Bug 11872 - wbinfo -u or net ads search doesn't work anymore
wbinfo -u or net ads search doesn't work anymore
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
All All
: P5 normal
: ---
Assigned To: Stefan Metzmacher
Samba QA Contact
Depends on: 11849
  Show dependency treegraph
Reported: 2016-04-22 14:36 UTC by Stefan Metzmacher
Modified: 2016-08-02 09:59 UTC (History)
5 users (show)

See Also:

tcpdump log (71.83 KB, text/x-log)
2016-04-22 14:50 UTC, Anton Boyarshinov
no flags Details
winbind logs (145.55 KB, application/octet-stream)
2016-04-22 14:51 UTC, Anton Boyarshinov
no flags Details
Possible patches for v4-4 (2.54 KB, patch)
2016-04-22 16:19 UTC, Stefan Metzmacher
no flags Details
Log for winbind with patches (4.75 MB, application/x-tar)
2016-04-26 13:29 UTC, Andrey Cherepanov
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2016-04-22 14:36:39 UTC
After the recent security updates large LDAP searches
with using SASL wrapping stop working.

Windows sends messages up to a length of ~ 0x1b28a33,
we now allow 0xFFFFFFF again.
Comment 1 Anton Boyarshinov 2016-04-22 14:50:13 UTC
Created attachment 12016 [details]
tcpdump log

Tcpdump while executing wbinfo -u from Samba 4.3.8, Samba as AD server
Comment 2 Anton Boyarshinov 2016-04-22 14:51:11 UTC
Created attachment 12017 [details]
winbind logs

winbind logs, log level 10
Comment 3 Anton Boyarshinov 2016-04-22 14:52:06 UTC
In production with Windows AD i've got 'Time limit exeeds' in ads_do_paged_search_args

In test environment with Samba AD i've got 'Operations error' but the result is the same.

All other commands works OK as i see.
Comment 4 Stefan Metzmacher 2016-04-22 16:19:04 UTC
Created attachment 12018 [details]
Possible patches for v4-4
Comment 5 maurer 2016-04-23 17:09:10 UTC

I have tested this patch against 4.4.2 and i can confirm, that with this patch
wbinfo -u and wbinfo -g
work again without
        client ldap sasl wrapping = plain
being set

And indeed, the AD is big...

 [root@rmc-donau SOURCES]# wbinfo -u | wc -l
[root@rmc-donau SOURCES]# wbinfo -g | wc -l

Thank you very much


Comment 6 Andrey Cherepanov 2016-04-26 13:29:45 UTC
Created attachment 12025 [details]
Log for winbind with patches

winbind from samba-4.4.2 with suggested patch. wbinfo -u did not work.
Comment 7 OA 2016-04-26 15:44:43 UTC
Changes made samba-4.2.10 from centos7 work.
wbinfo -u now gives the userlist.

Comment 8 Stefan Metzmacher 2016-04-26 16:26:59 UTC
(In reply to Andrey Cherepanov from comment #6)

winbind-net.log contains just a few (unrelated) packets.

It may be simpler if the following command would also
reproduce your problem:

net ads search -P '(objectClass=user)' '*'

Please also recheck that the patch is really applied.
Comment 9 Stefan Metzmacher 2016-04-28 03:31:36 UTC
Comment on attachment 12018 [details]
Possible patches for v4-4

Please test the patches from bug #11849, thanks!
Comment 10 maurer 2016-04-28 12:20:55 UTC

I can confirm, that the patches from #11849
fix the problem with wbinfo -u and wbinfo -g on 4.4.2

Thank you very much

After the update from 4.4.0 to 4.4.2 additionally I got

[2016/04/28 12:14:30.835305,  1] ../auth/gensec/spnego.c:672(gensec_spnego_create_negTokenInit)
  Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR

messages in

I am wondering about, but I do not see any missbehavior.

If I should try to colect further debug information.let me now


Comment 11 Stefan Metzmacher 2016-04-28 12:22:24 UTC
(In reply to maurer from comment #10)

Yes, Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR,
is typically not an error. I guess I'll add a patch that changes the log level
of this message from 1 to 10 in order to avoid this confusion.
Comment 12 Sergey Urushkin 2016-04-29 10:40:00 UTC
Patches from #11849 work for me with ubuntu 16.04 amd64, samba 4.3.8.
Comment 13 Andrey Cherepanov 2016-04-29 16:31:48 UTC
(In reply to Stefan Metzmacher from comment #9)
It works. Thanks.
Comment 14 Stefan Metzmacher 2016-08-01 07:40:44 UTC
Fixed with 4.4.3, 4.3.9, 4.2.12.