[Pkg-samba-maint] Bug#848935: Bug#848935: libnss-winbind: winbind authentication and wbinfo --uid-info no longer work after upgrading to 4.5.2+dfsg-1

Stéphane Pgt ps67.dbg at outlook.com
Mon Jan 2 23:56:00 UTC 2017

Hi Mathieu,

Thank you for pointing me to these bugs that I hadn't found during my previous searches.

From what I've understood, the changes introduced in response to upstream bug 12155 are likely to be related to the issue.

Indeed, the configuration with which I was able to reproduce the bug contains these lines:

    idmap uid = 10000-20000
    idmap gid = 10000-20000

But the UID and GID returned by getent for the domain accounts are all greater than 100000:


Therefore, it may cause the computed UID value to fail the boundary check that was introduced in the _wbint_Sids2UnixIDs function.

What I can't explain is that the mapping of a domain account to a local UID seems to work correctly (which is what _wbint_Sids2UnixIDs does); it is the reverse operation that fails.

I've upgraded the lab to 4.5.2+dfsg-2, which has been released to testing since, and I've noticed a very different behavior: the mapped UID and GID now fall within the range defined by the idmap uid and idmap gid directives. It seems that some change introduced in 4.5.2+dfsg-2 has solved this problem:

root@v-smb-fs:~# getent passwd


root@v-smb-fs:~# wbinfo --user-info=testusr

root@v-smb-fs:~# wbinfo --uid-info=10001

Thank you for your help,

Best regards,


From: Mathieu Parent <math.parent at gmail.com>
Sent: Sunday, 1 January 2017 17:36
To: stephane; 848935 at bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#848935: libnss-winbind: winbind authentication and wbinfo --uid-info no longer work after upgrading to 4.5.2+dfsg-1

Control: tag -1 + upstream

2016-12-21 0:25 GMT+01:00 stephane <ps67.dbg at outlook.com>:
> Package: libnss-winbind
> Version: 2:4.5.2+dfsg-1
> Severity: important
> Dear maintainer,


> I'm encountering the following problem since the upgrade of the libnss-winbind, winbind and samba packages from
> 4.4.7+dfsg-1 to 4.5.2+dfsg-1: users can no longer access network shares
> on a file server joined (as a member) to a samba-ad-dc based domain.
> After further troubleshooting, it appears that the local UID and GID
> numbers fail to be mapped to the domain accounts.

Thanks for your complete bug report.

It's hard for me to come to a conclusion, but it looks like:
and the corresponding change:
Bug 12155 - Some idmap backends don't perform range checks for the result of sids_to_xids <https://bugzilla.samba.org/show_bug.cgi?id=12155> (last modified: 2016-12-19 18:38:28 UTC)

