nss-winbind is returning -1 for supplemental groups
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| samba | Unknown | Unknown | | |
| samba (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
This is a regression in trusty.
Consider:
$ wbinfo -r jgg
1000
-1
10009
10011
10004
10003
-1
1002
-1
Results in:
$ getent initgroups jgg
jgg 4 24 27 30 46 108 124 1000 10009 10011 10004 10003 1002
$ id jgg
uid=2009(jgg) gid=1000(orc) groups=
Those 4294967295 values should not be in the group list.
The underlying issue is that some of the AD groups the user is a part of are not UNIX groups; they are just general AD groups:
$ ldapsearch uid=jgg memberOf
dn: CN=Jason Gunthorpe,
memberOf: CN=XWEB Users,CN=
memberOf: CN=VPN Users,CN=
memberOf: CN=accounting,
memberOf: CN=wsudoers,
memberOf: CN=Boards website editors,
memberOf: CN=Parts website editors,
memberOf: CN=adm,
memberOf: CN=Domain Users,CN=
memberOf: CN=Print Operators,
For instance, 'Print Operators' is not a UNIX group; it doesn't have the RFC2307 schema elements.
# Print Operators, Builtin, ads.orcorp.ca
dn: CN=Print Operators,
objectClass: top
objectClass: group
cn: Print Operators
description: Members can administer domain printers
member: CN=Jason Gunthorpe,
member: CN=Ian Crowe,CN=
distinguishedName: CN=Print Operators,
instanceType: 4
whenCreated: 20080729165935.0Z
whenChanged: 20080808163035.0Z
uSNCreated: 8209
uSNChanged: 30817
name: Print Operators
objectGUID:: SBkgyF4upEG4GO6
objectSid:: AQIAAAAAAAUgAAA
adminCount: 1
sAMAccountName: Print Operators
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,
isCriticalSyste
# wsudoers, Users, ads.orcorp.ca
dn: CN=wsudoers,
objectClass: top
objectClass: group
cn: wsudoers
description: Workstation Sudoers
member: CN=Rolf Manderscheid,
member: CN=Jason Gunthorpe,
member: CN=Ian Crowe,CN=
distinguishedName: CN=wsudoers,
instanceType: 4
whenCreated: 20080808044201.0Z
whenChanged: 20111130193544.0Z
uSNCreated: 30255
info: Members can use sudo on the workstations
uSNChanged: 2007454
name: wsudoers
objectGUID:: oYEd5AZTyESv6SH
objectSid:: AQUAAAAAAAUVAAA
sAMAccountName: wsudoers
sAMAccountType: 536870912
managedBy: CN=Jason Gunthorpe,
groupType: -2147483644
objectCategory: CN=Group,
msSFU30Name: wsudoers
msSFU30NisDomain: ads
gidNumber: 1002
Changed in samba (Ubuntu): status: Confirmed → Fix Released
Changed in samba (Ubuntu): status: Fix Released → Confirmed
Turns out this is not just a cosmetic problem; having -1 in a supplementary group list completely breaks the NFS server as well, in a very hard-to-find way.
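An added illustration, not part of the original report and not Samba's code or its fix: how the `-1` entries from `wbinfo -r` turn into 4294967295 once stored in a `gid_t`, and a filter a consumer of the group list could apply. The function names are hypothetical, the sample is constructed from the output quoted in the report, and a 32-bit unsigned `gid_t` (as on Linux) is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* (gid_t)-1 is never a real group; calls such as chown(2) use it as "leave unchanged". */
#define INVALID_GID ((gid_t)-1)

/* Hypothetical helper: parse `wbinfo -r` style text (one signed decimal per
 * line) into gid_t values, as a caller storing them in gid_t would see them. */
static size_t parse_wbinfo_gids(const char *text, gid_t *out, size_t max)
{
    size_t n = 0;
    const char *p = text;
    while (*p && n < max) {
        char *end;
        long long v = strtoll(p, &end, 10);   /* skips leading newlines */
        if (end == p) break;                  /* no further number found */
        out[n++] = (gid_t)v;                  /* -1 wraps to 4294967295 */
        p = end;
    }
    return n;
}

/* Hypothetical helper: remove unmapped entries in place, return the new count. */
static size_t drop_unmapped_gids(gid_t *gids, size_t n, size_t *dropped)
{
    size_t keep = 0;
    for (size_t i = 0; i < n; i++)
        if (gids[i] != INVALID_GID)
            gids[keep++] = gids[i];
    if (dropped) *dropped = n - keep;
    return keep;
}

/* Constructed sample: the `wbinfo -r jgg` output quoted in the report. */
static const char SAMPLE[] = "1000\n-1\n10009\n10011\n10004\n10003\n-1\n1002\n-1\n";

int main(void)
{
    gid_t gids[32];
    size_t dropped = 0;
    size_t n = parse_wbinfo_gids(SAMPLE, gids, 32);
    printf("second entry as gid_t: %lu\n", (unsigned long)gids[1]);
    n = drop_unmapped_gids(gids, n, &dropped);
    printf("%zu usable gids, %zu unmapped entries dropped\n", n, dropped);
    for (size_t i = 0; i < n; i++)
        printf("%lu\n", (unsigned long)gids[i]);
    return 0;
}
```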