
enterprise-support team mailing list archive

[Bug 2121874] [NEW] Samba Winbind cannot enumerate groups of users in main domain


Public bug reported:

Our setup:
- MAINDOMAIN: domain controller is Windows server (version unknown)
- SUBDOMAIN: domain controller is Windows server 2016
- Our PC is running ubuntu 20.04 with samba+winbind 2:4.15.13+dfsg-0ubuntu0.20.04.8 and has joined the SUBDOMAIN.

Problem:
1) First we make sure that the samlogon cache is empty.
2) wbinfo --user-groups SUBDOMAIN+user1: works fine.
3) wbinfo --user-groups MAINDOMAIN+user2: returns only two groups, 'MAINDOMA+Domain users' and 'MAINDOMAIN+user2', although user2 is a member of 10+ groups defined in MAINDOMAIN.
We cannot retrieve the groups of users which are part of the MAINDOMAIN, but we can for users in SUBDOMAIN. (Note that our Ubuntu PC has joined the SUBDOMAIN.)
Further, if the same user logs on to our Ubuntu 20 PC as MAINDOMAIN+user2 via SSH, the login succeeds, the command 'groups' shows all the 10+ groups, and we see that the samlogon cache contains the SID of user2.
In other words: group membership is retrieved from MAINDOMAIN correctly during SSH login. But if we query the same group membership on the Ubuntu PC as the root user (with an empty samlogon cache), then retrieving the groups fails (returns only two trivial groups).

A similar question can be found here:
https://unix.stackexchange.com/questions/790257/samba-winbind-in-trusted-forest-cant-enumerate-group-membership


Thank you for your help in advance,
Andreas Zolnay


In log.winbind we see no answer at all for the call wbint_LookupUserGroups:

[2025/09/02 16:10:21.351111,  3, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_util.c:1877(lookup_usergroups_cached)
  : lookup_usergroups_cached
[2025/09/02 16:10:21.351122, 10, pid=3705410, effective(0, 0), real(0, 0)] ../../source3/libsmb/samlogon_cache.c:252(netsamlogon_cache_get)
  netsamlogon_cache_get: SID [S-1-5-21-932686498-1610486119-1155464205-60382]
[2025/09/02 16:10:21.351138,  1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          in: struct wbint_LookupUserGroups
              sid                      : *
                  sid                      : S-1-5-21-932686498-1610486119-1155464205-60382
[2025/09/02 16:10:21.351165, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x560f0879b4a0
[2025/09/02 16:10:21.351177, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x560f0879b4a0
[2025/09/02 16:10:21.351196,  1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
       wbint_DsGetDcName: struct wbint_DsGetDcName
          in: struct wbint_DsGetDcName
              domain_name              : *
                  domain_name              : 'MAINDOMAIN'
              domain_guid              : NULL
              site_name                : NULL
              flags                    : 0x40000000 (1073741824)
[2025/09/02 16:10:21.351230, 10, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:3487(get_global_winbindd_state_offline)
  get_global_winbindd_state_offline: Offline state not set.
[2025/09/02 16:10:21.351243, 10, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual_ndr.c:111(wbint_bh_raw_call_send)
  wbint_bh_raw_call_send: Got opnum 15 for domain SUBDOMAIN from cache
[2025/09/02 16:10:21.351253, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: Schedule immediate event "tevent_req_trigger": 0x560f087a6d00
[2025/09/02 16:10:21.351263, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: Run immediate event "tevent_req_trigger": 0x560f087a6d00
[2025/09/02 16:10:21.351274,  1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
       wbint_DsGetDcName: struct wbint_DsGetDcName
          out: struct wbint_DsGetDcName
              dc_info                  : *
                  dc_info                  : NULL
              result                   : NT_STATUS_ACCESS_DENIED


smb.conf

[global]

   server role = standalone server
   obey pam restrictions = no
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

   security = ADS
   realm = SUBDOMAIN.MAINDOMAIN.NL
   workgroup = SUBDOMAIN
   winbind separator = +
   winbind refresh tickets = yes
   allow trusted domains = yes
   kerberos method = secrets and keytab

   idmap config * : backend = tdb
   idmap config * : range = 3000000 - 3999999

   idmap config SUBDOMAIN : backend = rid
   idmap config SUBDOMAIN : range = 2000000 - 2999999

   idmap config MAINDOMAIN : backend = rid
   idmap config MAINDOMAIN : range = 1000000 - 1999999

   winbind scan trusted domains = yes
   winbind use krb5 enterprise principals = yes

   winbind enum users = yes
   winbind enum groups = yes
   winbind expand groups = 0

   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   
   lock directory = /var/cache/samba

   winbind use default domain = no
   restrict anonymous = 2

   strict locking = no

   wide links = yes
   unix extensions = no
   hide dot files = no

   wide links = yes
   unix extensions = no
   hide dot files = no

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   store dos attributes = no

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New
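A small parser, added here and not part of the bug report, that pairs the wbint_DsGetDcName request ("in") and reply ("out") records in a log.winbind excerpt so the DC lookup for the trusted domain and its NT_STATUS_ACCESS_DENIED result can be spotted without reading the surrounding tevent noise. The embedded sample log is a constructed, shortened copy of the records quoted above (record headers abbreviated), not the reporter's verbatim log.

```python
import re

# Constructed excerpt modelled on the log.winbind records quoted in the report (headers shortened).
SAMPLE_LOG = """\
[2025/09/02 16:10:21.351196,  1, pid=3705410, class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
       wbint_DsGetDcName: struct wbint_DsGetDcName
          in: struct wbint_DsGetDcName
              domain_name              : *
                  domain_name              : 'MAINDOMAIN'
              domain_guid              : NULL
              flags                    : 0x40000000 (1073741824)
[2025/09/02 16:10:21.351274,  1, pid=3705410, class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
       wbint_DsGetDcName: struct wbint_DsGetDcName
          out: struct wbint_DsGetDcName
              dc_info                  : *
                  dc_info                  : NULL
              result                   : NT_STATUS_ACCESS_DENIED
"""

RECORD_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} ")                 # start of a debug record
DIR_RE = re.compile(r"^\s+(in|out): struct wbint_DsGetDcName$")  # in/out block of the call
KV_RE = re.compile(r"^\s+(\w+)\s+:\s+(.*)$")                     # 'name : value' field line

def _dsgetdcname_blocks(log_text):
    """Collect the fields of every wbint_DsGetDcName in/out block, in log order."""
    blocks = []
    fields = None
    for line in log_text.splitlines():
        if RECORD_RE.match(line):          # a new record closes the block being read
            fields = None
        elif (m := DIR_RE.match(line)):
            fields = {"direction": m.group(1)}
            blocks.append(fields)
        elif fields is not None and (kv := KV_RE.match(line)) and kv.group(2) != "*":
            fields[kv.group(1)] = kv.group(2).strip("'")  # '*' is a pointer; the value follows
    return blocks

def parse_dsgetdcname_calls(log_text):
    """Pair each 'in' block with the next 'out' block to reconstruct one DC lookup."""
    calls = []
    pending = None
    for blk in _dsgetdcname_blocks(log_text):
        if blk["direction"] == "in":
            pending = {"domain": blk.get("domain_name"), "flags": blk.get("flags")}
        elif pending is not None:          # 'out' answering the pending request
            pending.update(dc_info=blk.get("dc_info"), result=blk.get("result"))
            calls.append(pending)
            pending = None
    return calls
```

Run against a real log.winbind captured at debug level 1 or higher (the level at which ndr_print_function_debug records appear); a call whose result is not NT_STATUS_OK for a trusted domain marks where the group lookup stops.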

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2121874

Title:
  Samba Winbind cannot enumerate groups of users in main domain

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2121874/+subscriptions