Bug 9052 - winbind doesn't return "Domain Local" groups from own domain
Summary: winbind doesn't return "Domain Local" groups from own domain
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-19 08:04 UTC by Andreas Schneider
Modified: 2013-04-08 15:25 UTC

See Also:


Attachments
v3-6-test patch (1.46 KB, patch)
2012-07-19 08:07 UTC, Andreas Schneider
no flags
Replacement patch for master and 3.6.next with the removal of the sid_array_from_info3() parameter. (3.70 KB, patch)
2012-07-21 00:14 UTC, Jeremy Allison
asn: review+

Description Andreas Schneider 2012-07-19 08:04:03 UTC
This is a regression since Samba 3.5.9. With the bugfix for bug #7843 winbind stopped returning Domain Local groups for its own domain.

It is likely that this also fixes bug #8523. We see this problem in different scenarios. Here is the scenario in which I reproduced it and tested the fix. I will ask different parties to test the fix.

Scenario:

You have two AD forests with an AD server in each. The domains are named LEVEL1.DISCWORLD.SITE and LEVEL2.DISCWORLD.SITE and they have a two-way transitive trust.

LEVEL1 is the domain which manages all user accounts.
LEVEL2 manages groups and machines.

There is a user LEVEL1\asn and a Domain Local group LEVEL2\samba. winbind is joined to LEVEL2.

I authenticate the user with

wbinfo -a LEVEL1\\asn%secret

and then do

id LEVEL1\\asn

This worked with Samba versions up to version 3.5.8 and stopped working with 3.5.9 which fixes bug #7843.

The following patch fixes the problem for me. After that you can again see Domain Local groups of your own domain (the domain winbind is joined to).
Comment 1 Andreas Schneider 2012-07-19 08:07:33 UTC
Created attachment 7711
v3-6-test patch
Comment 2 Michael Adam 2012-07-19 10:17:40 UTC
You don't seem to fully describe what the problem is.

I assume that 

(1) user LEVEL1\asn is member of LEVEL2\samba.

(2) "id LEVEL1\asn" listed the group LEVEL2\samba before.

(3) "id LEVEL1\asn" does not list LEVEL2\samba any more.

right?

If so, then yes, bug #8523 might be a duplicate.
That bug report fixes the problem by removing the
call to lookup_usergroups_cached() instead of fixing
the function. :-)

The patch looks reasonable, although I am not
certain that the long comment is necessary.
IMHO, the important thing is that the commit
message carries that explanation.

Cheers - Michael
Comment 3 Andreas Schneider 2012-07-20 10:47:40 UTC
Yes, that's correct.
Comment 4 Jeremy Allison 2012-07-21 00:05:20 UTC
Note that with this patch, sid_array_from_info3() is *never* called from anywhere in the code with the parameter "skip_ressource_groups" set to true.

So we can just remove it, and remove the part of the code referring to it inside sid_array_from_info3() as well.

Jeremy.
Comment 5 Jeremy Allison 2012-07-21 00:14:38 UTC
Created attachment 7715
Replacement patch for master and 3.6.next with the removal of the sid_array_from_info3() parameter.
Comment 6 Andreas Schneider 2012-07-21 08:15:32 UTC
Comment on attachment 7715
Replacement patch for master and 3.6.next with the removal of the sid_array_from_info3() parameter.

Thanks, looks fine for me.
Comment 7 Jeremy Allison 2012-07-23 16:56:46 UTC
Re-assigning to Karolin for inclusion in 3.6.next.
Jeremy.
Comment 8 Karolin Seeger 2012-07-24 18:56:05 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks!
Comment 9 Richard Sharpe 2013-03-09 01:06:03 UTC
Hmmm, this still seems to be in 3.6.12, at least on FreeBSD:

Here are the groups dummy-1 is in:

$ wbinfo --user-domgroups=`wbinfo -n dummy-1 | cut -f1 -d\ `
S-1-5-21-757122879-414339038-1732654586-513
S-1-5-21-757122879-414339038-1732654586-42349

The first is Domain Users, the second the domain local group I set up.

Here is what id dummy-1 displays:

$ id dummy-1
uid=1344820287(dummy-1) gid=1344799233(domain users) groups=1344799233(domain users)

Domain Users is listed twice but the second group is not listed at all.

Now to figure out why.
Comment 10 Eric Jones 2013-04-08 14:52:28 UTC
I am also experiencing this problem using both the stock packages from RHEL 6.3 (3.6.9-151) as well as the latest packages from enterprisesamba.org (3.6.13-45). The user's domain local groups will show up initially and after some period of time they are dropped both from the wbinfo and id commands. Setting the groups to global scope appears to resolve the issue.
Comment 11 Andreas Schneider 2013-04-08 15:25:31 UTC
Yes, because the information is only available with the credentials of the user.

samba:~ # wbinfo --user-domgroups=$(wbinfo -n DISCWORLD+asn | cut -f1 -d\ )
S-1-5-21-2175650508-4111995269-951467909-513
S-1-5-21-2175650508-4111995269-951467909-1109
S-1-5-21-2175650508-4111995269-951467909-1106
S-1-5-21-2175650508-4111995269-951467909-1108
samba:~ # wbinfo -K DISCWORLD+asn
Enter DISCWORLD+asn's password: 
plaintext kerberos password authentication for [DISCWORLD+asn] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
samba:~ # wbinfo --user-domgroups=$(wbinfo -n DISCWORLD+asn | cut -f1 -d\ )
S-1-5-21-2175650508-4111995269-951467909-513
S-1-5-21-2175650508-4111995269-951467909-1109
S-1-5-21-2175650508-4111995269-951467909-1106
S-1-5-21-2175650508-4111995269-951467909-1108
S-1-5-21-2175650508-4111995269-951467909-1110
samba:~ # wbinfo --sid-to-name=S-1-5-21-2175650508-4111995269-951467909-1110
DISCWORLD+domain_local_group 4

I wrote a blog post about this:

https://blog.cryptomilk.org/2012/11/08/understanding-winbind/