Bug 1743358
| Summary: | Upgrading to samba-3.6.23-52.el6 breaks sudo lookup of users in Active Directory domain groups. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | John Rash <jrash> |
| Component: | samba | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED ERRATA | QA Contact: | Andrej Dzilský <adzilsky> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.10 | CC: | apeddire, asn, cilmar, cww, gdeschner, jarrpa, jdizzydunn, jiri.blaha, julian.gilbert, jwooten, kludhwan, labdi, mkielian, mkosek, mpanaous, pegazior, pkulkarn, rcadova, striker, toneata, tscherf, william.biggerstaff |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | samba-3.6.23-53.el6_10 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2019-11-12 20:57:36 UTC | Type: | Bug |
Description
John Rash
2019-08-19 17:26:40 UTC
Please talk to Red Hat Support.

I have experienced the same issue and can add a bit more detail. Have been troubleshooting this since last week, as I had to exclude samba* from monthly patching on ~25 AD joined RHEL 6.10 VMs. Upon updating to 3.6.23-52, id is no longer resolving any secondary security groups from AD, and only returns the primary group:
id first.last.adm
uid=########(first.last.adm) gid=########(domain users) groups=########(domain users)
Prior to update, and on rollback to 3.6.23-51, the output of id first.last.adm:
uid=########(first.last.adm) gid=########(domain users) groups=########(domain users),########(sql_admins),########(plone_admins),########(beta_testers),########(domain_servers_local_admin),########(domain_servers_rdp_access),########(global_admins),########(vcenter_system_admins),########(linux_admins),########(domain admins),########(BUILTIN+users),########(BUILTIN+administrators)
In this case, the linux_admins group is in the sudoers file. Have tested changing the primary group in AD to linux_admins: this resolves the sudoers problem, but not the underlying issue of not resolving secondary groups.

I have a case with this issue as well, 02457499. They updated these packages:
samba.x86_64 0:3.6.23-52.el6_10
samba-client.x86_64 0:3.6.23-52.el6_10
samba-common.x86_64 0:3.6.23-52.el6_10
samba-winbind.x86_64 0:3.6.23-52.el6_10
samba-winbind-clients.x86_64 0:3.6.23-52.el6_10
And winbind is no longer able to pull supplementary groups. When they roll back the update the systems start working again. Any help would be appreciated.

We have the same issues as described in this bug report. Started after upgrading to samba 3.6.23-52 which appears to have been released with backported patches for Bug 1638774.

Have the same issue described by JD above! Please correct it asap. Thank you.

I am also having the same problem and reverted back to 3.6.23-51. Strange as I am not using winbind. Anyone else having the same issues not using winbind?
*** Bug 1744767 has been marked as a duplicate of this bug. ***

Hello Team,
These are the customer's words from my case (02457494):
===================================================================================================
Hi everyone,
I can confirm that the test RPMs appear to restore the supplemental groups to the user accounts:
Installed:
samba.x86_64 0:3.6.23-52.el6_10
samba-client.x86_64 0:3.6.23-52.el6_10
samba-common.x86_64 0:3.6.23-52.el6_10
samba-winbind.x86_64 0:3.6.23-52.el6_10
samba-winbind-clients.x86_64 0:3.6.23-52.el6_10
# just one line of output
[root@tstel6-01 samba-test]# id adm_lai | sed 's/,/\n/g' | wc -l
1
# because no supplemental groups for the sed to newline
[root@tstel6-01 samba-test]# id adm_lai
uid=16778363(adm_lai) gid=16777729(domain users) groups=16777729(domain users)
# with no supplemental groups, this account has no sudo access:
[root@tstel6-01 samba-test]# sudo -U adm_lai -l
User adm_lai is not allowed to run sudo on tstel6-01.
### AND UPGRADE
[root@tstel6-01 samba-test]# rpm -Fvh *rpm
Preparing... ########################################### [100%]
1:samba-winbind-clients ########################################### [ 20%]
2:samba-common ########################################### [ 40%]
3:samba-winbind ########################################### [ 60%]
4:samba ########################################### [ 80%]
5:samba-client ########################################### [100%]
6:samba warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
:
: :-P
:
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
# the right gaggle of groups
# (super secret group list redacted)
[root@tstel6-01 samba-test]# id adm_lai | sed 's/,/\n/g' | wc -l
16
# and sudo seems to love us again
[root@tstel6-01 samba-test]# sudo -U adm_lai -l
:
User adm_lai may run the following commands on this host:
(ALL) ALL
## but let's do that again!
# yum downgrade samba{,-{common,winbind{,-clients},client}} -y
# id adm_lai | sed 's/,/\n/g' | wc -l
1
# rpm -Fvh *rpm
# id adm_lai | sed 's/,/\n/g' | wc -l
16
Yep, I say we're onto something here. If it passes system-test, and doesn't cause more than it fixes, then I say Ship It !
Thanks for letting me test.
=============================================================================================================================
I'll ask for a recheck in the case, just to make sure that everything is still working.
Best Regards
Cilmar S. Oliveira
IDM Technical Support Engineer
Red Hat Inc,
https://access.redhat.com

Hi Romana, can you please give PM ACK for this BZ as this is a regression of the latest update? Thanks!

Hi Team,
The customer has confirmed that the solution works! Thank you so much.
Best Regards
Cilmar S. Oliveira
IDM Technical Support Engineer
Red Hat Inc,
https://access.redhat.com

Hi all and Red Hat Team! When will the fixed package be ready to download? Downgrade is a temporary solution, I believe.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:3858
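
A post-update check built on the `id | sed | wc -l` test used in the thread, as an added example that is not part of the original bug report. The sample `id` lines are constructed (supplementary gids are made up) and the function names `list_groups` and `check_id_line` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread): check `id` output for the
# symptom reported here, where only the primary group is resolved.

# Constructed sample lines in the format shown in the thread; the
# supplementary gids below are made up for illustration.
SAMPLE_BROKEN='uid=16778363(adm_lai) gid=16777729(domain users) groups=16777729(domain users)'
SAMPLE_FIXED='uid=16778363(adm_lai) gid=16777729(domain users) groups=16777729(domain users),16777800(linux_admins),16777801(BUILTIN+users)'

# Print one group name per line from a full line of `id` output.
# Steps: keep the groups= field, drop a trailing SELinux context if
# present, split on "," (not whitespace, so names such as
# "domain users" stay intact), then strip "gid(" and ")".
list_groups() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=//p' |
        sed 's/ context=.*$//' |
        tr ',' '\n' |
        sed 's/^[0-9]*(\(.*\))$/\1/'
}

# check_id_line ID_LINE REQUIRED_GROUP
#   0: the required group is resolved
#   1: one group or none listed (only the primary group came back)
#   2: supplementary groups resolved, but the required one is absent
check_id_line() {
    count=$(list_groups "$1" | wc -l | tr -d ' ')
    [ "$count" -gt 1 ] || return 1
    list_groups "$1" | grep -Fxq -- "$2" || return 2
    return 0
}

# Live use on a host (user and group names are site-specific):
#   check_id_line "$(id adm_lai)" linux_admins || echo "group lookup regression"
```

Matching the exact group name that sudoers relies on catches the case where the group count looks healthy but the one group granting sudo is still missing.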