Bug 10221 - RID backend : wbinfo --group-info=<ad group> fails
RID backend : wbinfo --group-info=<ad group> fails
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
3.6.6
x86 Linux
: P5 critical
: ---
Assigned To: Michael Adam
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-22 18:18 UTC by fledorze
Modified: 2013-11-01 09:51 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description fledorze 2013-10-22 18:18:23 UTC
After upgrade from Debian Squeeze to Debian Wheezy, winbind was upgraded from 3.5 to 3.6.6.
It seems that AD groups are not always there.

The config is :
###############
idmap config * : backend = rid
idmap config * : range = 10000-20000
in replacement of old syntax :
idmap backend = idmap_rid:RMS=10000-20000
idmap uid = 10000-20000


We do the following tests :
###########################
idmap gid = 10000-20000kinit <AD login>
klist
wbinfo -t
wbinfo -u
wbinfo -g
wbinfo -i <RMS login>
getent passwd
net ads info
wbinfo --group-info='domain users'
getent group

Only the last 2 are not working :
the first one gives :failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group domain users

The second one shows only local groups.

Samba logs gives :
##################
  ads_ranged_search failed with: Time limit exceeded
[2013/10/22 20:08:05.598683,  0] winbindd/winbindd_ads.c:1084(lookup_groupmem)
  ads_ranged_search failed with: Time limit exceeded

Winbind installation is
#######################
i  libnss-winbind:i386      2:3.6.6-6         i386              Samba nameservice integration plugins
ii  libpam-winbind:i386      2:3.6.6-6         i386              Windows domain authentication integration plugin
ii  winbind                  2:3.6.6-6         i386              Samba nameservice integration server


The only fix I found is reboot. But if winbind restart, the groups disappear again after a while.

It is very critical for us as some of applications relies on winbind groups to authorize access to users.

All migrated systems don't seem to be affected, for the moment.
We monitor through Nagios the presence of AD groups.
But had to stop migration to Debian Wheezy in waiting for a fix.

It seems to be related to https://bugzilla.samba.org/show_bug.cgi?id=8676 but not sure.
Comment 1 fledorze 2013-11-01 09:51:14 UTC
I have more information : by upgrading on affected servers to Debian testing version of Winbind (3.6.19-1), it works fine. But it breaks the coherence of our servers :
- the ones which were not affected are in pure stable version,
- the affected ones will be in stable except or winbind and dependencies, which will be testing version.
Not realy satisfying.