[Pkg-samba-maint] Bug#491686: closed by Steve Langasek <vorlon at debian.org> (Re: base: the command "groups" doesn't shows local groups using pam_winbind.so authentication module)

Steve Langasek vorlon at debian.org
Mon Jul 28 08:05:58 UTC 2008


On Thu, Jul 24, 2008 at 08:51:25AM +0200, Paolo Sala wrote:
> Steve Langasek wrote on 23/07/2008 20:08:
>> You mention a remote user in a local group; so this means you have the user
>> listed in /etc/groups?  And the command 'groups $remoteuser' shows only the
>> remote group memberships, not the local ones?

> Yes, I mean a remote user in a local group. I have found another strange
> behaviour: "groups" doesn't show local groups but "groups remoteuser"
> shows them:
>> DOMINIOCSA\psala@psala-lx2:~$ whoami
>> DOMINIOCSA\psala
>> DOMINIOCSA\psala@psala-lx2:~$ groups
>> DOMINIOCSA\paolo sala DOMINIOCSA\domain users DOMINIOCSA\gruppo per  
>> gestione faxweb DOMINIOCSA\utenti DOMINIOCSA\gruppo per gestione  
>> nethaudit DOMINIOCSA\rete_amm
>> DOMINIOCSA\psala@psala-lx2:~$ groups dominiocsa\\psala
>> DOMINIOCSA\paolo sala cdrom floppy audio video plugdev users camera  
>> powerdev vboxusers DOMINIOCSA\domain users DOMINIOCSA\gruppo per  
>> gestione faxweb DOMINIOCSA\utenti DOMINIOCSA\gruppo per gestione  
>> nethaudit DOMINIOCSA\rete_amm
> Is it normal?

This indicates a failure in the initgroups() call at the beginning of your
session, which is supposed to retrieve all of the groups from NSS and add
them to your process.

But this is an example where calling "groups $remoteuser" *does* show the
local groups.  Is there a particular test case which *reproducibly* fails to
show the groups for you?  (Not counting running the 'groups' command by
itself, since this doesn't query group membership information from NSS, it
only queries group names.)

> Furthermore, sometimes when I open a console, I get "I
> have no name!@psala-lx2:~$" instead of "DOMINIOCSA\psala@psala-lx2:~$":
> is it normal? Can it be tied to the problem above?

That means that the getpwuid() call to look up your username has failed. 
It may be related, since all of these issues point to a certain
unreliability in your NSS setup.

> Of course:
>> DOMINIOCSA\psala@psala-lx2:~$ cat /etc/nsswitch.conf | grep -v ^[\;,#]

>> passwd:         files winbind
>> group:          files winbind
>> shadow:         files

>> hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4
>> networks:       files

Please try removing 'wins' from the hosts line as a test.  I don't think it
will fix everything, but it may fix your last problem.

Also, do you have 'winbind enum groups' and 'winbind enum users' enabled in
/etc/samba/smb.conf?  From your description of the problem I suspect that
you already do, but just in case you don't, I recommend you enable the
options.

Beyond that, the symptoms look like NSS is in only *some* cases losing the
group information from the 'files' backend.  In that case, I guess this is a
glibc bug.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
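
As an added example that is not part of the original message: a small Python check that compares the group IDs the running process actually holds (what a bare `groups` reports) with a fresh NSS lookup for the same user (what `groups $user` reports), and also handles the failed getpwuid() case. The function names and the sample GIDs in the comments are constructed for illustration.

```python
import grp
import os
import pwd


def compare_groups(process_gids, nss_gids):
    """Return (missing, extra): GIDs NSS lists but the process lacks, and the reverse."""
    process, nss = set(process_gids), set(nss_gids)
    return sorted(nss - process), sorted(process - nss)


def gid_name(gid):
    """Resolve a GID to a name; fall back to the number if NSS has no entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def diagnose():
    """Compare this process's credentials with what NSS returns right now."""
    # Credentials fixed at session start by initgroups()/setgroups().
    process_gids = set(os.getgroups()) | {os.getgid()}
    try:
        entry = pwd.getpwuid(os.getuid())  # the lookup behind "I have no name!"
    except KeyError:
        return {"user": None, "missing": [], "extra": [],
                "note": "getpwuid() failed: no passwd backend knows this UID"}
    # Fresh walk over every 'group:' backend in nsswitch.conf for this user.
    nss_gids = os.getgrouplist(entry.pw_name, entry.pw_gid)
    missing, extra = compare_groups(process_gids, nss_gids)
    return {"user": entry.pw_name,
            "missing": [gid_name(g) for g in missing],  # never reached the session
            "extra": [gid_name(g) for g in extra],      # held, but NSS no longer lists
            "note": "session lacks groups NSS reports" if missing else "consistent"}


# Constructed illustration of the symptom in this thread: the session holds only
# domain GIDs (10000, 10001) while NSS also lists local ones (24, 25, 29):
#   compare_groups([10000, 10001], [10000, 10001, 24, 25, 29]) -> ([24, 25, 29], [])

if __name__ == "__main__":
    print(diagnose())
```

A non-empty "missing" list means access checks for this session run without those groups until the user logs in again with a working NSS lookup.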
