Bug 9766 - winbind resolving group names if lookup without a domain name has been cached.
Summary: winbind resolving group names if lookup without a domain name has been cached.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.6.13
Hardware: All All
: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-04 12:42 UTC by Andreas Schneider
Modified: 2013-12-24 12:38 UTC (History)
1 user (show)

See Also:

Attachments
v4-0-test patch (2.15 KB, patch)
2013-04-10 07:54 UTC, Andreas Schneider 		gd: review+
vl: review+
Details
v3-6-test patch (2.15 KB, patch)
2013-04-10 07:57 UTC, Andreas Schneider 		gd: review+
vl: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2013-04-04 12:42:41 UTC 
We fail do some valid name lookups. This goes back to

require_membership_of = redhat

in pam_winbind.conf. As you can see a group without a domain is specified 
which results in a lookup of that group without a domain name.

[2013/04/04 12:08:52.940058, 10, pid=9331] 
winbindd/winbindd.c:617(process_request)
  process_request: Handling async request 9333:LOOKUPNAME
[2013/04/04 12:08:52.940186,  3, pid=9331] 
winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
  lookupname +redhat
[2013/04/04 12:08:52.940307,  1, pid=9331] 
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          in: struct wbint_LookupName
              domain                   : *
                  domain                   : ''
              name                     : *
                  name                     : 'REDHAT'
              flags                    : 0x00000000 (0)
[2013/04/04 12:08:52.948321,  1, pid=9331] 
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          out: struct wbint_LookupName
              type                     : *
                  type                     : SID_NAME_DOM_GRP (2)
              sid                      : *
                  sid                      : 
S-1-5-21-2175650508-4111995269-951467909-1106
              result                   : NT_STATUS_OK



We end up with the following mappings in the cache:

{
key(10) = "NS//REDHAT"
data(66) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00-
S-1-5-21-2175650508-4111995269-951467909-1106"
}

{
key(48) = "SN/S-1-5-21-2175650508-4111995269-951467909-1106"
data(28) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00\00\06redhat"
}

If you do an 'id' as the user now. It is not able to find the group name in 
the cache:

DISCWORLD+asn@samba:~> id
uid=100001104(DISCWORLD+asn) gid=100000513(DISCWORLD+domain users) 
groups=100000513(DISCWORLD+domain users),100001106,100001108(DISCWORLD+samba)


I've created a patch which looks up the domain name from the sid if 
domain_name is not set. So we will later find the correct entries when we try 
to lookup DISCWORLD\redhat.
Comment 1 Andreas Schneider 2013-04-10 07:54:46 UTC 
Created attachment 8744 [details]
v4-0-test patch
Comment 2 Andreas Schneider 2013-04-10 07:57:13 UTC 
Created attachment 8747 [details]
v3-6-test patch
Comment 3 Guenther Deschner 2013-04-11 10:33:45 UTC 
Karolin, please add to 4.0.x and 3.6.x. Thanks!
Comment 4 Karolin Seeger 2013-04-12 07:56:39 UTC 
Pushed to v3-6-test and autobuild-v4-0-test.
Comment 5 Karolin Seeger 2013-04-12 10:23:13 UTC 
Pushed to v4-0-test.
Closing out bug report.

Thanks!