Bug 8420 - wb_group_members: non-resistance against garbage
Summary: wb_group_members: non-resistance against garbage
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
Version: 3.5.11
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL: http://lists.samba.org/archive/samba-...
Keywords:
Depends on:
Blocks: 8399
Reported: 2011-08-29 14:55 UTC by Dmitry Butskoy
Modified: 2011-08-30 19:15 UTC (History)

Attachments
Proposed patch (943 bytes, patch)
2011-08-29 14:55 UTC, Dmitry Butskoy
vl: review+
metze: review+
Patch (985 bytes, patch)
2011-08-29 19:15 UTC, Volker Lendecke
metze: review+

Description Dmitry Butskoy 2011-08-29 14:55:32 UTC
Created attachment 6826
Proposed patch

I've discovered a (possibly rare) issue with the
"source3/winbindd/wb_group_members.c:wb_group_members_done()" function.
It seems that it can be more friendly under some broken AD configurations.

1) We have a complex AD forest, where remote corporate branches have their own slave DCs.
2) Some of the branches have their own "local" domains (I do not know whether they are trusted or not).
3) Some local admins of those branches include their own "local" members in the common corporate AD groups. 8)
4) As a result, we have a "correct" group with an incorrect member (due to a bad unknown SID).

Everything works fine with this, except "getent group". We certainly have "winbind enum groups = yes", but
"getent group" fails, whereas "getent group GRPNAME" works fine.

I've discovered that the error is NT_STATUS_TRUSTED_DOMAIN_FAILURE when winbindd tries to obtain group members. Now, this error breaks the whole obtaining process, hence "getent groups" returns nothing about nss_winbind groups.

IMHO the best way is to ignore such an error and just leave the "bad" group "empty". This way we do not break "getent group"; it "continues to obtain" info from AD.

The patch proposed on the mailing list is attached. It fixes the issue for me.
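
An added illustration of the failure mode described in this report (not part of the original report and not Samba's code): a group enumeration loop where one group's member lookup fails, run in strict and tolerant mode. The status enum, `struct group`, `enum_groups()` and the sample data are all hypothetical stand-ins; the sketch assumes only the trusted-domain failure is tolerated, while other errors still abort.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in status codes for this sketch; not Samba's NTSTATUS values. */
typedef enum { ST_OK, ST_TRUSTED_DOMAIN_FAILURE, ST_ACCESS_DENIED } status_t;

struct group {
    const char *name;
    status_t lookup_status;  /* constructed: result of the member lookup */
    size_t num_members;      /* members returned when the lookup succeeds */
};

/* Constructed sample: "corp-all" holds a member whose SID cannot be resolved. */
static const struct group sample_groups[] = {
    { "admins",   ST_OK,                     3 },
    { "corp-all", ST_TRUSTED_DOMAIN_FAILURE, 0 },
    { "staff",    ST_OK,                     5 },
};

/*
 * Enumerate n groups. With tolerant != 0, a trusted-domain failure on one
 * group is recorded and that group is listed with no members; any other
 * error still aborts the enumeration, as does every error when tolerant == 0.
 */
status_t enum_groups(const struct group *g, size_t n, int tolerant,
                     size_t *listed, size_t *emptied)
{
    *listed = *emptied = 0;
    for (size_t i = 0; i < n; i++) {
        status_t st = g[i].lookup_status;
        if (st == ST_TRUSTED_DOMAIN_FAILURE && tolerant) {
            (*emptied)++;        /* count it so the condition can be logged */
            st = ST_OK;
        }
        if (st != ST_OK) {
            *listed = 0;         /* caller gets nothing, like "getent group" */
            return st;
        }
        (*listed)++;
    }
    return ST_OK;
}

int main(void)
{
    size_t listed, emptied;
    for (int tolerant = 0; tolerant <= 1; tolerant++) {
        status_t st = enum_groups(sample_groups, 3, tolerant, &listed, &emptied);
        printf("tolerant=%d status=%d listed=%zu emptied=%zu\n",
               tolerant, (int)st, listed, emptied);
    }
    return 0;
}
```

In tolerant mode the affected group appears with an empty member list, so anything that relies on the enumerated membership of that group should treat the `emptied` count as a signal to investigate the directory data.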
Comment 1 Volker Lendecke 2011-08-29 19:15:13 UTC
Created attachment 6827
Patch

This is the corresponding patch for 3.6.0.

Volker
Comment 2 Stefan Metzmacher 2011-08-30 06:18:14 UTC
Comment on attachment 6827
Patch

Looks good
Comment 3 Stefan Metzmacher 2011-08-30 06:18:51 UTC
Comment on attachment 6826
Proposed patch

Looks good
Comment 4 Stefan Metzmacher 2011-08-30 06:20:03 UTC
Volker, please push to master.
Karolin, please pick for the releases.
Comment 5 Volker Lendecke 2011-08-30 06:24:04 UTC
(In reply to comment #4)
> Volker, please push to master.

71dcb84e61443df3f149693486fde40315d7503d

Volker
Comment 6 Karolin Seeger 2011-08-30 19:15:17 UTC
Pushed to v3-5-test and v3-6-test.
Closing out bug report.

Thanks!