Question: winbindd & expand groups value


Question: winbindd & expand groups value

Noel Power

I am a little unsure and confused about what is the expected behaviour
with this. The man page states "This option controls the maximum depth
that winbindd will traverse when flattening nested group memberships of
Windows domain groups". However it seems that this setting also affects
how membership of normal (non nested) groups is returned. For example
with the new default

getent group AD\\groupname won't return any members at all

so is it just that the text here is confusing and/or inaccurate, or is this
behaviour expected?

Now the smb.conf man page also states "Some broken applications calculate the
group memberships of users by traversing groups, such applications will
require "winbind expand groups = 1"". No mention this time of nested
groups, implying that perhaps this setting does indeed affect non nested
groups. So, does this mean that any calls (e.g. getgrnam) that trigger
'wb_group_members_send' are doomed to fail to return anything for the
new default? This question arose from a customer query where newgrp
& sg were failing (and at least in the case of newgrp it checks if the
user running the cmd is mentioned among the members returned from 'getgrnam').

Thanks in advance for any clarification


Noel





Re: Question: winbindd & expand groups value

Samba - samba-technical mailing list
Hi Metze,

I believe you introduced the change of the default "winbind expand
groups" to 0. I'm hoping you can tell me what the expectation is when,
say, calling a function like getgrnam: should it return any group
members at all with the new default? Maybe it's just me, but I find the
man page confusing with regard to how this parameter affects
nested/non-nested groups.

thanks,
Noel

On 07/03/17 15:11, Noel Power wrote:

> I am a little unsure and confused about what is the expected behaviour
> with this. The man page states "This option controls the maximum depth
> that winbindd will traverse when flattening nested group memberships of
> Windows domain groups". However it seems that this setting also affects
> how membership of normal (non nested) groups is returned. For example
> with the new default
>
> getent group AD\\groupname won't return any members at all
>
> so is it just that the text here is confusing and/or inaccurate, or is this
> behaviour expected?
>
> Now the smb.conf man page also states "Some broken applications calculate the
> group memberships of users by traversing groups, such applications will
> require "winbind expand groups = 1"". No mention this time of nested
> groups, implying that perhaps this setting does indeed affect non nested
> groups. So, does this mean that any calls (e.g. getgrnam) that trigger
> 'wb_group_members_send' are doomed to fail to return anything for the
> new default? This question arose from a customer query where newgrp
> & sg were failing (and at least in the case of newgrp it checks if the
> user running the cmd is mentioned among the members returned from 'getgrnam').
>
> Thanks in advance for any clarification
>
>
> Noel



Re: Question: winbindd & expand groups value

Samba - samba-technical mailing list
Hi There

Any more info about this? It would be great to get some clarity; I could
propose a doc change given more of a clue about what is correct or not.

Noel


On 14/03/17 11:45, nopower at suse.com (Noel Power) wrote:

> Hi Metze,
>
> I believe you introduced the change of the default "winbind expand
> groups" to 0. I'm hoping you can tell me what the expectation is when,
> say, calling a function like getgrnam: should it return any group
> members at all with the new default? Maybe it's just me, but I find the
> man page confusing with regard to how this parameter affects
> nested/non-nested groups.
>
> thanks,
> Noel
>
> On 07/03/17 15:11, Noel Power wrote:
>> I am a little unsure and confused about what is the expected behaviour
>> with this. The man page states "This option controls the maximum depth
>> that winbindd will traverse when flattening nested group memberships of
>> Windows domain groups". However it seems that this setting also affects
>> how membership of normal (non nested) groups is returned. For example
>> with the new default
>>
>> getent group AD\\groupname won't return any members at all
>>
>> so is it just that the text here is confusing and/or inaccurate, or is this
>> behaviour expected?
>>
>> Now the smb.conf man page also states "Some broken applications calculate the
>> group memberships of users by traversing groups, such applications will
>> require "winbind expand groups = 1"". No mention this time of nested
>> groups, implying that perhaps this setting does indeed affect non nested
>> groups. So, does this mean that any calls (e.g. getgrnam) that trigger
>> 'wb_group_members_send' are doomed to fail to return anything for the
>> new default? This question arose from a customer query where newgrp
>> & sg were failing (and at least in the case of newgrp it checks if the
>> user running the cmd is mentioned among the members returned from 'getgrnam').
>>
>> Thanks in advance for any clarification
>>
>>
>> Noel



Re: Question: winbindd & expand groups value

Samba - samba-technical mailing list
Hi Noel,

> Any more info about this? It would be great to get some clarity; I could
> propose a doc change given more of a clue about what is correct or not.

Sorry for the delayed response I forgot to reply...

The default value of 0 means we don't query group memberships at all,
so we always report an empty member list.

We only do the lsa lookup names and id mapping to deliver the group
record.

Using netlogon and lsa lookup names/sids against our primary domain
are the only reliable calls available for our machine account.

Everything else like ldap or samr calls just cause problems in a lot
of situations. And the list of group members is not really needed
for most applications at all. All sane applications use
initgroups_dyn() to get the groups of a specific user, which gets
answered from the netsamlogon cache.

I hope that helps a bit.

metze


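The distinction metze draws above (asking "who is in this group" via getgrnam's member list versus asking "which groups does this user have" via the initgroups path) is easy to see in a small libc program. The following is an added example, not Samba code and not from this thread: it checks membership both ways, the way newgrp/sg do through gr_mem and the way initgroups-based applications do through getgrouplist(), which libc answers from the same NSS initgroups path that winbind's nss module serves (initgroups_dyn). It assumes a glibc/Linux getgrouplist() signature and that the user and group resolve through NSS; the sample gid list in the pure helper's test is constructed.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Check membership the way newgrp/sg do: look the group up with
 * getgrnam() and scan its gr_mem list for the user name.
 * Returns 1 if listed, 0 if not listed, -1 if the group is unknown.
 * With "winbind expand groups = 0", winbind returns an empty gr_mem for
 * every domain group, so this check answers 0 for all domain users. */
static int member_via_gr_mem(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL) {
        return -1;
    }
    for (char **m = gr->gr_mem; *m != NULL; m++) {
        if (strcmp(*m, user) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Pure helper: is gid present in a gid list? Kept separate so it can be
 * exercised with constructed data. */
static int gid_in_list(gid_t gid, const gid_t *gids, int ngids)
{
    for (int i = 0; i < ngids; i++) {
        if (gids[i] == gid) {
            return 1;
        }
    }
    return 0;
}

/* Check membership the way initgroups-based applications do: fetch the
 * user's group list with getgrouplist() (libc front end for the NSS
 * initgroups path, which winbind serves from the netsamlogon cache) and
 * look for the group's gid in it. Same return convention as above; -1 also
 * covers an unknown user. */
static int member_via_getgrouplist(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL) {
        return -1;
    }

    int ngroups = 64;
    gid_t *gids = malloc(sizeof(gid_t) * (size_t)ngroups);
    if (gids == NULL) {
        return -1;
    }
    /* glibc returns -1 and stores the required count in ngroups when the
     * buffer is too small; grow once to that size and retry. */
    if (getgrouplist(pw->pw_name, pw->pw_gid, gids, &ngroups) == -1) {
        gid_t *bigger = realloc(gids, sizeof(gid_t) * (size_t)ngroups);
        if (bigger == NULL) {
            free(gids);
            return -1;
        }
        gids = bigger;
        if (getgrouplist(pw->pw_name, pw->pw_gid, gids, &ngroups) == -1) {
            free(gids);
            return -1;
        }
    }
    int rc = gid_in_list(gr->gr_gid, gids, ngroups);
    free(gids);
    return rc;
}

/* Usage: ./grpcheck USER GROUP  (e.g. a "DOMAIN\user" and "DOMAIN\group"
 * on a winbind-joined host). Prints both answers side by side. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER GROUP\n", argv[0]);
        return 2;
    }
    printf("gr_mem says:       %d\n", member_via_gr_mem(argv[1], argv[2]));
    printf("getgrouplist says: %d\n", member_via_getgrouplist(argv[1], argv[2]));
    return 0;
}
```

On a host running winbind with the default "winbind expand groups = 0", the gr_mem check reports 0 for a domain user who is in the group, while the getgrouplist check reports 1; the second is the one an application should rely on. Even on a plain local system the two can disagree, since a user's primary group is typically not listed in that group's gr_mem.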

Re: Question: winbindd & expand groups value

Samba - samba-technical mailing list
Hi Metze,
Thanks, yes this does help :-)
Noel
On 19/07/17 19:56, Stefan Metzmacher wrote:

> Hi Noel,
>
>> Any more info about this? It would be great to get some clarity; I could
>> propose a doc change given more of a clue about what is correct or not.
> Sorry for the delayed response I forgot to reply...
>
> The default value of 0 means we don't query group memberships at all,
> so we always report an empty member list.
>
> We only do the lsa lookup names and id mapping to deliver the group
> record.
>
> Using netlogon and lsa lookup names/sids against our primary domain
> are the only reliable calls available for our machine account.
>
> Everything else like ldap or samr calls just cause problems in a lot
> of situations. And the list of group members is not really needed
> for most applications at all. All sane applications use
> initgroups_dyn() to get the groups of a specific user, which gets
> answered from the netsamlogon cache.
>
> I hope that helps a bit.
>
> metze