Bug 3546 - winbind failing when mapping groups from AD without SFU attributes defined
Status: RESOLVED WORKSFORME
Product: Samba 4.0
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: x86 Linux
Importance: P3 enhancement
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2006-02-23 08:36 UTC by Vandeir Eduardo
Modified: 2014-01-28 23:34 UTC

Description Vandeir Eduardo 2006-02-23 08:36:34 UTC
When using options idmap backend = idmap_ad and winbind nss info = sfu and a user is a member of a group that doesn't have SFU attributes defined on AD, getent passwd user fails completely. Only when all the groups a user is a member of have SFU attributes defined does getent passwd user work.
For example: on AD userA is member of groups "Domain Users" and "GroupUnixA".
If both groups have SFU attributes defined, everything works OK. But if, for example, group "Domain Users" doesn't have SFU attributes defined but GroupUnixA has, getent passwd userA will fail and will return no information or errors.
I think that in this scenario, it should return at least the information of GroupUnixA, ignoring the group Domain Users.
Comment 1 Vandeir Eduardo 2006-03-02 08:16:03 UTC
(In reply to comment #0)
> When using options idmap backend = idmap_ad and winbind nss info = sfu and a
> user is a member of a group that doesn't have SFU attributes defined on AD,
> getent passwd user fails completely. Only when all the groups a user is a
> member of have SFU attributes defined does getent passwd user work.
> For example: on AD userA is member of groups "Domain Users" and "GroupUnixA".
> If both groups have SFU attributes defined, everything works OK. But if, for
> example, group "Domain Users" doesn't have SFU attributes defined but
> GroupUnixA has, getent passwd userA will fail and will return no information or
> errors.
> I think that in this scenario, it should return at least the information of
> GroupUnixA, ignoring the group Domain Users.
> 

I saw in bug 3062 that other people are getting this problem too. I think winbindd should work like nss_ldap, where it only maps AD groups that have SFU attributes defined and ignores the ones that don't.
This behavior would be great because it is not always desirable that all groups a user is a member of on AD should be mapped/used on the Unix side.
Comment 2 Gerald (Jerry) Carter 2006-04-20 08:03:38 UTC
Severity should be determined by the developers and not the reporter.
Comment 3 Björn Jacke 2012-10-02 18:19:52 UTC
Setting as enhancement and version to 4.0. Still needs to be discussed if this is a wanted feature.
Comment 4 Björn Jacke 2014-01-28 23:34:10 UTC
The POSIX group memberships are not being used by winbind intentionally. We use only the Windows group memberships. And the uidnumber and gidnumber attributes are required to make those users/groups work. The man page of idmap_ad has been made much more verbose about this some time ago also.
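
One way to find the groups the thread is about, as an added example that is not part of the original bug report or Samba's code: it scans an LDIF export of AD group entries and lists the groups a user belongs to that carry no gid attribute. The sample LDIF, DNs and function names are constructed, and the attribute names msSFU30GidNumber (SFU schema) and gidNumber (RFC 2307 schema) are assumptions not stated on the page.

```python
import base64

# Constructed sample: LDIF export of AD group entries (not from the bug report).
# A user's primary group is referenced through primaryGroupID rather than the
# group's member attribute, so that group has to be checked separately.
SAMPLE_LDIF = """\
dn: CN=GroupUnixA,CN=Users,DC=example,DC=com
objectClass: group
msSFU30GidNumber: 20001
member: CN=userA,CN=Users,DC=example,DC=com

dn: CN=GroupWinOnly,CN=Users,DC=example,DC=com
objectClass: group
member: CN=userA,CN=Users,
 DC=example,DC=com

dn: CN=Other,CN=Users,DC=example,DC=com
objectClass: group
member: CN=userB,CN=Users,DC=example,DC=com
"""

# Assumed attribute names per schema, lower-cased for comparison.
GID_ATTR = {"sfu": "mssfu30gidnumber", "rfc2307": "gidnumber"}

def parse_ldif(text):
    """Return a list of {attr_lower: [values]} dicts, one per LDIF entry."""
    entries, cur, unfolded = [], {}, []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF continuation line
        elif not line.startswith("#"):        # skip comment lines
            unfolded.append(line)
    for line in unfolded + [""]:              # trailing "" flushes last entry
        if not line.strip():                  # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def groups_missing_gid(ldif_text, user_dn, schema="sfu"):
    """DNs of groups that list user_dn as a member but have no gid attribute."""
    attr, user = GID_ATTR[schema], user_dn.lower()
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "dn" in e and user in (m.lower() for m in e.get("member", []))
            and not e.get(attr)]
```
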