Bug 9344 - Intermittent failure of AD BUILTIN group enumeration
Summary: Intermittent failure of AD BUILTIN group enumeration
Status: NEW
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.6
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-01 15:09 UTC by Marc Doughty
Modified: 2012-11-01 15:09 UTC
CC List: 0 users

See Also:


Description Marc Doughty 2012-11-01 15:09:48 UTC
This has been happening throughout the Samba 3.6.x series.

I run Debian Squeeze with backports, so I'm on Samba 3.6.6 now.

Here's the setup:

Host machine runs Samba as a file server. Guest VM runs an ADC under Windows Server 2008 R2 or Windows Server 2012, with Domain Functional Level at 2008 R2 or 2012, respectively (the problem existed in both Windows versions).

The host is bound to the AD as a member server based on these excellent instructions:

http://www.ccs.neu.edu/home/battista/articles/winbind/

Basically, after I do a 'net ads join', I can enumerate users and groups properly, but after several hours or days, something breaks. Custom groups that I created in AD still seem to enumerate properly, but not the built-in ones:

     #id mpd
     uid=16778320(mpd) gid=16777729(HOSTBOX\none)
     groups=16777729(HOSTBOX\none),16778331(vpn users),16778322(desktop admins),16778340(mpd consulting),16777217

Those 'HOSTBOX\none' entries should be resolving to AD builtins like 'domain users', and they do for a while, until they don't. Once they break, my rights to files from Windows to the Samba server with permissions set to the builtins get messed up.

#wbinfo -g still shows the group names for the builtins.


Below is the output from 'testparm'. Please let me know what config dumps or logs you'd like to diagnose this further.

[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.NET
        server string = %h
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1024
        max protocol = SMB2
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config * : range = 16777216-33554431 # Same as Red Hat Enterprise, for consistency
        idmap config * : default = yes
        idmap config * : backend = rid
        use sendfile = Yes
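The following is an added diagnostic example, not code from the bug report or from the Samba project. It takes `id` output of the kind shown above and inverts the idmap_rid mapping (unix_id = range_low + rid - base_rid, per idmap_rid(8)) using the range from the reporter's `idmap config * : range` line, so you can see which AD RID each unnamed gid corresponds to: the 16777729 that prints as `HOSTBOX\none` is range_low + 513, and RID 513 is Domain Users in every AD domain, which matches the reporter's expectation. The script only uses the numeric part of the range; testparm shows the trailing `# Same as Red Hat Enterprise, for consistency` as part of the value because smb.conf(5) treats `#` as a comment only at the start of a line. The sample `id` lines, the well-known RID table, and the `base_rid` default of 0 are assumptions for the example.

```python
"""Audit id(1) output from a winbind member server that uses the rid idmap backend.

Added example, not part of the bug report or of Samba. Mapping formula as documented
for idmap_rid(8): unix_id = range_low + (rid - base_rid). Sample input is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

RANGE_LOW = 16777216   # numeric part of "idmap config * : range" in the reporter's testparm dump
RANGE_HIGH = 33554431
BASE_RID = 0           # idmap_rid default for "base_rid" (assumed not overridden)

# Standard AD domain-relative RIDs (assumed static table for the example).
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

ENTRY_RE = re.compile(r"^(\d+)(?:\(([^)]*)\))?$")   # "16777729(HOSTBOX\none)" or bare "16777217"


def rid_from_id(unix_id: int) -> Optional[int]:
    """Invert the rid backend mapping; None when the id is outside the configured range."""
    if not RANGE_LOW <= unix_id <= RANGE_HIGH:
        return None
    return unix_id - RANGE_LOW + BASE_RID


def parse_entry(entry: str) -> Tuple[int, Optional[str]]:
    """Split one 'gid(name)' token; the name is None when winbind printed only a number."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError("unparseable id entry: %r" % entry)
    return int(m.group(1)), m.group(2)


def parse_id_output(text: str) -> Dict[str, object]:
    """Parse `id <user>` output (possibly wrapped across lines) into uid, gid and group list."""
    flat = " ".join(text.split())
    m = re.match(r"uid=(.*?)\s+gid=(.*?)\s+groups=(.*)$", flat)
    if not m:
        raise ValueError("not id(1) output")
    uid, uname = parse_entry(m.group(1))
    gid, gname = parse_entry(m.group(2))
    groups = [parse_entry(g) for g in m.group(3).split(",") if g.strip()]
    return {"uid": uid, "user": uname, "gid": gid, "gname": gname, "groups": groups}


def is_unresolved(name: Optional[str]) -> bool:
    """True when winbind printed no name or the placeholder 'none' (seen as 'HOSTBOX\\none' above)."""
    if name is None:
        return True
    return name.rsplit("\\", 1)[-1].lower() == "none"


def audit_groups(text: str) -> List[Dict[str, object]]:
    """One finding per group entry that the rid backend maps but winbind did not resolve to a name."""
    findings: List[Dict[str, object]] = []
    for gid, name in parse_id_output(text)["groups"]:   # type: ignore[union-attr]
        rid = rid_from_id(gid)
        if rid is None:
            findings.append({"gid": gid, "rid": None, "name": name,
                             "expected": None, "status": "outside idmap range"})
        elif is_unresolved(name):
            findings.append({"gid": gid, "rid": rid, "name": name,
                             "expected": WELL_KNOWN_RIDS.get(rid), "status": "unresolved"})
    return findings


# Constructed samples: the broken state from the report, and a healthy one for contrast.
BROKEN = """uid=16778320(mpd) gid=16777729(HOSTBOX\\none)
groups=16777729(HOSTBOX\\none),16778331(vpn users),16778322(desktop admins),16778340(mpd consulting),16777217"""
HEALTHY = "uid=16778320(mpd) gid=16777729(domain users) groups=16777729(domain users),16778331(vpn users)"

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(label, "->", len(audit_groups(sample)), "finding(s)")
        for f in audit_groups(sample):
            print("  gid %d = RID %s: %s (well-known name: %s)"
                  % (f["gid"], f["rid"], f["status"], f["expected"]))
```

Run it against `id <user>` output captured while the failure is present: a finding whose RID is 513 with name `none` means the SID-to-gid side of the mapping still works (the gid is exactly range_low + 513) while the gid-to-name side does not, which narrows the problem to name resolution rather than the arithmetic of the rid backend.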