Bug 1743358 - Upgrading to samba-3.6.23-52.el6 breaks sudo lookup of users in Active Directory domain groups.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: samba
Version: 6.10
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: Andrej Dzilský
URL:
Whiteboard:
Duplicates: 1744767
Depends On:
Blocks:
 
Reported: 2019-08-19 17:26 UTC by John Rash
Modified: 2023-03-24 15:16 UTC

Fixed In Version: samba-3.6.23-53.el6_10
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-12 20:57:36 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4388231 0 None None None 2019-09-18 07:47:26 UTC
Red Hat Product Errata RHBA-2019:3858 0 None None None 2019-11-12 20:57:38 UTC
Samba Project 12612 0 None None None 2019-09-17 07:42:00 UTC

Description John Rash 2019-08-19 17:26:40 UTC
Description of problem:
Upgrading to samba-3.6.23-52.el6 breaks sudo lookup of users in Active Directory domain groups.

Version-Release number of selected component (if applicable):
samba-3.6.23-52.el6

How reproducible:
sudo does not recognize users in AD groups with samba-3.6.23-52.el6 installed.

Steps to Reproduce:
1. Install RHEL6
2. Install samba version before samba-3.6.23-52.el6
3. Join to Active Directory domain
4. Add AD user group to sudoers file or sudoers.d directory, example: "%it_linux_sudo ALL=(ALL) ALL"
5. Update to samba-3.6.23-52.el6 with dependent packages.


Actual results:
[adtestuser@TestRHEL6 ~]$ sudo su -
[sudo] password for adtestuser:
Warning: Your password will expire in 6 days on Mon 26 Aug 2019 02:23:09 PM UTC
adtestuser is not in the sudoers file.  This incident will be reported.

Expected results:
[adtestuser@TestRHEL6 ~]$ sudo su -
[sudo] password for adtestuser:
Warning: Your password will expire in 6 days on Mon 26 Aug 2019 02:23:09 PM UTC
[root@TestRHEL6 ~]#

Additional info:
Downgrading to samba-3.6.23-51.el6 or any other previous version fixes the issue.
Has also been tested with CentOS 6.10 and it is also affected.

Comment 2 Andreas Schneider 2019-08-21 14:09:53 UTC
Please talk to Red Hat Support.

Comment 4 JD 2019-08-26 21:41:27 UTC
I have experienced the same issue and can add a bit more detail. Have been troubleshooting this since last week, as I had to exclude samba* from monthly patching on ~25 AD joined RHEL 6.10 VMs.

Upon updating to 3.6.23-52, id is no longer resolving any secondary security groups from AD, and only returns the primary group:

id first.last.adm

uid=########(first.last.adm) gid=########(domain users) groups=########(domain users)

Prior to update, and on rollback to 3.6.23-51, the output of id first.last.adm:

uid=########(first.last.adm) gid=########(domain users) groups=########(domain users),########(sql_admins),########(plone_admins),########(beta_testers),########(domain_servers_local_admin),########(domain_servers_rdp_access),########(global_admins),########(vcenter_system_admins),########(linux_admins),########(domain admins),########(BUILTIN+users),########(BUILTIN+administrators)

In this case, the linux_admins group is in the sudoers file. Have tested changing the primary group in AD to linux_admins: this resolves the sudoers problem, but not the underlying issue of not resolving secondary groups.

Comment 5 joel 2019-08-27 21:58:47 UTC
I have a case with this issue as well, 02457499.

They updated these packages:
  samba.x86_64 0:3.6.23-52.el6_10
  samba-client.x86_64 0:3.6.23-52.el6_10
  samba-common.x86_64 0:3.6.23-52.el6_10
  samba-winbind.x86_64 0:3.6.23-52.el6_10
  samba-winbind-clients.x86_64 0:3.6.23-52.el6_10

And winbind is no longer able to pull supplementary groups. 

When they roll back the update the systems start working again.

Any help would be appreciated.

Comment 7 julian.gilbert 2019-09-04 09:36:48 UTC
We have the same issues as described in this bug report. Started after upgrading to samba 3.6.23-52 which appears to have been released with backported patches for Bug 1638774.

Comment 9 jiri.blaha 2019-09-09 10:43:15 UTC
Have the same issue described by JD above! Please correct it asap. Thank you.

Comment 10 LA 2019-09-11 18:45:38 UTC
I am also having the same problem and reverted back to 3.6.23-51. Strange as I am not using winbind. Anyone else having the same issues not using winbind?

Comment 12 Andreas Schneider 2019-09-18 07:47:26 UTC
*** Bug 1744767 has been marked as a duplicate of this bug. ***

Comment 14 cilmar@redhat.com 2019-09-24 12:21:27 UTC
Hello Team,

These are the customer's words from my case (02457494):
===================================================================================================

Hi everyone,
I can confirm that the test RPMs appear to restore the supplemental groups to the user accounts:

Installed:
  samba.x86_64 0:3.6.23-52.el6_10
  samba-client.x86_64 0:3.6.23-52.el6_10
  samba-common.x86_64 0:3.6.23-52.el6_10
  samba-winbind.x86_64 0:3.6.23-52.el6_10
  samba-winbind-clients.x86_64 0:3.6.23-52.el6_10

# just one line of output
[root@tstel6-01 samba-test]# id adm_lai | sed 's/,/\n/g' | wc -l
1

# because no supplemental groups for the sed to newline
[root@tstel6-01 samba-test]# id adm_lai
uid=16778363(adm_lai) gid=16777729(domain users) groups=16777729(domain users)

# with no supplemental groups, this account has no sudo access:
[root@tstel6-01 samba-test]# sudo -U adm_lai -l
User adm_lai is not allowed to run sudo on tstel6-01.

### AND UPGRADE

[root@tstel6-01 samba-test]# rpm -Fvh *rpm
Preparing...                ########################################### [100%]
   1:samba-winbind-clients  ########################################### [ 20%]
   2:samba-common           ########################################### [ 40%]
   3:samba-winbind          ########################################### [ 60%]
   4:samba                  ########################################### [ 80%]
   5:samba-client           ########################################### [100%]
   6:samba                  warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
:
:    :-P
:
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root

# the right gaggle of groups
# (super secret group list redacted)
[root@tstel6-01 samba-test]# id adm_lai | sed 's/,/\n/g' | wc -l
16

# and sudo seems to love us again
[root@tstel6-01 samba-test]# sudo -U adm_lai -l
:
User adm_lai may run the following commands on this host:
    (ALL) ALL

## but let's do that again!

# yum downgrade samba{,-{common,winbind{,-clients},client}} -y
# id adm_lai | sed 's/,/\n/g' | wc -l
1
# rpm -Fvh *rpm
# id adm_lai | sed 's/,/\n/g' | wc -l
16

Yep, I say we're onto something here.  If it passes system-test, and doesn't cause more than it fixes, then I say Ship It !

Thanks for letting me test.
=============================================================================================================================

I'll ask for a recheck in the case, just to make sure that everything is still working.

Best Regards
Cilmar S. Oliveira
IDM Technical Support Engineer
Red Hat Inc,
https://access.redhat.com
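
The group-count check used in Comments 4 and 14, as an added example that is not part of the original thread or Red Hat's code: it parses an `id` line into group names (which may contain spaces or "+") and tells the "only primary group resolved" symptom apart from a group that is simply missing. The function names and the numeric IDs in the sample lines are constructed for illustration; it assumes group names contain no commas.

```shell
#!/bin/sh
# Added example: verify that a sudoers %group is still resolvable for a user
# before and after a samba/winbind update.

# Print one group name per line from an `id`-style line.
# Splits on commas only, because names such as "domain users" contain spaces.
id_groups() {
    printf '%s\n' "$1" |
        sed -n -e 's/ context=[^ ]*$//' -e 's/.* groups=//p' |
        tr ',' '\n' |
        sed -e 's/^[0-9]*(//' -e 's/)$//'
}

# check_sudo_group ID_LINE GROUP
# returns 0: GROUP is resolved
#         1: other supplementary groups resolve, GROUP is not among them
#         2: at most the primary group resolves (the symptom in this bug)
check_sudo_group() {
    n=$(id_groups "$1" | awk 'END { print NR }')
    if id_groups "$1" | grep -Fxq -- "$2"; then
        echo "OK: '$2' resolved ($n groups)"
        return 0
    elif [ "$n" -le 1 ]; then
        echo "FAIL: no supplementary groups resolved; a '%$2' sudoers rule cannot match"
        return 2
    fi
    echo "FAIL: $n groups resolved but '$2' is not among them"
    return 1
}

# Constructed sample lines in the shape shown in the thread (IDs are made up).
BROKEN='uid=10001(first.last.adm) gid=10513(domain users) groups=10513(domain users)'
WORKING='uid=10001(first.last.adm) gid=10513(domain users) groups=10513(domain users),10620(linux_admins),10700(BUILTIN+users)'

for line in "$BROKEN" "$WORKING"; do
    check_sudo_group "$line" linux_admins || true
done

# Against a live system: check_sudo_group "$(id first.last.adm)" linux_admins
```

Run on a canary host after patching, a return code of 2 for an account that previously resolved its groups is the signal to hold the rollout.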

Comment 15 Andreas Schneider 2019-09-25 08:09:38 UTC
Hi Romana, can you please give PM ACK for this BZ as this is a regression of the latest update?

Thanks!

Comment 17 cilmar@redhat.com 2019-09-27 01:35:16 UTC
Hi Team,

The customer has confirmed that the solution works!

Thank you so much.

Best Regards
Cilmar S. Oliveira
IDM Technical Support Engineer
Red Hat Inc,
https://access.redhat.com

Comment 24 Pegaz 2019-10-08 14:33:41 UTC
Hi all and Red Hat Team!

When will the fixed package be ready to download?

Downgrade is a temporary solution, I believe.

Comment 31 errata-xmlrpc 2019-11-12 20:57:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3858

