Bug 7770 - AD-idmap is mapping unwanted group ids to user
AD-idmap is mapping unwanted group ids to user
Status: NEW
Product: Samba 3.4
Classification: Unclassified
Component: Winbind
3.4.9
x86 Solaris
: P3 normal
: ---
Assigned To: Michael Adam
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-02 05:54 UTC by Dietrich Streifert
Modified: 2010-11-02 05:54 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dietrich Streifert 2010-11-02 05:54:20 UTC
This occurs for both samba 3.4.9 and 3.5.6 on solaris 9

Setup: 
active directory on windows 2003 R2 SP2 with rfc2307 schema extension, 
openssl 0.9.8o
libiconv 1.13.1
heimdal 1.4
cyrus-sasl 2.1.23
openldap 2.4.23

The relevant part in smb.conf is in

[global]
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind expand groups = 3
        winbind nss info = rfc2307

        idmap backend = tdb

        idmap config DOMAIN:readonly = yes
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:range = 1-65535

        idmap uid = 65536 - 65537
        idmap gid = 65536 - 65537

The setup basicly works, but some group ids are spotted into the group list which do not belong to gid numbers in AD. This seems to happen for users being members in nested groups while some of the groups have gid numbers assigned in AD and some groups don't.

A given user (testuser) is in 3 groups and additionally in the group domain-users. domain-users is member of four other groups without a gid number assigned.

After su to testuser it depends on how id is called:

srv{testuser}[/home/testuser]: id -a
uid=10309(testuser) gid=11007(testgroup) groups=11007(testgroup),65536,65537,10010(domain-users),11009(testgroup3),11008(testgroup2)

srv{testuser}[/home/testuser]: id -a testuser
uid=10309(testuser) gid=11007(testgroup) groups=10010(domain-users),11008(testgroup2),11008(testgroup2),11009(testgroup3),11009(testgroup3)

The additional ids show up as group id 65536 and 65537 in "id -a" but not in "id -a testuser".

Retreiving the groups of the user testuser via wbinfo -r gives:

./wbinfo -r testuser
11007
65536
65537
10010
11009
11008

also showing the non existing ad group ids (65536,65537) which correspond to the settings in "idmap uid" and "idmap gid".

I think the idmap default tdb backend is trying to map somehow ids to the groups which do not have gid numbers assigned in AD.