Bug 247423
| Summary: | wbinfo -r gives incorrect group information | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Bojan Smojver <bojan> |
| Component: | samba | Assignee: | Guenther Deschner <gdeschner> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | qe-baseos-daemons |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.0 | CC: | dpal, gdeschner, jplans |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-04-26 14:29:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Bojan Smojver
2007-07-09 07:51:24 UTC
That patch doesn't actually work on EL5. Hmm... I think I need to work on this one a bit more. Some accounts show up correct info. Could be a misconfiguration after all. Bojan, the bug you reference is a FreeBSD specific bug, I can't see how it can apply to RHEL5. I will close this bug now. If you come up with more info and a reproduceable case then reopen it. Thanks. Yeah, looks like it. Although, there is mention of this happening on Linux in the original Samba bug report. So, maybe the _fix_ is FreeBSD specific... I have two boxes - one running EL4, the other EL5, both trying to determine group membership of users wbinfo -r. On EL4 box I can see some users being members of two groups (which is correct). On EL5, it only shows one. But this could also be some subtle play of domain trust relationships and AD permissions in this environment - I'm not sure. Anyhow, let me play with it a bit more and report back. Group membership is very hard to determine in Windows. The only reliable way to do it is to login using kerberos, the PAC will contain the correct membership. Latest samba versions can decode the pack and cache its contents. Both of these boxes (EL4 and EL5) are configured to use Kerberos (i.e. security = ads). After changing some permissions (making Everyone be able to read that part of the tree), I can now reliably get groups on EL4 machine. Not so on EL5 machine. There I only get groups that belong to the domain from which the account comes - the others do not appear at all. Will try to figure out a bit more... Here is how to replicate the problem. Have two AD domains, A and B, and make them trust each other. Create a universal group G in domain A. Create two users, one in domain A (U1) and one in domain B (U2). Place both these users in group 'A\G'. Then, on both EL4 and EL5 boxes, join domain A using 'security = ads'. Run: wbinfo -n 'A\G' This should give a SID of 'A\G' as the first word on the line. With that, run: wbinfo -Y <SID_displayed_above> This should give the gid of this group. Finally, run: wbinfo -r 'A\U1' | grep <gid_obtained_above> wbinfo -r 'B\U2' | grep <gid_obtained_above> On EL4 box, second command will give the gid of the 'A\G'. On EL5 box, it won't. The first command will give gid of 'A\G' on both EL4 and EL5 boxes. Now, I'm not sure if this is a regression or intended behavior, but another interesting fact is that EL4 box can see problematic groups when running 'wbinfo -g', but EL5 box cannot. Should be fixed in latest Samba package for quite a while. |