Bug 8905 - Enumerating groups over NSS doesn't work with idmap_ad
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2012-04-29 09:11 UTC by sdl
Modified: 2015-04-09 19:01 UTC

Attachments
Winbind log from failed enumeration via getent group (6.74 KB, application/octet-stream), 2012-04-29 09:11 UTC, sdl, no flags
Patch for 3.6 (for reference) (2.52 KB, patch), 2015-03-03 15:49 UTC, Michael Adam, no flags
Patch for master (2.52 KB, patch), 2015-03-03 15:50 UTC, Michael Adam, no flags
Patch for 4.2 (2.64 KB, patch), 2015-03-25 12:51 UTC, Michael Adam, flags: obnox: review+, gd: review+
Patch for 4.1 (2.64 KB, patch), 2015-03-25 12:53 UTC, Michael Adam, flags: obnox: review+, gd: review+

Description sdl 2012-04-29 09:11:05 UTC
Created attachment 7509 [details]
Winbind log from failed enumeration via getent group

This issue seems closely related to fixed bug #8608 but for groups instead of users. On a Winbind configuration with ID Mapping configured using idmap_ad, when enumerating groups through NSS with "getent group", the enumeration will fail if Winbind fails to retrieve a GID from a group in AD. This can be easily witnessed in the Winbind logs at level 10. If a gidNumber is defined for the group the enumeration failed on, Winbind will successfully enumerate this group but will subsequently choke on another group that doesn't have gidNumber defined (if any).

Is there any reason the behaviour for groups doesn't match that for users post bug #8608 resolution? In our AD environment we wish to only enable UNIX Attributes for users/groups that will actually be used on *nix systems as these represent only a small subset of the greater set of users/groups in the directory. This works fine with users thanks to the previous bug fix but fails to work on groups.

As a sample of where this causes issues, we define some permitted sudoers via groups stored in AD, but because NSS is not enumerating the AD users, sudo fails to grant access to these users on invocation.

Retrieving a list of groups in AD or performing SID -> GID lookups on appropriate groups via wbinfo instead of NSS works perfectly.

Attached is a sample log.winbindd from invoking getent group.

I have not enclosed a patch as I'm not a C coder and thus anything I submit is likely to be a liability :)
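
The check below is an added example, not part of the report and not Samba code: it lists the domain groups that winbind cannot map to a GID, which are the groups the report says enumeration fails on. It assumes `wbinfo` is on the PATH; the `WBINFO` override and the function names `group_gid` and `unmapped_groups` are hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not Samba code): report AD groups winbind cannot map to a GID.
# WBINFO is a hypothetical override for the wbinfo binary, used for testing.
WBINFO="${WBINFO:-wbinfo}"

# Print the GID for one group name; return non-zero when no mapping exists.
group_gid() {
    # "wbinfo -n NAME" prints "<SID> <type>"; keep only the SID.
    sid=$($WBINFO -n "$1" </dev/null 2>/dev/null | awk '{print $1; exit}')
    [ -n "$sid" ] || return 1
    # "wbinfo -Y SID" prints the GID, or fails when idmap has no mapping.
    gid=$($WBINFO -Y "$sid" </dev/null 2>/dev/null) || return 1
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;   # anything but a plain number is a failure
    esac
    printf '%s\n' "$gid"
}

# Read group names on stdin (one per line); print those without a GID.
unmapped_groups() {
    while IFS= read -r group; do
        [ -n "$group" ] || continue
        group_gid "$group" >/dev/null || printf '%s\n' "$group"
    done
}

# Run against the live domain only when asked to: sh script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    $WBINFO -g | unmapped_groups
fi
```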
Comment 1 sdl 2012-05-05 17:08:54 UTC
Note that this bug may be a regression as I do not see this behaviour on an Ubuntu Server 10.04.4 x64 host running Samba v3.4.7; both users and groups enumerate correctly via a "getent passwd" and "getent group". This host is connected to the same AD domain as the host witnessing the incorrect behaviour and is also using the idmap_ad backend and a very similar configuration (allowing for minor differences due to the v3.4 versus v3.6 branch).
Comment 2 Blindauer Emmanuel 2012-08-25 00:19:04 UTC
I confirm the bug.

The impact is larger:

If the user is a member of several groups, and if one of these groups has no gidNumber, a "getent passwd user" will fail.
Comment 3 sdl 2012-09-15 11:42:45 UTC
Just a quick update that the Linux box referenced below as not experiencing the behaviour has been upgraded from Ubuntu Server 10.04 LTS to 12.04 LTS and is now seeing the exact same behaviour as the originally referenced system. The release upgrade process has upgraded Samba to v3.6.3 (same branch as other affected box).
Comment 4 Michael Adam 2015-01-19 23:06:28 UTC
will provide a fix shortly
Comment 5 Michael Adam 2015-03-03 15:49:49 UTC
Created attachment 10811 [details]
Patch for 3.6 (for reference)

Patch for Samba 3.6.
Note this will never get included in a 3.6 release because 3.6 is in security mode.
Providing the patch for testing nonetheless.

Patch for master etc following.
Comment 6 Michael Adam 2015-03-03 15:50:53 UTC
Created attachment 10812 [details]
Patch for master

Patch for master.
This has been tested manually.
Selftest missing (working on it).
Other versions following.
Comment 7 Michael Adam 2015-03-25 12:51:54 UTC
Created attachment 10906 [details]
Patch for 4.2
Comment 8 Michael Adam 2015-03-25 12:53:38 UTC
Created attachment 10907 [details]
Patch for 4.1
Comment 9 Guenther Deschner 2015-03-25 12:56:37 UTC
Comment on attachment 10906 [details]
Patch for 4.2

looks fine.
Comment 10 Guenther Deschner 2015-03-25 12:56:55 UTC
Comment on attachment 10907 [details]
Patch for 4.1

looks fine.
Comment 11 Guenther Deschner 2015-03-25 12:57:47 UTC
Karolin, please add to 4.2.x and 4.1.x (if possible).
Comment 12 Karolin Seeger 2015-03-27 20:18:29 UTC
Pushed to autobuild-v4-[1|2]-test.
Comment 13 Karolin Seeger 2015-04-08 19:11:31 UTC
(In reply to Karolin Seeger from comment #12)
Pushed to v4-1-test.
Comment 14 Karolin Seeger 2015-04-09 19:01:00 UTC
(In reply to Karolin Seeger from comment #13)
Pushed to v4-2-test.
Closing out bug report.

Thanks!