[Bug 275407] New: Samba 3.0.25-0.1.60 does not enumarate domain users properly.
https://bugzilla.novell.com/show_bug.cgi?id=275407 Summary: Samba 3.0.25-0.1.60 does not enumarate domain users properly. Product: openSUSE 10.2 Version: Final Platform: i586 OS/Version: openSUSE 10.2 Status: NEW Severity: Major Priority: P5 - None Component: Basesystem AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: moby@pcsn.net QAContact: qa@suse.de Samba 3.0.25-0.1.60 does not enumerate domain users. The machine is in a Windows 2003 AD domain. Samba 3.0.23d-19.5 works fine. When upgraded to Samba 3.0.25-0.1.60, wbinfo -g, wbinfo -u, getent group work fine but getent passwd does not return any domain users. When I downgrade Samba back to 3.0.23d-19.5, then getent passwd starts returning domain users again. Please let me know which logs and config files are needed - I would have to sanitize some log files since they contain username information from the domain. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 chrubis@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team- |samba-maintainers@SuSE.de |screening@forge.provo.novell| |.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 moby@pcsn.net changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 ------- Comment #1 from moby@pcsn.net 2007-05-26 16:51 MST ------- Bug exists in Samba 3.0.25a-0.1.61 as well - wbinfo -g works, wbinfo -u works, getent group works, but getent passwd does not return any domain users. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 anschneider@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Comment #2 from anschneider@novell.com 2007-06-05 10:12 MST ------- This is not a bug it is a feature. Enumerating users and groups has been disabled in 3.0.24 by default cause it sometimes it doesn't work as expected. You can attend the discusssion at the Samba.org mailist list.
From the Samba WHATSNEW.txt
winbind enum users Changed default No winbind enum groups Changed default No You can turn these option on in the smb.conf file. Then 'getent passwd' should work again. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 moby@pcsn.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID | ------- Comment #3 from moby@pcsn.net 2007-06-06 16:32 MST ------- I do have winbind enum users and winbind enum groups set to on in smb.conf- hence getent group is working, and I am calling getent passwd's failure a bug :) User enumeration in and of itself is of no big importance to me (may be to others) - however, I cannot setfacl or chown to AD users and I believe the bug preventing me from doing that is the same that is causing getent passwd to fail despite winbind enum users being set to yes. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 ------- Comment #4 from moby@pcsn.net 2007-06-09 12:45 MST ------- Problem exists in the recently released samba-3.0.25a-8.1.63 version as well. Looking at winbindd.log, the following shows up multiple times for each domain entity: [2007/06/09 23:26:07, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728) could not lookup domain user User1 However, doing a wbinfo --name-to-sid=User1 works fine, then a wbinfo --sid-to-uid for the Sid obtained for User1 works fine as well. smb.conf contains the following entries pertaining to uid/gid <-> sid mapping: idmap domains = AD idmap config AD:backend = rid idmap config AD:base_rid = 1000 idmap config AD:range = 10000 - 20000 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 ------- Comment #5 from kwagner@zetex.com 2007-06-13 05:01 MST ------- Created an attachment (id=145892) --> (https://bugzilla.novell.com/attachment.cgi?id=145892&action=view) Log with debug level 10 while doing wbinfo -u -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 ------- Comment #6 from kwagner@zetex.com 2007-06-13 05:01 MST ------- Created an attachment (id=145893) --> (https://bugzilla.novell.com/attachment.cgi?id=145893&action=view) My smb.conf -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 ------- Comment #7 from kwagner@zetex.com 2007-06-13 05:05 MST ------- erm... OK I think I attached these files to the wrong bug. I dont know how.... sorry guys. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 anschneider@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO Info Provider| |moby@pcsn.net ------- Comment #8 from anschneider@novell.com 2007-06-13 10:32 MST ------- I've currently updated winbind form 3.0.23d to 3.0.25a. After that I wasn't able to login and getent passwd didn't return any domain users. I had to restart nscd to get it working. Please stop nscd and try. Then start nscd and try again. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 ------- Comment #9 from moby@pcsn.net 2007-06-13 13:46 MST ------- Just an FYI, in my case, stopping, starting nscd has no effect on getent passwd not working. Having verified that, I plan on keeping nscd stopped no the test box . -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 ------- Comment #10 from anschneider@novell.com 2007-06-14 16:04 MST ------- Please attach your smb.conf. I can't reproduce it here. It works just fine. krikkit:~ # cat /etc/SuSE-release openSUSE 10.2 (X86-64) VERSION = 10.2 krikkit:~ # rpm -q samba-winbind samba-winbind-3.0.25a-8.1.63 krikkit:~ # getent passwd "SBS-TEST\\anschneider" SBS-TEST\anschneider:*:10000:10000:Andreas Schneider:/home/SBS-TEST/anschneider:/bin/bash -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 moby@pcsn.