After the recent security updates, large LDAP searches using SASL wrapping stopped working. Windows sends messages up to a length of ~0x1b28a33; we now allow 0xFFFFFFF again.
Created attachment 12016: tcpdump log. Tcpdump while executing wbinfo -u from Samba 4.3.8, Samba as AD server
Created attachment 12017: winbind logs. winbind logs, log level 10
In production with Windows AD I've got 'Time limit exeeds' in ads_do_paged_search_args. In the test environment with Samba AD I've got 'Operations error', but the result is the same. All other commands work OK as I see.
Created attachment 12018: Possible patches for v4-4
Hi, I have tested this patch against 4.4.2 and I can confirm that with this patch wbinfo -u and wbinfo -g work again without client ldap sasl wrapping = plain being set. And indeed, the AD is big...
    [root@rmc-donau SOURCES]# wbinfo -u | wc -l
    23520
    [root@rmc-donau SOURCES]# wbinfo -g | wc -l
    79048
Thank you very much. Regards, Hansjörg
Created attachment 12025: Log for winbind with patches. winbind from samba-4.4.2 with suggested patch. wbinfo -u did not work.
Changes made samba-4.2.10 from centos7 work. wbinfo -u now gives the userlist. Thanks
(In reply to Andrey Cherepanov from comment #6) winbind-net.log contains just a few (unrelated) packets. It may be simpler if the following command would also reproduce your problem:
    net ads search -P '(objectClass=user)' '*'
Please also recheck that the patch is really applied.
Comment on attachment 12018 (Possible patches for v4-4): Please test the patches from bug #11849, thanks!
Hi, I can confirm that the patches from #11849 fix the problem with wbinfo -u and wbinfo -g on 4.4.2. Thank you very much. After the update from 4.4.0 to 4.4.2 I additionally got
    [2016/04/28 12:14:30.835305, 1] ../auth/gensec/spnego.c:672(gensec_spnego_create_negTokenInit)
    Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
messages in log.wb-XXXX. I am wondering about it, but I do not see any misbehavior. If I should try to collect further debug information, let me know. Regards, Hansjörg
(In reply to maurer from comment #10) Yes, Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR, is typically not an error. I guess I'll add a patch that changes the log level of this message from 1 to 10 in order to avoid this confusion.
Patches from #11849 work for me with ubuntu 16.04 amd64, samba 4.3.8.
(In reply to Stefan Metzmacher from comment #9) It works. Thanks.
Fixed with 4.4.3, 4.3.9, 4.2.12.
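The description at the top of this report turns on a receiver-side cap on the length of a SASL-wrapped buffer. As an added example (not code from Samba or from this report), the C sketch below parses the 4-byte network-order length prefix that precedes each SASL-wrapped buffer (RFC 4422, section 3.7) and enforces a cap before any data is read. The function and enum names and the stricter `WRAP_LIMIT_OLD_EXAMPLE` value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Status codes for this sketch (hypothetical names, not Samba's). */
enum frame_status { FRAME_OK = 0, FRAME_NEED_MORE = 1, FRAME_TOO_LARGE = -1 };

/* NEW is the limit named in the report (0xFFFFFFF). OLD_EXAMPLE is a
 * constructed stricter value, not Samba's actual earlier limit. */
#define WRAP_LIMIT_NEW         0x0FFFFFFFu
#define WRAP_LIMIT_OLD_EXAMPLE 0x00400000u

/* Check the start of a SASL-wrapped stream: 4-byte big-endian length,
 * then that many bytes of wrapped data. *payload_len is set whenever the
 * header is complete and within max_wrapped. */
static enum frame_status sasl_frame_check(const uint8_t *buf, size_t avail,
                                          uint32_t max_wrapped,
                                          uint32_t *payload_len)
{
    uint32_t len;

    if (avail < 4) {
        return FRAME_NEED_MORE;   /* header itself is incomplete */
    }
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];

    /* The length is peer-controlled: reject before allocating or reading. */
    if (len > max_wrapped) {
        return FRAME_TOO_LARGE;
    }
    *payload_len = len;

    /* Subtract from avail instead of adding to len, so nothing can wrap. */
    if (avail - 4 < len) {
        return FRAME_NEED_MORE;
    }
    return FRAME_OK;
}

int main(void)
{
    /* Constructed header announcing 0x01b28a33 bytes, the size in the report. */
    const uint8_t hdr[4] = { 0x01, 0xb2, 0x8a, 0x33 };
    uint32_t n = 0;
    int strict = sasl_frame_check(hdr, sizeof(hdr), WRAP_LIMIT_OLD_EXAMPLE, &n);
    int raised = sasl_frame_check(hdr, sizeof(hdr), WRAP_LIMIT_NEW, &n);
    return (strict == FRAME_TOO_LARGE && raised == FRAME_NEED_MORE) ? 0 : 1;
}
```

With the stricter cap the large reply is refused at the header, which is how an oversized paged-search response turns into a failed search on the client; with the raised cap the reader simply waits for the rest of the buffer.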