Bug 247423 - wbinfo -r gives incorrect group information
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba
Version: 5.0
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Guenther Deschner
QA Contact: qe-baseos-daemons
Keywords: Reopened
Reported: 2007-07-09 03:51 EDT by Bojan Smojver
Modified: 2010-04-26 10:29 EDT
Doc Type: Bug Fix
Last Closed: 2010-04-26 10:29:14 EDT
External Trackers: Samba Project 3990

Description Bojan Smojver 2007-07-09 03:51:24 EDT
Description of problem:
Upon running wbinfo -r on a system with a correctly configured winbindd,
reported groups may be incorrect for certain users.

Version-Release number of selected component (if applicable):
3.0.23c-2.el5.2.0.2

How reproducible:
Always.

Steps to Reproduce:
1. Configure winbind against an AD.
2. Run wbinfo -r for various users and watch output
  
Actual results:
List of group IDs is incomplete/incorrect.

Expected results:
Should give all correct group IDs.

Additional info:
See bug https://bugzilla.samba.org/show_bug.cgi?id=3990, which also has a patch
included. Please backport.
Comment 1 Bojan Smojver 2007-07-09 04:21:56 EDT
That patch doesn't actually work on EL5. Hmm...
Comment 2 Bojan Smojver 2007-07-09 06:45:14 EDT
I think I need to work on this one a bit more. Some accounts show up correct
info. Could be a misconfiguration after all.
Comment 3 Simo Sorce 2007-07-09 09:11:08 EDT
Bojan,
the bug you reference is a FreeBSD-specific bug, I can't see how it can apply to
RHEL5.
I will close this bug now.
If you come up with more info and a reproducible case then reopen it. Thanks.
Comment 4 Bojan Smojver 2007-07-09 17:53:34 EDT
Yeah, looks like it. Although, there is mention of this happening on Linux in
the original Samba bug report. So, maybe the _fix_ is FreeBSD specific...

I have two boxes - one running EL4, the other EL5, both trying to determine
group membership of users with wbinfo -r. On EL4 box I can see some users being
members of two groups (which is correct). On EL5, it only shows one. But this
could also be some subtle play of domain trust relationships and AD permissions
in this environment - I'm not sure.

Anyhow, let me play with it a bit more and report back.
Comment 5 Simo Sorce 2007-07-09 17:59:58 EDT
Group membership is very hard to determine in Windows.
The only reliable way to do it is to login using kerberos, the PAC will contain
the correct membership. Latest samba versions can decode the PAC and cache its
contents.
Comment 6 Bojan Smojver 2007-07-09 18:45:35 EDT
Both of these boxes (EL4 and EL5) are configured to use Kerberos (i.e. security
= ads). After changing some permissions (making Everyone be able to read that
part of the tree), I can now reliably get groups on EL4 machine. Not so on EL5
machine. There I only get groups that belong to the domain from which the
account comes - the others do not appear at all.

Will try to figure out a bit more...
Comment 7 Bojan Smojver 2007-08-08 04:03:38 EDT
Here is how to replicate the problem. Have two AD domains, A and B, and make
them trust each other. Create a universal group G in domain A. Create two users,
one in domain A (U1) and one in domain B (U2). Place both these users in group
'A\G'.

Then, on both EL4 and EL5 boxes, join domain A using 'security = ads'.

Run:

wbinfo -n 'A\G'

This should give a SID of 'A\G' as the first word on the line. With that, run:

wbinfo -Y <SID_displayed_above>

This should give the gid of this group. Finally, run:

wbinfo -r 'A\U1' | grep <gid_obtained_above>
wbinfo -r 'B\U2' | grep <gid_obtained_above>

On EL4 box, second command will give the gid of the 'A\G'. On EL5 box, it won't.
The first command will give gid of 'A\G' on both EL4 and EL5 boxes.

Now, I'm not sure if this is a regression or intended behavior, but another
interesting fact is that EL4 box can see problematic groups when running 'wbinfo
-g', but EL5 box cannot.
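
The check from Comment 7 as a script, added here as an example; it is not part of the original comment or of Samba. The function names and the `WBINFO` override are assumptions. It uses only the `wbinfo -n`, `-Y` and `-r` calls shown above, and compares the gid as a whole line, because a plain `grep` also matches a gid that is a substring of another.

```shell
#!/bin/sh
# Added example: automates the membership check from Comment 7.
# WBINFO may be overridden to point at another binary (assumption).
WBINFO=${WBINFO:-wbinfo}

# Print the gid that winbind maps GROUP (e.g. 'A\G') to.
# The SID is the first word of the `wbinfo -n` output.
group_gid() {
    sid=$("$WBINFO" -n "$1" | awk 'NR == 1 { print $1 }')
    case $sid in
        S-*) "$WBINFO" -Y "$sid" ;;
        *)   printf 'cannot resolve group: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Succeed only if GID is a whole line of `wbinfo -r USER`.
# `grep GID` alone would also match 10001 inside 110001.
user_has_gid() {
    "$WBINFO" -r "$1" | grep -qxF "$2"
}

# Print "<user> present" or "<user> MISSING" for each user.
# Returns 0 if all are members, 1 if any is missing, 2 on lookup failure.
check_group() {
    group=$1; shift
    gid=$(group_gid "$group") || return 2
    rc=0
    for user in "$@"; do
        if user_has_gid "$user" "$gid"; then
            printf '%s present\n' "$user"
        else
            printf '%s MISSING\n' "$user"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_group.sh 'A\G' 'A\U1' 'B\U2'
if [ "$#" -ge 2 ]; then
    check_group "$@"
fi
```

Running it on both the EL4 and EL5 hosts and comparing the output shows which users lose the cross-domain group.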
Comment 8 Dmitri Pal 2010-04-26 10:29:14 EDT
Should be fixed in latest Samba package for quite a while.
