Hello, I have a Samba PDC and member server. After switching both from 3.0.32 to 3.3.4 (also happens on 3.3.5 and 3.3.6), "wbinfo -g" on the member server only shows BUILTIN groups:
    # wbinfo -g
    BUILTIN\administrators
    BUILTIN\users
while "wbinfo -u" shows all users of my PDC. After upgrading, I replaced /lib/libnss_winbind.so with the new version. I also have the symlink from this file to /lib/libnss_winbind.so.2. In the filesystem I only see the winbind GID of groups. Access to these files is fine, so some parts behind winbind seem to work. But it's hard to administer only with GIDs.
Looking into this. Do you have log level 10 client and server by any chance?
Reproduced this. winbind still gets NT_STATUS_ACCESS_DENIED for samr_EnumDomainGroups.
From the PDC log:
    _samr_EnumDomainGroups: access check ((granted: 0x000f04fe; required: 0x00000100)
    _samr_EnumDomainGroups: ACCESS DENIED (granted: 0x000f04fe; required: 0x00000100)
and at least here as well:
    _samr_GetAliasMembership: access check ((granted: 0x000f04fe; required: 0x00000080)
    _samr_GetAliasMembership: access check ((granted: 0x000f04fe; required: 0x00000200)
    _samr_GetAliasMembership: ACCESS DENIED (granted: 0x000f04fe; required: 0x00000200)
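Added example, not part of the original bug thread: a small Python script that recomputes the SAMR access checks from the PDC log lines quoted above, showing which right each failing call needs and the granted mask 0x000f04fe lacks. The right names follow MS-SAMR; the helper names (mask_names, analyse) are made up for this illustration.

```python
import re

# Domain-object access rights, named as in MS-SAMR, plus the standard rights.
RIGHTS = {
    0x0001: "DOMAIN_READ_PASSWORD_PARAMETERS", 0x0002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x0004: "DOMAIN_READ_OTHER_PARAMETERS", 0x0008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x0010: "DOMAIN_CREATE_USER", 0x0020: "DOMAIN_CREATE_GROUP",
    0x0040: "DOMAIN_CREATE_ALIAS", 0x0080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x0100: "DOMAIN_LIST_ACCOUNTS", 0x0200: "DOMAIN_LOOKUP",
    0x0400: "DOMAIN_ADMINISTER_SERVER",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}

LINE_RE = re.compile(
    r"(_samr_\w+): (access check|ACCESS DENIED) "
    r"\(+granted: (0x[0-9a-fA-F]+); required: (0x[0-9a-fA-F]+)\)"
)

# PDC log lines quoted in the thread above.
PDC_LOG = """\
_samr_EnumDomainGroups: access check ((granted: 0x000f04fe; required: 0x00000100)
_samr_EnumDomainGroups: ACCESS DENIED (granted: 0x000f04fe; required: 0x00000100)
_samr_GetAliasMembership: access check ((granted: 0x000f04fe; required: 0x00000080)
_samr_GetAliasMembership: access check ((granted: 0x000f04fe; required: 0x00000200)
_samr_GetAliasMembership: ACCESS DENIED (granted: 0x000f04fe; required: 0x00000200)
"""

def mask_names(mask):
    """Return the names of the known rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def analyse(log_text):
    """Recompute every access check; also collect the denials the server logged."""
    checks, logged_denials = [], set()
    for rpc, kind, granted, required in LINE_RE.findall(log_text):
        granted, required = int(granted, 16), int(required, 16)
        if kind == "ACCESS DENIED":
            logged_denials.add((rpc, required))
            continue
        missing = required & ~granted  # bits the RPC needs but the handle lacks
        checks.append({"rpc": rpc, "required": mask_names(required),
                       "missing": mask_names(missing), "denied": missing != 0})
    return checks, logged_denials

if __name__ == "__main__":
    for c in analyse(PDC_LOG)[0]:
        print(c["rpc"], c["required"], "DENIED, missing" if c["denied"] else "ok", c["missing"])
```

The recomputed verdicts match the ACCESS DENIED lines in the log: the domain handle carries DOMAIN_GET_ALIAS_MEMBERSHIP but neither DOMAIN_LIST_ACCOUNTS nor DOMAIN_LOOKUP.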
Personal reminder for me: 9c0fc1d83ceae0ac78b8ea2408e6c385402b6f86.
Created attachment 4352: Logfile of the member server on the PDC part 1
Created attachment 4353: Logfile of the member server on the PDC part 2
Created attachment 4354: Logfile on the member server
Created attachment 4355: Logfile on the member server
Created attachment 4356: Logfile on the member server
For explanation:
    MUC = Name of the domain
    Nucleus (192.168.29.2) = member server
    Genome (192.168.29.4) = PDC
New experiences: When I run 3.4.0 on the PDC and 3.3.6 on the member servers, everything is working (wbinfo -u/g, getent passwd/group, chown/chgrp). When I run 3.4.0 on PDC and member servers, "wbinfo" is showing domain entries. But even if "wbinfo -u/-g" and "getent passwd/group" are showing the domain users/groups, I can't "chown/chgrp":
    # chgrp systemadministration test
    chgrp: ungültige Gruppe „systemadministration“
    # getent group | grep systemadministration
    systemadministration:x:30000:administrator,technik
    # wbinfo -g | grep systemadministration
    systemadministration
I built 3.4.0 with only samba3 (no samba4). The nsswitch/libnss_winbind.so I replaced in /lib after installing.
I can't reproduce this:
Server : 3.4
Client : 3.3.6
    root@dmarkey-laptop:~# touch bleh
    root@dmarkey-laptop:~# wbinfo -i TESTDOM\\dmarkey
    TESTDOM\dmarkey:*:10002:10000:David Markey:/home/TESTDOM/dmarkey:/bin/bash
    root@dmarkey-laptop:~# chown TESTDOM\\dmarkey bleh
    root@dmarkey-laptop:~# chgrp TESTDOM\\"Domain Users" bleh
    root@dmarkey-laptop:~# stat bleh
    File: `bleh'
    Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: fc00h/64512d Inode: 650957 Links: 1
    Access: (0644/-rw-r--r--) Uid: (10002/TESTDOM\dmarkey) Gid: (10000/TESTDOM\domain users)
    Access: 2009-07-20 10:57:40.000000000 +0100
    Modify: 2009-07-20 10:57:40.000000000 +0100
    Change: 2009-07-20 10:58:37.000000000 +0100
Please note that I had to compile a new winbind on Ubuntu 9.04; the one that came with Ubuntu was crashing when doing a getent group.
> I can't reproduce this:
> Server : 3.4
> Client : 3.3.6
In this combination it's working here too (see my Comment #12). It's broken when PDC and member server are *both 3.3.6* or *both 3.4.0*.
Hmm.. strange. I'll try reproducing this later on. It's known that 3.3 as a PDC (to unix clients) is broken, so we'll rule that out; I'll be working off 3.4 on the PDC side. Perhaps something is broken in 3.4 on the client side.
Sorry, still can't reproduce. 3.4 client and server.
    SambaClient:~# /opt/samba/sbin/winbindd -V
    Version 3.4.0
    SambaClient:~# touch bleh
    SambaClient:~# chown "TESTDOM\dmarkey":"TESTDOM\domain users" bleh
    SambaClient:~# stat bleh
    File: `bleh'
    Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: 301h/769d Inode: 293 Links: 1
    Access: (0644/-rw-r--r--) Uid: (10000/TESTDOM\dmarkey) Gid: (10000/TESTDOM\domain users)
    Access: 2009-07-20 23:10:57.000000000 +0100
    Modify: 2009-07-20 23:10:57.000000000 +0100
    Change: 2009-07-20 23:10:59.000000000 +0100
Also with winbind use default domain = yes:
    SambaClient:~# chown dmarkey:domadmins hello
    SambaClient:~# stat hello
    File: `hello'
    Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: 301h/769d Inode: 294 Links: 1
    Access: (0644/-rw-r--r--) Uid: (10000/ dmarkey) Gid: (10001/domadmins)
    Access: 2009-07-20 23:23:01.000000000 +0100
    Modify: 2009-07-20 23:23:01.000000000 +0100
    Change: 2009-07-20 23:24:46.000000000 +0100
What version of unix are you using on the client side?
PDC and member server run openSUSE 10.3:
    # uname -a
    Linux genome 2.6.22.19-0.3-default #1 SMP 2009-05-27 10:35:34 +0200 i686 i686 i386 GNU/Linux
I also did a new fresh samba installation on PDC and member server. I removed all tdb (in lock dir and secrets.tdb). I only keep my LDAP. But still the same problem. It only works in the combination 3.3.x on the member and 3.4.0 on the client.
Created attachment 4501: 3.3.x patch that fixes various NT_STATUS_ACCESS_DENIED errors
This patch fixes winbind member 3.3.x against a samba dc 3.3.x here.
I applied the patch to 3.3.7 on my PDC and member server and recompiled/installed. With the patch everything works like it should now. Thanks
Ok, Karolin, this is definitely something we need for the next 3.3.x and 3.2.x release. Reassigning to you (as volker acked).
Picked for 3.3.8 and 3.2.14. Closing out bug report. Thanks!