Bug 5157 - AIX+Winbind shows incomplete group membership informations
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.26a
Hardware: PPC AIX
Importance: P3 regression
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-12-21 11:40 UTC by Jerome Oufella
Modified: 2018-12-22 23:27 UTC
Description Jerome Oufella 2007-12-21 11:40:50 UTC
We are facing a problem on AIX 5.3 (latest patch) where the following
behavior happens. Reproduced with versions of samba from 3.0.23 to
3.0.26a.


# Normal behavior :
# id and id username should return the same info
#
root@srv1:/# id
uid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

root@srv1:/# id root
uid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

# Now let's su to a winbind user :
root@srv1:/# su winuser1

# Running id only returns the user's principal group.
# The additional groups are missing.
#
# This also affects file ownership checks that smbd does, which is our
# main problem as smbd is unable to see groups other than the principal one
# for the user it is running as.
winuser1@srv1:/# id
uid=10013(winuser1) gid=10002(domain users)


# while id <user> returns the whole groups list :
# This is a normal behavior.
winuser1@srv1:/$ id winuser1
uid=10013(winuser1) gid=10002(domain users)
groups=10283(lint-lecsysteme-xprc-inventaire),10277(lint-lecsysteme),10224(lint-lec ysteme-imax),10186(lint-lecsysteme-xprc),10162(lint-lecsysteme-txtele),10132(mrm-app-lecinstructdocfisc),10119(mrm-prd-lecs steme-txtele),10118(mrm-dev-lecconstatsinfractions),10819(gsamba),10106(mrm-prd-lecsysteme),10101(mrm-prd-lecresshum-abonn bus),10094(mrm-prd-lecsysteme-xprc),10090(mrm-prd-lecsysteme-imax),10084(mrm-prd-lecdgpar-interne),10083(mrm-app-lecproji pact),10077(mrm-app-lecdgpar-bd),10063(mrm-prd-lecdgpar),10050(mrm-prd-lecsysteme-xprc-inventaire),10048(mrm-prd-lecsonda e-rev_loi-reg),10047(mrm-prd-lecdgppb),10046(mrm-app-lecdgpar),10039(rdgppb-utilisateursbd),10037(mrm-prd-lecdgppb-bd),100 8(mrm-prd-lectelecommunication),10016(mrm-prd-lecinfojrd),10006(mrm-prd-lecdgpar-bd),10001(BUILTIN\users)

# The "lsuser" command also returns the "normal/full" group list,
# as the previous command.
Comment 1 Jürgen Starek 2008-06-04 20:10:39 UTC
Hi everybody...

I faced a similar problem with AIX 5.2:

a) The id behaviour is the same
b) AIX 5.2 does not show the lsuser groups.

The first (a) (your problem) is due to a bug in the following routine:

static attrval_t pwd_to_groupsids(struct passwd *pwd)
{
        attrval_t r;
        char *s, *p;

        if ( (s = wb_aix_getgrset(pwd->pw_name)) == NULL ) {
                r.attr_flag = EINVAL;
                return r;
        }

        if ( (p = malloc(strlen(s)+2)) == NULL ) {
                free(s);        /* do not leak the group set on failure */
                r.attr_flag = ENOMEM;
                return r;
        }

        strcpy(p, s);
        logit("groupsids -> '%s'\n", p);
        replace_commas(p);
        free(s);

        /* $JUST: this initialization was missing, marking the returned record as
           invalid -> EINVAL or not EOK */
        r.attr_flag = 0;

        r.attr_un.au_char = p;

        return r;
}


The second (b) (your problem) works on 5.3, because lsuser asks for "groups",
whereas 5.2 asks for "groupsids"...

So I just changed the code to respond to S_GROUPS as well as to S_GROUPSIDS.
This should make it work on 5.2 AND on 5.3...

See below:

static int wb_aix_user_attrib(const char *key, char *attributes[],
                              attrval_t results[], int size)
{
        struct passwd *pwd;
        int i;

        pwd = wb_aix_getpwnam(key);
        if (!pwd) {
                errno = ENOENT;
                return -1;
        }

        for (i=0;i<size;i++) {
                results[i].attr_flag = 0;

                if (strcmp(attributes[i], S_ID) == 0) {
                        results[i].attr_un.au_int = pwd->pw_uid;
#ifdef _AIXVERSION_530
                } else if (strcmp(attributes[i], S_PGID) == 0) {
                        results[i].attr_un.au_int = pwd->pw_gid;
#endif
                } else if (strcmp(attributes[i], S_PWD) == 0) {
                        results[i].attr_un.au_char = strdup(pwd->pw_passwd);
                } else if (strcmp(attributes[i], S_HOME) == 0) {
                        results[i].attr_un.au_char = strdup(pwd->pw_dir);
                } else if (strcmp(attributes[i], S_SHELL) == 0) {
                        results[i].attr_un.au_char = strdup(pwd->pw_shell);
                } else if (strcmp(attributes[i], S_REGISTRY) == 0) {
                        results[i].attr_un.au_char = strdup("WINBIND");
                } else if (strcmp(attributes[i], S_GECOS) == 0) {
                        results[i].attr_un.au_char = strdup(pwd->pw_gecos);
                } else if (strcmp(attributes[i], S_PGRP) == 0) {
                        results[i] = pwd_to_group(pwd);
                } else if (strcmp(attributes[i], S_GROUPS) == 0) {
                        /* $JUST: respond to GROUPS for AIX 5.3 */
                        results[i] = pwd_to_groupsids(pwd);
                } else if (strcmp(attributes[i], S_GROUPSIDS) == 0) {
                        /* $JUST: AND respond to GROUPSIDS for AIX 5.2 */
                        results[i] = pwd_to_groupsids(pwd);
                } else if (strcmp(attributes[i], "SID") == 0) {
                        results[i] = pwd_to_sid(pwd);
                } else {
                        logit("Unknown user attribute '%s'\n", attributes[i]);
                        results[i].attr_flag = EINVAL;
                }
        }

        free_pwd(pwd);

        return 0;
}
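
The effect of the missing `r.attr_flag = 0;` from the comment above, as an added example that is not part of the original comment or of Samba's code. `demo_attrval`, `groups_to_attr` and `usable_groups` are hypothetical names; the struct is a reduced stand-in for AIX's `attrval_t`, the NUL-separated, double-terminated list layout is an assumption about what `replace_commas` produces, and the 0xA5 fill is a constructed stand-in for stack garbage.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Reduced stand-in for AIX's attrval_t (assumed shape, not <usersec.h>). */
typedef struct {
    int attr_flag;               /* 0 = value valid, otherwise an errno */
    union { int au_int; char *au_char; } attr_un;
} demo_attrval;

/* "10002,10283" -> "10002\0" "10283\0" "\0" (assumed replace_commas layout).
 * set_flag == 0 models the pre-fix success path that never wrote attr_flag. */
static demo_attrval groups_to_attr(const char *grset, int set_flag)
{
    demo_attrval r;
    size_t i, len = strlen(grset);
    char *p = malloc(len + 2);   /* +2: room for the second terminator */
    memset(&r, 0xA5, sizeof(r)); /* constructed stand-in for stack garbage */
    if (p == NULL) {
        r.attr_flag = ENOMEM;
        r.attr_un.au_char = NULL;
        return r;
    }
    memcpy(p, grset, len + 1);
    p[len + 1] = '\0';
    for (i = 0; i < len; i++)
        if (p[i] == ',')
            p[i] = '\0';
    if (set_flag)
        r.attr_flag = 0;         /* the initialization the comment adds */
    r.attr_un.au_char = p;
    return r;
}

/* Caller side: a non-zero attr_flag means "invalid", so the list is ignored. */
static int usable_groups(const char *grset, int set_flag)
{
    demo_attrval r = groups_to_attr(grset, set_flag);
    int n = 0;
    if (r.attr_flag == 0)
        for (const char *s = r.attr_un.au_char; *s != '\0'; s += strlen(s) + 1)
            n++;
    free(r.attr_un.au_char);
    return n;
}

int main(void)
{
    return usable_groups("10002,10283,10277", 1) == 3 ? 0 : 1;
}
```

With `set_flag` at 0 the buffer is built identically, yet the caller sees zero usable groups because the flag still holds whatever was in the slot.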

Comment 2 Jürgen Starek 2008-06-04 20:11:59 UTC
I forgot to mention the file :-(

of course: source/nsswitch/winbind_nss_aix.c
Comment 3 Jerome Oufella 2008-07-10 16:17:46 UTC
Thanks for your patch Jürgen.

We applied it on a fresh 3.0.29 code base, still on AIX 5.3, and sadly that did not fix our issue.

Have you tried this on AIX 5.3 yet ?

Regards,

Jerome Oufella
Comment 4 Björn Jacke 2018-12-22 23:27:22 UTC
Sorry that it took 10 years for your findings to be addressed, Jürgen; they are fixed now with b9496ddb39e685d1f742c26ba390d26f5a3eabfb and 2e1bc87b13c491f47a6fbcf9549ffa8250a2508b. For the initially reported problem it should be said that a user needs to be *authenticated* through winbind to get its list of group memberships. A simple "su user" is not sufficient.