9344 – Intermittent failure of AD BUILTIN group enumeration

Bug 9344 - Intermittent failure of AD BUILTIN group enumeration

Summary: Intermittent failure of AD BUILTIN group enumeration

Status:	NEW

Alias:	None

Product:	Samba 3.6
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	3.6.6
Hardware:	x64 Linux

Importance:	P5 normal
Target Milestone:	---
Assignee:	Michael Adam
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-11-01 15:09 UTC by Marc Doughty
Modified:	2012-11-01 15:09 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marc Doughty 2012-11-01 15:09:48 UTC

This has been happening throughout the Samba 3.6.x series.

I run Debian Squeeze with backports, so I'm on Samba 3.6.6 now.

Here's the setup:

Host machine runs Samba as a file server. Guest VM runs an ADC under Windows Server 2008 R2 or Windows Server 2012, with Domain Functional Level at 2008 R2 or 2012, respectively (the problem existed in both Windows versions).

The host is bound to the AD as a member server based on these excellent instructions:

http://www.ccs.neu.edu/home/battista/articles/winbind/

Basically, after I do a 'net ads join', I can enumerate users and groups properly, but after several hours or days, something breaks. Custom groups that I created in AD still seem to enumerate properly, but not the built-in ones:

     #id mpd
     uid=16778320(mpd) gid=16777729(HOSTBOX\none)
     groups=16777729(HOSTBOX\none),16778331(vpn users),16778322(desktop admins),16778340(mpd consulting),16777217

Those 'HOSTBOX\none' entries should be resolving to AD builtins like 'domain users', and they do for a while, until they don't. Once they break, my rights to files from Windows to the Samab server with permissions set to the builtins get messed up.

#wbinfo -g still shows the group names for the builtins.


Below is the output from 'testparm' Please let me know what config dumps or logs you'd like to diagnose this further.

[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.NET
        server string = %h
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1024
        max protocol = SMB2
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config * : range = 16777216-33554431 # Same as Red Hat Enterprise, for consistency
        idmap config * : default = yes
        idmap config * : backend = rid
        use sendfile = Yes