Bug 6504 - wbinfo -g only shows BUILTIN-groups
Status: RESOLVED FIXED
Product: Samba 3.3
Classification: Unclassified
Component: Winbind
Version: 3.3.6
Hardware: x86 Linux
Importance: P3 major
Assigned To: Karolin Seeger
Reported: 2009-06-24 10:28 UTC by Marc Muehlfeld
Modified: 2009-08-04 08:13 UTC

Attachments
Logfile of the member server on the PDC part 1 (597.17 KB, application/octet-stream)
2009-06-25 14:57 UTC, Marc Muehlfeld
Logfile of the member server on the PDC part 2 (41.98 KB, application/octet-stream)
2009-06-25 14:58 UTC, Marc Muehlfeld
Logfile on the member server (5.25 KB, application/octet-stream)
2009-06-25 14:59 UTC, Marc Muehlfeld
Logfile on the member server (219.49 KB, application/octet-stream)
2009-06-25 14:59 UTC, Marc Muehlfeld
Logfile on the member server (3.83 KB, application/octet-stream)
2009-06-25 15:01 UTC, Marc Muehlfeld
3.3.x patch that fixes various NT_STATUS_ACCESS_DENIED errors (995 bytes, patch)
2009-08-03 09:36 UTC, Guenther Deschner
vl: review+
gd: review? (jra)

Description Marc Muehlfeld 2009-06-24 10:28:42 UTC
Hello,

I have a Samba PDC and member server. After switching both from 3.0.32 to 3.3.4 (also happens on 3.3.5 and 3.3.6), "wbinfo -g" on the member server only shows BUILTIN-groups:

# wbinfo -g
BUILTIN\administrators
BUILTIN\users

while "wbinfo -u" shows all users of my PDC. After upgrading, I replaced /lib/libnss_winbind.so with the new version. Also I have the symlink from this file to /lib/libnss_winbind.so.2.

In the filesystem I only see the winbind GID of groups. Access to these files is fine, so some parts behind winbind seem to work. But it's hard to administer only with GIDs.
Comment 1 Guenther Deschner 2009-06-25 10:06:10 UTC
looking into this.

Do you have log level 10 client and server by any chance?
Comment 2 Guenther Deschner 2009-06-25 12:01:24 UTC
reproduced this.

winbind still gets NT_STATUS_ACCESS_DENIED for samr_EnumDomainGroups.
Comment 3 Guenther Deschner 2009-06-25 12:03:08 UTC
from the pdc log:
_samr_EnumDomainGroups: access check ((granted: 0x000f04fe;  required: 0x00000100)
_samr_EnumDomainGroups: ACCESS DENIED (granted: 0x000f04fe;  required: 0x00000100)
Comment 4 Guenther Deschner 2009-06-25 12:09:45 UTC
and at least here as well:
_samr_GetAliasMembership: access check ((granted: 0x000f04fe;  required: 0x00000080)
_samr_GetAliasMembership: access check ((granted: 0x000f04fe;  required: 0x00000200)
_samr_GetAliasMembership: ACCESS DENIED (granted: 0x000f04fe;  required: 0x00000200)
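
Added example, not part of the original bug report and not Samba code: a small parser that reads the PDC log lines quoted in comments 3 and 4 and names the rights that were required but not granted. The bit names are the domain access-mask names from MS-SAMR plus the standard rights; treating these masks as domain-handle masks is an assumption brought in here, not something the report states.

```python
import re

# Domain access-mask names per MS-SAMR plus standard rights (assumed, not from the report).
ACCESS_BITS = {
    0x00000001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x00000002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x00000004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x00000008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x00000010: "DOMAIN_CREATE_USER",
    0x00000020: "DOMAIN_CREATE_GROUP",
    0x00000040: "DOMAIN_CREATE_ALIAS",
    0x00000080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x00000100: "DOMAIN_LIST_ACCOUNTS",
    0x00000200: "DOMAIN_LOOKUP",
    0x00000400: "DOMAIN_ADMINISTER_SERVER",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}

# Matches both the "access check ((" and the "ACCESS DENIED (" line shapes.
LINE_RE = re.compile(
    r"(?P<call>_samr_\w+): (?P<verdict>access check|ACCESS DENIED)\s*\(+"
    r"granted: (?P<granted>0x[0-9a-fA-F]+);\s*required: (?P<required>0x[0-9a-fA-F]+)\)"
)

def decode(mask):
    """Names of all bits set in mask, lowest bit first; unknown bits as hex."""
    return [ACCESS_BITS.get(1 << i, hex(1 << i)) for i in range(32) if mask & (1 << i)]

def denied_rights(log_text):
    """Map each call that logged ACCESS DENIED to the required rights it lacked."""
    result = {}
    for m in LINE_RE.finditer(log_text):
        if m["verdict"] == "ACCESS DENIED":
            granted, required = int(m["granted"], 16), int(m["required"], 16)
            result.setdefault(m["call"], []).extend(decode(required & ~granted))
    return result

# The five PDC log lines quoted in comments 3 and 4 of this report.
PDC_LOG = """\
_samr_EnumDomainGroups: access check ((granted: 0x000f04fe;  required: 0x00000100)
_samr_EnumDomainGroups: ACCESS DENIED (granted: 0x000f04fe;  required: 0x00000100)
_samr_GetAliasMembership: access check ((granted: 0x000f04fe;  required: 0x00000080)
_samr_GetAliasMembership: access check ((granted: 0x000f04fe;  required: 0x00000200)
_samr_GetAliasMembership: ACCESS DENIED (granted: 0x000f04fe;  required: 0x00000200)
"""

if __name__ == "__main__":
    for call, missing in denied_rights(PDC_LOG).items():
        print(call, "lacks", missing)
```

On the quoted lines the granted mask 0x000f04fe carries bit 0x80, which is why the first _samr_GetAliasMembership check passes, but neither 0x100 nor 0x200, which is where both calls are refused.
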
Comment 5 Guenther Deschner 2009-06-25 13:28:56 UTC
Personal reminder for me: 9c0fc1d83ceae0ac78b8ea2408e6c385402b6f86.
Comment 6 Marc Muehlfeld 2009-06-25 14:57:52 UTC
Created attachment 4352
Logfile of the member server on the PDC part 1
Comment 7 Marc Muehlfeld 2009-06-25 14:58:50 UTC
Created attachment 4353
Logfile of the member server on the PDC part 2
Comment 8 Marc Muehlfeld 2009-06-25 14:59:23 UTC
Created attachment 4354
Logfile on the member server
Comment 9 Marc Muehlfeld 2009-06-25 14:59:46 UTC
Created attachment 4355
Logfile on the member server
Comment 10 Marc Muehlfeld 2009-06-25 15:01:07 UTC
Created attachment 4356
Logfile on the member server
Comment 11 Marc Muehlfeld 2009-06-25 15:02:26 UTC
For explanation:

MUC = Name of the domain
Nucleus (192.168.29.2) = member server
Genome (192.168.29.4) = PDC
Comment 12 Marc Muehlfeld 2009-07-16 06:29:13 UTC
New experiences:

When I run 3.4.0 on the PDC and 3.3.6 on the member servers, everything is working (wbinfo -u/g, getent passwd/group, chown/chgrp).

When I run 3.4.0 on PDC and member servers, "wbinfo" is showing domain entries. But even if "wbinfo -u/-g" and "getent passwd/group" are showing the domain users/groups, I can't "chown/chgrp":

# chgrp systemadministration test
chgrp: ungültige Gruppe „systemadministration“

# getent group | grep systemadministration
systemadministration:x:30000:administrator,technik

# wbinfo -g | grep systemadministration
systemadministration


I built 3.4.0 with samba3 only (no samba4). I replaced the nsswitch/libnss_winbind.so in /lib after installing.
Comment 13 David Markey 2009-07-20 05:02:42 UTC
I can't reproduce this:
Server : 3.4

Client : 3.3.6

root@dmarkey-laptop:~# touch bleh
root@dmarkey-laptop:~# wbinfo -i TESTDOM\\dmarkey
TESTDOM\dmarkey:*:10002:10000:David Markey:/home/TESTDOM/dmarkey:/bin/bash
root@dmarkey-laptop:~# chown TESTDOM\\dmarkey bleh
root@dmarkey-laptop:~# chgrp TESTDOM\\"Domain Users" bleh
root@dmarkey-laptop:~# stat bleh
  File: `bleh'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fc00h/64512d	Inode: 650957      Links: 1
Access: (0644/-rw-r--r--)  Uid: (10002/TESTDOM\dmarkey)   Gid: (10000/TESTDOM\domain users)
Access: 2009-07-20 10:57:40.000000000 +0100
Modify: 2009-07-20 10:57:40.000000000 +0100
Change: 2009-07-20 10:58:37.000000000 +0100



Please note that I had to compile a new winbind on Ubuntu 9.04; the one that came with Ubuntu was crashing when doing a getent group.
Comment 14 Marc Muehlfeld 2009-07-20 05:19:10 UTC
> I can't reproduce this:
> Server : 3.4
> Client : 3.3.6

In this combination it's working here too (see my Comment #12). It's broken when PDC and member server are *both 3.3.6* or *both 3.4.0*.
Comment 15 David Markey 2009-07-20 11:49:02 UTC
hmm.. strange.

I'll try reproducing this later on.

It's known that 3.3 as a PDC (to Unix clients) is broken, so we'll rule that out; I'll be working off 3.4 on the PDC side.

Perhaps something is broken in 3.4 on the client side.

Comment 16 David Markey 2009-07-20 17:26:46 UTC
Sorry, still can't reproduce. 3.4 client and server.


SambaClient:~# /opt/samba/sbin/winbindd -V
Version 3.4.0
SambaClient:~# touch bleh
SambaClient:~# chown "TESTDOM\dmarkey":"TESTDOM\domain users" bleh
SambaClient:~# stat bleh
  File: `bleh'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 301h/769d	Inode: 293         Links: 1
Access: (0644/-rw-r--r--)  Uid: (10000/TESTDOM\dmarkey)   Gid: (10000/TESTDOM\domain users)
Access: 2009-07-20 23:10:57.000000000 +0100
Modify: 2009-07-20 23:10:57.000000000 +0100
Change: 2009-07-20 23:10:59.000000000 +0100
Comment 17 David Markey 2009-07-20 17:41:29 UTC
also with winbind use default domain = yes

SambaClient:~# chown dmarkey:domadmins hello
SambaClient:~# stat hello
  File: `hello'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 301h/769d	Inode: 294         Links: 1
Access: (0644/-rw-r--r--)  Uid: (10000/ dmarkey)   Gid: (10001/domadmins)
Access: 2009-07-20 23:23:01.000000000 +0100
Modify: 2009-07-20 23:23:01.000000000 +0100
Change: 2009-07-20 23:24:46.000000000 +0100


What version of Unix are you using on the client side?
Comment 18 Marc Muehlfeld 2009-07-21 00:42:05 UTC
PDC and member server run openSUSE 10.3

# uname -a
Linux genome 2.6.22.19-0.3-default #1 SMP 2009-05-27 10:35:34 +0200 i686 i686 i386 GNU/Linux
Comment 19 Marc Muehlfeld 2009-07-21 00:48:24 UTC
I also did a new fresh samba installation on PDC and member server. I removed all tdb (in lock dir and secrets.tdb). I only keep my LDAP. But still the same problem. It only works in the combination 3.3.x on the member and 3.4.0 on the client.
Comment 20 Guenther Deschner 2009-08-03 09:36:38 UTC
Created attachment 4501
3.3.x patch that fixes various NT_STATUS_ACCESS_DENIED errors

This patch fixes winbind member 3.3.x against a samba dc 3.3.x here.
Comment 21 Marc Muehlfeld 2009-08-03 12:33:17 UTC
I applied the patch to 3.3.7 on my PDC and member server and recompiled/installed. With the patch everything works like it should now.

Thanks
Comment 22 Guenther Deschner 2009-08-04 05:25:38 UTC
Ok, Karolin, this is definitely something we need for the next 3.3.x and 3.2.x release. Reassigning to you (as Volker acked).
Comment 23 Karolin Seeger 2009-08-04 08:13:09 UTC
Picked for 3.3.8 and 3.2.14.
Closing out bug report.

Thanks!