Jochen Schmidt
2003-Dec-02 22:11 UTC
[Samba] Problem with , in Common Name when running samba3 as ADS Member (Problem with Group-Contents)
Hi,

today we found the reason for a problem with Group-Memberships when
running Samba as an ADS Domain Member.

1. Short Summary of the Environment
===================================

= "old" Systems:
  - donald: Microsoft Windows 2000 as ADS Controller with 2 (daisy, tick) Backup Controllers
  - 800 Users mostly replicated from Microsoft Exchange
  - 65 Groups
  - fix: Samba 2.2.8 on Solaris 8 as Fileserver using only local groups
  - hurra: Samba 3.0.0 on Solaris 8 as NT4 Domain Member using winbindd

= "new" Systems:
  - foxi: Samba 3.0.0 on Solaris 8 as ADS Domain Member using winbind
  - lt-js: Samba 3.0.0 on Debian (unstable) as ADS Domain Member using winbind
  - all Samba machines have successfully joined the Domain.

2. Very curious thing
=====================

- on fix and hurra we see every group with all members.
- on foxi and lt-js we see every group but only a few members.

The behavior is completely the same when connecting to any of the three
Domain Controllers. The Group-Memberships (using foxi or lt-js) are always
the same subset of persons (always missing the same members).

We thought that the Active Directory domain had a problem since there were
some other issues. So we got a 'date' with one of our Active Directory
specialists to track down this issue. We found some non-Samba-related
issues and the solution for our Samba problem:

- If there's a "," in the Common Name of the User, Samba is not able to
  resolve the group memberships.

We found the following entries in the Samba log when resolving group
memberships using "getent group" (sure, winbindd is running).

----------------------------- debug level 99 winbindd -----------------------------
[2003/12/02 12:24:24, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn GETGRENT
[2003/12/02 12:24:24, 3] nsswitch/winbindd_group.c:winbindd_getgrent(608)
  [13241]: getgrent
[2003/12/02 12:24:24, 10] nsswitch/winbindd_group.c:winbindd_getgrent(645)
  entry_index = 0, num_entries = 0
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)
  refresh_sequence_number: TOPALISWORLD time ok
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)
  refresh_sequence_number: TOPALISWORLD seq number is now 4263604
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:centry_expired(391)
  centry_expired: Key GL/TOPALISWORLD/domain for domain TOPALISWORLD is good.
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:wcache_fetch(470)
  wcache_fetch: returning entry GL/TOPALISWORLD/domain for domain TOPALISWORLD
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:enum_dom_groups(786)
  enum_dom_groups: [Cached] - cached list for domain TOPALISWORLD status Success
[2003/12/02 12:24:24, 10] sam/idmap_util.c:idmap_sid_to_gid(179)
  sid_to_gid: sid = [S-1-5-21-525015883-470239122-8547516-513]
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)
  db_get_id_from_sid
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)
  internal_get_id_from_sid: fetching record S-1-5-21-525015883-470239122-8547516-513 of type 0x2
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
  internal_get_id_from_sid: record S-1-5-21-525015883-470239122-8547516-513 -> GID 10004
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_id_from_sid(262)
  internal_get_id_from_sid: ID_GROUPID fetching record S-1-5-21-525015883-470239122-8547516-513 -> GID 10004
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
  internal_get_sid_from_id: fetching record GID 10004
[2003/12/02 12:24:24, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
  internal_get_sid_from_id: fetching record GID 10004 -> S-1-5-21-525015883-470239122-8547516-513
[2003/12/02 12:24:24, 10] sam/idmap_util.c:idmap_sid_to_gid(187)
  idmap_sid_to_gid: gid = [10004]
[2003/12/02 12:24:24, 10] nsswitch/winbindd_group.c:winbindd_getgrent(695)
  got gid 10004 for group 201
[2003/12/02 12:24:24, 10] nsswitch/winbindd_group.c:fill_grent_mem(103)
  group SID S-1-5-21-525015883-470239122-8547516-513
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)
  refresh_sequence_number: TOPALISWORLD time ok
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)
  refresh_sequence_number: TOPALISWORLD seq number is now 4263604
[2003/12/02 12:24:24, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1236)
  lookup_groupmem: [Cached] - doing backend query for info for domain TOPALISWORLD
[2003/12/02 12:24:24, 10] nsswitch/winbindd_ads.c:lookup_groupmem(697)
  ads: lookup_groupmem TOPALISWORLD sid=S-1-5-21-525015883-470239122-8547516-513
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\4B\1B\4B\1F\92\47\07\1C\BC\6C\82\00\01\02\00\00) gave 1 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=FIBU HSt,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 1 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Steinle Solution Factory,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 1 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[...]
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Waldherr\, Bernhard,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 0 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Damaschke\, Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 0 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[...]
----------------------------- debug level 99 winbindd -----------------------------

As you can see in the last few lines,
"CN=Damaschke\, Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de"
gives 0 replies from the LDAP server. The syntax of this entry is LDAP v3
compliant (ftp://ftp.rfc-editor.org/in-notes/rfc2253.txt - Section 2.4).

- If you use ldapsearch from the OpenLDAP packages you get an
  "ldap_search_ext: Bad search filter (87)"
- If you remove the backslash (which escapes the ,) the ldapsearch will succeed

3. Reproduce
============

 0. Memorize your group memberships (using "getent group" or similar things)
 1. Open your "Active Directory Users and Computers"
 2. Select one user.
 3. Left click on the selected user to get a cursor within the name
 4. Insert a comma into the name
 5. A window "Rename User" will pop up
 6. The "Common Name" (not the "Display Name") has a comma
 7. Click "OK"
 8. Only to be sure: restart winbind (or flush cache or whatever)
 9. Get the group memberships ("getent group")
10. Make a diff between the results of 0. and 9.
11. Oops

4. Future
=========

We currently think this is an OpenLDAP issue. We will track down this issue
and find a suitable solution for this problem.

5. Comments, Flamewars, ....
============================

are always welcome

Greetings
Jochen

--
--------------------------------------------------------------------
Jochen Schmidt                       jochen.schmidt@millenux.com
Mi||enux GmbH                        mobile: +49.175.5752483
Lilienthalstraße 2                   phone:  +49.711.88770.300
70825 Stuttgart-Korntal              fax:    +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5
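The log above shows two grammars colliding. RFC 2253 writes a comma inside a DN component as "\," but RFC 2254 (search filters) only allows a backslash in an assertion value as "\" followed by exactly two hex digits, which is why OpenLDAP's ldapsearch answers "Bad search filter (87)" when the DN string is pasted into "(distinguishedName=...)" unchanged. The objectSid search in the same log already uses the correct "\XX" form for raw bytes. The Python below is an added example, not code from Jochen's post and not Samba's own fix; the function names are mine, BAD_FILTER is reconstructed from the logged search, and the DN is the one from the log. It flags the invalid escape that produces result code 87, builds the filter value correctly (the RFC 2253 backslash becomes "\5C", which a DN-syntax match decodes back to "\," on the server), and also escapes "*", "(", ")" and NUL, which matter whenever a filter is assembled from names that users can set themselves, as the Rename User steps above show they can.

```python
import re

# Sample strings: the DN is copied from the winbindd log above; the filter is
# reconstructed from the "Search for (...)" line that gave 0 replies.
DN_WITH_COMMA = r"CN=Damaschke\, Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de"
BAD_FILTER = "(distinguishedName=" + DN_WITH_COMMA + ")"

# RFC 2254 section 4: inside a filter assertion value a backslash is legal only
# as "\" followed by exactly two hex digits ("\2C", "\5C", ...). "\," is not.
_BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def find_bad_filter_escapes(filter_str):
    """Return the offsets of every backslash that is not a valid RFC 2254 escape.

    A non-empty result is what makes a server reject the filter with
    'Bad search filter' (LDAP result code 87, filterError).
    """
    return [m.start() for m in _BAD_ESCAPE.finditer(filter_str)]


def escape_filter_value(value):
    """Escape an assertion value for use inside a filter (RFC 2254 section 4).

    Backslash, '*', '(', ')' and NUL would otherwise change the meaning of the
    filter, so each becomes "\\XX". A DN escaped per RFC 2253 contains
    backslashes, which is exactly the case that broke in the log above.
    """
    special = {"\\", "*", "(", ")", "\x00"}
    return "".join("\\%02X" % ord(ch) if ch in special else ch for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value; rejects values that are not valid filter syntax."""
    bad = find_bad_filter_escapes(value)
    if bad:
        raise ValueError("invalid escape at offset %d" % bad[0])
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def equality_filter(attr, value):
    """Build '(attr=value)' with the assertion value properly escaped."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


def main():
    print("bad filter :", BAD_FILTER)
    print("bad escapes:", find_bad_filter_escapes(BAD_FILTER))   # one hit, at the "\,"
    good = equality_filter("distinguishedName", DN_WITH_COMMA)
    print("good filter:", good)
    print("bad escapes:", find_bad_filter_escapes(good))         # none
    # Round trip: after the server decodes "\5C" it compares against the
    # original RFC 2253 DN, backslash-comma included.
    assert unescape_filter_value(good[len("(distinguishedName="):-1]) == DN_WITH_COMMA


if __name__ == "__main__":
    main()
```

Running it prints the filter from the log with the offset of its invalid "\," escape, then the corrected filter "(distinguishedName=CN=Damaschke\5C, Klaus,OU=Benutzer,...)" with no bad escapes. The same escape_filter_value() is what any code path that builds filters from directory data (DNs, sAMAccountNames, display names) should run the value through, since the reproduce steps above show that an ordinary rename is enough to put filter metacharacters into a CN.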
Guenther Deschner
2003-Dec-02 22:26 UTC
[Samba] Problem with , in Common Name when running samba3 as ADS Member (Problem with Group-Contents)
Hi,

this has been fixed after the 3.0.0 release.
See https://bugzilla.samba.org/show_bug.cgi?id=592 for the patch.

On Tue, Dec 02, 2003 at 11:11:15PM +0100, Jochen Schmidt wrote:
...
> - If there's a "," in the Common Name of the User, samba is not able to
>   resolve the groups-Memberships.

bye,
guenther

--
Guenther Deschner                    gd@suse.de
SuSE Linux AG                        GnuPG: 8EE11688
Berliner Str. 27                     phone: +49 (0) 30 / 430944778
D-13507 Berlin                       fax:   +49 (0) 30 / 43732804
Gerald (Jerry) Carter
2003-Dec-04 16:47 UTC
[Samba] Problem with , in Common Name when running samba3 as ADS Member (Problem with Group-Contents)
Jochen Schmidt wrote:
| Hi,
|
| today we found the reason for a problem with Group-Memberships when
| running Samba as an ADS Domain Member.
....
|
| As you can see at the last few lines "CN=Damaschke\,
| Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de"
| gives 0 replies from the ldap Server. The Syntax of this
| entry is LDAP v3 compliant (rfc2253.txt - Section 2.4).

There were some LDAP escape fixes post 3.0.0. You might want to try 3.0.1pre3.

--
ciao, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "If we're adding to the noise, turn off this song" --Switchfoot (2003)