[Pkg-samba-maint] Bug#1012240: winbind does not return AD groups a user is a member of AT ALL, or only one
Matthew Grant
matt at mattgrant.net.nz
Thu Jun 2 05:48:33 BST 2022
Package: winbind
Version: 2:4.16.1+mag-1
Severity: important
Dear Maintainer,
I have rebuilt samba 4.16.1 packages as I am including a samba INTERNAL DNS
patch, but I have not altered the packaging significantly other than this, and
have not touched winbind.
I have been finding that when I log in to the machine using a user from samba AD, with groups from samba AD, none of those AD groups that user is a member of
show up in the output from the 'groups' command.
Furthermore:
shalom: -root- [/home/admin]
# wbinfo -r grantma
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user grantma
And in the samba logs:
[2022/06/02 16:30:45.687576, 0] ../../source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn)
open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_ACCESS_DENIED
The above works fine when the samba package is installed along with winbind.
After the call, I find that the following programs are running:
shalom: -root- [/home/admin]
# ps -ef | grep samba
root 139564 1 0 16:29 ? 00:00:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=40 --np-helper --debuglevel=0
root 139574 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=5 --debuglevel=0
root 139576 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=6 --debuglevel=0
root 139578 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=7 --debuglevel=0
root 139580 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=8 --debuglevel=0
root 139583 136857 0 16:29 pts/5 00:00:00 grep samba
When the above binaries' permissions are set by:
shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad
the following happens:
shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad
It appears that winbind needs samba-dcerpcd and rpcd_lsad to function
correctly. Could these binaries and dependent libraries be moved to the
winbind package please?
Thank you!
Matt Grant
-- Package-specific info:
* /etc/samba/smb.conf present, and attached
* /var/lib/samba/dhcp.conf not present
-- System Information:
Debian Release: 11.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.40-amd64-mag-lts (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages winbind depends on:
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u3
ii libgnutls30 3.7.1-5
ii libldap-2.4-2 2.4.57+dfsg-3+deb11u1
ii libpopt0 1.18-2
ii libtalloc2 2.3.3+mag-1~0mag0
ii libtdb1 1.4.6+mag-1
ii libtevent0 0.11.0+mag-1~0mag0
ii libwbclient0 2:4.16.1+mag-1
ii lsb-base 11.1.0
ii samba-common 2:4.16.1+mag-1
ii samba-common-bin 2:4.16.1+mag-1
ii samba-libs 2:4.16.1+mag-1
winbind recommends no packages.
Versions of packages winbind suggests:
ii libnss-winbind 2:4.16.1+mag-1
ii libpam-winbind 2:4.16.1+mag-1
-- no debconf information
-------------- next part --------------
[Global]
netbios name = SHALOM
realm = AD.ANATHOTH.NET
workgroup = AD
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
server string = %h DebianLinux Host
security = ads
client signing = auto
server signing = auto
# TLS setup
tls certfile = /etc/ipsec.d/certs/anathoth_shalom.ad.anathoth.net.crt
tls keyfile = /etc/ipsec.d/private/anathoth_shalom.ad.anathoth.net.key
tls cafile = /etc/ipsec.d/cacerts/anathoth_vpn_ca.crt
# Winbind settings
#
# Winbind idmap setup
idmap config * : backend = autorid
idmap config * : range = 200000-2000200000
idmap config * : rangesize = 200000
idmap config AD : backend = ad
idmap config AD : range = 10000-59999
idmap config AD : unix_primary_group = yes
idmap config AD : unix_nss_info = yes
# Winbind offline logon
winbind offline logon = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind refresh tickets = yes
winbind cache time = 300
template shell = /bin/bash
template homedir = /home/%D/%U
#
# File server settings
#
# Listen on
bind interfaces only = yes
interfaces = lo fd14:828:ba69:1::9/64
# Samba logging
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
# Samba user share
usershare path = /var/lib/samba/usershares
usershare max shares = 100
usershare allow guests = yes
# Completely disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Various default share settings for below
# Global stuff to help with Unix clients...
unix extensions = yes
case sensitive = auto
delete readonly = yes
ea support = yes
browseable = no
read only = yes
force group = "domain users"
create mask = 0664
directory mask = 0775
[Documents]
comment = Documents
read only = no
browseable = yes
path = /srv/docs
force group = staff-gr
[Music]
comment = Music
read only = no
browseable = yes
path = /srv/media/music
[Pictures]
comment = Pictures
read only = no
browseable = yes
path = /srv/media/pictures
force group = "private-gr"
[Videos]
comment = Videos
read only = no
browseable = yes
path = /srv/media/videos
[scratch]
comment = Scratch
read only = no
browseable = yes
path = /srv/scratch
create mask = 0775
directory mask = 0775
force directory mode = 0775
# force create mode = 0664
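As an added triage example (not part of this bug report, of the Debian packaging, or of Samba itself), the following POSIX shell script checks the conditions the report ties together: whether samba-dcerpcd and rpcd_lsad are present and executable in the directory the ps output shows (/usr/libexec/samba), whether a winbind log carries the "Could not connect to samr pipe" line quoted above, and how the text printed by `wbinfo -r` should be read. The paths, log format and wbinfo output are taken from the excerpts above; the directory, log file and modes the demo builds under mktemp are constructed input, and the labels the classifier prints are this example's own.

```shell
#!/bin/sh
# Triage helper for the failure mode in this report. Added example, not code
# from the Debian bug or from Samba. Assumed: the helper binaries live in
# /usr/libexec/samba as the report's ps output shows, and winbind log lines
# look like the excerpt quoted in the report.

# check_rpc_helpers DIR: succeed only if both DCE/RPC helpers the report says
# winbind relies on are present and executable in DIR; name each one that
# fails the check (a 0400 mode, as in the report, fails it).
check_rpc_helpers() {
    dir=$1
    bad=0
    for name in samba-dcerpcd rpcd_lsad; do
        if [ ! -x "$dir/$name" ]; then
            echo "not executable or missing: $dir/$name"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# count_samr_denied LOGFILE: number of lines where winbind reports that it
# could not open the internal samr pipe (the signature quoted in the report).
# grep -c exits 1 when the count is 0, so "|| true" keeps the count printable.
count_samr_denied() {
    grep -c 'open_internal_samr_conn: Could not connect to samr pipe' "$1" || true
}

# classify_wbinfo_groups OUTPUT: label the captured text of "wbinfo -r USER".
#   ok         every line is a numeric GID, i.e. the group lookup worked
#   samr-down  the WBC_ERR_DOMAIN_NOT_FOUND failure shown in the report
#   unknown    anything else (label names are this example's own)
classify_wbinfo_groups() {
    case $1 in
        *WBC_ERR_DOMAIN_NOT_FOUND*) echo samr-down ;;
        *)
            # grep -v finds a non-numeric line => not a clean GID list
            if printf '%s\n' "$1" | grep -Evq '^[0-9]+$'; then
                echo unknown
            else
                echo ok
            fi ;;
    esac
}

# Stand-alone demonstration on constructed input: a libexec directory where
# samba-dcerpcd carries the 0400 mode from the report, a constructed log
# excerpt in the report's format, and the wbinfo output quoted above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/libexec"
    : > "$tmp/libexec/samba-dcerpcd"; chmod 400 "$tmp/libexec/samba-dcerpcd"
    : > "$tmp/libexec/rpcd_lsad";     chmod 755 "$tmp/libexec/rpcd_lsad"
    printf '%s\n' \
        '[2022/06/02 16:30:45.687576,  0] ../../source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn)' \
        '  open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_ACCESS_DENIED' \
        > "$tmp/log.winbindd"
    wb_out='failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user grantma'

    if check_rpc_helpers "$tmp/libexec"; then
        echo "helpers: ok"
    else
        echo "helpers: FAIL"
    fi
    echo "samr denied lines: $(count_samr_denied "$tmp/log.winbindd")"
    echo "wbinfo -r verdict: $(classify_wbinfo_groups "$wb_out")"
    rm -rf "$tmp"
}

demo
```

On a real host the same functions would be pointed at /usr/libexec/samba and at the winbind log under the directory named by the attached smb.conf's `log file` setting (log.winbindd is the usual name, an assumption here), with `wbinfo -r USER 2>&1` captured into the variable passed to classify_wbinfo_groups. The helper check is deliberately independent of the log check: the report shows the lookup failing both when the binaries are absent and when they are present but unreadable, and the two checks distinguish those cases.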