Hi Mathieu,

Thank you for pointing me to these bugs that I hadn't found during my previous searches.

From what I've understood, the changes introduced in response to upstream bug 12155 are likely to be related to the issue. Indeed, the configuration with which I was able to reproduce the bug contains those lines:

    idmap uid = 10000-20000
    idmap gid = 10000-20000

But the UID and GID returned by getent for the domain accounts are all greater than 100000:

    administrator:*:100500:100513:Administrator:/data/administrator:/bin/false
    testusr:*:101103:100513:testusr:/data/testusr:/bin/false
    krbtgt:*:100502:100513:krbtgt:/data/krbtgt:/bin/false
    guest:*:100501:100514:Guest:/data/guest:/bin/false

Therefore, it may cause the computed UID value to fail the boundary check that was introduced in the _wbint_Sids2UnixIDs function.

What I can't explain is that the mapping of a domain account to a local UID seems to work correctly (which is what _wbint_Sids2UnixIDs does), it is the reverse operation that fails.

I've upgraded the lab to 4.5.2+dfsg-2, which has been released to testing since, and I've noticed a very different behavior: the mapped UID and GID now fall within the range defined by the idmap uid and idmap gid directives.
It seems that some change introduced in 4.5.2+dfsg-2 has solved this problem:

    root@v-smb-fs:~# getent passwd
    administrator:*:10000:10004:Administrator:/data/administrator:/bin/false
    testusr:*:10001:10004:testusr:/data/testusr:/bin/false
    krbtgt:*:10002:10004:krbtgt:/data/krbtgt:/bin/false
    guest:*:10003:10005:Guest:/data/guest:/bin/false
    root@v-smb-fs:~# wbinfo --user-info=testusr
    testusr:*:10001:10004:testusr:/data/testusr:/bin/false
    root@v-smb-fs:~# wbinfo --uid-info=10001
    testusr:*:10001:10004:testusr:/data/testusr:/bin/false

Thank you for your help,

Best regards,
Stephane

________________________________
From: Mathieu Parent <math.par...@gmail.com>
Sent: Sunday, 1 January 2017 17:36
To: stephane; 848...@bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#848935: libnss-winbind: winbind authentication and wbinfo --uid-info no longer work after uprading to 4.5.2+dfsg-1

Control: tag -1 + upstream

2016-12-21 0:25 GMT+01:00 stephane <ps67....@outlook.com>:
> Package: libnss-winbind
> Version: 2:4.5.2+dfsg-1
> Severity: important
>
> Dear maintainer,

Hi,

> I'm encountering the following problem since the upgrade of the
> libnss-winbind, winbind and samba packages from
> 4.4.7+dfsg-1 to 4.5.2+dfsg-1: users can no longer access network shares
> on a file server joined (as a member) to a samba-ad-dc based domain.
>
> After further troubleshooting, it appears that the local UID and GID
> numbers fail to be mapped to the domain accounts.

Thanks for your complete bug report.

It's hard for me to come to a conclusion, but it looks like:
https://bugzilla.samba.org/show_bug.cgi?id=12410

and the corresponding change:
https://bugzilla.samba.org/show_bug.cgi?id=12155
Bug 12155 - Some idmap backends don't perform range checks for the result of sids_to_xids. Last modified: 2016-12-19 18:38:28 UTC

Regards
--
Mathieu
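
Added example, not part of the e-mail thread and not Samba code: a small diagnostic that compares the UIDs and GIDs in getent-style output with the `idmap uid` / `idmap gid` ranges, which is the mismatch described in the message above. The function names are hypothetical, the sample data is copied from the thread, and only the `idmap uid = low-high` syntax shown there is assumed.

```python
import re

# Sample input: the configuration lines and getent output quoted in the thread.
SMB_CONF = "idmap uid = 10000-20000\nidmap gid = 10000-20000\n"
GETENT_BEFORE = """\
administrator:*:100500:100513:Administrator:/data/administrator:/bin/false
testusr:*:101103:100513:testusr:/data/testusr:/bin/false
krbtgt:*:100502:100513:krbtgt:/data/krbtgt:/bin/false
guest:*:100501:100514:Guest:/data/guest:/bin/false
"""
GETENT_AFTER = """\
administrator:*:10000:10004:Administrator:/data/administrator:/bin/false
testusr:*:10001:10004:testusr:/data/testusr:/bin/false
krbtgt:*:10002:10004:krbtgt:/data/krbtgt:/bin/false
guest:*:10003:10005:Guest:/data/guest:/bin/false
"""

def parse_idmap_ranges(conf_text):
    """Return {'uid': (low, high), 'gid': (low, high)} from 'idmap uid/gid = low-high' lines."""
    ranges = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", line, re.I)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted idmap range: {line.strip()}")
            ranges[m.group(1).lower()] = (low, high)
    return ranges

def out_of_range(passwd_text, ranges):
    """Return (name, 'uid'|'gid', value) for each ID outside its configured range."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # not a passwd-format line
        for kind, value in (("uid", int(fields[2])), ("gid", int(fields[3]))):
            if kind not in ranges:
                continue
            low, high = ranges[kind]
            if not low <= value <= high:
                findings.append((fields[0], kind, value))
    return findings

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for label, text in (("4.5.2+dfsg-1", GETENT_BEFORE), ("4.5.2+dfsg-2", GETENT_AFTER)):
        print(label, out_of_range(text, ranges) or "all IDs within range")
```

Feed it only the entries that come from winbind; local accounts such as root fall outside the idmap range by design and would be reported as well.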