Bug 9766 - winbind resolving group names if lookup without a domain name has been cached.
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.13
Hardware: All All
: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2013-04-04 12:42 UTC by Andreas Schneider
Modified: 2013-12-24 12:38 UTC

v4-0-test patch (2.15 KB, patch)
2013-04-10 07:54 UTC, Andreas Schneider
gd: review+
vl: review+
v3-6-test patch (2.15 KB, patch)
2013-04-10 07:57 UTC, Andreas Schneider
gd: review+
vl: review+

Description Andreas Schneider 2013-04-04 12:42:41 UTC
We fail to do some valid name lookups. This goes back to

require_membership_of = redhat

in pam_winbind.conf. As you can see a group without a domain is specified 
which results in a lookup of that group without a domain name.

[2013/04/04 12:08:52.940058, 10, pid=9331] 
  process_request: Handling async request 9333:LOOKUPNAME
[2013/04/04 12:08:52.940186,  3, pid=9331] 
  lookupname +redhat
[2013/04/04 12:08:52.940307,  1, pid=9331] 
       wbint_LookupName: struct wbint_LookupName
          in: struct wbint_LookupName
              domain                   : *
                  domain                   : ''
              name                     : *
                  name                     : 'REDHAT'
              flags                    : 0x00000000 (0)
[2013/04/04 12:08:52.948321,  1, pid=9331] 
       wbint_LookupName: struct wbint_LookupName
          out: struct wbint_LookupName
              type                     : *
                  type                     : SID_NAME_DOM_GRP (2)
              sid                      : *
                  sid                      : 
              result                   : NT_STATUS_OK

We end up with the following mappings in the cache:

key(10) = "NS//REDHAT"
data(66) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00-

key(48) = "SN/S-1-5-21-2175650508-4111995269-951467909-1106"
data(28) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00\00\06redhat"

If you do an 'id' as the user now, it is not able to find the group name in 
the cache:

DISCWORLD+asn@samba:~> id
uid=100001104(DISCWORLD+asn) gid=100000513(DISCWORLD+domain users) 
groups=100000513(DISCWORLD+domain users),100001106,100001108(DISCWORLD+samba)

I've created a patch which looks up the domain name from the sid if 
domain_name is not set. So we will later find the correct entries when we try 
to look up DISCWORLD\redhat.
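
A check for the cache state described above, as an added example that is not part of the original report or of Samba's code: it scans a text dump in the key(...)/data(...) format quoted in the description and lists entries stored without a domain. The entry layout (16-byte header, 4-byte type, then one-byte-length-prefixed domain and name strings) is an assumption inferred from the 28-byte SN record shown in the report, and the sample dump is constructed.

```python
import re

# Constructed sample in the key(...)/data(...) dump format quoted in the report.
# The RID-1108 record and the NS data bytes are made up for illustration.
SAMPLE = r'''
key(48) = "SN/S-1-5-21-2175650508-4111995269-951467909-1106"
data(28) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00\00\06redhat"
key(48) = "SN/S-1-5-21-2175650508-4111995269-951467909-1108"
data(36) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00\09DISCWORLD\05samba"
key(10) = "NS//REDHAT"
data(4) = "\00\00\00\00"
key(18) = "NS/DISCWORLD/SAMBA"
data(4) = "\00\00\00\00"
'''

RECORD = re.compile(r'key\(\d+\) = "(.*)"\ndata\(\d+\) = "(.*)"')
# Assumed entry layout, inferred from the 28-byte SN record in the report:
# status(4) seqnum(4) timeout(8) type(4), then 1-byte-length-prefixed strings.
STRINGS_AT = 4 + 4 + 8 + 4

def unescape(text):
    """Turn the dump's \\XX hex escapes back into raw bytes."""
    raw = re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), text)
    return raw.encode('latin-1')

def read_str(buf, off):
    """Read one length-prefixed string; return (string, next offset)."""
    n = buf[off] if off < len(buf) else 0
    return buf[off + 1:off + 1 + n].decode('latin-1'), off + 1 + n

def domainless_entries(dump):
    """Return (key, name) for every cache entry stored without a domain."""
    hits = []
    for key_txt, data_txt in RECORD.findall(dump):
        key, data = unescape(key_txt).decode('latin-1'), unescape(data_txt)
        kind, _, rest = key.partition('/')
        if kind == 'NS' and rest.startswith('/'):      # "NS//NAME": empty domain
            hits.append((key, rest[1:]))
        elif kind == 'SN' and len(data) > STRINGS_AT:
            domain, off = read_str(data, STRINGS_AT)
            name, _ = read_str(data, off)
            if domain == '':                           # SID maps to a bare name
                hits.append((key, name))
    return hits

if __name__ == '__main__':
    for key, name in domainless_entries(SAMPLE):
        print(f'{key}: cached as {name!r} with no domain')
```
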
Comment 1 Andreas Schneider 2013-04-10 07:54:46 UTC
Created attachment 8744
v4-0-test patch
Comment 2 Andreas Schneider 2013-04-10 07:57:13 UTC
Created attachment 8747
v3-6-test patch
Comment 3 Guenther Deschner 2013-04-11 10:33:45 UTC
Karolin, please add to 4.0.x and 3.6.x. Thanks!
Comment 4 Karolin Seeger 2013-04-12 07:56:39 UTC
Pushed to v3-6-test and autobuild-v4-0-test.
Comment 5 Karolin Seeger 2013-04-12 10:23:13 UTC
Pushed to v4-0-test.
Closing out bug report.