIN\administrator
DOMAIN\domain users:x:15000:
DOMAIN\domain guests:x:15008:DOMAIN\guest
DOMAIN\group policy creator owners:x:15006:DOMAIN\administrator

However, this is a bit awkward since you have to type DOMAIN\administrator@hostname to log on now, and sudo is even more broken: it doesn't work for any user. All now get the following error:

DOMAIN\administrator@test2:~> sudo su
Permissions on the password database may be too restrictive.
DOMAIN\administrator is not in the sudoers file.  This incident will be reported.

Comment 6 Hari Sekhon 2006-02-24 09:35:22 UTC
OK, I've upgraded samba to 3.0.21b on Gentoo and now it has the same problem as the SUSE box. I'm convinced this must be a samba bug. Administrator now shows up with a capital leading "A" when it had a small "a" before, just as it did on the SUSE box.

I can work around this by putting the line:

administrator   ALL=(ALL) ALL

in /etc/sudoers, and then "sudo su" as administrator works.

What appears to be happening is that Administrator is a member of the domain admins group but administrator is not. When logging in as Administrator@hostname the prompt shows administrator, so when I "sudo su" obviously administrator is being put forward regardless and is failing the group membership test for domain admins.

I've tried deleting the home directory of administrator and then logging in as Administrator@hostname (the home dir is recreated via the PAM line "session    optional     pam_mkhomedir.so skel=/etc/skel/ umask=0077") to try to get it to stay as Administrator, but it still reverts to the lowercase name and sudo still fails.

I don't know what else this weird samba/winbind thing breaks but it may break other things I'm not yet aware of.
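As an added illustration (not part of this bug report or of Samba's code), the following Python script audits `getent group` output for the failure mode Comment 6 describes: the sudoers rule finds the group, but the member list carries the name under a different capitalisation than the login name, so the membership check misses. It assumes that group names resolve case-insensitively (which is why the other members in the report still match) and that the member list is compared with the login name as an exact string; the sample listings are constructed from the two outputs quoted in Comment 1, with the BUILTIN groups left out.

```python
"""Audit NSS group output for case mismatches that break sudo group rules."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the newer winbind build's listing from the report
# (capitalised names), including the reporter's placeholder first line.
GETENT_GROUP_NEW = """\
unix local groups...
Domain Computers:x:15001:
Domain Controllers:x:15002:
Schema Admins:x:15003:Administrator
Enterprise Admins:x:15004:Administrator
Cert Publishers:x:15007:
Domain Admins:x:15005:someuser,testuser,Administrator
Domain Users:x:15000:
Domain Guests:x:15008:Guest
Group Policy Creator Owners:x:15006:Administrator
"""

# Constructed sample: the older build's listing (everything lowercased).
GETENT_GROUP_OLD = """\
domain admins:x:15033:someuser,testuser,administrator
domain users:x:15031:
domain guests:x:15039:guest
"""


def parse_getent_group(text: str) -> Dict[str, List[str]]:
    """Parse 'name:passwd:gid:m1,m2' lines; skip anything that is not one."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue  # e.g. the "unix local groups..." placeholder line
        name, _passwd, _gid, members = parts
        groups[name] = [m for m in members.split(",") if m]
    return groups


def lookup_group(groups: Dict[str, List[str]], name: str) -> Optional[Tuple[str, List[str]]]:
    """Resolve a group name: exact match first, then case-insensitively.
    Assumption: winbind resolves group names regardless of case, which is
    why the rule itself still matched for the other members in the report."""
    if name in groups:
        return name, groups[name]
    for gname, members in groups.items():
        if gname.lower() == name.lower():
            return gname, members
    return None


def sudo_group_rule_allows(groups: Dict[str, List[str]], rule_group: str, login_name: str) -> bool:
    """Model of a '%group' sudoers rule: the member list is compared with the
    login name as an exact string (assumption consistent with the report)."""
    hit = lookup_group(groups, rule_group)
    return hit is not None and login_name in hit[1]


def case_mismatches(groups: Dict[str, List[str]], login_name: str) -> List[Tuple[str, str]]:
    """Groups where login_name appears only under a different capitalisation:
    these are the memberships an exact-string check will silently miss."""
    found: List[Tuple[str, str]] = []
    for gname, members in groups.items():
        if login_name in members:
            continue
        for m in members:
            if m.lower() == login_name.lower():
                found.append((gname, m))
    return found


def audit(text: str, rule_group: str, login_name: str) -> Dict[str, object]:
    """Run both checks over raw getent output and return the findings."""
    groups = parse_getent_group(text)
    return {
        "rule_allows": sudo_group_rule_allows(groups, rule_group, login_name),
        "case_mismatches": case_mismatches(groups, login_name),
    }


if __name__ == "__main__":
    for label, text in (("new build", GETENT_GROUP_NEW), ("old build", GETENT_GROUP_OLD)):
        result = audit(text, "domain admins", "administrator")
        print(f"{label}: rule %domain\\ admins allows 'administrator'? {result['rule_allows']}")
        for gname, member in result["case_mismatches"]:
            print(f"  {gname}: listed as {member!r}, login name is 'administrator'")
```

Run against a live system with `getent group | python3 audit.py`-style piping (reading stdin instead of the embedded samples), the mismatch list tells an administrator which group-based sudo rules will fail for a given login name before anyone is locked out; an empty list for every account that matters is the condition to check after a winbind upgrade or a change to winbind use default domain.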
Comment 7 Gerald (Jerry) Carter (dead mail address) 2007-04-14 17:34:05 UTC
Fixed fine for me in the latest code (3.0.25rc1)