The Samba-Bugzilla – Bug 8905
Enumerating groups over NSS doesn't work with idmap_ad
Last modified: 2015-04-09 19:01:00 UTC
Created attachment 7509 [details]
Winbind log from failed enumeration via getent group
This issue seems closely related to fixed bug #8608, but for groups instead of users. On a Winbind configuration with ID mapping configured using idmap_ad, when enumerating groups through NSS with "getent group", the enumeration will fail if Winbind fails to retrieve a GID from a group in AD. This can be easily witnessed in the Winbind logs at level 10. If a gidNumber is defined for the group the enumeration failed on, Winbind will successfully enumerate this group but will subsequently choke on another group that doesn't have a gidNumber defined (if any).
Is there any reason the behaviour for groups doesn't match that for users post bug #8608 resolution? In our AD environment we wish to only enable UNIX Attributes for users/groups that will actually be used on *nix systems as these represent only a small subset of the greater set of users/groups in the directory. This works fine with users thanks to the previous bug fix but fails to work on groups.
As a sample of where this causes issues, we define some permitted sudoers via groups stored in AD, but because NSS is not enumerating the AD users, sudo fails to grant access to these users on invocation.
Retrieving a list of groups in AD or performing SID -> GID lookups on appropriate groups via wbinfo instead of NSS works perfectly.
Attached is a sample log.winbindd from invoking getent group.
I have not enclosed a patch as I'm not a C coder and thus anything I submit is likely to be a liability :)
Note that this bug may be a regression as I do not see this behaviour on an Ubuntu Server 10.04.4 x64 host running Samba v3.4.7; both users and groups enumerate correctly via a "getent passwd" and "getent group". This host is connected to the same AD domain as the host witnessing the incorrect behaviour and is also using the idmap_ad backend and a very similar configuration (allowing for minor differences due to the v3.4 versus v3.6 branch).
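An added diagnostic for the failure mode described in this report; it is not part of the bug report or of Samba. It lists the domain groups that winbind cannot map to a GID, which on an idmap_ad setup are the groups without a gidNumber and therefore the ones on which "getent group" aborts. It assumes that "wbinfo -g" lists the domain groups and that "wbinfo --group-info=NAME" exits non-zero when winbind has no GID for NAME (an assumption drawn from the report that wbinfo lookups work for groups that do carry a gidNumber). The group names and the sample_has_gid lookup that stands in for wbinfo are constructed so the script also runs offline.

```sh
#!/bin/sh
# Added example, not part of bug 8905 or of Samba: list the domain groups
# winbind cannot map to a GID. On an idmap_ad configuration these are the
# groups without a gidNumber, i.e. the ones on which "getent group" chokes.
#
# Assumption: "wbinfo --group-info=NAME" exits non-zero when winbind cannot
# produce a GID for NAME, and "wbinfo -g" lists the domain groups.

# find_unmappable_groups LOOKUP
#   Reads group names, one per line, from stdin and runs LOOKUP (a command
#   or shell function) on each; prints the names for which LOOKUP fails.
#   Every group is checked, so one unmappable group does not stop the scan
#   the way it stops NSS enumeration.
find_unmappable_groups() {
    lookup="$1"
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! "$lookup" "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# Lookup against a live winbind: succeeds only if the group has a GID.
wbinfo_lookup() {
    wbinfo --group-info="$1"
}

# Constructed stand-in for the live lookup so the script runs offline:
# pretend only unixadmins and sudoers carry a gidNumber in AD.
sample_has_gid() {
    case "$1" in
        unixadmins|sudoers) return 0 ;;
        *) return 1 ;;
    esac
}

# demo: scan a constructed group list with the constructed lookup.
# Prints the groups that would break enumeration: marketing and sales.
demo() {
    printf '%s\n' unixadmins marketing sudoers sales |
        find_unmappable_groups sample_has_gid
}

if command -v wbinfo >/dev/null 2>&1; then
    wbinfo -g | find_unmappable_groups wbinfo_lookup
else
    demo
fi
```

Against a live domain the output is the list of groups to either give a gidNumber in AD or accept as invisible to NSS; an empty list means every domain group enumerates.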
I confirm the bug.
The impact is larger:
if the user is member of several groups, and if one of these groups has no gidNumber, a "getent passwd user" will fail.
Just a quick update that the Linux box referenced below as not experiencing the behaviour has been upgraded from Ubuntu Server 10.04 LTS to 12.04 LTS and is now seeing the exact same behaviour as the originally referenced system. The release upgrade process has upgraded Samba to v3.6.3 (same branch as other affected box).
Will provide a fix shortly.
Created attachment 10811 [details]
Patch for 3.6 (for reference)
Patch for Samba 3.6.
Note this will never get included in a 3.6 release because
3.6 is in security mode.
Providing the patch for testing nonetheless.
Patch for master etc following.
Created attachment 10812 [details]
Patch for master
Patch for master.
This has been tested manually.
Selftest missing (working on it).
Other versions following.
Created attachment 10906 [details]
Patch for 4.2
Created attachment 10907 [details]
Patch for 4.1
Comment on attachment 10906 [details]
Patch for 4.2
Comment on attachment 10907 [details]
Patch for 4.1
Karolin, please add to 4.2.x and 4.1.x (if possible).
Pushed to autobuild-v4-[1|2]-test.
(In reply to Karolin Seeger from comment #12)
Pushed to v4-1-test.
(In reply to Karolin Seeger from comment #13)
Pushed to v4-2-test.
Closing out bug report.