Bug 7770 - AD-idmap is mapping unwanted group ids to user
Summary: AD-idmap is mapping unwanted group ids to user
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.4.9
Hardware: x86 Solaris
Importance: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-11-02 05:54 UTC by Dietrich Streifert
Modified: 2020-12-22 03:12 UTC (History)
See Also:


Description Dietrich Streifert 2010-11-02 05:54:20 UTC
This occurs for both samba 3.4.9 and 3.5.6 on solaris 9

active directory on windows 2003 R2 SP2 with rfc2307 schema extension
openssl 0.9.8o
libiconv 1.13.1
heimdal 1.4
cyrus-sasl 2.1.23
openldap 2.4.23

The relevant part in smb.conf is in

        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind expand groups = 3
        winbind nss info = rfc2307

        idmap backend = tdb

        idmap config DOMAIN:readonly = yes
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:range = 1-65535

        idmap uid = 65536 - 65537
        idmap gid = 65536 - 65537

The setup basically works, but some group ids are spotted into the group list which do not belong to gid numbers in AD. This seems to happen for users being members in nested groups while some of the groups have gid numbers assigned in AD and some groups don't.

A given user (testuser) is in 3 groups and additionally in the group domain-users. domain-users is member of four other groups without a gid number assigned.

After su to testuser it depends on how id is called:

srv{testuser}[/home/testuser]: id -a
uid=10309(testuser) gid=11007(testgroup) groups=11007(testgroup),65536,65537,10010(domain-users),11009(testgroup3),11008(testgroup2)

srv{testuser}[/home/testuser]: id -a testuser
uid=10309(testuser) gid=11007(testgroup) groups=10010(domain-users),11008(testgroup2),11008(testgroup2),11009(testgroup3),11009(testgroup3)

The additional ids show up as group id 65536 and 65537 in "id -a" but not in "id -a testuser".

Retrieving the groups of the user testuser via wbinfo -r gives:

./wbinfo -r testuser

also showing the non-existing AD group ids (65536, 65537), which correspond to the settings in "idmap uid" and "idmap gid".

I think the idmap default tdb backend is trying to map somehow ids to the groups which do not have gid numbers assigned in AD.
Comment 1 Björn Jacke 2020-12-22 03:12:03 UTC
idmap ad id assignments are working as designed. The "id" command usually also returns results from local nss sources; that's not Samba's business.
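An added check, not part of the report or of Samba itself, that makes the diagnosis above visible: it attributes each gid in the quoted "id -a" output to the idmap range it falls in, so gids handed out by the default tdb backend (groups with no gidNumber in AD) stand out from those read from the directory. The smb.conf fragment and the id output are the report's own, embedded here as constructed strings.

```python
import re

# Constructed sample input: the smb.conf fragment and the "id -a" output quoted
# in the report, embedded so the check runs offline.
SMB_CONF = """
        winbind nss info = rfc2307
        idmap backend = tdb
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:range = 1-65535
        idmap uid = 65536 - 65537
        idmap gid = 65536 - 65537
"""
ID_OUTPUT = ("uid=10309(testuser) gid=11007(testgroup) groups=11007(testgroup),"
             "65536,65537,10010(domain-users),11009(testgroup3),11008(testgroup2)")
RANGE_RE = re.compile(
    r"^\s*idmap (config \S+:range|uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def parse_idmap_ranges(conf):
    """Map each range owner to (lo, hi): the domain name for a per-domain
    backend, 'default uid'/'default gid' for the allocating tdb backend."""
    ranges = {}
    for key, lo, hi in RANGE_RE.findall(conf):
        owner = "default " + key if key in ("uid", "gid") else key.split()[1].split(":")[0]
        ranges[owner] = (int(lo), int(hi))
    return ranges

def parse_id_groups(id_line):
    """Yield (gid, name or None) for each entry of the groups= field."""
    for item in re.search(r"groups=(\S+)", id_line).group(1).split(","):
        m = re.match(r"(\d+)(?:\((.*)\))?$", item)
        yield int(m.group(1)), m.group(2)

def classify_gids(conf, id_line):
    """Attribute each gid to the idmap range it falls in ('unknown' if none)."""
    ranges = parse_idmap_ranges(conf)
    result = {}
    for gid, _name in parse_id_groups(id_line):
        result.setdefault(gid, next(
            (owner for owner, (lo, hi) in ranges.items()
             if owner != "default uid" and lo <= gid <= hi), "unknown"))
    return result

def fallback_gids(conf, id_line):
    """gids allocated by the default tdb backend instead of read from AD: they
    have no gidNumber in the directory and exist only in this host's idmap tdb."""
    return sorted(g for g, owner in classify_gids(conf, id_line).items()
                  if owner == "default gid")

if __name__ == "__main__":
    print(classify_gids(SMB_CONF, ID_OUTPUT), fallback_gids(SMB_CONF, ID_OUTPUT))
```

Any gid reported under "default gid" is a locally allocated id that other hosts will not share, which is the usual reason to give every group that should carry file ownership a gidNumber in AD.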