Bug 11951 - supplementary groups are not fetched
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.4.3
Hardware: x64 Solaris
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2016-06-06 09:07 UTC by Alexander Pyhalov
Modified: 2016-06-16 19:23 UTC

Description Alexander Pyhalov 2016-06-06 09:07:30 UTC
The same config works fine with Samba 4.1.23 on OpenIndiana. However, when I update Samba to 4.2.0 or later (tried 4.2.0, 4.2.12, 4.4.3), supplementary groups are ignored. I mean, "wbinfo -r user" correctly shows user groups, but 'wbinfo --group-info "some group"' doesn't show the group's members:

# wbinfo --group-info 'Domain Users'
domain users:x:10513:

# id -a user  # ( doesn't show user's groups:)
uid=19938(user) gid=10512(domain admins) groups=10512(domain admins)

Log from winbind: 

accepted socket 20
[19828]: request interface version (version = 27)
[19828]: request location of privileged pipe
accepted socket 22
closing socket 20, client exited
getgroups root
child daemon request 59
msrpc_name_to_sid: name=SFEDU\ROOT
name_to_sid [rpc] SFEDU\ROOT for domain SFEDU
ldb_wrap open of secrets.ldb
Connecting to 195.208.251.100 at port 135
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 0
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 0
        IPTOS_LOWDELAY = 16
        IPTOS_THROUGHPUT = 16
        SO_SNDBUF = 49152
        SO_RCVBUF = 128872
        Could not test socket option SO_SNDLOWAT.
        Could not test socket option SO_RCVLOWAT.
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_KEEPALIVE_THRESHOLD = 7200000
        TCP_KEEPALIVE_ABORT_THRESHOLD = 480000
Bind RPC Pipe: host sfedu-adc1.ad.sfedu.ru auth_type 0, auth_level 1
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 72
rpc_read_send: data_to_read: 44
check_bind_response: accepted!
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 156
rpc_read_send: data_to_read: 136
Connecting to 195.208.251.100 at port 49155
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 0
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 0
        IPTOS_LOWDELAY = 16
        IPTOS_THROUGHPUT = 16
        SO_SNDBUF = 49152
        SO_RCVBUF = 128872
        Could not test socket option SO_SNDLOWAT.
        Could not test socket option SO_RCVLOWAT.
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_KEEPALIVE_THRESHOLD = 7200000
        TCP_KEEPALIVE_ABORT_THRESHOLD = 480000
check lock order 2 for /var/samba/lock/g_lock.tdb
release lock order 2 for /var/samba/lock/g_lock.tdb
Starting GENSEC mechanism schannel
Bind RPC Pipe: host sfedu-adc1.ad.sfedu.ru auth_type 68, auth_level 6
create_generic_auth_rpc_bind_req: generate first token
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 105
rpc_read_send: data_to_read: 64
check_bind_response: accepted!
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
check lock order 2 for /var/samba/lock/g_lock.tdb
release lock order 2 for /var/samba/lock/g_lock.tdb
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 232
rpc_read_send: data_to_read: 200
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 8
Finished processing child request 59
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
closing socket 22, client exited
accepted socket 20
[19835]: request interface version (version = 27)
[19835]: request location of privileged pipe
accepted socket 22
closing socket 20, client exited
getpwnam and
child daemon request 59
msrpc_name_to_sid: name=SFEDU\AND
name_to_sid [rpc] SFEDU\AND for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 232
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 8
Finished processing child request 59
child daemon request 59
ads: query_user
Current tickets expire in 35952 seconds (at 1465239282, time is now 1465203330)
Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\21\26?\9FX\F9\89\D3\04{\06\83\D2\26\00\00) in <dc=AD,dc=SFEDU,dc=RU> gave 1 replies
smb_register_idmap_nss: Successfully added idmap nss backend 'template'
ads query_user gave and
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 216
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
Finished processing child request 59
Deregistering messaging pointer for type 33 - private_data=0
Deregistering messaging pointer for type 13 - private_data=0
Deregistering messaging pointer for type 1028 - private_data=0
Deregistering messaging pointer for type 1027 - private_data=0
Deregistering messaging pointer for type 1029 - private_data=0
Deregistering messaging pointer for type 1280 - private_data=0
Deregistering messaging pointer for type 1033 - private_data=0
Deregistering messaging pointer for type 1 - private_data=0
Deregistering messaging pointer for type 1036 - private_data=0
Deregistering messaging pointer for type 1035 - private_data=0
Registering messaging pointer for type 1028 - private_data=0
Registering messaging pointer for type 1027 - private_data=0
Registering messaging pointer for type 1280 - private_data=0
Registering messaging pointer for type 1 - private_data=0
Registering messaging pointer for type 1034 - private_data=0
Overriding messaging pointer for type 1034 - private_data=0
child daemon request 59
Successfully added idmap backend 'tdb'
Successfully added idmap backend 'passdb'
Successfully added idmap backend 'nss'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
check lock order 1 for /var/samba/locks/winbindd_idmap.tdb
release lock order 1 for /var/samba/locks/winbindd_idmap.tdb
check lock order 1 for /var/samba/locks/winbindd_idmap.tdb
release lock order 1 for /var/samba/locks/winbindd_idmap.tdb
check lock order 1 for /var/samba/locks/winbindd_idmap.tdb
release lock order 1 for /var/samba/locks/winbindd_idmap.tdb
idmap backend rid not found
Probing module 'rid'
Probing module 'rid': Trying to load from /usr/lib/samba/idmap/rid.so
Module 'rid' loaded
Successfully added idmap backend 'rid'
Finished processing child request 59
Opening cache file at /var/samba/cache/gencache.tdb
Opening cache file at /var/samba/lock/gencache_notrans.tdb
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-512 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 248
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Mapped sid to [SFEDU]\[Domain Admins]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 248
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Finished processing child request 59
child daemon request 59
Finished processing child request 59
getpwuid 19938
child daemon request 59
pdb_default_uid_to_sid: host has no idea of uid 19938
Finished processing child request 59
child daemon request 59
Finished processing child request 59
child daemon request 59
Finished processing child request 59
getgrgid 10512
child daemon request 59
Finished processing child request 59
child daemon request 59
Finished processing child request 59
[19835]: getgrent
Deregistering messaging pointer for type 33 - private_data=0
Deregistering messaging pointer for type 13 - private_data=0
Deregistering messaging pointer for type 1028 - private_data=0
Deregistering messaging pointer for type 1027 - private_data=0
Deregistering messaging pointer for type 1029 - private_data=0
Deregistering messaging pointer for type 1280 - private_data=0
Deregistering messaging pointer for type 1033 - private_data=0
Deregistering messaging pointer for type 1 - private_data=0
Deregistering messaging pointer for type 1036 - private_data=0
Deregistering messaging pointer for type 1035 - private_data=0
Registering messaging pointer for type 1028 - private_data=0
Registering messaging pointer for type 1027 - private_data=0
Registering messaging pointer for type 1280 - private_data=0
Registering messaging pointer for type 1 - private_data=0
Registering messaging pointer for type 1034 - private_data=0
Overriding messaging pointer for type 1034 - private_data=0
child daemon request 59
samr: sequence number
Create pipe requested samr
Created internal pipe samr
_samr_Connect2: 3866
_samr_Connect2: ACCESS should be DENIED  (requested: 0x000f003f)
but overritten by euid == initial uid
_samr_Connect2: access GRANTED (requested: 0x000f003f, granted: 0x000f003f)
Opened policy hnd[1] [0000] 00 00 00 00 01 00 00 00   00 00 00 00 55 57 82 3A   ........ ....UW.:
[0010] 7D 4D 00 00                                        }M.. 
_samr_Connect2: 3895
Found policy hnd[0] [0000] 00 00 00 00 01 00 00 00   00 00 00 00 55 57 82 3A   ........ ....UW.:
[0010] 7D 4D 00 00                                        }M.. 
access_check_object: user rights access mask [0x3f0]
_samr_OpenDomain: ACCESS should be DENIED  (requested: 0x000f040f)
but overritten by euid == initial uid
_samr_OpenDomain: access GRANTED (requested: 0x000f040f, granted: 0x000f07ff)
Opened policy hnd[2] [0000] 00 00 00 00 02 00 00 00   00 00 00 00 55 57 82 3A   ........ ....UW.:
[0010] 7D 4D 00 00                                        }M.. 
_samr_OpenDomain: 500
_samr_QueryDomainInfo: 3499
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00   00 00 00 00 55 57 82 3A   ........ ....UW.:
[0010] 7D 4D 00 00                                        }M.. 
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
_samr_QueryDomainInfo: 3589
Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00   00 00 00 00 55 57 82 3A   ........ ....UW.:
[0010] 7D 4D 00 00                                        }M.. 
Closed policy
Finished processing child request 59
child daemon request 59
ads: enum_dom_groups
Current tickets expire in 35952 seconds (at 1465239282, time is now 1465203330)
Search for (&(objectCategory=group)(&(groupType:dn:1.2.840.113556.1.4.803:=-2147483648)(!(groupType:dn:1.2.840.113556.1.4.803:=1)))) in <dc=AD,dc=SFEDU,dc=RU> gave 317 replies
ads enum_dom_groups gave 317 entries
Finished processing child request 59
child daemon request 59
Finished processing child request 59
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-520 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 264
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
Mapped sid to [SFEDU]\[Group Policy Creator Owners]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 264
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
Finished processing child request 59
child daemon request 59
Finished processing child request 59
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-513 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 232
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
Mapped sid to [SFEDU]\[Domain Users]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 232
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
Finished processing child request 59
child daemon request 59
Finished processing child request 59
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-521 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 264
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
Mapped sid to [SFEDU]\[Read-only Domain Controllers]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 264
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
Finished processing child request 59
child daemon request 59
Finished processing child request 59
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-514 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 248
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Mapped sid to [SFEDU]\[Domain Guests]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 248
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Finished processing child request 59
child daemon request 59
Finished processing child request 59
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-516 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 248
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 4
Mapped sid to [SFEDU]\[Domain Controllers]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 248
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 4
Finished processing child request 59
child daemon request 59
Finished processing child request 59
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-515 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 248
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 8
Mapped sid to [SFEDU]\[Domain Computers]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 248
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 8
Finished processing child request 59
child daemon request 59
Finished processing child request 59
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-522 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 280
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Mapped sid to [SFEDU]\[Клонируемые контроллеры домена]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 280
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Finished processing child request 59
.... A lot of other groups here.....
child daemon request 59
msrpc_sid_to_name: S-1-5-21-2671715873-3549034840-2198240004-91610 for domain SFEDU
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 232
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Mapped sid to [SFEDU]\[IPAMUG]
Finished processing child request 59
child daemon request 59
rpc_api_pipe: host sfedu-adc1.ad.sfedu.ru
rpc_write_send: data_to_write: 168
rpc_read_send: data_to_read: 232
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Finished processing child request 59
child daemon request 59
Finished processing child request 59
[19852]: getgrent
getgrent failed: NT_STATUS_NO_MORE_ENTRIES
getgrgid 10512
child daemon request 59
Finished processing child request 59
child daemon request 59
Finished processing child request 59
closing socket 22, client exited

....

Config: 
[global]
        # Generic
        netbios name            = backup-smb
        workgroup               = SFEDU
        server string           = File Server

        # Browsing
        os level                = 65

        # Access & security
        security                = ads
        password server         = *
        realm                   = AD.SFEDU.RU
        preferred master        = no

        idmap config SFEDU : backend = rid
        idmap config SFEDU: range = 10000 - 155000
        idmap uid = 10000 - 155000
        idmap gid = 10000 - 155000
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind use default domain = yes
        winbind offline logon = yes
        winbind refresh tickets = yes
        template homedir = /export/home/%U
        template shell = /usr/bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        restrict anonymous = 1

        ldap timeout = 200

        hosts allow             = 195.208.240.0/255.255.240.0   \
                                  10.0.0.0/255.0.0.0 \
                                  127.0.0.1

        # Charset settings
        unix charset            = utf-8
        dos charset             = cp1251

        #
        # Defaults for shares
        #

        # DOS attributes
        store dos attributes    = no
        map hidden              = no
        map system              = no
        map archive             = no
        map read only           = permissions

        # UNIX permissions
        create mask             = 660   ; AND
        force create mode       = 660   ; OR
        directory mask          = 770
        force directory mode    = 770
Comment 1 Alexander Pyhalov 2016-06-15 09:11:55 UTC
Sorry, actually this was an effect of changing "winbind expand groups" default value in Samba 4.2.
Comment 2 Jeremy Allison 2016-06-16 19:23:55 UTC
Thanks for letting us know.
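
The resolution above turns on a parameter the posted smb.conf never sets, so its effective value moved with the version default. The following is an added example, not part of the bug report and not Samba code: it parses a [global] section (handling the backslash continuations used in "hosts allow") and reports whether "winbind expand groups" is explicit or inherited. The default values (1 before Samba 4.2, 0 from 4.2 onwards) are an assumption taken from the smb.conf documentation, not from this page, and all function names are hypothetical.

```python
import re

# Constructed sample: a few lines copied from the configuration in the report.
SAMPLE = """
[global]
        security                = ads
        idmap config SFEDU : backend = rid
        winbind enum groups = yes
        winbind nested groups = yes
        hosts allow             = 195.208.240.0/255.255.240.0   \\
                                  10.0.0.0/255.0.0.0 \\
                                  127.0.0.1
"""

def default_expand_groups(version):
    # Assumption (smb.conf documentation): 1 before 4.2, 0 from 4.2 onwards.
    major, minor = (int(x) for x in version.split(".")[:2])
    return 1 if (major, minor) < (4, 2) else 0

def norm(name):
    # smb.conf parameter names are case-insensitive and ignore whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def effective_expand_groups(conf_text, version):
    """Return (nesting depth, 'explicit' or 'version default')."""
    params = parse_global(conf_text)
    key = norm("winbind expand groups")
    if key in params:
        return int(params[key]), "explicit"
    return default_expand_groups(version), "version default"

if __name__ == "__main__":
    for ver in ("4.1.23", "4.2.0", "4.4.3"):   # versions named in the report
        print(ver, effective_expand_groups(SAMPLE, ver))
```

A result of "version default" marks a setting whose behaviour can change on upgrade; pinning the value explicitly in smb.conf removes that dependency.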