Bug 3920 - winbind does not honor "winbind use default domain = Yes" for getent group and wbinfo -g
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.23
Hardware: x86 Solaris
Importance: P3 major
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
QA Contact: Samba QA Contact

Reported: 2006-07-11 22:14 UTC by Dietrich Streifert
Modified: 2006-07-20 12:57 UTC (History)
Attachments
proposed patch (1.20 KB, patch)
2006-07-13 11:05 UTC, Gerald (Jerry) Carter
restore winbind default domain behavior for groups (2.72 KB, patch)
2006-07-20 12:52 UTC, Gerald (Jerry) Carter
Description Dietrich Streifert 2006-07-11 22:14:51 UTC
Samba is an AD member server with security=ADS. The domain controller is Windows 2000 with the SFU schema extension. The idmap plugin is ad.so. Using libnss_winbind.so for group and passwd in nsswitch.conf.

When setting "winbind use default domain" to Yes, wbinfo -u retrieves all domain users without the preceding domain name:

heliotrop{root}[/development]: /opt/samba/bin/wbinfo -u
Administrator
Gast
IWAM_JADE
IUSR_JADE
krbtgt
moik
peng
TsInternetUser
ingres
visionet
karlramsauer
malden
schmidt
root
zack
neu
t1000
zissi
depp
IWAM_JASPIS
IUSR_JASPIS
ldapproxy



whereas wbinfo -g retrieves all domain groups with the preceding domain:

EDELSTEIN\domänencomputer
EDELSTEIN\domänencontroller
EDELSTEIN\schema-admins
EDELSTEIN\organisations-admins
EDELSTEIN\zertifikatherausgeber
EDELSTEIN\domänen-admins
EDELSTEIN\domänen-benutzer
EDELSTEIN\domänen-gäste
EDELSTEIN\richtlinien-ersteller-besitzer
EDELSTEIN\dnsupdateproxy
EDELSTEIN\anaamb
EDELSTEIN\test
EDELSTEIN\users_korund
EDELSTEIN\jade-vnc
EDELSTEIN\superusers
EDELSTEIN\users
EDELSTEIN\esx_admins

This behaviour changed from 3.0.22 to 3.0.23

In the source I found that changing the last parameter (BOOL can_assume) of the calls to fill_domain_username in nsswitch/winbindd_group.c from False to True gives back the old behaviour, but I'm not sure if this breaks some other code:

diff -r -u samba-3.0.23.orig/source/nsswitch/winbindd_group.c samba-3.0.23/source/nsswitch/winbindd_group.c
--- samba-3.0.23.orig/source/nsswitch/winbindd_group.c  Fri Jun 23 15:16:50 2006
+++ samba-3.0.23/source/nsswitch/winbindd_group.c       Tue Jul 11 18:10:12 2006
@@ -42,7 +42,7 @@
 {
        fstring full_group_name;
 
-       fill_domain_username( full_group_name, dom_name, gr_name, False);
+       fill_domain_username( full_group_name, dom_name, gr_name, True);
 
        gr->gr_gid = unix_gid;
     
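Review bot: the bare literal True passed as the last argument to fill_domain_username() gives no hint at the call site of what it switches. Since this call produces full_group_name right next to where gr->gr_gid is set, add a one-line comment saying that True allows the default domain prefix to be dropped from the group name, and why the previous False is being reverted.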
@@ -146,7 +146,7 @@
 
                /* Append domain name */
 
-               fill_domain_username(name, domain->name, the_name, False);
+               fill_domain_username(name, domain->name, the_name, True);
 
                len = strlen(name);
                
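Review bot: the context comment /* Append domain name */ directly above this call is no longer accurate once the last argument is True, because name may now come back without a domain. Update the comment together with the call, and confirm that whatever consumes name after len = strlen(name) accepts the unqualified form.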
@@ -752,7 +752,7 @@
                /* Fill in group entry */
 
                fill_domain_username(domain_group_name, ent->domain_name, 
-                        name_list[ent->sam_entry_index].acct_name, False);
+                        name_list[ent->sam_entry_index].acct_name, True);
 
                result = fill_grent(&group_list[group_list_ndx], 
                                    ent->domain_name,
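Review bot: domain_group_name is now built with True while ent->domain_name is still passed separately to fill_grent() two lines later, so in this path the per-entry domain and the formatted name no longer have to agree in form. If more than one domain is enumerated, groups outside the default domain would presumably keep their prefix while the default domain's groups lose it; please state that this mixed output is intended, or test it with a second domain.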
@@ -929,7 +929,7 @@
                                            groups.sam_entries)[i].acct_name; 
                        fstring name;
 
-                       fill_domain_username(name, domain->name, group_name, False);
+                       fill_domain_username(name, domain->name, group_name, True);
                        /* Append to extra data */                      
                        memcpy(&extra_data[extra_data_len], name, 
                                strlen(name));
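Review bot: this is the fourth call site flipped to the same literal True, which makes it easy to miss one later. Consider a small wrapper for group names (or a named constant) so the default-domain policy for groups is decided in one place. The memcpy of strlen(name) bytes into extra_data only gets shorter input with this change, but the allocation of extra_data is not in this hunk and is worth a look while touching the call.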




smb.conf:

[global]
        unix charset = ISO-8859-15
        workgroup = EDELSTEIN
        realm = EDELSTEIN.DE
        security = ADS
        use kerberos keytab = Yes
        log level = 0
        wins server = 192.168.0.23, 192.168.0.223
        ldap ssl = no
        ldap timeout = 2
        pid directory = /opt/samba/localvar/locks
        idmap backend = ad
        idmap uid = 100-60000
        idmap gid = 100-60000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = sfu
        create mask = 0740
        directory mask = 0750
Comment 1 Gerald (Jerry) Carter 2006-07-12 06:05:26 UTC
I can't remember for sure, but I would trust the current code.
I believe this was an expected change and things need to be 
tested thoroughly before reverting anything.  Note that 'winbind
use default domain = yes' is really only intended for usernames
anyways.  Does the current behavior actually break anything
in your setup?  Or are you just noting it as a difference from 3.0.22?
Comment 2 Dietrich Streifert 2006-07-12 06:08:47 UTC
It would break our current installations because some groups which are held in Active Directory are used on the Solaris side and referenced there without the domain prefix.
Comment 3 Dietrich Streifert 2006-07-12 06:15:23 UTC
What was the intention of the change to not have "winbind use default domain" retrieve groups without domain prefix?

And I forgot to say that the output of getent group displayed the group members with the domain prefix:

heliotrop{root}[/]: getent group "EDELSTEIN\users"
EDELSTEIN\users:x:2000:EDELSTEIN\neu,EDELSTEIN\zack
Comment 4 Gerald (Jerry) Carter 2006-07-12 06:34:14 UTC
How are you referring to groups?  Configuration files ?
Comment 5 Dietrich Streifert 2006-07-12 06:41:24 UTC
Yes, configuration files, e.g. automounter maps which retrieve the primary group of the user and mount the user's home directory to something like:

/home/<primary gid>/<uid>/

and configurations like sudo which depend on the group membership of the users executing the sudo command.
Comment 6 Gerald (Jerry) Carter 2006-07-13 11:05:08 UTC
This was an intentional change...

http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&rev=14403

Can I just say once again how much I hate "winbind use default domain"?
Comment 7 Gerald (Jerry) Carter 2006-07-13 11:05:56 UTC
Created attachment 2031
proposed patch

Please try this patch.  No promises.
Comment 8 Gerald (Jerry) Carter 2006-07-13 13:38:34 UTC
patch doesn't compile.....wait and I'll work on this some more tomorrow.
Comment 9 Dietrich Streifert 2006-07-17 06:21:45 UTC
Anything new to this bug?

Does my patch break anything?
Comment 10 Gerald (Jerry) Carter 2006-07-20 12:52:03 UTC
Created attachment 2051
restore winbind default domain behavior for groups

Re-enable stripping of domain of group names.  'winbind nest groups'
does still work for domain users.  However, this will break 'winbind 
nested groups' for local users.  There is no way around it.  

The problem is that winbindd_getgroups() prepends the domain name
before calling lookupname() which fails to find a local (unqualified)
user.  See http://lists.samba.org/archive/samba-technical/2006-July/048320.html
for details.
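
The failure described in the comment above, as an added illustration that is not part of the original thread and is not Samba code: a simplified model in which names are printed without the default domain and bare names get the default domain prepended before lookup. format_name, lookup, resolve, the account table and the local user backup are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Samba source; all names below are hypothetical. */
#define DEFAULT_DOMAIN "EDELSTEIN"
#define SEP '\\'

struct account { const char *domain; const char *name; };

/* Constructed sample accounts; domain "" marks a local (Unix) account. */
static const struct account accounts[] = {
    { "EDELSTEIN", "zack" }, { "EDELSTEIN", "neu" }, { "", "backup" },
};

/* Output side: with can_assume, a default-domain name is returned bare. */
static void format_name(char *out, size_t n, const char *domain,
                        const char *name, bool can_assume)
{
    if (can_assume && strcmp(domain, DEFAULT_DOMAIN) == 0)
        snprintf(out, n, "%s", name);
    else
        snprintf(out, n, "%s%c%s", domain, SEP, name);
}

/* Exact match on (domain, name). */
static bool lookup(const char *domain, const char *name)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (!strcmp(accounts[i].domain, domain) && !strcmp(accounts[i].name, name))
            return true;
    return false;
}

/* Input side: a bare name has the default domain prepended before lookup. */
static bool resolve(const char *input)
{
    char domain[64];
    const char *sep = strchr(input, SEP);
    if (!sep)
        return lookup(DEFAULT_DOMAIN, input);
    snprintf(domain, sizeof(domain), "%.*s", (int)(sep - input), input);
    return lookup(domain, sep + 1);
}

int main(void)
{
    char buf[128];
    format_name(buf, sizeof(buf), "EDELSTEIN", "zack", true);
    printf("%-16s resolves: %d\n", buf, resolve(buf));           /* domain user */
    printf("%-16s resolves: %d\n", "backup", resolve("backup")); /* local user */
    return 0;
}
```

The domain user round-trips through the bare form, while the bare local name is looked up under the default domain and is not found.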
Comment 11 Gerald (Jerry) Carter 2006-07-20 12:57:42 UTC
checked in for 3.0.23a.