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED Info Provider|moby@pcsn.net | ------- Comment #11 from moby@pcsn.net 2007-06-14 19:00 MST ------- Created an attachment (id=146421) --> (https://bugzilla.novell.com/attachment.cgi?id=146421&action=view) My smb.conf Here is my smb.conf. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 anschneider@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO Info Provider| |moby@pcsn.net ------- Comment #12 from anschneider@novell.com 2007-06-15 02:34 MST ------- I've used your config, disabled the password server and changed the domainname and netbios name. It works just fine for me. krikkit:~ # wbinfo --sequence && getent passwd "anschneider" BUILTIN : 1181895891 KRIKKIT : 1181895891 SBS-TEST : 389838 anschneider:*:10239:10000:Andreas Schneider:/home/SBS-TEST/anschneider:/bin/false As mentioned before enumerating users and groups has been disabled in 3.0.24 by default cause *sometimes it doesn't work as expected*. So wbinfo -u should do the job. Does everything else work? So can we close the bug? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 moby@pcsn.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED Info Provider|moby@pcsn.net | ------- Comment #13 from moby@pcsn.net 2007-06-15 12:14 MST ------- I do not see how this bug can be left "as is". It is not really getent passwd that I am worked up about, it is the fact that the user accounts from the domain that are not listed by getent passwd cannot be used to set ACLs, which, IMHO, is of critical use for most users of Samba. The primary use of Samba on Linux, for myself and I am sure many others, is to replace Microsoft Windows member servers in a Windows domain. I have done that with great success in many cases using Samba 3.0.23d-19.5. Using ACLs and AD domain integration, I have replaced many Windows file servers with Linux machines. Now, with this latest release of Samba, I cannot use setfacl or anything else that requires using domain accounts at the file system level (chown etc). This makes the use of Samba on Linux as a file server replacement for MS Windows impossible, and I am sure one of the primary uses of Samba, together with it's AD integration, is on file servers. Having said all that and hoping the bug will not be closed, here are some more observations. Going through the source for winbind (nsswitch/winbindd_user.c to be exact), I notice that the GID for the user's "primary" group is looked up. I re-did my tests for getent group. I was wrong in saying that getent group works fine - it does not show the built-in domain users or domain admins groups. Further, when if I go into dsa.msc (AD users and groups console) and set a group that does show up in the getent group output, then that user shows up in getent passwd. So the problem is not one of getent passwd not showing certain users - that is an effect. A more fundamental cause is certain built-in groups (I am only sure about domain admins and domain users so far - I am looking further) do not show up in getent group - and if those groups are the only, or the primary, groups for users, then those users fail to show up in getnet passwd output. Trying to track why built in group domain users does not show up in getent group, I ran the following tests: wbinfo --name-to-sid="domain users" S-1-5-21-4075376926-2798723368-2832161110-513 Domain Group (2) [root@suse-test:/var/log/samba]wbinfo --sid-to-gid=S-1-5-21-4075376926-2798723368-2832161110-513 Could not convert sid S-1-5-21-4075376926-2798723368-2832161110-513 to gid So the problem is ~why~ is wbinfo --sid-to-gid using the well known RID for a built-in group failing? That, at least IMHO, is the root cause of the problem. I am going to trawl through the logs and see if I can find out anything else. In the meantime, can you verify that the wbinfo tests above work for you using my (albeit modified for your environment) smb.conf? Many thanks for sticking with this. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407 moby@pcsn.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED ------- Comment #14 from moby@pcsn.net 2007-06-15 13:22 MST ------- Ok, I think the problem is solved. The culprit is the idmap config <domain>:base rid=1000 setting. With this in place, no RIDs less than 1000 will ever get mapped to UIDs or GIDs. This causes all the built-in default groups (including domain users) to not get mapped - that in turn causes a failure to enumerate any users that belong to these groups - and most users will belong to the domain users group. Setting idmap config <domain> base rid = 0 fixes the issue and I see no ill-effects from it. All the man pages seem to suggest that a value of 1000 for this setting is good, but that is what causes a failure to map to GIDs the SIDs of all built-in groups. I would say the suggested, example configs listed in the docs should reflect this somehow, or this will cause quite a lot of grief for people who decide to use the idmap rid module. Thanks for all your help. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=275407#c15
Andreas Schneider
https://bugzilla.novell.com/show_bug.cgi?id=275407#c16
Andreas Schneider
participants (1)
-
bugzilla_noreply@novell.com