Bug 8538 - When using ldapsam:editposix, winbind cannot retrieve group information from LDAP.
When using ldapsam:editposix, winbind cannot retrieve group information from ...
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
3.6.0
x64 Linux
: P5 normal
: ---
Assigned To: Michael Adam
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-10-20 13:48 UTC by Vladimir Koshelenko
Modified: 2011-10-20 14:30 UTC (History)
0 users

See Also:


Attachments
Config, ldif and all logs (24.16 KB, application/gzip)
2011-10-20 13:48 UTC, Vladimir Koshelenko
no flags Details
Right logs (81.48 KB, application/gzip)
2011-10-20 14:30 UTC, Vladimir Koshelenko
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Vladimir Koshelenko 2011-10-20 13:48:54 UTC
Created attachment 7013 [details]
Config, ldif and all logs

When using ldapsam:editposix, winbind cannot retrieve group information from LDAP.

Samba config and 'smbd -b' output is in attachment


How to reproduce bug (doing mostly as written in http://wiki.samba.org/index.php/Ldapsam_Editposix):

1. Modify /etc/nsswitch.conf:
    passwd:     files winbind
    shadow:     files
    group:      files winbind

2. Create enties in LDAP (ldif is in attachment)

3. smbpasswd -w 11111111

4. /etc/init.d/winbind start

5. net sam provision
    Checking for Domain Users group.
    Adding the Domain Users group.
    Checking for Domain Admins group.
    Adding the Domain Admins group.
    Check for Administrator account.
    Adding the Administrator user.
    Checking for Guest user.
    Adding the Guest user.
    Checking Guest's group.
    Adding the Domain Guests group.


6.
net sam createbuiltingroup Administrators
    Created BUILTIN group Administrators with RID 544
net sam createbuiltingroup Users
    Created BUILTIN group Users with RID 545
net sam createbuiltingroup Guests
    Created BUILTIN group Guests with RID 546

New ldif after provisioning is in attachment.

8. /etc/init.d/smb start

9. Some winbind checks:
wbinfo -t
    checking the trust secret for domain XYZZY via RPC calls succeeded
wbinfo -n XYZZY\\administrator
    S-1-5-21-291514870-970769412-1889819721-500 SID_USER (1)
wbinfo -s S-1-5-21-291514870-970769412-1889819721-500
    XYZZY\Administrator 1
wbinfo -S S-1-5-21-291514870-970769412-1889819721-500
    1000
wbinfo -n XYZZY\\domadmins
    S-1-5-21-291514870-970769412-1889819721-512 SID_DOM_GROUP (2)
wbinfo -s S-1-5-21-291514870-970769412-1889819721-512
    XYZZY\Domain Admins 2
wbinfo -Y S-1-5-21-291514870-970769412-1889819721-512
    1001


10. Groups and users listing
wbinfo -u
    administrator
    nobody
wbinfo -g
    domain users
    domain admins
    domain guests


11. Now, interesting thing begins:
getent passwd administrator
    administrator:*:1000:1001:Administrator:/home/XYZZY/administrator:/bin/false
    Works!
getent group domadmins
getent group XYZZY\\domadmins
getent group XYZZY\\domain\ admins
    NOTNING!

LDAP log and 10th level log when 'getent group domadmins' executed is in attachment


12 [details]. Simple perl script:
#!/usr/bin/perl
print 'getpwuid(1000) = ', join('; ', getpwuid(1000)), "\n";
print 'getgrgid(1001) = ', join('; ', getgrgid(1001)), "\n";
    prints:
    getpwuid(1000) = administrator; *; 1000; 1001; ; ; Administrator; /home/XYZZY/administrator; /bin/false
    getgrgid(1001) =
NO GROUPS INFORMATION!

LDAP log and 10th level Samba log when 'getgrgid(1001)' called is in attachment


13 [details]. Additional winbind checks:
wbinfo --user-info=XYZZY\\Administrator
    administrator:*:1000:1001:Administrator:/home/XYZZY/administrator:/bin/false
wbinfo --group-info=XYZZY\\domadmins
    failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for group XYZZY\domadmins

Very strange, why WBC_ERR_DOMAIN_NOT_FOUND here?
LDAP log and 10th level Samba log when 'wbinfo --group-info=XYZZY\\domadmins' executed is in attachment


14 [details]. ACHTUNG! 'getent group' and 'getgrid' WORKS when in smb.conf there is parameter:
winbind expand groups = 0   # (default is '1')
But then all groups are ALWAYS EMPTY (have no members).
getent group domusers:
    domain users:x:1000:
perl script with getgrgid:
    getpwuid(1000) = administrator; *; 1000; 1001; ; ; Administrator; /home/XYZZY/administrator; /bin/false
    getgrgid(1001) = domain admins; x; 1001;
Comment 1 Vladimir Koshelenko 2011-10-20 14:30:05 UTC
Created attachment 7014 [details]
Right logs

Sorry, in previous message 'log level' wasn't actually 10.
Right logs in attacment.