Bug 10343 - Domain-local groups not showing / working again
Summary: Domain-local groups not showing / working again
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.6.22
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2013-12-24 03:15 UTC by BerndW
Modified: 2021-02-17 11:59 UTC (History)
Description BerndW 2013-12-24 03:15:02 UTC
Overview:

Samba 3.6.22 seems to have reintroduced an old winbind bug that existed from 3.5.x (don't know the exact version) until 3.6.6, i.e. domain-local groups don't seem to work anymore.
Domain-local groups from my Windows 2008 R2 domain worked fine for me with Samba 3.6.21. After my recent update to 3.6.22 when I logged in with a Windows user and checked my groups using "id", only the built-in and global groups were listed.
After downgrading to 3.6.21 everything once again worked as expected.


Steps to Reproduce:
-Upgrade to or install Samba 3.6.22 on a machine joined to a Windows domain
-Restart machine (or Samba services)
-Login with a Windows user that is member of at least one domain-local group
-Check group membership with "id" command

Actual Results:
Only the built-in / global groups are listed.

Expected Results:
Built-in, global and domain-local groups are listed.

Build Date & Platform:
Ubuntu 12.04 LTS x64
Sernet Enterprise Samba 3.6.22 packages:
http://download.sernet.de/pub/samba/3.6/debian/dists/squeeze/main/binary-amd64/

Sidenote:
Ubuntu 12.04 LTS x64 by default unfortunately comes with Samba 3.6.3, which has the exact same problem with domain-local groups.
Comment 1 BerndW 2014-01-08 02:43:35 UTC
I retried installing Samba 3.6.22 (Sernet Enterprise packages) after purging every trace of older packages and rejoined the domain, and now domain-local groups seem to work fine again.
Sorry if I caused any inconveniences.
Comment 2 BerndW 2014-01-10 17:22:36 UTC
Unfortunately the problem reappeared today after about 2 days of uptime. Once again after logging in with an AD account and checking with "id", domain-local groups were missing.

Interestingly "wbinfo -g" as well as "getent group" still were listing domain-local groups.

After restarting the winbind daemon domain-local groups started working again. So there seems to be a problem that only manifests itself after some time.

I hope the problem can be fixed soon as my server already went productive. I realise that I could restart winbind regularly using a cronjob, but a fix would still be great.

Sidenote: My other server running CentOS 6.5 with Samba 3.6.9 doesn't have this problem after 36 days of uptime (and didn't for several months before that while running Samba 3.5.6).
Comment 3 Philippe MARASSE 2014-06-24 20:53:57 UTC
In our organization, we have the same problem.

Environment :
  - Windows 2008R2 AD ( = domain level = forest level )
  - 2x Win 2008R2 DC servers
  - 2x Win 2012 DC servers
  - ~2k user accounts
  - ~1k groups (with a majority of Domain-local groups)

Samba member server :
  - Debian 7.5 with Samba 3.6.6 : same problem
  - Debian 7.5 with Samba 4.1.9 from backports : same problem

It's really annoying because most of our ACLs are applied to Domain-Local groups.

Steps to reproduce :
 - Disconnect samba clients and stop samba & winbind services
 - Clear logs, cache, /run/samba/* and winbind mappings
 - Start winbind
 - read groups :

root@debian7-dev:~# wbinfo -r my-user | wc -l
62

 - start samba
 - connect from a client with my user
 - read groups :

root@debian7-dev:~# wbinfo -r my-user | wc -l
13

root@debian7-dev:~# wbinfo -r my-user
1000513
1001657
1013475
1018064
1017454
1018065
1000520
1000512
1000519
1000518
-1
-1
-1
Comment 4 Björn Jacke 2021-02-17 11:59:04 UTC
Those -1 group memberships usually come from bad idmap configurations. With working idmapping for each and every group without conflict there, I've never seen issues with this.
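An added check, not part of this bug report, that turns the symptom from Comment 3 (fewer groups and "-1" entries in "wbinfo -r" after some uptime) and the idmap hint from Comment 4 into something a cron job can flag instead of blindly restarting winbind. The sample listings and the file names are constructed; in real use the baseline is "wbinfo -r <user>" saved right after winbind starts.

```sh
#!/bin/sh
# Added example, not from the bug report: compare a fresh "wbinfo -r" listing
# against a baseline taken right after winbind started, and report whether
# memberships came back as -1 (idmap problem) or the group list has shrunk.

# Number of groups that resolved to a gid (non-empty lines other than "-1").
count_mapped() {
    awk 'NF && $0 != "-1" { n++ } END { print n + 0 }' "$1"
}

# Number of memberships winbind could not map to a gid ("-1" lines).
count_unmapped() {
    awk '$0 == "-1" { n++ } END { print n + 0 }' "$1"
}

# Print one status token for a baseline/current pair of "wbinfo -r" outputs:
#   ok                   - same number of mapped groups, nothing unmapped
#   unmapped:<n>         - <n> memberships came back as -1 (check idmap config)
#   shrunk:<base>:<now>  - fewer mapped groups than at baseline
check_groups() {
    base=$(count_mapped "$1")
    now=$(count_mapped "$2")
    bad=$(count_unmapped "$2")
    if [ "$bad" -gt 0 ]; then
        echo "unmapped:$bad"
    elif [ "$now" -lt "$base" ]; then
        echo "shrunk:$base:$now"
    else
        echo "ok"
    fi
}

# Constructed sample data: a healthy listing, one with unmapped groups,
# and one where domain-local groups have silently disappeared.
SAMPLE_BASE=$(mktemp)
SAMPLE_UNMAPPED=$(mktemp)
SAMPLE_SHRUNK=$(mktemp)
printf '%s\n' 1000513 1001657 1013475 1018064 1000512 > "$SAMPLE_BASE"
printf '%s\n' 1000513 1001657 1000512 -1 -1 > "$SAMPLE_UNMAPPED"
printf '%s\n' 1000513 1001657 1000512 > "$SAMPLE_SHRUNK"

check_groups "$SAMPLE_BASE" "$SAMPLE_BASE"       # ok
check_groups "$SAMPLE_BASE" "$SAMPLE_UNMAPPED"   # unmapped:2
check_groups "$SAMPLE_BASE" "$SAMPLE_SHRUNK"     # shrunk:5:3
```

A non-"ok" result is the moment to capture winbind logs before anything is restarted, since the state is lost once the daemon comes back.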