Bug 4853 - wbinfo doesn't show all user's domain groups
wbinfo doesn't show all user's domain groups
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.24
x86 Linux
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-02 06:59 UTC by Vitezslav Kotrla
Modified: 2007-08-02 06:59 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vitezslav Kotrla 2007-08-02 06:59:29 UTC
We are running Samba 3.0.24 paired with Windows 2003 R2 AD. Samba is used as file server, accessed by domain users.

I've noticed wbinfo is showing only partial domain group info for particular user - user Alice is member of 15 Global Security groups (as verified running 

  net user alice /domain

command on Windows side), but 'wbinfo --user-domgroups' displays only
5 (five!) items:

   $ wbinfo -n DOMAIN+ALICE
   S-1-5-21-...-4604 User (1)

   $ wbinfo --user-domgroups S-1-5-21-...-4604
   S-1-5-21-...-4604
   S-1-5-21-...-1870
   S-1-5-21-...-513
   S-1-5-21-...-1397
   S-1-5-21-...-1404

The same applies to 'net usersidlist':

   # net usersidlist
   ...
   alice
    S-1-5-21-...-4604
    S-1-1-0
    S-1-5-2
    S-1-5-11
    S-1-5-21-...-1870
    S-1-5-21-...-513
    S-1-5-21-...-1397
    S-1-5-21-...-1404
   ...

log.winbind (log level = 10) shows following while running 'wbinfo --user-domgroups':
...
[2007/08/02 12:13:40, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 17
[2007/08/02 12:13:40, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn INTERFACE_VERSION
[2007/08/02 12:13:40, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(483)
  [    0]: request interface version
[2007/08/02 12:13:40, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2007/08/02 12:13:40, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(516)
  [    0]: request location of privileged pipe
[2007/08/02 12:13:40, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETUSERDOMGROUPS
[2007/08/02 12:13:40, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2006)
  Retrieving response for pid 7620
[2007/08/02 12:13:40, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2028)
  Retrieving extra data length=225
...

Please note, that 

   $ getent group | grep -i alice 

shows all expected groups but Domain Users (14 groups total!)

To sum it all up, user Alice is shown as member of 

* 15 GS groups as reported by AD Users and Computers
* 5 groups as reported by 'wbinfo --user-domgroups'
* 5 groups as reported by 'net usersidlist'
* 14 groups as reported by 'getent group'