Red Hat Bugzilla – Bug 247423
wbinfo -r gives incorrect group information
Last modified: 2010-04-26 10:29:14 EDT
Description of problem:
Upon running wbinfo -r on a system with a correctly configured winbindd,
reported groups may be incorrect for certain users.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure winbind against an AD.
2. Run wbinfo -r for various users and watch output
List of group IDs is incomplete/incorrect.
Should give all correct group IDs.
See bug https://bugzilla.samba.org/show_bug.cgi?id=3990, which also has a patch
included. Please backport.
That patch doesn't actually work on EL5. Hmm...
I think I need to work on this one a bit more. Some accounts show up correct
info. Could be a misconfiguration after all.
The bug you reference is a FreeBSD specific bug, I can't see how it can apply to
I will close this bug now.
If you come up with more info and a reproducible case then reopen it. Thanks.
Yeah, looks like it. Although, there is mention of this happening on Linux in
the original Samba bug report. So, maybe the _fix_ is FreeBSD specific...
I have two boxes - one running EL4, the other EL5, both trying to determine
group membership of users with wbinfo -r. On EL4 box I can see some users being
members of two groups (which is correct). On EL5, it only shows one. But this
could also be some subtle play of domain trust relationships and AD permissions
in this environment - I'm not sure.
Anyhow, let me play with it a bit more and report back.
Group membership is very hard to determine in Windows.
The only reliable way to do it is to login using kerberos, the PAC will contain
the correct membership. Latest Samba versions can decode the PAC and cache its
Both of these boxes (EL4 and EL5) are configured to use Kerberos (i.e. security
= ads). After changing some permissions (making Everyone be able to read that
part of the tree), I can now reliably get groups on EL4 machine. Not so on EL5
machine. There I only get groups that belong to the domain from which the
account comes - the others do not appear at all.
Will try to figure out a bit more...
Here is how to replicate the problem. Have two AD domains, A and B, and make
them trust each other. Create a universal group G in domain A. Create two users,
one in domain A (U1) and one in domain B (U2). Place both these users in group
Then, on both EL4 and EL5 boxes, join domain A using 'security = ads'.
wbinfo -n 'A\G'
This should give a SID of 'A\G' as the first word on the line. With that, run:
wbinfo -Y <SID_displayed_above>
This should give the gid of this group. Finally, run:
wbinfo -r 'A\U1' | grep <gid_obtained_above>
wbinfo -r 'B\U2' | grep <gid_obtained_above>
On EL4 box, second command will give the gid of the 'A\G'. On EL5 box, it won't.
The first command will give gid of 'A\G' on both EL4 and EL5 boxes.
Now, I'm not sure if this is a regression or intended behavior, but another
interesting fact is that EL4 box can see problematic groups when running 'wbinfo
-g', but EL5 box cannot.
Should be fixed in latest Samba package for quite a while.
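
The replication steps in this report (wbinfo -n, then wbinfo -Y, then wbinfo -r per user) collected into one script. This is an added example, not part of the original bug report or of Samba; the function names and the WBINFO override variable are assumptions for illustration. It compares whole gid values rather than using an unanchored grep, so one gid cannot match as a substring of another.

```shell
#!/bin/sh
# Added example: checks whether users' wbinfo -r output contains a group's gid.
# WBINFO is an assumed override so the logic can be exercised with a stub.
WBINFO="${WBINFO:-wbinfo}"

# Group name -> SID (first word of wbinfo -n) -> gid (wbinfo -Y).
group_gid() {
    sid=$("$WBINFO" -n "$1" | awk 'NR == 1 { print $1 }')
    case "$sid" in
        S-1-*) "$WBINFO" -Y "$sid" ;;
        *) return 2 ;;              # name did not resolve to a SID
    esac
}

# 0 = gid listed for user, 1 = gid absent, 2 = wbinfo -r itself failed.
# Compares whole fields, so gid 10001 does not match a line reading 100010
# the way an unanchored grep would.
user_has_gid() {
    gids=$("$WBINFO" -r "$1") || return 2
    printf '%s\n' "$gids" | awk -v g="$2" '$1 == g { f = 1 } END { exit !f }'
}

# check_membership GROUP USER...  -> 0 all present, 1 some absent, 2 group unresolved.
check_membership() {
    group=$1; shift
    gid=$(group_gid "$group") || { echo "cannot resolve group" >&2; return 2; }
    result=0
    for user in "$@"; do
        st=0; user_has_gid "$user" "$gid" || st=$?
        case $st in
            0) state=OK ;;
            1) state=MISSING; result=1 ;;
            *) state=LOOKUP-FAILED; result=1 ;;
        esac
        printf '%-13s %s gid=%s (%s)\n' "$state" "$user" "$gid" "$group"
    done
    return "$result"
}

# Usage: sh check.sh 'A\G' 'A\U1' 'B\U2'
if [ "$#" -ge 2 ]; then
    check_membership "$@"
fi
```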