[Pkg-samba-maint] Bug#848935: Bug#848935: libnss-winbind: winbind authentication and wbinfo --uid-info no longer work after uprading to 4.5.2+dfsg-1
ps67.dbg at outlook.com
Mon Jan 2 23:56:00 UTC 2017
Thank you for pointing me to these bugs that I hadn't found during my previous searches.
From what I've understood, the changes introduced in response to upstream bug 12155 are likely to be related to the issue.
Indeed, the configuration with which I was able to reproduce the bug contains these lines:
idmap uid = 10000-20000
idmap gid = 10000-20000
But the UID and GID returned by getent for the domain accounts are all greater than 100000:
Therefore, it may cause the computed UID value to fail the boundary check that was introduced in the _wbint_Sids2UnixIDs function.
What I can't explain is that the mapping of a domain account to a local UID seems to work correctly (which is what _wbint_Sids2UnixIDs does); it is the reverse operation that fails.
I've upgraded the lab to 4.5.2+dfsg-2, which has since been released to testing, and I've noticed a very different behavior: the mapped UID and GID now fall within the range defined by the idmap uid and idmap gid directives. It seems that some change introduced in 4.5.2+dfsg-2 has solved this problem:
root@v-smb-fs:~# getent passwd
root@v-smb-fs:~# wbinfo --user-info=testusr
root@v-smb-fs:~# wbinfo --uid-info=10001
Thank you for your help,
From: Mathieu Parent <math.parent at gmail.com>
Sent: Sunday, 1 January 2017 17:36
To: stephane; 848935 at bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#848935: libnss-winbind: winbind authentication and wbinfo --uid-info no longer work after uprading to 4.5.2+dfsg-1
Control: tag -1 + upstream
2016-12-21 0:25 GMT+01:00 stephane <ps67.dbg at outlook.com>:
> Package: libnss-winbind
> Version: 2:4.5.2+dfsg-1
> Severity: important
> Dear maintainer,
> I'm encountering the following problem since the upgrade of the libnss-winbind, winbind and samba packages from
> 4.4.7+dfsg-1 to 4.5.2+dfsg-1: users can no longer access network shares
> on a file server joined (as a member) to a samba-ad-dc based domain.
> After further troubleshooting, it appears that the local UID and GID
> numbers fail to be mapped to the domain accounts.
Thanks for your complete bug report.
It's hard for me to come to a conclusion, but it looks like:
and the corresponding change:
Bug 12155 - Some idmap backends don't perform range checks ...<https://bugzilla.samba.org/show_bug.cgi?id=12155>
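A check for the mismatch discussed in this thread, added here as an example and not part of either message or of Samba: it reads the legacy idmap uid / idmap gid ranges from smb.conf text and lists accounts returned by getent passwd whose IDs lie outside them. Function names and sample data are constructed; treating every entry that is absent from /etc/passwd as a domain account is an assumption.

```python
import re

# Constructed sample inputs (not output from the reporter's machine).
SMB_CONF = """\
[global]
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
"""
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"
GETENT_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "testusr:*:10001:10000::/home/LAB/testusr:/bin/false\n"
    "otherusr:*:3000017:100::/home/LAB/otherusr:/bin/false\n"
)

def idmap_range(conf, directive):
    """Return (low, high) for a legacy 'idmap uid = LOW-HIGH' style line."""
    m = re.search(rf"^\s*{re.escape(directive)}\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
                  conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError(f"{directive!r} is not set")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"{directive!r} range is inverted: {low}-{high}")
    return low, high

def out_of_range_accounts(conf, getent_passwd, local_passwd):
    """List (name, uid, gid, [failed fields]) for non-local accounts."""
    uid_lo, uid_hi = idmap_range(conf, "idmap uid")
    gid_lo, gid_hi = idmap_range(conf, "idmap gid")
    # Assumption: names present in /etc/passwd are local, the rest are mapped.
    local = {l.split(":")[0] for l in local_passwd.splitlines() if l}
    findings = []
    for line in getent_passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or fields[0] in local:
            continue
        uid, gid = int(fields[2]), int(fields[3])
        failed = [name for name, value, lo, hi in
                  (("uid", uid, uid_lo, uid_hi), ("gid", gid, gid_lo, gid_hi))
                  if not lo <= value <= hi]
        if failed:
            findings.append((fields[0], uid, gid, failed))
    return findings

if __name__ == "__main__":
    for name, uid, gid, failed in out_of_range_accounts(
            SMB_CONF, GETENT_PASSWD, LOCAL_PASSWD):
        print(f"{name}: uid={uid} gid={gid} outside idmap range ({', '.join(failed)})")
```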