[Bug 1307778] Re: getent group on trusty returns only local groups
Ryan Ritterson
rrpublic at gmail.com
Tue Oct 14 18:45:32 UTC 2014
I believe I have tracked down the source of this bug, which will
hopefully lead to an easy fix.
The problem appears to be the inability of SID S-1-18-1 to be mapped
(See https://support.microsoft.com/kb/2830145 for an explanation why).
Winbind gets a list of all groups, and that SID is returned, then
attempts to map them to GIDs but fails because that SID cannot be
mapped.
If one runs:
wbinfo -U [uid]
then takes the SID that results and does
wbinfo --user-sids=[users SID]
a list of groups will be returned, along with the user's SID. I am able
to map all of them back to objects/groups in the domain, except for the
S-1-18-1 SID.
This nicely matches the output of
groups [user]
which on my machine returns all of the groups I belong to, except for
one, for which the command returns "groups: cannot find name for group
ID 100000", where 100000 is the beginning of the idmap * range in
smb.conf. I am almost certain the GID 100000 corresponds to the
unmappable S-1-18-1 SID and is the reason "getent group" only returns
local groups.
A patch may be as simple as winbind just ignoring S-1-18-1 and S-1-18-2
when returned as an SID for a group.
This appears to have been the behavior for earlier versions of winbind,
as running
wbinfo -s [user SID]
on a centos 6 machine using Samba 3.6 returns all of the SIDs for the
user's groups, except the bad S-1-18-1 SID.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1307778
Title:
getent group on trusty returns only local groups
Status in “samba” package in Ubuntu:
Confirmed
Bug description:
On Trusty, winbind version: 2:4.1.6+dfsg-1ubuntu2 returns groups with
GID = -1 when using wbinfo -r:
user at host:~$ wbinfo -r user
2001
-1
-1
10000
-1
-1
100002
100001
On Saucy, winbind 2:3.6.18-1ubuntu3.2 returned only groups with valid
GIDs as defined in the active directory using the same command:
user at otherhost:~$ wbinfo -r user
2001
10000
With this configuration on a Trusty host, "getent group" returns only
local groups (it does not even enumerate the active directory groups
with GIDs 2001 & 10000). The same thing happens on a "groups" command
run by the user at a prompt. However, if "groups [user]" is run, it
returns the defined active directory groups, as well as a number of
errors (line breaks added to output for readability):
user at host:~$ groups
localgroup1 sudo
user at host:~$ groups user
user : localgroup1 sudo
groups: cannot find name for group ID 4294967295 4294967295
groups: cannot find name for group ID 4294967295 4294967295
domain admins
groups: cannot find name for group ID 4294967295 4294967295
groups: cannot find name for group ID 4294967295 4294967295
BUILTIN\users
BUILTIN\administrators
The groups on the Trusty host with GIDs 100001 and 100002 as returned
by "wbinfo -r" belong to BUILTIN\administrator and BUILTIN\users
respectively (per wbinfo --gid-info=100001), neither of which has a
defined GID in the active directory. There are several other groups
within the user's OU that also do not have GIDs, and I suspect the
"-1" values belong to those groups.
I am not sure why the BUILTIN groups get assigned a dynamic GID (as
set by the idmap config * : range = 100000-300000 line in smb.conf)
when they have no LDAP gidNumber assigned to them, while the other
groups inside our OU get assigned gid -1 when they also have no
gidNumber assigned to them.
The smb.conf file is identical between the two hosts except for the
server name string. The non-working host was upgraded from Saucy to
Trusty today. Two other hosts were also upgraded, and they show
exactly the same behavior.
This issue breaks domain-wide administrative powers, as we use visudo
to give members of the domain admins group local administrative
permissions on all machines. "sudo" commands run on the Trusty host by
a domain admin member not also in the local sudo group fail, declaring
the user is not one of the sudoers.
Notably, "getent passwd" returns all local and domain users, and
domain users remain able to log in with correct UIDs using domain
accounts.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libnss-winbind 2:4.1.6+dfsg-1ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
Uname: Linux 3.13.0-24-generic x86_64
ApportVersion: 2.14.1-0ubuntu2
Architecture: amd64
Date: Mon Apr 14 18:50:45 2014
InstallationDate: Installed on 2014-02-13 (60 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SambaClientRegression: Yes
SourcePackage: samba
UpgradeStatus: Upgraded to trusty on 2014-04-15 (0 days ago)
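The two checks discussed in this thread (the `wbinfo -r` GID listing in the bug description and the `wbinfo --user-sids` walk in the reply) lend themselves to a small diagnostic script. The following is an added example, not code from the bug report or from Samba: it reads either command's output on stdin in the one-value-per-line format shown above, counts the group entries whose idmap lookup failed, and separates the S-1-18 "asserted identity" SIDs described in KB2830145 from the SIDs that should resolve. The sample data is constructed; the domain SID prefix S-1-5-21-1111111111-2222222222-3333333333 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the bug report or Samba. Diagnoses winbind group
# resolution from two outputs in the formats shown in this thread:
#   `wbinfo -r <user>`            -> one GID per line, -1 where idmap failed
#   `wbinfo --user-sids=<sid>`    -> one SID per line
# The sample data below is constructed; the S-1-5-21-... domain SID is a placeholder.

# SIDs under the S-1-18 authority (S-1-18-1 Authentication Authority Asserted
# Identity, S-1-18-2 Service Asserted Identity) describe how a token was
# obtained, not a group, so they carry no gidNumber and idmap cannot map them.
is_asserted_identity_sid() {
    case "$1" in
        S-1-18-1|S-1-18-2) return 0 ;;
        *) return 1 ;;
    esac
}

# Count `wbinfo -r` lines carrying the failed-mapping sentinel: -1, or the same
# value as groups(1) prints it once cast to an unsigned gid_t (4294967295).
count_unmapped_gids() {
    awk '$1 == "-1" || $1 == "4294967295" { n++ } END { print n + 0 }'
}

# Print the `wbinfo --user-sids` entries that fall in one category:
#   asserted -> S-1-18-x SIDs (expected to be unmappable)
#   domain   -> everything else (should resolve via wbinfo -s / --gid-info)
filter_sids() {
    category="$1"
    while IFS= read -r sid; do
        [ -n "$sid" ] || continue
        if is_asserted_identity_sid "$sid"; then
            kind=asserted
        else
            kind=domain
        fi
        if [ "$kind" = "$category" ]; then
            printf '%s\n' "$sid"
        fi
    done
}

# Constructed sample: the GID list from the bug description (four -1 entries).
SAMPLE_WBINFO_R='2001
-1
-1
10000
-1
-1
100002
100001'

# Constructed sample: a user SID walk containing a domain user, Domain Admins
# (RID 512), the asserted-identity SID, and the two BUILTIN groups (RIDs 544, 545).
SAMPLE_USER_SIDS='S-1-5-21-1111111111-2222222222-3333333333-1105
S-1-5-21-1111111111-2222222222-3333333333-512
S-1-18-1
S-1-5-32-544
S-1-5-32-545'

# Stand-alone run: print a short diagnosis of the constructed samples.
# On a real host pipe the commands in, e.g. `wbinfo -r "$user" | count_unmapped_gids`.
unmapped=$(printf '%s\n' "$SAMPLE_WBINFO_R" | count_unmapped_gids)
echo "group entries with failed idmap: $unmapped"
echo "asserted-identity SIDs (expected unmappable):"
printf '%s\n' "$SAMPLE_USER_SIDS" | filter_sids asserted
echo "domain/builtin SIDs to verify with wbinfo -s:"
printf '%s\n' "$SAMPLE_USER_SIDS" | filter_sids domain
```

If the count of unmapped entries equals the number of asserted-identity SIDs in the walk, the failures are explained by S-1-18-x alone; any surplus points at ordinary domain groups that lack a gidNumber under the configured idmap backend, which is the separate question the bug description raises about the "-1" entries in the user's OU.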