** Description changed: On Trusty, winbind version: 2:4.1.6+dfsg-1ubuntu2 returns groups with GID = -1 when using wbinfo -r: - user@host:~$ wbinfo -r [user] + user@host:~$ wbinfo -r user 2001 -1 -1 10000 -1 -1 100002 100001 On Saucy, winbind 2:3.6.18-1ubuntu3.2 returned only groups with valid GIDs as defined in the active directory using the same command: user@otherhost:~$ wbinfo -r user 2001 10000 - With this configuration, getent group returns only local groups. The - same thing happens on a "groups" command run by the user at a prompt. - However, if "groups [user]" is run, it returns the defined active - directory groups, as well as a number of errors: + With this configuration on a Trusty host, "getent group" returns only + local groups (it does not even enumerate the active directory groups + with GIDs 2001 & 10000): The same thing happens on a "groups" command + run by the user at a prompt. However, if "groups [user]" is run, it + returns the defined active directory groups, as well as a number of + errors (line breaks added to output for readability): + + user@host:~$ groups + localgroup1 sudo user@host:~$ groups user - user : localgroup1 sudo - groups: cannot find name for group ID 4294967295 4294967295 - groups: cannot find name for group ID 4294967295 4294967295 - domain admins - groups: cannot find name for group ID 4294967295 4294967295 - groups: cannot find name for group ID 4294967295 4294967295 - BUILTIN\users + user : localgroup1 sudo + groups: cannot find name for group ID 4294967295 4294967295 + groups: cannot find name for group ID 4294967295 4294967295 + domain admins + groups: cannot find name for group ID 4294967295 4294967295 + groups: cannot find name for group ID 4294967295 4294967295 + BUILTIN\users BUILTIN\administrators The groups on the Trusty host with GIDs 100001 and 100002 as returned by - wbinfo -r belong to BUILTIN\administrator and BUILTIN\users respectively - (per wbinfo --gid-info=100001), neither of which have defined GIDs in - 
the active directory. There are several others groups within the user's - OU that also do not have GIDs, and I suspect the "-1" values belong to - those groups. + "wbinfo -r" belong to BUILTIN\administrator and BUILTIN\users + respectively (per wbinfo --gid-info=100001), neither of which have + defined GIDs in the active directory. There are several others groups + within the user's OU that also do not have GIDs, and I suspect the "-1" + values belong to those groups. I am not sure why the BUILTIN groups get assigned a dynamic GID (as set - by the idmap config * : range = 100000-200000 line in smb.conf) when + by the idmap config * : range = 100000-300000 line in smb.conf) when they have no LDAP gidNumber assigned to them, while the other groups inside our OU get assigned gid -1 when they also have no gidNumber assigned to them. The smb.conf file is identical between the two hosts except for the server name string. The non-working host was upgraded from Saucy to Trusty today. Two other hosts were also upgraded, and they show exactly the same behavior. This issue breaks domain-wide administrative powers, as we use visudo to give members of the domain admins group local administrative permissions - on all machines. + on all machines. "sudo" commands run on the Trusty host by a domain + admin member not also in the local sudo group fail, declaring the user + is not one of the sudoers - Notably, getent passwd returns local and domain users, and users are - able to login with correct UIDs using domain accounts. + Notably, "getent passwd" returns all local and domain users, and domain + users remain able to login with correct UIDs using domain accounts. 
ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: libnss-winbind 2:4.1.6+dfsg-1ubuntu2 ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9 Uname: Linux 3.13.0-24-generic x86_64 ApportVersion: 2.14.1-0ubuntu2 Architecture: amd64 Date: Mon Apr 14 18:50:45 2014 InstallationDate: Installed on 2014-02-13 (60 days ago) InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1) ProcEnviron: - TERM=xterm-256color - PATH=(custom, no user) - XDG_RUNTIME_DIR=<set> - LANG=en_US.UTF-8 - SHELL=/bin/bash + TERM=xterm-256color + PATH=(custom, no user) + XDG_RUNTIME_DIR=<set> + LANG=en_US.UTF-8 + SHELL=/bin/bash SambaClientRegression: Yes SourcePackage: samba UpgradeStatus: Upgraded to trusty on 2014-04-15 (0 days ago)
** Description changed: On Trusty, winbind version: 2:4.1.6+dfsg-1ubuntu2 returns groups with GID = -1 when using wbinfo -r: user@host:~$ wbinfo -r user 2001 -1 -1 10000 -1 -1 100002 100001 On Saucy, winbind 2:3.6.18-1ubuntu3.2 returned only groups with valid GIDs as defined in the active directory using the same command: user@otherhost:~$ wbinfo -r user 2001 10000 With this configuration on a Trusty host, "getent group" returns only local groups (it does not even enumerate the active directory groups - with GIDs 2001 & 10000): The same thing happens on a "groups" command + with GIDs 2001 & 10000). The same thing happens on a "groups" command run by the user at a prompt. However, if "groups [user]" is run, it returns the defined active directory groups, as well as a number of errors (line breaks added to output for readability): user@host:~$ groups localgroup1 sudo user@host:~$ groups user user : localgroup1 sudo groups: cannot find name for group ID 4294967295 4294967295 groups: cannot find name for group ID 4294967295 4294967295 domain admins groups: cannot find name for group ID 4294967295 4294967295 groups: cannot find name for group ID 4294967295 4294967295 BUILTIN\users BUILTIN\administrators The groups on the Trusty host with GIDs 100001 and 100002 as returned by "wbinfo -r" belong to BUILTIN\administrator and BUILTIN\users respectively (per wbinfo --gid-info=100001), neither of which have defined GIDs in the active directory. There are several others groups within the user's OU that also do not have GIDs, and I suspect the "-1" values belong to those groups. I am not sure why the BUILTIN groups get assigned a dynamic GID (as set by the idmap config * : range = 100000-300000 line in smb.conf) when they have no LDAP gidNumber assigned to them, while the other groups inside our OU get assigned gid -1 when they also have no gidNumber assigned to them. The smb.conf file is identical between the two hosts except for the server name string. 
The non-working host was upgraded from Saucy to Trusty today. Two other hosts were also upgraded, and they show exactly the same behavior. This issue breaks domain-wide administrative powers, as we use visudo to give members of the domain admins group local administrative permissions on all machines. "sudo" commands run on the Trusty host by a domain admin member not also in the local sudo group fail, declaring the user is not one of the sudoers Notably, "getent passwd" returns all local and domain users, and domain users remain able to login with correct UIDs using domain accounts. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: libnss-winbind 2:4.1.6+dfsg-1ubuntu2 ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9 Uname: Linux 3.13.0-24-generic x86_64 ApportVersion: 2.14.1-0ubuntu2 Architecture: amd64 Date: Mon Apr 14 18:50:45 2014 InstallationDate: Installed on 2014-02-13 (60 days ago) InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1) ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash SambaClientRegression: Yes SourcePackage: samba UpgradeStatus: Upgraded to trusty on 2014-04-15 (0 days ago)
https://bugs.launchpad.net/bugs/1307778 Title: getent group on trusty returns only local groups
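
A check for the symptom described in the report, as an added example that is not part of the original bug report: it classifies the GIDs printed by `wbinfo -r` and flags the unmapped ones, since 4294967295 in the `groups` errors is -1 read as an unsigned 32-bit `gid_t`. The function names are hypothetical, and the dynamic range is assumed to be the `idmap config * : range = 100000-300000` value quoted in the report.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): flag unmapped GIDs in `wbinfo -r` output.
# Function names are hypothetical; the range is the report's
# "idmap config * : range = 100000-300000" setting.
IDMAP_LOW=100000
IDMAP_HIGH=300000

# classify_gids: read whitespace-separated GIDs on stdin, print "<gid> <class>".
#   unmapped  : -1, or 4294967295 (the same value seen as an unsigned 32-bit gid_t)
#   dynamic   : allocated by winbind from the idmap range
#   directory : any other numeric GID, e.g. a gidNumber set in the directory
classify_gids() {
    awk -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" '{
        for (i = 1; i <= NF; i++) {
            g = $i
            if (g == "-1" || g == "4294967295") c = "unmapped"
            else if (g !~ /^[0-9]+$/)            c = "invalid"
            else if (g + 0 >= lo && g + 0 <= hi) c = "dynamic"
            else                                 c = "directory"
            print g, c
        }
    }'
}

# count_class CLASS: count the GIDs on stdin that fall into CLASS.
count_class() {
    classify_gids | awk -v c="$1" '$2 == c { n++ } END { print n + 0 }'
}

# has_unmapped: succeed (exit 0) when at least one GID on stdin is unmapped.
has_unmapped() {
    [ "$(count_class unmapped)" -gt 0 ]
}

# GIDs copied from the Trusty `wbinfo -r user` output quoted in the report.
SAMPLE="2001 -1 -1 10000 -1 -1 100002 100001"

printf '%s\n' "$SAMPLE" | classify_gids
if printf '%s\n' "$SAMPLE" | has_unmapped; then
    echo "WARNING: unmapped GIDs present; group-based sudoers rules may not match" >&2
fi
```

On a live host the same functions can read from `wbinfo -r user` instead of the embedded sample.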