Klinger, John (N-CSC)
2004-Jan-21 00:39 UTC
[Samba] AD Primary Group Masked by Local Primary Group
Solaris 8, Samba 3.0.1, Winbind with LDAP backend and security = ads.

This may or may not be a problem, depending on what is "expected behaviour".

We came across a user that was defined both locally and in AD. Their local primary group, call it "localgrp", was not the same as their global primary group, call it "globalgrp". One important note is that by using an LDAP browser, we can see that the user is not explicitly a Member Of globalgrp (i.e. there is no "member" entry for the user in globalgrp). The only way the user is tied to globalgrp is that it is his AD primary group.

Now, onto the Solaris side. At logon, their groups are determined through nsswitch and a call to the Solaris wrapper function nss_winbind_getgroupsbymember_solwrap. With the patch from Bug 972, this returns all local and AD groups, including both the local primary group, localgrp, and the AD primary group, globalgrp.

Other functions, like "id -a <username>", go through the getgrent cycle, and only return localgrp. This is due to the user not being an explicit group member. The getgrent cycle does not "see" a user's primary group.

Parallels exist in other systems, like NIS, when a local primary group overloads a directory's primary group. In those cases, only the local one is shown.

So, should the getgrent cycle go through users' primary groups too? The concern is that some applications will check group access by using a method that does not return the overloaded primary group.

john

------------------

The first section below is a modified debug output of an "su - user2a" execution, where both the local primary group, "localgrp", and the global primary group, "globalgrp" (10328), are returned.
[ 1277]: nss_winbind: Initialized nss_winbind group backend
[ 1277]: nss_winbind: _nss_winbind_getgroupsbymember
[ 1277]: initgroups user2a (10)
[ 1277]: initgroups gid=10000
[ 1277]: initgroups gid=10328

Below is a modified debug output of an "id -a user2a" execution, where only the local primary group, "localgrp", is returned.

[ 932]: nss_winbind: Initialized nss_winbind group backend
[ 932]: nss_winbind: _nss_winbind_setgrent_solwrap
[ 932]: setgrent
...
[ 932]: getgrent
    group.gr_name = Domain Users
    group.gr_passwd = x
    group.gr_gid = 10000
    group.gr_mem = 0x25afc (user1a) 0x25b00 (user2a)
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning group: Domain Users
...
[ 932]: getgrent
    group.gr_name = globalgrp
    group.gr_passwd = x
    group.gr_gid = 10328
    group.gr_mem = 0x25af8 (user1a) 0x25b00 (domadmin)
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning group: TBMCS
...
[ 932]: getgrent
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning error: 1.
[ 932]: nss_winbind: _nss_winbind_endgrent_solwrap
[ 932]: endgrent
[ 932]: nss_winbind: _nss_winbind_group_destr
uid=1001(user2a) gid=10(localgrp) groups=1(other)[ 932]: nss_winbind: Initialized nss_winbind group backend
[ 932]: nss_winbind: _nss_winbind_getgrgid_solwrap
[ 932]: getgrgid 10000
,2(bin),4(adm),14(sysadmin),10000(Domain Users)
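As an added illustration (not part of John's message or of the Samba/winbind code), the following C program models the two lookup paths the post contrasts over constructed sample data: a getgrent()-style scan, which only sees the local passwd primary gid plus groups whose gr_mem explicitly lists the user, and a getgroupsbymember()/initgroups()-style lookup that also honours the directory's primary group. The user, group names and gids (user2a, localgrp 10, Domain Users 10000, globalgrp 10328) are taken from the post; the in-memory tables, the has_group_via_* access checks and masked_group_count() are hypothetical helpers written for this example. It shows how an application that checks group access by scanning the group database would deny access for the AD primary group while the logon-time group list grants it, which is the concern the post raises.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_GROUPS 16

/* Constructed sample directory (hypothetical data, gids taken from the post). */
struct sample_user {
    const char *name;
    gid_t local_primary;    /* pw_gid from the local passwd entry */
    gid_t ad_primary;       /* primary group from the AD account */
};

struct sample_group {
    const char *name;
    gid_t gid;
    const char *members[4]; /* explicit gr_mem entries, NULL-terminated */
};

static const struct sample_user users[] = {
    { "user2a", 10, 10328 },
};

static const struct sample_group groups[] = {
    { "localgrp",     10,    { NULL } },
    { "Domain Users", 10000, { "user1a", "user2a", NULL } },
    { "globalgrp",    10328, { "user1a", "domadmin", NULL } },
};

#define NUSERS  (sizeof users / sizeof users[0])
#define NGROUPS (sizeof groups / sizeof groups[0])

static const struct sample_user *find_user(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

static int is_explicit_member(const struct sample_group *g, const char *name)
{
    for (int i = 0; g->members[i] != NULL; i++)
        if (strcmp(g->members[i], name) == 0)
            return 1;
    return 0;
}

/* Append gid to list unless already present; returns the new length. */
static int add_gid(gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return n;
    if (n < MAX_GROUPS)
        list[n++] = gid;
    return n;
}

int gid_in_list(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Path 1: a getgrent()-style scan. Only the passwd primary gid and groups
 * whose gr_mem names the user are visible; a primary group with no explicit
 * member entry (globalgrp here) is not. Returns -1 for an unknown user. */
int groups_via_getgrent(const char *name, gid_t *out)
{
    const struct sample_user *u = find_user(name);
    if (u == NULL)
        return -1;
    int n = add_gid(out, 0, u->local_primary);
    for (size_t i = 0; i < NGROUPS; i++)
        if (is_explicit_member(&groups[i], name))
            n = add_gid(out, n, groups[i].gid);
    return n;
}

/* Path 2: a getgroupsbymember()/initgroups()-style lookup that honours the
 * directory's primary group as well, as the patched winbind wrapper does. */
int groups_via_initgroups(const char *name, gid_t *out)
{
    const struct sample_user *u = find_user(name);
    if (u == NULL)
        return -1;
    int n = add_gid(out, 0, u->local_primary);
    n = add_gid(out, n, u->ad_primary);
    for (size_t i = 0; i < NGROUPS; i++)
        if (is_explicit_member(&groups[i], name))
            n = add_gid(out, n, groups[i].gid);
    return n;
}

/* Two ways an application might answer "is this user in gid?". */
int has_group_via_getgrent(const char *name, gid_t gid)
{
    gid_t l[MAX_GROUPS];
    int n = groups_via_getgrent(name, l);
    return n > 0 && gid_in_list(l, n, gid);
}

int has_group_via_initgroups(const char *name, gid_t gid)
{
    gid_t l[MAX_GROUPS];
    int n = groups_via_initgroups(name, l);
    return n > 0 && gid_in_list(l, n, gid);
}

/* Number of gids granted at logon that a getgrent-based check would miss. */
int masked_group_count(const char *name)
{
    gid_t a[MAX_GROUPS], b[MAX_GROUPS];
    int na = groups_via_getgrent(name, a);
    int nb = groups_via_initgroups(name, b);
    if (na < 0 || nb < 0)
        return -1;
    int m = 0;
    for (int i = 0; i < nb; i++)
        if (!gid_in_list(a, na, b[i]))
            m++;
    return m;
}

int main(void)
{
    gid_t l[MAX_GROUPS];
    int n = groups_via_initgroups("user2a", l);
    printf("user2a logon gids:");
    for (int i = 0; i < n; i++)
        printf(" %lu%s", (unsigned long)l[i],
               has_group_via_getgrent("user2a", l[i]) ? "" : "(masked)");
    printf("\nmasked groups: %d\n", masked_group_count("user2a"));
    return 0;
}
```

On a real host the same comparison can be made by running `id -a user` beside the groups listed in the winbind debug log of an `su - user`; any gid present at logon but absent from `id` is a group that gr_mem-based access checks will not honour.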