[Bug 1315565] Re: nss-winbind is returning -1 for supplemental groups

Jason Gunthorpe jgunthorpe at gmail.com
Tue Jun 10 19:39:07 UTC 2014


Turns out this is not just a cosmetic problem; having -1 in a
supplementary group list completely breaks the NFS server as well, in a
very hard to find way.

https://bugs.launchpad.net/bugs/1315565

Title:
  nss-winbind is returning -1 for supplemental groups

Status in “samba” package in Ubuntu:
  New

Bug description:
  This is a regression in trusty.

  Consider:

  $ wbinfo -r jgg
  1000
  -1
  10009
  10011
  10004
  10003
  -1
  1002
  -1

  Results in:

  $ getent initgroups jgg
  jgg                   4 24 27 30 46 108 124 1000 10009 10011 10004 10003 1002
  $ id jgg
  uid=2009(jgg) gid=1000(orc) groups=1000(orc),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),4294967295,10009(vpn_users),10011(xweb_users),10004(accounting),10003(domain_users),4294967295,1002(wsudoers),4294967295

  Those 4294967295 values should not be in the group list.

  The underlying issue is that some of the AD groups the user is a part
  of are not UNIX groups; they are just general AD groups:

  $ ldapsearch uid=jgg memberOf
  dn: CN=Jason Gunthorpe,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=XWEB Users,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=VPN Users,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=accounting,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=wsudoers,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=Boards website editors,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=Parts website editors,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=adm,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=Domain Users,CN=Users,DC=ads,DC=orcorp,DC=ca
  memberOf: CN=Print Operators,CN=Builtin,DC=ads,DC=orcorp,DC=ca

  For instance, 'Print Operators' is not a UNIX group; it doesn't have
  the RFC2307 schema elements.

  # Print Operators, Builtin, ads.orcorp.ca
  dn: CN=Print Operators,CN=Builtin,DC=ads,DC=orcorp,DC=ca
  objectClass: top
  objectClass: group
  cn: Print Operators
  description: Members can administer domain printers
  member: CN=Jason Gunthorpe,CN=Users,DC=ads,DC=orcorp,DC=ca
  member: CN=Ian Crowe,CN=Users,DC=ads,DC=orcorp,DC=ca
  distinguishedName: CN=Print Operators,CN=Builtin,DC=ads,DC=orcorp,DC=ca
  instanceType: 4
  whenCreated: 20080729165935.0Z
  whenChanged: 20080808163035.0Z
  uSNCreated: 8209
  uSNChanged: 30817
  name: Print Operators
  objectGUID:: SBkgyF4upEG4GO6bRhj17g==
  objectSid:: AQIAAAAAAAUgAAAAJgIAAA==
  adminCount: 1
  sAMAccountName: Print Operators
  sAMAccountType: 536870912
  systemFlags: -1946157056
  groupType: -2147483643
  objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=orcorp,DC=ca
  isCriticalSystemObject: TRUE

  
  # wsudoers, Users, ads.orcorp.ca
  dn: CN=wsudoers,CN=Users,DC=ads,DC=orcorp,DC=ca
  objectClass: top
  objectClass: group
  cn: wsudoers
  description: Workstation Sudoers
  member: CN=Rolf Manderscheid,CN=Users,DC=ads,DC=orcorp,DC=ca
  member: CN=Jason Gunthorpe,CN=Users,DC=ads,DC=orcorp,DC=ca
  member: CN=Ian Crowe,CN=Users,DC=ads,DC=orcorp,DC=ca
  distinguishedName: CN=wsudoers,CN=Users,DC=ads,DC=orcorp,DC=ca
  instanceType: 4
  whenCreated: 20080808044201.0Z
  whenChanged: 20111130193544.0Z
  uSNCreated: 30255
  info: Members can use sudo on the workstations
  uSNChanged: 2007454
  name: wsudoers
  objectGUID:: oYEd5AZTyESv6SHZoxBGeQ==
  objectSid:: AQUAAAAAAAUVAAAAmm48yDCxnAEu012CfgQAAA==
  sAMAccountName: wsudoers
  sAMAccountType: 536870912
  managedBy: CN=Jason Gunthorpe,CN=Users,DC=ads,DC=orcorp,DC=ca
  groupType: -2147483644
  objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=orcorp,DC=ca
  msSFU30Name: wsudoers
  msSFU30NisDomain: ads
  gidNumber: 1002
