Bug 2148943
Summary: | Samba with Winbind can not retrieve user groups from Active Directory | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | ediazten | |
Component: | samba | Assignee: | Andreas Schneider <asn> | |
Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> | |
Severity: | high | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 8.7 | CC: | abokovoy, aboscatt, asn, bthekkep, cave, dchen, dkarpele, gdeschner, msugaya, pfilipen, pjasbuti, pratshar, tscherf | |
Target Milestone: | rc | Keywords: | Triaged, ZStream | |
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | samba-4.17.4-0.el8 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 2154885 2170468 | Environment: | |
Last Closed: | 2023-05-16 09:08:22 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 2154885, 2170468 |
Description
ediazten
2022-11-28 12:03:56 UTC
What if you set 'winbind expand groups = 1'?

(In reply to Andreas Schneider from comment #1)
> What if you set 'winbind expand groups = 1'?

Tried on my test environment, and the problem is still present, both in 8.7 and in 9.1.

Note that you have to restart winbind and relogin as the user in order to get the correct information.

(In reply to Andreas Schneider from comment #3)
> Note that you have to restart winbind and relogin as the user in order to
> get the correct information.

I did a full reboot, as those test VMs have no other service and the reboot is only 15 seconds.

In the description, the non-working case has no 'samba' package installed while the working environment has the 'samba' package installed. Can you please try with the environments using the same set of packages?

Customer has confirmed that installing the 'samba' package solves the issue. But they want to have this working without the package, as up until RHEL 8.6 it was working, and also because having Samba installed, even unconfigured and not running, could cause potential security and compliance problems.

We have the same situation. Without the "samba" package, the AD groups are not returned. With the package installed, the AD groups are returned. We would prefer not to install samba to have winbind working correctly.

I was able to reproduce the issue and will investigate the proper fix.
If only the winbind package is installed, the following executables are missing, since they belong to the samba package:

```
# rpm -qf /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad
samba-4.16.4-2.el8.x86_64
samba-4.16.4-2.el8.x86_64
```

And winbind fails to open the pipe for the SAMR connection:

```
[2022/12/13 09:39:35.770827, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual_ndr.c:490(winbindd_dual_ndrcmd)
  winbindd_dual_ndrcmd: Running command wbint_LookupUserAliases (domain 'IP-10-0-198-155')
[2022/12/13 09:39:35.770844, 1, pid=38352, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
  wbint_LookupUserAliases: struct wbint_LookupUserAliases
    in: struct wbint_LookupUserAliases
      sids : *
        sids: struct wbint_SidArray
          num_sids : 0x00000008 (8)
          sids: ARRAY(8)
            sids : S-1-5-21-1776223824-959228081-484330324-1111
            sids : S-1-5-21-1776223824-959228081-484330324-513
            sids : S-1-5-21-1776223824-959228081-484330324-1108
            sids : S-1-5-21-1776223824-959228081-484330324-1107
            sids : S-1-5-21-1776223824-959228081-484330324-1106
            sids : S-1-5-21-1776223824-959228081-484330324-1105
            sids : S-1-5-21-1776223824-959228081-484330324-1110
            sids : S-1-5-21-1776223824-959228081-484330324-1109
[2022/12/13 09:39:35.770898, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:2489(wb_cache_lookup_useraliases)
  lookup_usergroups: [Cached] - doing backend query for info for domain IP-10-0-198-155
[2022/12/13 09:39:35.770913, 3, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_samr.c:1252(sam_lookup_useraliases)
  sam_lookup_useraliases
[2022/12/13 09:39:35.770976, 10, pid=38352, effective(0, 0), real(0, 0)] ../../source3/rpc_client/local_np.c:172(np_sock_connect_connected)
  np_sock_connect_connected: async_connect_recv returned Connection refused
[2022/12/13 09:39:35.770988, 10, pid=38352, effective(0, 0), real(0, 0)] ../../source3/rpc_client/local_np.c:622(local_np_connect_connected)
  local_np_connect_connected: np_sock_connect failed: Connection refused
[2022/12/13 09:39:35.771152, 10, pid=38352, effective(0, 0), real(0, 0)] ../../source3/rpc_client/local_np.c:373(start_rpc_host_send)
  start_rpc_host_send: posix_spawn() failed: No such file or directory
[2022/12/13 09:39:35.771164, 10, pid=38352, effective(0, 0), real(0, 0)] ../../source3/rpc_client/local_np.c:664(local_np_connect_started)
  local_np_connect_started: start_rpc_host_recv failed: No such file or directory
[2022/12/13 09:39:35.771174, 10, pid=38352, effective(0, 0), real(0, 0), class=rpc_cli] ../../source3/rpc_client/cli_pipe.c:3110(rpc_pipe_open_local_np)
  rpc_pipe_open_local_np: local_np_connect for samr and user NT AUTHORITY\SYSTEM failed: No such file or directory
[2022/12/13 09:39:35.771181, 0, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_samr.c:72(open_internal_samr_conn)
  open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/12/13 09:39:35.771211, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:3487(get_global_winbindd_state_offline)
  get_global_winbindd_state_offline: Offline state not set.
[2022/12/13 09:39:35.771230, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:503(wcache_store_seqnum)
  wcache_store_seqnum: success [IP-10-0-198-155][1670942375 @ 1670942375]
[2022/12/13 09:39:35.771236, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:561(refresh_sequence_number)
  refresh_sequence_number: IP-10-0-198-155 seq number is now 1670942375
[2022/12/13 09:39:35.771241, 1, pid=38352, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
  wbint_LookupUserAliases: struct wbint_LookupUserAliases
    out: struct wbint_LookupUserAliases
      rids : *
        rids: struct wbint_RidArray
          num_rids : 0x00000000 (0)
          rids: ARRAY(0)
      result : NT_STATUS_OBJECT_NAME_NOT_FOUND
```

===========

So we need to redesign the package content. Probably move samba-dcerpcd & friends out of the samba package into a new package and to 'Require' this new package in both samba and winbind.

We will create a 'samba-dcerpc' sub-package. For now please install the 'samba' package.

*** Bug 2158245 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Low: samba security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2987
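A triage helper for the failure diagnosed in this thread, added here as an example and not part of the bug report or of Samba: it checks a directory for the two helper executables the report names and looks in a winbind log for the spawn-failure and samr-pipe messages quoted above. The function names and verdict strings are hypothetical, and the helper directory and log file path are passed as arguments because the log location depends on the local smb.conf.

```shell
#!/bin/sh
# Added example: triage for "winbind returns no AD groups" as diagnosed above.
# HELPERS holds the two file names taken from the rpm -qf output in the report.
HELPERS="samba-dcerpcd rpcd_lsad"

# Print each helper that is absent or not executable in directory $1.
missing_rpc_helpers() {
    dir=$1
    for h in $HELPERS; do
        [ -x "$dir/$h" ] || printf '%s\n' "$h"
    done
}

# Succeed when log file $1 carries both messages from the report: winbindd
# could not spawn the RPC host, then failed to open the internal samr pipe.
log_has_samr_spawn_failure() {
    log=$1
    grep -qF 'start_rpc_host_send: posix_spawn() failed: No such file or directory' "$log" &&
    grep -qF 'open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_OBJECT_NAME_NOT_FOUND' "$log"
}

# Correlate both checks and print one verdict line (hypothetical wording).
triage_winbind() {
    dir=$1
    log=$2
    missing=$(missing_rpc_helpers "$dir" | paste -sd ' ' -)
    if log_has_samr_spawn_failure "$log"; then
        if [ -n "$missing" ]; then
            echo "helpers-missing: $missing"
        else
            # Helpers exist now, so the log entries predate their installation.
            echo "signature-only"
        fi
    elif [ -n "$missing" ]; then
        # Nothing logged yet (or log level too low), but lookups will fail.
        echo "helpers-missing-unlogged: $missing"
    else
        echo "ok"
    fi
}

# Stand-alone use: sh triage.sh <helper-dir> <winbind-log-file>
if [ "$#" -eq 2 ]; then
    triage_winbind "$1" "$2"
fi
```

The spawn-failure line is logged at debug level 10 in the report, so a log captured at a lower level yields the "helpers-missing-unlogged" verdict rather than "helpers-missing".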