Hi, So... it turns out there are issues with winbindd getting group information, and that it may be wrong. The Samba team are currently discussing on the list about ripping some bits of winbindd out, which may include some of the group stuff. Essentially the nice benefit that seemed to be the case with winbindd - all groups being in a large flat list rather than having to work out the right LDAP lookups for nested groups etc - isn't necessarily true and not dealt with correctly. The right way seems to be to get a list of sids after an authentication, and enumerate those, which will list the groups that the user is in. It's only good after an auth when the data has been cached locally. I'm going to stare at the code and see if I can update anything, but in the mean time anyone who is using rlm_winbind for group checks just a warning it may not stay in the current state for much longer :( And it's probably best to call group lookups in post-auth when Samba has the group lists cached, rather than in authorize. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Nov 4, 2016, at 5:33 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
So... it turns out there are issues with winbindd getting group information, and that it may be wrong. The Samba team are currently discussing on the list about ripping some bits of winbindd out, which may include some of the group stuff.
:( Active Directory isn't simple. In fact, it's almost deliberately obtuse.
The right way seems to be to get a list of sids after an authentication, and enumerate those, which will list the groups that the user is in. It's only good after an auth when the data has been cached locally.
Wow.
I'm going to stare at the code and see if I can update anything, but in the mean time anyone who is using rlm_winbind for group checks just a warning it may not stay in the current state for much longer :( And it's probably best to call group lookups in post-auth when Samba has the group lists cached, rather than in authorize.
Sounds good, thanks. Alan DeKok.
Hi Surely this is the same stuff that eg 'wbinfo -g' pulls out? I believe the only issue I've seen is a segfault when the group list was very large. However, if the change is that you can only get group membership after the auth then that's okay as we use that for vlan assignment alan
On Sat, Nov 05, 2016 at 08:20:18PM +0000, Alan Buxey wrote:
Surely this is the same stuff that eg 'wbinfo -g' pulls out?
Yes... they're discussing removing that, because it can be inaccurate.
I believe the only issue I've seen is a segfault when the group list was very large.
That's probably nothing to do with Samba, and more with me trying (and failing) to be more efficient. I've got 90% of a rewrite here that should simplify things, but I'll now have to put it on hold until I can work out what's happening winbind-side.
However, if the change is that you can only get group membership after the auth then that's okay as we use that for vlan assignment
Looks like it... or that's the only time the groups are reliable. But the issue is more that it looks like the groups can only accurately be known by enumerating the list of sids returned after a successful login. Which throws the xlat into a right mess. But I need to look at it more to be sure. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan Buxey -
Alan DeKok -
Matthew Newton