os/user: TestGroupIds fails on windows 10

[tobiaskohlbau]

What version of Go are you using (go version)?

TIP

Does this issue reproduce with the latest release?

No

What operating system and processor architecture are you using (go env)?

set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\TobiasKohlbau\AppData\Local\go-build
set GOEXE=.exe
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:
set GORACE=
set GOROOT=C:\Go
set GOTMPDIR=
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=0
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\TOBIAS~1\AppData\Local\Temp\go-build684014806=/tmp/go-build -gno-record-gcc-switches

What did you do?

Build latest master from source.

What did you expect to see?

Test succeed.

What did you see instead?

--- FAIL: TestGroupIds (0.01s)
    user_test.go:155: &{Uid:${UID} Gid:${GID} Username:AzureAD\TobiasKohlbau Name:TobiasKohlbau HomeDir:C:\Users\TobiasKohlbau }.GroupIds(): The user name could not be found.
FAIL
FAIL    os/user 3.625s

[tklauser]

/cc @alexbrainman @bradfitz

@gopherbot, please add labels needsinvestigation os-windows

[agnivade]

You need to add a comma I believe. Trying again.

@gopherbot add labels needsinvestigation, os-windows

[ianlancetaylor]

Is anybody else seeing this problem on Windows 10?

The test is new in 1.11; we may need to simply disable it on Windows for now.

[alexbrainman]

@tobiaskohlbau thank you very much for reporting the failure.

... The user name could not be found.

Unfortunately this error message is not very helpful here. Maybe you can see where exactly it fails for you? You could add debugging lines with fmt.Printf to lookup_windows.go file and run test with do test -run=TestGroupIds os/user to see where it takes you. Thank you.

Is anybody else seeing this problem on Windows 10?

I do not see this problem on my computer.

The test is new in 1.11; we may need to simply disable it on Windows for now.

We can disable the test. But would be nice to understand what the problem is.

/cc @neolit123 just in case

Alex

[tobiaskohlbau]

I've digged a little bit into this. Looks like it has something to do with my machine being within a AzureAD. I've verified this by using my private machine which uses a Microsoft account and everything works like a charm. My coworker pointed out that azure active directory had caused troubles with other tools before.

I will have a more advanced look and try to find and fix the issue by myself. Looks like a perfect situation do contribute back to the go project.

[neolit123]

AzureAD was definitely not tested when the feature was developed as i didn't have the infrastructure for that.

please, provide output of what @alexbrainman suggested via some some Printf() calls, then do this:
go test -v -run=TestGroupIds os/user
and share in this thread for me to have a look.

thanks.

[tobiaskohlbau]

=== RUN   TestGroupIds
sid: &{}
username: TobiasKohlbau
domain: AzureAD
joined: false
query: TobiasKohlbau
NEtUserGetLocalGroups error: The user name could not be found.

As far as I found out my AzureAD account isn't registered as a local user account. It's not listed within Local Users and Groups (lusrmgr.msc) whereas my Microsoft account on the private computer is listed there. Therefore the syscall NetUserGetLocalGroups fails to lookup the groups for the user which isn't available for it and returns "The user name could not be found.". For me it sounds right that an AzureAD account isn't listed within local users as it's shared. I'm not ware if the intended behavior for listGroups is to not work with non local accounts.

If you're able to elaborate this more I'm happy to help and contribute further.

Edit:

I've created a local Test account and when I hardcore it's name into the code everything works like expected.

[neolit123]

@tobiaskohlbau

thank you, thinking of possible solutions here.

[neolit123]

@tobiaskohlbau

username: TobiasKohlbau
domain: AzureAD
joined: false
query: TobiasKohlbau

i assume that if you pass AzureAD\TobiasKohlbau as the query instead it would not throw an error?
just wondering if joined: false is the culprit here.

any idea why is the account not joined the domain? joined: false

https://github.com/golang/go/blob/master/src/os/user/lookup_windows.go#L141
i wonder if our isDomainJoined criteria for the query is valid here...

another question: what are you getting for the Gid of this user? (i.e. default group).

[tobiaskohlbau]

@neolit123 I already tried that earlier. I also suspected a failure within isDomainJoined. Looks like the computer is neither joined an AD. As the errors states: The specified domain either does not exist or could not be contacted..

sid: &{}
username: TobiasKohlbau
domain: AzureAD
joined: false
query: AzureAD\TobiasKohlbau

As for the GID I get: S-1-12-1-3053045089-1190341961-1242553017-34924225XX. I've replaced the last two numbers. I'm not sure if these number is related to internal IDs or something.

[neolit123]

@tobiaskohlbau

this is very odd and i think something is not right here...not on the Go side.
what GID do you get for the default group?

the group called "None", i assume?

[tobiaskohlbau]

I will try to try this tomorrow on another computer within our environment. Let's see if it is only my maybe bad configured pc.

How do I retrieve the GID for the default group?

