
Bug 1743358

Summary: Upgrading to samba-3.6.23-52.el6 breaks sudo lookup of users in Active Directory domain groups.
Product: Red Hat Enterprise Linux 6
Component: samba
Version: 6.10
Reporter: John Rash <jrash>
Assignee: Andreas Schneider <asn>
QA Contact: Andrej Dzilský <adzilsky>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Keywords: Regression
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Fixed In Version: samba-3.6.23-53.el6_10
Doc Type: If docs needed, set a value
Last Closed: 2019-11-12 20:57:36 UTC
Type: Bug
CC: apeddire, asn, cilmar, cww, gdeschner, jarrpa, jdizzydunn, jiri.blaha, julian.gilbert, jwooten, kludhwan, labdi, mkielian, mkosek, mpanaous, pegazior, pkulkarn, rcadova, striker, toneata, tscherf, william.biggerstaff

Description John Rash 2019-08-19 17:26:40 UTC
Description of problem:
Upgrading to samba-3.6.23-52.el6 breaks sudo lookup of users in Active Directory domain groups.

Version-Release number of selected component (if applicable):
samba-3.6.23-52.el6

How reproducible:
sudo does not recognize users in AD groups with samba-3.6.23-52.el6 installed.

Steps to Reproduce:
1. Install RHEL6
2. Install samba version before samba-3.6.23-52.el6
3. Join to Active Directory domain
4. Add AD user group to sudoers file or sudoers.d directory, example: "%it_linux_sudo ALL=(ALL) ALL"
5. Update to samba-3.6.23-52.el6 with dependent packages.


Actual results:
[adtestuser@TestRHEL6 ~]$ sudo su -
[sudo] password for adtestuser:
Warning: Your password will expire in 6 days on Mon 26 Aug 2019 02:23:09 PM UTC
adtestuser is not in the sudoers file.  This incident will be reported.

Expected results:
[adtestuser@TestRHEL6 ~]$ sudo su -
[sudo] password for adtestuser:
Warning: Your password will expire in 6 days on Mon 26 Aug 2019 02:23:09 PM UTC
[root@TestRHEL6 ~]#

Additional info:
Downgrading to samba-3.6.23-51.el6 or any other previous version fixes the issue.
Has also been tested with CentOS 6.10 and it is also affected.

Comment 2 Andreas Schneider 2019-08-21 14:09:53 UTC
Please talk to Red Hat Support.

Comment 4 JD 2019-08-26 21:41:27 UTC
I have experienced the same issue and can add a bit more detail. Have been troubleshooting this since last week, as I had to exclude samba* from monthly patching on ~25 AD joined RHEL 6.10 VMs.

Upon updating to 3.6.23-52, id is no longer resolving any secondary security groups from AD, and only returns the primary group:

id first.last.adm

uid=########(first.last.adm) gid=########(domain users) groups=########(domain users)

Prior to update, and on rollback to 3.6.23-51, the output of id first.last.adm:

uid=########(first.last.adm) gid=########(domain users) groups=########(domain users),########(sql_admins),########(plone_admins),########(beta_testers),########(domain_servers_local_admin),########(domain_servers_rdp_access),########(global_admins),########(vcenter_system_admins),########(linux_admins),########(domain admins),########(BUILTIN+users),########(BUILTIN+administrators)

In this case, the linux_admins group is in the sudoers file. Have tested changing the primary group in AD to linux_admins: this resolves the sudoers problem, but not the underlying issue of not resolving secondary groups.

Comment 5 joel 2019-08-27 21:58:47 UTC
I have a case with this issue as well, 02457499.

They updated these packages:
  samba.x86_64 0:3.6.23-52.el6_10
  samba-client.x86_64 0:3.6.23-52.el6_10
  samba-common.x86_64 0:3.6.23-52.el6_10
  samba-winbind.x86_64 0:3.6.23-52.el6_10
  samba-winbind-clients.x86_64 0:3.6.23-52.el6_10

And winbind is no longer able to pull supplementary groups. 

When they roll back the update the systems start working again.

Any help would be appreciated.

Comment 7 julian.gilbert 2019-09-04 09:36:48 UTC
We have the same issues as described in this bug report. Started after upgrading to samba 3.6.23-52 which appears to have been released with backported patches for Bug 1638774.

Comment 9 jiri.blaha 2019-09-09 10:43:15 UTC
Have the same issue described by JD above! Please correct it asap. Thank you.

Comment 10 LA 2019-09-11 18:45:38 UTC
I am also having the same problem and reverted back to 3.6.23-51. Strange as I am not using winbind. Anyone else having the same issues not using winbind?

Comment 12 Andreas Schneider 2019-09-18 07:47:26 UTC
*** Bug 1744767 has been marked as a duplicate of this bug. ***

Comment 14 cilmar@redhat.com 2019-09-24 12:21:27 UTC
Hello Team,

These are the customer's words from my case (02457494):
===================================================================================================

Hi everyone,
I can confirm that the test RPMs appear to restore the supplemental groups to the user accounts:

Installed:
  samba.x86_64 0:3.6.23-52.el6_10
  samba-client.x86_64 0:3.6.23-52.el6_10
  samba-common.x86_64 0:3.6.23-52.el6_10
  samba-winbind.x86_64 0:3.6.23-52.el6_10
  samba-winbind-clients.x86_64 0:3.6.23-52.el6_10

# just one line of output
[root@tstel6-01 samba-test]# id adm_lai | sed 's/,/\n/g' | wc -l
1

# because no supplemental groups for the sed to newline
[root@tstel6-01 samba-test]# id adm_lai
uid=16778363(adm_lai) gid=16777729(domain users) groups=16777729(domain users)

# with no supplemental groups, this account has no sudo access:
[root@tstel6-01 samba-test]# sudo -U adm_lai -l
User adm_lai is not allowed to run sudo on tstel6-01.

### AND UPGRADE

[root@tstel6-01 samba-test]# rpm -Fvh *rpm
Preparing...                ########################################### [100%]
   1:samba-winbind-clients  ########################################### [ 20%]
   2:samba-common           ########################################### [ 40%]
   3:samba-winbind          ########################################### [ 60%]
   4:samba                  ########################################### [ 80%]
   5:samba-client           ########################################### [100%]
   6:samba                  warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
:
:    :-P
:
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root

# the right gaggle of groups
# (super secret group list redacted)
[root@tstel6-01 samba-test]# id adm_lai | sed 's/,/\n/g' | wc -l
16

# and sudo seems to love us again
[root@tstel6-01 samba-test]# sudo -U adm_lai -l
:
User adm_lai may run the following commands on this host:
    (ALL) ALL

## but let's do that again!

# yum downgrade samba{,-{common,winbind{,-clients},client}} -y
# id adm_lai | sed 's/,/\n/g' | wc -l
1
# rpm -Fvh *rpm
# id adm_lai | sed 's/,/\n/g' | wc -l
16

Yep, I say we're onto something here.  If it passes system-test, and doesn't cause more than it fixes, then I say Ship It !

Thanks for letting me test.
=============================================================================================================================

I'll ask for a recheck in the case, just to make sure that everything is still working.

Best Regards
Cilmar S. Oliveira
IDM Technical Support Engineer
Red Hat Inc,
https://access.redhat.com
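
A pre/post-update check for the symptom reported in Comments 4 and 14, as an added example that is not part of the original bug report or of any Red Hat tooling: it parses `id` output into group names (which may contain spaces, so counting commas or words is not enough) and tests whether any `%group` entry in sudoers is still among them. The function names, the numeric ids and the sudoers fragment are constructed for illustration.

```sh
#!/bin/sh
# Added example: detect the "primary group only" symptom after a samba/winbind update.

# Print one group name per line from a line of `id` output. Names may contain
# spaces ("domain users"), so split on the "),gid(" boundaries, not whitespace.
id_groups() {
    printf '%s\n' "$1" | awk '/groups=/ {
        sub(/.*groups=/, "")
        n = split($0, part, /\),/)
        for (i = 1; i <= n; i++) {
            g = part[i]
            sub(/^[^(]*\(/, "", g)   # drop the gid and the opening "("
            sub(/\)$/, "", g)        # only the last entry still ends in ")"
            print g
        }
    }'
}

# Print the %group names from sudoers text (simplification: plain "%name"
# entries without escaped spaces; "%#gid" and "%:nonunix" forms are skipped).
sudoers_groups() {
    printf '%s\n' "$1" | awk '/^%[^#:]/ { sub(/^%/, "", $1); print $1 }'
}

# Print the sudoers groups the user actually resolves to; fails if none match.
matching_sudo_groups() {
    wanted=$(sudoers_groups "$2")
    [ -n "$wanted" ] || return 1
    id_groups "$1" | grep -Fx -e "$wanted"
}

# Constructed sample data modelled on the outputs quoted in the comments
# (numeric ids are made up; on a live host use: id_line=$(id someuser)).
BEFORE_51='uid=10001(first.last.adm) gid=10513(domain users) groups=10513(domain users),10620(linux_admins),10512(domain admins),10545(BUILTIN+users)'
AFTER_52='uid=10001(first.last.adm) gid=10513(domain users) groups=10513(domain users)'
SUDOERS='# constructed sudoers fragment
%linux_admins ALL=(ALL) ALL'

for line in "$BEFORE_51" "$AFTER_52"; do
    count=$(id_groups "$line" | wc -l)
    if hit=$(matching_sudo_groups "$line" "$SUDOERS"); then
        echo "groups=$count sudo via: $hit"
    else
        echo "groups=$count no sudoers group resolved (check winbind/nss)"
    fi
done
```

Run against a representative account before and after patching, a drop to a single group or a lost sudoers match flags the regression before users hit "is not in the sudoers file".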

Comment 15 Andreas Schneider 2019-09-25 08:09:38 UTC
Hi Romana, can you please give PM ACK for this BZ as this is a regression of the latest update?

Thanks!

Comment 17 cilmar@redhat.com 2019-09-27 01:35:16 UTC
Hi Team,

The customer has confirmed that the solution works!

Thank you so much.

Best Regards
Cilmar S. Oliveira
IDM Technical Support Engineer
Red Hat Inc,
https://access.redhat.com

Comment 24 Pegaz 2019-10-08 14:33:41 UTC
Hi all and Red Hat Team!

When will the fixed package be ready to download?

Downgrade is a temporary solution, I believe.

Comment 31 errata-xmlrpc 2019-11-12 20:57:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3858