Bug 5157 - AIX+Winbind shows incomplete group membership informations
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.26a
Hardware: PPC AIX
Importance: P3 regression
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-12-21 11:40 UTC by Jerome Oufella
Modified: 2014-06-11 14:06 UTC

Description Jerome Oufella 2007-12-21 11:40:50 UTC
We are facing a problem on AIX 5.3 (latest patch) where the following
behavior happens. Reproduced with versions of samba from 3.0.23 to
3.0.26a.


# Normal behavior :
# id and id username should return the same info
#
root@srv1:/# id
uid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

root@srv1:/# id root
uid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

# Now let's su to a winbind user :
root@srv1:/# su winuser1

# Running id only returns the user's principal group.
# The additional groups are missing.
#
# This also affects file ownership checks that smbd does, which is our
# main problem as smbd is unable to see groups other than the principal one
# for the user it is running as.
winuser1@srv1:/# id
uid=10013(winuser1) gid=10002(domain users)


# while id <user> returns the whole groups list :
# This is a normal behavior.
winuser1@srv1:/$ id winuser1
uid=10013(winuser1) gid=10002(domain users)
groups=10283(lint-lecsysteme-xprc-inventaire),10277(lint-lecsysteme),10224(lint-lec ysteme-imax),10186(lint-lecsysteme-xprc),10162(lint-lecsysteme-txtele),10132(mrm-app-lecinstructdocfisc),10119(mrm-prd-lecs steme-txtele),10118(mrm-dev-lecconstatsinfractions),10819(gsamba),10106(mrm-prd-lecsysteme),10101(mrm-prd-lecresshum-abonn bus),10094(mrm-prd-lecsysteme-xprc),10090(mrm-prd-lecsysteme-imax),10084(mrm-prd-lecdgpar-interne),10083(mrm-app-lecproji pact),10077(mrm-app-lecdgpar-bd),10063(mrm-prd-lecdgpar),10050(mrm-prd-lecsysteme-xprc-inventaire),10048(mrm-prd-lecsonda e-rev_loi-reg),10047(mrm-prd-lecdgppb),10046(mrm-app-lecdgpar),10039(rdgppb-utilisateursbd),10037(mrm-prd-lecdgppb-bd),100 8(mrm-prd-lectelecommunication),10016(mrm-prd-lecinfojrd),10006(mrm-prd-lecdgpar-bd),10001(BUILTIN\users)

# The "lsuser" command also returns the "normal/full" group list,
# as the previous command.
Comment 1 Jürgen Starek 2008-06-04 20:10:39 UTC
Hi everybody...

I faced a similar problem with AIX 5.2:

a) The id behaviour is the same
b) AIX 5.2 does not show the lsuser groups.

The first (a) (your problem) is due to a bug in the following routine:

static attrval_t pwd_to_groupsids(struct passwd *pwd)
{
        attrval_t r;
        char *s, *p;

        if ( (s = wb_aix_getgrset(pwd->pw_name)) == NULL ) {
                r.attr_flag = EINVAL;
                return r;
        }

        if ( (p = malloc(strlen(s)+2)) == NULL ) {
                /* release the group set string on the failure path as well */
                free(s);
                r.attr_flag = ENOMEM;
                return r;
        }

        strcpy(p, s);
        logit("groupsids -> '%s'\n", p);
        replace_commas(p);
        free(s);

        /* $JUST: this initialization was missing, marking the returned record as
           invalid -> EINVAL or not EOK */
        r.attr_flag = 0;

        r.attr_un.au_char = p;

        return r;
}


The second (b) (your problem) works on 5.3, because lsuser asks for "groups",
whereas 5.2 asks for "groupsids"...

So I just changed the code to respond to S_GROUPS as well as to S_GROUPSIDS.
This should make it work on 5.2 AND on 5.3...

See below:

static int wb_aix_user_attrib(const char *key, char *attributes[],
                              attrval_t results[], int size)
{
        struct passwd *pwd;
        int i;

        pwd = wb_aix_getpwnam(key);
        if (!pwd) {
                errno = ENOENT;
                return -1;
        }

        for (i=0;i<size;i++) {
                results[i].attr_flag = 0;

                if (strcmp(attributes[i], S_ID) == 0) {
                        results[i].attr_un.au_int = pwd->pw_uid;
#ifdef _AIXVERSION_530
                } else if (strcmp(attributes[i], S_PGID) == 0) {
                        results[i].attr_un.au_int = pwd->pw_gid;
#endif
                } else if (strcmp(attributes[i], S_PWD) == 0) {
                        results[i].attr_un.au_char = strdup(pwd->pw_passwd);
                } else if (strcmp(attributes[i], S_HOME) == 0) {
                        results[i].attr_un.au_char = strdup(pwd->pw_dir);
                } else if (strcmp(attributes[i], S_SHELL) == 0) {
                        results[i].attr_un.au_char = strdup(pwd->pw_shell);
                } else if (strcmp(attributes[i], S_REGISTRY) == 0) {
                        results[i].attr_un.au_char = strdup("WINBIND");
                } else if (strcmp(attributes[i], S_GECOS) == 0) {
                        results[i].attr_un.au_char = strdup(pwd->pw_gecos);
                } else if (strcmp(attributes[i], S_PGRP) == 0) {
                        results[i] = pwd_to_group(pwd);
                } else if (strcmp(attributes[i], S_GROUPS) == 0) {
                        /* $JUST: respond to GROUPS for AIX 5.3 */
                        results[i] = pwd_to_groupsids(pwd);
                } else if (strcmp(attributes[i], S_GROUPSIDS) == 0) {
                        /* $JUST: AND respond to GROUPSIDS for AIX 5.2 */
                        results[i] = pwd_to_groupsids(pwd);
                } else if (strcmp(attributes[i], "SID") == 0) {
                        results[i] = pwd_to_sid(pwd);
                } else {
                        logit("Unknown user attribute '%s'\n", attributes[i]);
                        results[i].attr_flag = EINVAL;
                }
        }

        free_pwd(pwd);

        return 0;
}
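
What the missing `r.attr_flag = 0` from Comment 1 does to a caller, as an added illustration that is not code from this thread or from Samba. The struct, the function names and the 0xA5 fill standing in for an uninitialised stack slot are assumptions; the group ids are sample values taken from the `id` output in the report.

```c
/* Added illustration; every name here is a hypothetical stand-in, not AIX or Samba code. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int   attr_flag;  /* 0 = value is valid, anything else = error code */
    char *au_char;    /* NUL-separated list closed by an empty string */
} attrval_sketch_t;

/* "a,b,c" -> "a\0b\0c\0\0"; buf must hold strlen(buf) + 2 bytes. */
static void commas_to_nuls(char *buf)
{
    size_t n = strlen(buf);
    for (size_t i = 0; i < n; i++)
        if (buf[i] == ',')
            buf[i] = '\0';
    buf[n + 1] = '\0';
}

/* set_flag == 0 models the routine before the fix, 1 the routine after it. */
static void fill_groups(attrval_sketch_t *r, const char *grset, int set_flag)
{
    size_t n = strlen(grset);
    char *p = malloc(n + 2);
    r->au_char = p;
    if (p == NULL) { r->attr_flag = ENOMEM; return; }
    memcpy(p, grset, n + 1);      /* includes the terminating NUL */
    commas_to_nuls(p);
    if (set_flag)
        r->attr_flag = 0;         /* the initialisation added in Comment 1 */
}

/* A consumer that trusts attr_flag: returns how many groups it accepts. */
int groups_accepted(const char *grset, int set_flag)
{
    attrval_sketch_t r;
    int count = 0;
    memset(&r, 0xA5, sizeof r);   /* constructed stand-in for stack garbage */
    fill_groups(&r, grset, set_flag);
    if (r.attr_flag == 0)
        for (const char *g = r.au_char; *g != '\0'; g += strlen(g) + 1)
            count++;
    free(r.au_char);
    return count;
}

/* Exit status 0 when the fixed variant accepts both constructed gids. */
int main(void) { return groups_accepted("10002,10283", 1) == 2 ? 0 : 1; }
```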

Comment 2 Jürgen Starek 2008-06-04 20:11:59 UTC
I forgot to mention the file :-(

of course: source/nsswitch/winbind_nss_aix.c
Comment 3 Jerome Oufella 2008-07-10 16:17:46 UTC
Thanks for your patch Jürgen.

We applied it on a fresh 3.0.29 code base, still on AIX 5.3, and sadly that did not fix our issue.

Have you tried this on AIX 5.3 yet?

Regards,

Jerome Oufella