[Bug 1307778] Re: getent group on trusty returns only local groups

Ezra Van Everbroeck ezra at ucsd.edu
Wed Apr 30 22:08:13 UTC 2014


Just to add a few data points, we've been running Winbind for years to
use accounts from our university's domain. We don't have Domain Admin
access though so a lot of accounts belong to AD groups out of our
control and that we can't assign GIDs to. This has never been an issue
because Winbind would not report membership in such groups to Linux.
Compare the output of Ubuntu 12.04 and 14.04 for the same account:

  ### 12.04 + winbind 2:3.6.3-2ubuntu2.10
  truffle:~$ groups mhatrak
  mhatrak : domain users ling-mayberrylab BUILTIN\users
  
  truffle:~$ id mhatrak
  uid=100051358(mhatrak) gid=513(domain users) groups=513(domain users),1310022(ling-mayberrylab),287(BUILTIN\users)
  
  
  ### 14.04 + winbind 2:4.1.6+dfsg-1ubuntu2
  enoki:~$groups mhatrak
  mhatrak : domain users groups: cannot find name for group ID 4294967295
  4294967295 groups: cannot find name for group ID 4294967295
  4294967295 ling-mayberrylab libuuid
  
  enoki:~$id mhatrak
  uid=100051358(mhatrak) gid=513(domain users) groups=513(domain users),4294967295,4294967295,1310022(ling-mayberrylab),101(libuuid)


The new behavior breaks sudo because it can't verify all the groups. It may be that this is the only program affected but I haven't done any exhaustive testing.

  enoki:~$sudo bash
  sudo: unable to set runas group vector: Invalid argument


Interestingly, SSSD works better now. It also reports an error but at least sudo is still functional.

  ### 14.04 + sssd 1.11.5-1ubuntu3
  porcini:~$ groups mhatrak
  mhatrak : groups: cannot find name for group ID 1000002
  1000002 ling-mayberrylab domain users
  
  porcini:~$ id mhatrak
  uid=100051358(mhatrak) gid=1000002 groups=1000002,1310022(ling-mayberrylab),513(domain users)
  
  porcini:~$ sudo bash
  porcini:~#

It seems to me the old Winbind behavior is desirable. There's little
point in telling the OS about group membership for groups that are not
going to work due to their lack of a GID. It should be easy to filter
them out automatically or at least provide an option to do so.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1307778

Title:
  getent group on trusty returns only local groups

Status in “samba” package in Ubuntu:
  Confirmed

Bug description:
  On Trusty, winbind version: 2:4.1.6+dfsg-1ubuntu2 returns groups with
  GID = -1 when using wbinfo -r:

  user at host:~$ wbinfo -r user
  2001
  -1
  -1
  10000
  -1
  -1
  100002
  100001

  On Saucy, winbind 2:3.6.18-1ubuntu3.2 returned only groups with valid
  GIDs as defined in the active directory using the same command:

  user at otherhost:~$ wbinfo -r user
  2001
  10000

  With this configuration on a Trusty host, "getent group" returns only
  local groups (it does not even enumerate the active directory groups
  with GIDs 2001 & 10000). The same thing happens on a "groups" command
  run by the user at a prompt. However, if "groups [user]" is run, it
  returns the defined active directory groups, as well as a number of
  errors (line breaks added to output for readability):

  user at host:~$ groups
  localgroup1 sudo

  user at host:~$ groups user
  user : localgroup1 sudo
  groups: cannot find name for group ID 4294967295 4294967295
  groups: cannot find name for group ID 4294967295 4294967295
  domain admins
  groups: cannot find name for group ID 4294967295 4294967295
  groups: cannot find name for group ID 4294967295 4294967295
  BUILTIN\users
  BUILTIN\administrators

  The groups on the Trusty host with GIDs 100001 and 100002 as returned
  by "wbinfo -r" belong to BUILTIN\administrator and BUILTIN\users
  respectively (per wbinfo --gid-info=100001), neither of which has a
  defined GID in the active directory. There are several other groups
  within the user's OU that also do not have GIDs, and I suspect the
  "-1" values belong to those groups.

  I am not sure why the BUILTIN groups get assigned a dynamic GID (as
  set by the idmap config * : range = 100000-300000 line in smb.conf)
  when they have no LDAP gidNumber assigned to them, while the other
  groups inside our OU get assigned gid -1 when they also have no
  gidNumber assigned to them.

  The smb.conf file is identical between the two hosts except for the
  server name string. The non-working host was upgraded from Saucy to
  Trusty today. Two other hosts were also upgraded, and they show
  exactly the same behavior.

  This issue breaks domain-wide administrative powers, as we use visudo
  to give members of the domain admins group local administrative
  permissions on all machines. "sudo" commands run on the Trusty host by
  a domain admin member not also in the local sudo group fail, declaring
  the user is not one of the sudoers.

  Notably, "getent passwd" returns all local and domain users, and
  domain users remain able to login with correct UIDs using domain
  accounts.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: libnss-winbind 2:4.1.6+dfsg-1ubuntu2
  ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  ApportVersion: 2.14.1-0ubuntu2
  Architecture: amd64
  Date: Mon Apr 14 18:50:45 2014
  InstallationDate: Installed on 2014-02-13 (60 days ago)
  InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SambaClientRegression: Yes
  SourcePackage: samba
  UpgradeStatus: Upgraded to trusty on 2014-04-15 (0 days ago)
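A check for the condition both messages describe, added here as an example and not taken from the bug report, Samba or Ubuntu: it parses id(1) output like the lines quoted above and flags the group entries sudo could not install, namely the (gid_t)-1 sentinel 4294967295 that winbind 4.1 emits for groups without a GID mapping, and any GID that NSS printed without a name. The three sample lines are the ones quoted in this thread; the function names and the live-host helper built on os.getgrouplist are my own.

```python
import grp
import os
import pwd
import re

# (gid_t)-1 printed as an unsigned 32-bit number, as seen in the id output
# quoted in this thread: winbind's "no mapping" sentinel for a group.
GID_UNMAPPED = 2**32 - 1

# id(1) output lines as quoted in the bug thread (not constructed).
ID_12_04_WINBIND = ("uid=100051358(mhatrak) gid=513(domain users) "
                    "groups=513(domain users),1310022(ling-mayberrylab),287(BUILTIN\\users)")
ID_14_04_WINBIND = ("uid=100051358(mhatrak) gid=513(domain users) "
                    "groups=513(domain users),4294967295,4294967295,"
                    "1310022(ling-mayberrylab),101(libuuid)")
ID_14_04_SSSD = ("uid=100051358(mhatrak) gid=1000002 "
                 "groups=1000002,1310022(ling-mayberrylab),513(domain users)")

# One entry of the groups= field: "513(domain users)" or a bare "4294967295".
_GROUP_ENTRY = re.compile(r'^(\d+)(?:\((.*)\))?$')


def parse_id_groups(id_line):
    """Return [(gid, name_or_None), ...] from the groups= field of one id(1) line.

    Group names may contain spaces and backslashes (BUILTIN\\users); a name
    containing a comma is not handled, since id(1) itself separates on commas.
    """
    m = re.search(r'groups=(.*)$', id_line.strip())
    if not m:
        return []
    entries = []
    for raw in m.group(1).split(','):
        em = _GROUP_ENTRY.match(raw.strip())
        if not em:
            raise ValueError('unparseable group entry: %r' % raw)
        entries.append((int(em.group(1)), em.group(2)))
    return entries


def find_unmappable(entries):
    """Return (gid, reason) for each entry that would break sudo or NSS lookups.

    The -1 sentinel is the one that makes setgroups() fail with EINVAL (the
    "unable to set runas group vector" error quoted above); a numeric GID
    with no name only produces "cannot find name for group ID" warnings.
    """
    bad = []
    for gid, name in entries:
        if gid in (GID_UNMAPPED, -1):
            bad.append((GID_UNMAPPED, 'gid_t -1: winbind has no GID mapping'))
        elif name is None:
            bad.append((gid, 'no group name resolvable via NSS'))
    return bad


def check_live_user(username):
    """Same check against this host's NSS (winbind, sssd, files, ...).

    Python reports a (gid_t)-1 entry from getgrouplist() as -1, which
    find_unmappable() accepts alongside the 4294967295 form.
    """
    pw = pwd.getpwnam(username)
    entries = []
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            name = grp.getgrgid(gid).gr_name
        except KeyError:
            name = None
        entries.append((gid, name))
    return find_unmappable(entries)


if __name__ == '__main__':
    for label, line in (('12.04 winbind', ID_12_04_WINBIND),
                        ('14.04 winbind', ID_14_04_WINBIND),
                        ('14.04 sssd', ID_14_04_SSSD)):
        print(label, find_unmappable(parse_id_groups(line)))
```

Run against the three quoted lines, the 12.04 winbind output comes back clean, the 14.04 winbind output reports two (gid_t)-1 entries, and the 14.04 sssd output reports only an unnamed GID 1000002, which matches the observation that sudo still works under sssd while groups(1) complains. check_live_user("someuser") performs the same test on a real host before anyone depends on sudo there.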
