3546 – winbind failing when mapping groups from AD withou SFU attributes defined

Bug 3546 - winbind failing when mapping groups from AD withou SFU attributes defined

Summary: winbind failing when mapping groups from AD withou SFU attributes defined

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	unspecified
Hardware:	x86 Linux

Importance:	P3 enhancement (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2006-02-23 08:36 UTC by Vandeir Eduardo
Modified:	2014-01-28 23:34 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vandeir Eduardo 2006-02-23 08:36:34 UTC

When using options idmap backend = idmap_ad and winbind nss info = sfu and a user is member of a group that doesn't have SFU attributes defined on AD, getent passwd user fail completelly. Only when all the groups a user is a member of have SFU attributes defined is that getent passwd user works.
For example: on AD userA is member of groups "Domain Users" and "GroupUnixA".
If both groups has SFU attributes defined, everything works ok. But if, for example, group "Domain Users" doesn't have SFU attributes defined but GroupUnixA has, getent passwd userA will fail and will return no information or errors.
I think that on this scenario, it should return at least the information of GroupUnixA, ignoring the group Domain Users.

Comment 1 Vandeir Eduardo 2006-03-02 08:16:03 UTC

(In reply to comment #0)
> When using options idmap backend = idmap_ad and winbind nss info = sfu and a
> user is member of a group that doesn't have SFU attributes defined on AD,
> getent passwd user fail completelly. Only when all the groups a user is a
> member of have SFU attributes defined is that getent passwd user works.
> For example: on AD userA is member of groups "Domain Users" and "GroupUnixA".
> If both groups has SFU attributes defined, everything works ok. But if, for
> example, group "Domain Users" doesn't have SFU attributes defined but
> GroupUnixA has, getent passwd userA will fail and will return no information or
> errors.
> I think that on this scenario, it should return at least the information of
> GroupUnixA, ignoring the group Domain Users.
> 

I saw in bug 3062 that others people are getting this problems too. I think winbindd should work like nss_ldap, where it only maps AD groups that have SFU attributes defined and ignore the ones that doens't have.
This behavior would be great because is not allways desirable that all groups a user is member off on AD should be mapped/used on the unix side.

Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-04-20 08:03:38 UTC

severity should be determined by the developers and not the reporter.

Comment 3 Björn Jacke 2012-10-02 18:19:52 UTC

setting as enhancement and version to 4.0. Still needs to be discussed if this is a wanted feature.

Comment 4 Björn Jacke 2014-01-28 23:34:10 UTC

the posix group memberships are not being used by winbind intentionally. We use only the windows group memberships. And the uidnumber and gidnumber attributes are required to make those users/groups work. The man page of idmap_ad has been made much more verbose about this some time ago also.