[Pkg-samba-maint] Bug#848935: Bug#848935: libnss-winbind: winbind authentication and wbinfo --uid-info no longer work after uprading to 4.5.2+dfsg-1

Stéphane Pgt ps67.dbg at outlook.com
Mon Jan 2 23:56:00 UTC 2017


Hi Mathieu,


Thank you for pointing me to these bugs that I hadn't found during my previous searches.

From what I've understood, the changes introduced in response to upstream bug 12155 are likely to be related to the issue.


Indeed, the configuration with which I was able to reproduce the bug contains these lines:

    idmap uid = 10000-20000
    idmap gid = 10000-20000


But the UID and GID returned by getent for the domain accounts are all greater than 100000:

administrator:*:100500:100513:Administrator:/data/administrator:/bin/false
testusr:*:101103:100513:testusr:/data/testusr:/bin/false
krbtgt:*:100502:100513:krbtgt:/data/krbtgt:/bin/false
guest:*:100501:100514:Guest:/data/guest:/bin/false


Therefore, it may cause the computed UID value to fail the boundary check that was introduced in the _wbint_Sids2UnixIDs function.


What I can't explain is that the mapping of a domain account to a local UID seems to work correctly (which is what _wbint_Sids2UnixIDs does); it is the reverse operation that fails.


I've upgraded the lab to 4.5.2+dfsg-2, which has been released to testing since, and I've noticed a very different behavior: the mapped UID and GID now fall within the range defined by the idmap uid and idmap gid directives. It seems that some change introduced in 4.5.2+dfsg-2 has solved this problem:


root@v-smb-fs:~# getent passwd
administrator:*:10000:10004:Administrator:/data/administrator:/bin/false
testusr:*:10001:10004:testusr:/data/testusr:/bin/false
krbtgt:*:10002:10004:krbtgt:/data/krbtgt:/bin/false
guest:*:10003:10005:Guest:/data/guest:/bin/false


root@v-smb-fs:~# wbinfo --user-info=testusr
testusr:*:10001:10004:testusr:/data/testusr:/bin/false

root@v-smb-fs:~# wbinfo --uid-info=10001
testusr:*:10001:10004:testusr:/data/testusr:/bin/false

Thank you for your help,


Best regards,


Stephane

________________________________
From: Mathieu Parent <math.parent at gmail.com>
Sent: Sunday, 1 January 2017 17:36
To: stephane; 848935 at bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#848935: libnss-winbind: winbind authentication and wbinfo --uid-info no longer work after uprading to 4.5.2+dfsg-1

Control: tag -1 + upstream

2016-12-21 0:25 GMT+01:00 stephane <ps67.dbg at outlook.com>:
> Package: libnss-winbind
> Version: 2:4.5.2+dfsg-1
> Severity: important
>
> Dear maintainer,

Hi,

> I'm encountering the following problem since the upgrade of the libnss-winbind, winbind and samba packages from
> 4.4.7+dfsg-1 to 4.5.2+dfsg-1: users can no longer access network shares
> on a file server joined (as a member) to a samba-ad-dc based domain.
>
> After further troubleshooting, it appears that the local UID and GID
> numbers fail to be mapped to the domain accounts.


Thanks for your complete bug report.

It's hard for me to come to a conclusion, but it looks like:
  https://bugzilla.samba.org/show_bug.cgi?id=12410
and the corresponding change:
  https://bugzilla.samba.org/show_bug.cgi?id=12155
Bug 12155 - Some idmap backends don't perform range checks for the result of sids_to_xids <https://bugzilla.samba.org/show_bug.cgi?id=12155> (last modified: 2016-12-19 18:38:28 UTC)



Regards

--
Mathieu
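As an added example (not part of the original thread and not Samba code), the mismatch described in the message can be checked from the shell: read the `idmap uid` / `idmap gid` ranges from smb.conf text, then list the passwd entries whose IDs fall outside them. The function names are hypothetical and the sample input is constructed from the values quoted in the message.

```shell
#!/bin/sh
# Added example: list passwd entries whose UID/GID fall outside the
# "idmap uid" / "idmap gid" ranges. Function names are hypothetical.

# conf_range KEY: read smb.conf text on stdin, print "LOW HIGH" for KEY.
# Status 1 if the key is missing or its value is not a valid LOW-HIGH range.
conf_range() {
    awk -F= -v key="$1" '
        { k = $1; v = $2
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]/, "", v) }
        tolower(k) == key && v ~ /^[0-9]+-[0-9]+$/ {
            split(v, r, "-")
            if (r[1] + 0 <= r[2] + 0) { lo = r[1]; hi = r[2]; found = 1 }
        }
        END { if (!found) exit 1; print lo, hi }'
}

# out_of_range "ULO UHI" "GLO GHI": read passwd-format lines on stdin, print
# "name uid|gid id" for every ID outside its range. Status 1 if any is found.
out_of_range() {
    set -- $1 $2    # word-split into: ulo uhi glo ghi
    awk -F: -v ulo="$1" -v uhi="$2" -v glo="$3" -v ghi="$4" '
        NF < 4 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { next }  # not a passwd line
        $3 + 0 < ulo + 0 || $3 + 0 > uhi + 0 { print $1, "uid", $3; bad = 1 }
        $4 + 0 < glo + 0 || $4 + 0 > ghi + 0 { print $1, "gid", $4; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample input, using the values quoted in the message.
SMB_CONF='    idmap uid = 10000-20000
    idmap gid = 10000-20000'
PASSWD_BEFORE='administrator:*:100500:100513:Administrator:/data/administrator:/bin/false
testusr:*:101103:100513:testusr:/data/testusr:/bin/false'
PASSWD_AFTER='testusr:*:10001:10004:testusr:/data/testusr:/bin/false'

# check PASSWD_TEXT: run both steps against the sample configuration.
check() {
    u=$(printf '%s\n' "$SMB_CONF" | conf_range "idmap uid") || return 2
    g=$(printf '%s\n' "$SMB_CONF" | conf_range "idmap gid") || return 2
    printf '%s\n' "$1" | out_of_range "$u" "$g"
}

check "$PASSWD_BEFORE" || echo "IDs outside the configured idmap range"
check "$PASSWD_AFTER" && echo "all IDs inside the configured idmap range"
```

On a live member server the same functions can be fed from `getent passwd` and the real smb.conf instead of the embedded samples.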