We are facing a problem on AIX 5.3 (latest patch) where the following behavior happens. Reproduced with versions of samba from 3.0.23 to 3.0.26a.

# Normal behavior:
# id and id username should return the same info
#
root@srv1:/# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
root@srv1:/# id root
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

# Now let's su to a winbind user:
root@srv1:/# su winuser1

# Running id only returns the user's principal group.
# The additional groups are missing.
#
# This also affects file ownership checks that smbd does, which is our
# main problem as smbd is unable to see groups other than the principal one
# for the user it is running as.
winuser1@srv1:/# id
uid=10013(winuser1) gid=10002(domain users)

# while id <user> returns the whole groups list:
# This is a normal behavior.
winuser1@srv1:/$ id winuser1
uid=10013(winuser1) gid=10002(domain users) groups=10283(lint-lecsysteme-xprc-inventaire),10277(lint-lecsysteme),10224(lint-lec ysteme-imax),10186(lint-lecsysteme-xprc),10162(lint-lecsysteme-txtele),10132(mrm-app-lecinstructdocfisc),10119(mrm-prd-lecs steme-txtele),10118(mrm-dev-lecconstatsinfractions),10819(gsamba),10106(mrm-prd-lecsysteme),10101(mrm-prd-lecresshum-abonn bus),10094(mrm-prd-lecsysteme-xprc),10090(mrm-prd-lecsysteme-imax),10084(mrm-prd-lecdgpar-interne),10083(mrm-app-lecproji pact),10077(mrm-app-lecdgpar-bd),10063(mrm-prd-lecdgpar),10050(mrm-prd-lecsysteme-xprc-inventaire),10048(mrm-prd-lecsonda e-rev_loi-reg),10047(mrm-prd-lecdgppb),10046(mrm-app-lecdgpar),10039(rdgppb-utilisateursbd),10037(mrm-prd-lecdgppb-bd),100 8(mrm-prd-lectelecommunication),10016(mrm-prd-lecinfojrd),10006(mrm-prd-lecdgpar-bd),10001(BUILTIN\users)

# The "lsuser" command also returns the "normal/full" group list,
# as the previous command.
Hi everybody... I faced a similar problem with AIX 5.2:

a) The id behaviour is the same
b) AIX 5.2 does not show the lsuser groups.

The first (a) (your problem) is due to a bug in the following routine:

static attrval_t pwd_to_groupsids(struct passwd *pwd)
{
	attrval_t r;
	char *s, *p;

	if ( (s = wb_aix_getgrset(pwd->pw_name)) == NULL ) {
		r.attr_flag = EINVAL;
		return r;
	}

	if ( (p = malloc(strlen(s)+2)) == NULL ) {
		r.attr_flag = ENOMEM;
		return r;
	}

	strcpy(p, s);
	logit("groupsids -> '%s'\n", p);
	replace_commas(p);
	free(s);

	/* $JUST: this initialization was missing, marking the returned record
	   as invalid -> EINVAL or not EOK */
	r.attr_flag = 0;
	r.attr_un.au_char = p;

	return r;
}

The second (b) (your problem) works on 5.3, because lsuser asks for "groups", whereas 5.2 asks for "groupsids"... So I just changed the code to respond to S_GROUPS as well as to S_GROUPSIDS. This should make it work on 5.2 AND on 5.3... See below:

static int wb_aix_user_attrib(const char *key, char *attributes[],
			      attrval_t results[], int size)
{
	struct passwd *pwd;
	int i;

	pwd = wb_aix_getpwnam(key);
	if (!pwd) {
		errno = ENOENT;
		return -1;
	}

	for (i=0;i<size;i++) {
		results[i].attr_flag = 0;

		if (strcmp(attributes[i], S_ID) == 0) {
			results[i].attr_un.au_int = pwd->pw_uid;
#ifdef _AIXVERSION_530
		} else if (strcmp(attributes[i], S_PGID) == 0) {
			results[i].attr_un.au_int = pwd->pw_gid;
#endif
		} else if (strcmp(attributes[i], S_PWD) == 0) {
			results[i].attr_un.au_char = strdup(pwd->pw_passwd);
		} else if (strcmp(attributes[i], S_HOME) == 0) {
			results[i].attr_un.au_char = strdup(pwd->pw_dir);
		} else if (strcmp(attributes[i], S_SHELL) == 0) {
			results[i].attr_un.au_char = strdup(pwd->pw_shell);
		} else if (strcmp(attributes[i], S_REGISTRY) == 0) {
			results[i].attr_un.au_char = strdup("WINBIND");
		} else if (strcmp(attributes[i], S_GECOS) == 0) {
			results[i].attr_un.au_char = strdup(pwd->pw_gecos);
		} else if (strcmp(attributes[i], S_PGRP) == 0) {
			results[i] = pwd_to_group(pwd);
		} else if (strcmp(attributes[i], S_GROUPS) == 0) {
			/* $JUST: respond to GROUPS for AIX 5.3 */
			results[i] = pwd_to_groupsids(pwd);
		} else if (strcmp(attributes[i], S_GROUPSIDS) == 0) {
			/* $JUST: AND respond to GROUPSIDS for AIX 5.2 */
			results[i] = pwd_to_groupsids(pwd);
		} else if (strcmp(attributes[i], "SID") == 0) {
			results[i] = pwd_to_sid(pwd);
		} else {
			logit("Unknown user attribute '%s'\n", attributes[i]);
			results[i].attr_flag = EINVAL;
		}
	}

	free_pwd(pwd);

	return 0;
}
I forgot to mention the file :-( of course: source/nsswitch/winbind_nss_aix.c
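A self-contained C model of the two points in the patch above (an added example, not Samba's code and not Jürgen's patch): the group-list routine sets attr_flag on every path, success included, and the dispatcher answers both the "groups" and the "groupsids" attribute name while anything unknown stays EINVAL. attrval_t, S_GROUPS and S_GROUPSIDS are local stand-ins for the AIX usersec.h definitions, mock_getgrset is a constructed stand-in for wb_aix_getgrset(), and the comma-to-NUL list conversion in replace_commas is this example's assumption about the multi-valued attribute format.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the AIX usersec.h type and attribute names (assumptions). */
typedef struct { int attr_flag; union { char *au_char; int au_int; } attr_un; } attrval_t;
#define S_GROUPS    "groups"
#define S_GROUPSIDS "groupsids"

/* Constructed stand-in for wb_aix_getgrset(): a comma-separated gid list. */
static char *mock_getgrset(const char *user) {
    static const char list[] = "10002,10283,10277";
    if (strcmp(user, "winuser1") != 0) return NULL;
    char *s = malloc(sizeof list);
    return s ? strcpy(s, list) : NULL;
}

/* "a,b,c" -> "a\0b\0c\0\0" (assumed list convention; the reason for strlen(s)+2). */
static void replace_commas(char *s) {
    size_t n = strlen(s);
    for (char *p = s; *p; p++) if (*p == ',') *p = '\0';
    s[n + 1] = '\0';
}

/* Fixed routine: start from a failure code so a forgotten assignment can never
 * read as success, then set attr_flag = 0 explicitly on the success path. */
static attrval_t groupsids_for(const char *user) {
    attrval_t r = { EINVAL, { NULL } };
    char *s = mock_getgrset(user), *p;
    if (s == NULL) return r;
    if ((p = malloc(strlen(s) + 2)) == NULL) { free(s); r.attr_flag = ENOMEM; return r; }
    strcpy(p, s);
    replace_commas(p);
    free(s);
    r.attr_flag = 0;          /* the initialisation the original routine lacked */
    r.attr_un.au_char = p;
    return r;
}

/* Dispatch as in wb_aix_user_attrib(): both names reach the same routine, others stay EINVAL. */
static int user_attrib(const char *user, char *attributes[], attrval_t results[], int size) {
    int failed = 0;
    for (int i = 0; i < size; i++) {
        results[i].attr_flag = EINVAL;
        results[i].attr_un.au_char = NULL;
        if (strcmp(attributes[i], S_GROUPS) == 0 || strcmp(attributes[i], S_GROUPSIDS) == 0)
            results[i] = groupsids_for(user);
        if (results[i].attr_flag != 0) failed++;
    }
    return failed;   /* number of attribute lookups that did not return EOK */
}
```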
Thanks for your patch Jürgen. We applied it on a fresh 3.0.29 code base, still on AIX 5.3, and sadly that did not fix our issue. Have you tried this on AIX 5.3 yet?

Regards,
Jerome Oufella
Sorry that it took 10 years for your findings to be addressed, Jürgen; they are fixed now with b9496ddb39e685d1f742c26ba390d26f5a3eabfb and 2e1bc87b13c491f47a6fbcf9549ffa8250a2508b. For the initially reported problem it should be said that a user needs to be *authenticated* through winbind to get its list of group memberships. A simple "su user" is not sufficient.