4853 – wbinfo doesn't show all user's domain groups

Bug 4853 - wbinfo doesn't show all user's domain groups

Summary: wbinfo doesn't show all user's domain groups

Status:	NEW

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	winbind (show other bugs)
Version:	3.0.24
Hardware:	x86 Linux

Importance:	P3 normal
Target Milestone:	none
Assignee:	Samba Bugzilla Account
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2007-08-02 06:59 UTC by Vitezslav Kotrla
Modified:	2007-08-02 06:59 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vitezslav Kotrla 2007-08-02 06:59:29 UTC

We are running Samba 3.0.24 paired with Windows 2003 R2 AD. Samba is used as file server, accessed by domain users.

I've noticed wbinfo is showing only partial domain group info for particular user - user Alice is member of 15 Global Security groups (as verified running 

  net user alice /domain

command on Windows side), but 'wbinfo --user-domgroups' displays only
5 (five!) items:

   $ wbinfo -n DOMAIN+ALICE
   S-1-5-21-...-4604 User (1)

   $ wbinfo --user-domgroups S-1-5-21-...-4604
   S-1-5-21-...-4604
   S-1-5-21-...-1870
   S-1-5-21-...-513
   S-1-5-21-...-1397
   S-1-5-21-...-1404

The same applies to 'net usersidlist':

   # net usersidlist
   ...
   alice
    S-1-5-21-...-4604
    S-1-1-0
    S-1-5-2
    S-1-5-11
    S-1-5-21-...-1870
    S-1-5-21-...-513
    S-1-5-21-...-1397
    S-1-5-21-...-1404
   ...

log.winbind (log level = 10) shows following while running 'wbinfo --user-domgroups':
...
[2007/08/02 12:13:40, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 17
[2007/08/02 12:13:40, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn INTERFACE_VERSION
[2007/08/02 12:13:40, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(483)
  [    0]: request interface version
[2007/08/02 12:13:40, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2007/08/02 12:13:40, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(516)
  [    0]: request location of privileged pipe
[2007/08/02 12:13:40, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETUSERDOMGROUPS
[2007/08/02 12:13:40, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2006)
  Retrieving response for pid 7620
[2007/08/02 12:13:40, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2028)
  Retrieving extra data length=225
...

Please note, that 

   $ getent group | grep -i alice 

shows all expected groups but Domain Users (14 groups total!)

To sum it all up, user Alice is shown as member of 

* 15 GS groups as reported by AD Users and Computers
* 5 groups as reported by 'wbinfo --user-domgroups'
* 5 groups as reported by 'net usersidlist'
* 14 groups as reported by 'getent group'