[Bug 1307778] [NEW] getent group on trusty returns only local groups

Ryan Ritterson rrpublic at gmail.com
Tue Apr 15 02:08:48 UTC 2014 

Public bug reported:

On Trusty, winbind version: 2:4.1.6+dfsg-1ubuntu2 returns groups with
GID = -1 when using wbinfo -r:

user at host:~$ wbinfo -r [user]
2001
-1
-1
10000
-1
-1
100002
100001

On Saucy, winbind 2:3.6.18-1ubuntu3.2 returned only groups with valid
GIDs as defined in the active directory using the same command:

user at otherhost:~$ wbinfo -r user
2001
10000

With this configuration, getent group returns only local groups. The
same thing happens on a "groups" command run by the user at a prompt.
However, if "groups [user]" is run, it returns the defined active
directory groups, as well as a number of errors:

user at host:~$ groups user
user : localgroup1 sudo 
groups: cannot find name for group ID 4294967295 4294967295 
groups: cannot find name for group ID 4294967295 4294967295 
domain admins 
groups: cannot find name for group ID 4294967295 4294967295 
groups: cannot find name for group ID 4294967295 4294967295 
BUILTIN\users 
BUILTIN\administrators

The groups on the Trusty host with GIDs 100001 and 100002 as returned by
wbinfo -r belong to BUILTIN\administrator and BUILTIN\users respectively
(per wbinfo --gid-info=100001), neither of which have defined GIDs in
the active directory. There are several others groups within the user's
OU that also do not have GIDs, and I suspect the "-1" values belong to
those groups.

I am not sure why the BUILTIN groups get assigned a dynamic GID (as set
by the idmap config * : range = 100000-200000 line in smb.conf) when
they have no LDAP gidNumber assigned to them, while the other groups
inside our OU get assigned gid -1 when they also have no gidNumber
assigned to them.

The smb.conf file is identical between the two hosts except for the
server name string. The non-working host was upgraded from Saucy to
Trusty today. Two other hosts were also upgraded, and they show exactly
the same behavior.

This issue breaks domain-wide administrative powers, as we use visudo to
give members of the domain admins group local administrative permissions
on all machines.

Notably, getent passwd returns local and domain users, and users are
able to login with correct UIDs using domain accounts.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libnss-winbind 2:4.1.6+dfsg-1ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
Uname: Linux 3.13.0-24-generic x86_64
ApportVersion: 2.14.1-0ubuntu2
Architecture: amd64
Date: Mon Apr 14 18:50:45 2014
InstallationDate: Installed on 2014-02-13 (60 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SambaClientRegression: Yes
SourcePackage: samba
UpgradeStatus: Upgraded to trusty on 2014-04-15 (0 days ago)

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug trusty

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1307778

Title:
  getent group on trusty returns only local groups

Status in “samba” package in Ubuntu:
  New

Bug description:
  On Trusty, winbind version: 2:4.1.6+dfsg-1ubuntu2 returns groups with
  GID = -1 when using wbinfo -r:

  user at host:~$ wbinfo -r [user]
  2001
  -1
  -1
  10000
  -1
  -1
  100002
  100001

  On Saucy, winbind 2:3.6.18-1ubuntu3.2 returned only groups with valid
  GIDs as defined in the active directory using the same command:

  user at otherhost:~$ wbinfo -r user
  2001
  10000

  With this configuration, getent group returns only local groups. The
  same thing happens on a "groups" command run by the user at a prompt.
  However, if "groups [user]" is run, it returns the defined active
  directory groups, as well as a number of errors:

  user at host:~$ groups user
  user : localgroup1 sudo 
  groups: cannot find name for group ID 4294967295 4294967295 
  groups: cannot find name for group ID 4294967295 4294967295 
  domain admins 
  groups: cannot find name for group ID 4294967295 4294967295 
  groups: cannot find name for group ID 4294967295 4294967295 
  BUILTIN\users 
  BUILTIN\administrators

  The groups on the Trusty host with GIDs 100001 and 100002 as returned
  by wbinfo -r belong to BUILTIN\administrator and BUILTIN\users
  respectively (per wbinfo --gid-info=100001), neither of which have
  defined GIDs in the active directory. There are several others groups
  within the user's OU that also do not have GIDs, and I suspect the
  "-1" values belong to those groups.

  I am not sure why the BUILTIN groups get assigned a dynamic GID (as
  set by the idmap config * : range = 100000-200000 line in smb.conf)
  when they have no LDAP gidNumber assigned to them, while the other
  groups inside our OU get assigned gid -1 when they also have no
  gidNumber assigned to them.

  The smb.conf file is identical between the two hosts except for the
  server name string. The non-working host was upgraded from Saucy to
  Trusty today. Two other hosts were also upgraded, and they show
  exactly the same behavior.

  This issue breaks domain-wide administrative powers, as we use visudo
  to give members of the domain admins group local administrative
  permissions on all machines.

  Notably, getent passwd returns local and domain users, and users are
  able to login with correct UIDs using domain accounts.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: libnss-winbind 2:4.1.6+dfsg-1ubuntu2
  ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  ApportVersion: 2.14.1-0ubuntu2
  Architecture: amd64
  Date: Mon Apr 14 18:50:45 2014
  InstallationDate: Installed on 2014-02-13 (60 days ago)
  InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SambaClientRegression: Yes
  SourcePackage: samba
  UpgradeStatus: Upgraded to trusty on 2014-04-15 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1307778/+subscriptions

More information about the foundations-bugs mailing list