[neolit123]

just tell me what Gid value you get from the User struct of that user:
https://golang.org/pkg/os/user/#User

BTW, i have a possible workaround for this, but i don't want us to implement it.
at the same time this could be a case where we are not doing something right...so not 100% sure.

[tobiaskohlbau]

@neolit123 I've edited the comment above. Maybe a little bit after you've read it. It contains the GID from my user.

[neolit123]

@tobiaskohlbau

S-1-12-1-3053045089-1190341961-1242553017-34924225XX

please run LookupGroupId() to fetch the name of the group too:
https://golang.org/pkg/os/user/#LookupGroupId

it returns a Group struct with Name:
https://golang.org/pkg/os/user/#Group

looking at the GID - this should not happen. do you happen to know if someone modified the default group for this AD?

[tobiaskohlbau]

The integrated test for LookupGroupId as well as my addition are returning:

user_test.go:129: LookupGroupId("S-1-12-1-3053045089-1190341961-1242553017-34924225XX"): lookupGroupId: should be group account type, not 1

user_test.go:156: Failed to find Group: lookupGroupId: should be group account type, not 1

I've asked the person who is in charge of the AD for any changes group related and will also have a look by myself.

Edit:
There is no obviously named default group within our AD. Do you know how to recognize the default group?

[neolit123]

type 1 is a SID for a user - i.e.SidTypeUser not a group.
are you using Current() to create the User struct or via Lookup(username string)?

this is so odd.

[tobiaskohlbau]

I've modified TestGroupIds to look like this:

checkGroup(t)
	if runtime.GOOS == "solaris" {
		t.Skip("skipping GroupIds, see golang.org/issue/14709")
	}
	user, err := Current()
	if err != nil {
		t.Fatalf("Current(): %v", err)
	}
	group, err := LookupGroupId(user.Gid)
	if err != nil {
		t.Fatalf("Failed to find Group: %v", err)
	}
	fmt.Printf("group: %v", group.Name)
	gids, err := user.GroupIds()
	if err != nil {
		t.Fatalf("%+v.GroupIds(): %v", user, err)
	}
	if !containsID(gids, user.Gid) {
		t.Errorf("%+v.GroupIds() = %v; does not contain user GID %s", user, gids, user.Gid)
	}

So I'm using the Version with Current() and use the GID within LookupGroupId

[neolit123]

There is no obviously named default group within our AD. Do you know how to recognize the default group?

if there is no default group, the default group is called "Domain users" and it's SID should end with 513.

ref:
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
SID: S-1-5-21domain-513

the default group is there for Unix compatibility only and should not be changed.

so our code for GetTokenPrimaryGroup() from Current() fetches the SID of a user instead of a Group. this should not happen, so i would blame it on a broken AD at this point.

please, mind that i'm not an AD expert.

I will try to try this tomorrow on another computer within our environment. Let's see if it is only my maybe bad configured pc.

that would be a good confirmation too. thank you.

[tobiaskohlbau]

I don't have any specific knowledge on AD neither. As my coworker suggested that Azure AD does not have the same feature set of a normal AD I found this:

There is no idea of setting up replication across site boundaries, the entire directory service is hosted in Microsoft data-centres in Azure. You cannot domain-join your desktops, laptops, tablets and servers to it. There is no Group Policy, no OUs, no Master Operations, no Read-only-Domain Controllers, indeed there are no Domain Controllers of any sort. Authentication is not done through Kerberos. So although you can apply the principles of what you know about on-prem AD to Azure AD it starts to become really obvious that on-prem AD is designed as an infrastructure directory to manage your core internal infrastructure as well as provide a directory service for applications/users.

https://blogs.msdn.microsoft.com/plankytronixx/2014/05/09/the-differencerelationship-between-azure-active-directory-and-normal-active-directory/

As I didn't find any SID related settings within the settings of Azure AD maybe the Windows 10 experience together with hosted AD screws something over?

[neolit123]

As I didn't find any SID related settings within the settings of Azure AD maybe the Windows 10 experience together with hosted AD screws something over?

i did test this on my corporate laptop which runs Windows 10 and is part of a corporate domain network.
it worked, so i'd say this is Azure specific.

at the same time that user SID being returned instead of a group SID seems like a plain bug to me.
a bug outside of the Go standard library and the WINAPI backend that is.

what user name do you get if you create the User struct via:
https://golang.org/pkg/os/user/#LookupId
and pass that GID as uid to that function?

[tobiaskohlbau]

I've tried to compile the latest tip on another computer at work today. This computer was connected to the same AzureAD but with a different user. At this machine the tests succeeded and no error was thrown.

As I'm quit new at this company maybe my account is missing some information or I've screwed up something on my and. If I find some time on the weekend I will try to find/solve the issue on my pc and will report back what caused the trouble.

For now I will close this issue as it looks like the error is on my end.
Thanks for your help @neolit123.