Bug 2148943 - Samba with Winbind can not retrieve user groups from Active Directory
Summary: Samba with Winbind can not retrieve user groups from Active Directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: samba
Version: 8.7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: shridhar
URL:
Whiteboard:
Duplicates: 2158245
Depends On:
Blocks: 2154885 2170468
Reported: 2022-11-28 12:03 UTC by ediazten
Modified: 2023-05-16 11:13 UTC (History)
CC: 13 users

Fixed In Version: samba-4.17.4-0.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2154885 2170468
Environment:
Last Closed: 2023-05-16 09:08:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System                             ID               Last Updated
Red Hat Issue Tracker              RHELPLAN-140627  2022-11-28 12:04:59 UTC
Red Hat Issue Tracker              SSSD-5321        2022-12-19 14:31:24 UTC
Red Hat Knowledge Base (Solution)  6995660          2023-01-27 11:42:14 UTC
Red Hat Product Errata             RHSA-2023:2987   2023-05-16 09:09:23 UTC

Description ediazten 2022-11-28 12:03:56 UTC
Description of problem:
Using Samba with Winbind to join an Active Directory domain, the system doesn't get any group information back from the AD. id only shows the main group (normally "domain users") but none of the secondary groups. As those secondary groups are often used for managing security permissions, this causes many problems.

Version-Release number of selected component (if applicable):
RHEL 8.7, but also RHEL 9.1 (probably 9.0, but I've not tested it). In RHEL 8.6 it works perfectly.

These are the relevant packages in 8.7:
adcli-0.8.2-12.el8.x86_64
samba-client-libs-4.16.4-2.el8.x86_64
samba-winbind-krb5-locator-4.16.4-2.el8.x86_64
samba-common-libs-4.16.4-2.el8.x86_64
samba-libs-4.16.4-2.el8.x86_64
samba-common-tools-4.16.4-2.el8.x86_64
samba-winbind-clients-4.16.4-2.el8.x86_64
oddjob-mkhomedir-0.34.7-2.el8.x86_64
samba-common-4.16.4-2.el8.noarch
oddjob-0.34.7-2.el8.x86_64
samba-winbind-modules-4.16.4-2.el8.x86_64
samba-winbind-4.16.4-2.el8.x86_64
realmd-0.16.3-25.el8.x86_64

The same list for 8.6, which is the one working:
adcli-0.8.2-12.el8.x86_64
samba-client-libs-4.15.5-5.el8.x86_64
samba-winbind-krb5-locator-4.15.5-5.el8.x86_64
samba-common-libs-4.15.5-5.el8.x86_64
samba-libs-4.15.5-5.el8.x86_64
samba-4.15.5-5.el8.x86_64
samba-common-tools-4.15.5-5.el8.x86_64
samba-winbind-clients-4.15.5-5.el8.x86_64
oddjob-mkhomedir-0.34.7-1.el8.x86_64
samba-common-4.15.5-5.el8.noarch
samba-winbind-modules-4.15.5-5.el8.x86_64
samba-winbind-4.15.5-5.el8.x86_64
oddjob-0.34.7-1.el8.x86_64
realmd-0.16.3-25.el8.x86_64

How reproducible:
Easy, happens each time.

Steps to Reproduce:
1- In a fresh install of RHEL 8.7 or 9.1, follow the instructions to join AD using Samba + Winbind: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-samba-winbind_integrating-rhel-systems-directly-with-active-directory#proc_joining-samba-to-a-domain_connecting-rhel-systems-directly-to-ad-using-samba-winbind
2- Tested on Windows Server 2016 and 2019, both fail.
3- Do an id for an AD user that has at least one extra group assigned. The secondary group(s) won't show up.

Actual results:
No secondary user groups show up.

Expected results:
Should retrieve all the user's groups.

Additional info:
Actual case: https://access.redhat.com/support/cases/#/case/03365756

Comment 1 Andreas Schneider 2022-11-28 14:05:24 UTC
What if you set 'winbind expand groups = 1'?

Comment 2 ediazten 2022-11-28 15:15:23 UTC
(In reply to Andreas Schneider from comment #1)
> What if you set 'winbind expand groups = 1'?

Tried on my test environment, and the problem is still present, both in 8.7 and in 9.1.

Comment 3 Andreas Schneider 2022-11-29 13:00:59 UTC
Note that you have to restart winbind and relogin as the user in order to get the correct information.

Comment 4 ediazten 2022-11-29 13:11:27 UTC
(In reply to Andreas Schneider from comment #3)
> Note that you have to restart winbind and relogin as the user in order to
> get the correct information.

I did a full reboot, as those test VMs have no other service and the reboot is only 15 seconds.

Comment 10 Alexander Bokovoy 2022-12-08 10:00:18 UTC
In the description a non-working case has no 'samba' package installed while working environment has 'samba' package installed. Can you please try with the environments using the same set of the packages?

Comment 11 ediazten 2022-12-12 15:36:03 UTC
Customer has confirmed that installing 'samba' package solves the issue.
But they want to have this working without the package, as up until RHEL 8.6 it was working, and also because having Samba installed, even unconfigured and not running, could cause potential security and compliance problems.

Comment 12 cave 2022-12-13 09:32:15 UTC
We have the same situation.
Without the "samba" package, the AD groups are not returned.
With the package installed, the AD groups are returned.

We would prefer not to install samba to have winbind working correctly.

Comment 13 Pavel Filipensky 2022-12-13 14:52:23 UTC
I was able to reproduce the issue and will investigate the proper fix.

Comment 14 Pavel Filipensky 2022-12-13 21:28:26 UTC
If only the winbind package is installed, the following executables are missing, since they belong to the samba package:

# rpm -qf /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad 
samba-4.16.4-2.el8.x86_64
samba-4.16.4-2.el8.x86_64

And winbind fails to open a pipe for the SAMR connection:

  [2022/12/13 09:39:35.770827, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual_ndr.c:490(winbindd_dual_ndrcmd)
    winbindd_dual_ndrcmd: Running command wbint_LookupUserAliases (domain 'IP-10-0-198-155')
  [2022/12/13 09:39:35.770844,  1, pid=38352, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
         wbint_LookupUserAliases: struct wbint_LookupUserAliases
            in: struct wbint_LookupUserAliases
                sids                     : *
                    sids: struct wbint_SidArray
                        num_sids                 : 0x00000008 (8)
                        sids: ARRAY(8)
                            sids                     : S-1-5-21-1776223824-959228081-484330324-1111
                            sids                     : S-1-5-21-1776223824-959228081-484330324-513
                            sids                     : S-1-5-21-1776223824-959228081-484330324-1108
                            sids                     : S-1-5-21-1776223824-959228081-484330324-1107
                            sids                     : S-1-5-21-1776223824-959228081-484330324-1106
                            sids                     : S-1-5-21-1776223824-959228081-484330324-1105
                            sids                     : S-1-5-21-1776223824-959228081-484330324-1110
                            sids                     : S-1-5-21-1776223824-959228081-484330324-1109
  [2022/12/13 09:39:35.770898, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:2489(wb_cache_lookup_useraliases)
    lookup_usergroups: [Cached] - doing backend query for info for domain IP-10-0-198-155
  [2022/12/13 09:39:35.770913,  3, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_samr.c:1252(sam_lookup_useraliases)
    sam_lookup_useraliases
  [2022/12/13 09:39:35.770976, 10, pid=38352, effective(0, 0), real(0, 0)] ../../source3/rpc_client/local_np.c:172(np_sock_connect_connected)
    np_sock_connect_connected: async_connect_recv returned Connection refused
  [2022/12/13 09:39:35.770988, 10, pid=38352, effective(0, 0), real(0, 0)] ../../source3/rpc_client/local_np.c:622(local_np_connect_connected)
    local_np_connect_connected: np_sock_connect failed: Connection refused
  [2022/12/13 09:39:35.771152, 10, pid=38352, effective(0, 0), real(0, 0)] ../../source3/rpc_client/local_np.c:373(start_rpc_host_send)
    start_rpc_host_send: posix_spawn() failed: No such file or directory
  [2022/12/13 09:39:35.771164, 10, pid=38352, effective(0, 0), real(0, 0)] ../../source3/rpc_client/local_np.c:664(local_np_connect_started)
    local_np_connect_started: start_rpc_host_recv failed: No such file or directory
  [2022/12/13 09:39:35.771174, 10, pid=38352, effective(0, 0), real(0, 0), class=rpc_cli] ../../source3/rpc_client/cli_pipe.c:3110(rpc_pipe_open_local_np)
    rpc_pipe_open_local_np: local_np_connect for samr and user NT AUTHORITY\SYSTEM failed: No such file or directory
  [2022/12/13 09:39:35.771181,  0, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_samr.c:72(open_internal_samr_conn)
    open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_OBJECT_NAME_NOT_FOUND
  [2022/12/13 09:39:35.771211, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:3487(get_global_winbindd_state_offline)
    get_global_winbindd_state_offline: Offline state not set.
  [2022/12/13 09:39:35.771230, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:503(wcache_store_seqnum)
    wcache_store_seqnum: success [IP-10-0-198-155][1670942375 @ 1670942375]
  [2022/12/13 09:39:35.771236, 10, pid=38352, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:561(refresh_sequence_number)
    refresh_sequence_number: IP-10-0-198-155 seq number is now 1670942375
  [2022/12/13 09:39:35.771241,  1, pid=38352, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
         wbint_LookupUserAliases: struct wbint_LookupUserAliases
            out: struct wbint_LookupUserAliases
                rids                     : *
                    rids: struct wbint_RidArray
                        num_rids                 : 0x00000000 (0)
                        rids: ARRAY(0)
                result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND


===========

So we need to redesign the package content. Probably move samba-dcerpcd & friends out of the samba package into a new package and 'Require' this new package in both samba and winbind.

Comment 15 Andreas Schneider 2022-12-19 14:14:37 UTC
We will create a 'samba-dcerpc' sub-package. For now please install the 'samba' package.
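
The checks a practitioner would run on a host showing this symptom, as an added example (not code from the bug report, from Samba, or from the RHEL packaging): it counts secondary groups in id(1) output (0 for a user known to be in other AD groups is the symptom), scans a winbindd log for the two failure lines quoted in comment 14, and verifies that the samba-dcerpcd and rpcd_lsad helpers named in comment 14 exist. The script name, the default log path /var/log/samba/log.winbindd, the --live switch and the sample id lines are assumptions made for the example; the two log lines are excerpted from comment 14, and the remedy it prints follows comment 15 (install the package that ships the helpers).

```sh
#!/bin/sh
# winbind-groups-diag.sh: added diagnostic for "id shows only the primary AD
# group". Illustration only; not part of the bug report, of Samba, or of the
# RHEL samba packaging. Assumed: the default log path and the --live switch.
#
#   secondary_group_count  - count groups other than the primary gid in one
#                            line of id(1) output (0 == the symptom)
#   scan_winbind_log       - find the comment 14 failure signature in a
#                            winbindd log written at a high 'log level'
#   check_dcerpc_helpers   - verify the helpers winbind spawns for the local
#                            SAMR/LSA pipes exist (shipped by 'samba' in the
#                            4.16.4-2.el8 build, per comment 14)

secondary_group_count() {
    # $1: one line of id(1) output. Group names may contain spaces, so the
    # groups= field is cut from the whole line rather than from a
    # whitespace-split field; a trailing SELinux context= field is dropped.
    printf '%s\n' "$1" | awk '
        {
            primary = ""; count = 0
            if (match($0, /gid=[0-9]+/))
                primary = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /groups=.*/)) {
                list = substr($0, RSTART + 7)
                sub(/ context=.*/, "", list)
                n = split(list, gs, ",")
                for (j = 1; j <= n; j++) {
                    split(gs[j], p, "(")
                    if (p[1] != primary) count++
                }
            }
            print count
        }'
}

scan_winbind_log() {
    # $1: winbindd log file (default assumed). Returns 0 when a signature of
    # the missing-helper failure is present, 1 otherwise, 2 if unreadable.
    log="${1:-/var/log/samba/log.winbindd}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    hits=0
    for sig in \
        "start_rpc_host_send: posix_spawn() failed: No such file or directory" \
        "open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_OBJECT_NAME_NOT_FOUND"
    do
        if grep -qF -- "$sig" "$log"; then
            echo "winbindd log: $sig"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

check_dcerpc_helpers() {
    # $1: directory holding the helpers (default: the path from comment 14).
    # Returns 0 when both helpers are present.
    dir="${1:-/usr/libexec/samba}"
    missing=0
    for helper in samba-dcerpcd rpcd_lsad; do
        if [ -f "$dir/$helper" ]; then
            echo "present: $dir/$helper"
        else
            echo "MISSING: $dir/$helper" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# --- Demonstration on embedded data (always runs) --------------------------
# Constructed id(1) lines; the numbers are illustrative, not from the report.
ID_BROKEN='uid=1617001111(aduser) gid=1617000513(domain users) groups=1617000513(domain users)'
ID_GOOD='uid=1617001111(aduser) gid=1617000513(domain users) groups=1617000513(domain users),1617001105(file admins),1617001106(web ops)'
# Two message lines excerpted from the comment 14 log.
WINBIND_LOG_SAMPLE='    start_rpc_host_send: posix_spawn() failed: No such file or directory
    open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_OBJECT_NAME_NOT_FOUND'

echo "secondary groups (broken host): $(secondary_group_count "$ID_BROKEN")"   # 0
echo "secondary groups (healthy host): $(secondary_group_count "$ID_GOOD")"    # 2
sample=$(mktemp)
printf '%s\n' "$WINBIND_LOG_SAMPLE" > "$sample"
scan_winbind_log "$sample"
rm -f "$sample"

# --- Live checks on this host (only with --live) ---------------------------
if [ "${1:-}" = "--live" ]; then
    check_dcerpc_helpers || echo "install the package that ships the helpers (the 'samba' package, or the samba-dcerpc sub-package where it exists) and restart winbind" >&2
    scan_winbind_log || echo "no missing-helper signature in the winbindd log" >&2
fi
```

Run `sh winbind-groups-diag.sh` for the demonstration on the embedded data, or `sh winbind-groups-diag.sh --live` as root on the affected host. A count of 0 for a user known to be in other AD groups together with a log hit points at the missing helpers rather than at 'winbind expand groups' or a stale cache (comments 1 and 3), which is the distinction that took comment 10's package comparison to find.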

Comment 27 Andreas Schneider 2023-03-28 11:51:49 UTC
*** Bug 2158245 has been marked as a duplicate of this bug. ***

Comment 29 errata-xmlrpc 2023-05-16 09:08:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: samba security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2987

