enterprise-support team mailing list archive
Message #10988
[Bug 2121874] [NEW] Samba Winbind cannot enumerate groups of users in main domain
Public bug reported:
Our setup:
- MAINDOMAIN: domain controller is Windows server (version unknown)
- SUBDOMAIN: domain controller is Windows server 2016
- Our PC is running Ubuntu 20.04 with samba+winbind 2:4.15.13+dfsg-0ubuntu0.20.04.8 and has joined the SUBDOMAIN.
Problem:
1) First we make sure that the samlogon cache is empty
2) wbinfo --user-groups SUBDOMAIN+user1: works fine.
3) wbinfo --user-groups MAINDOMAIN+user2: returns only two groups: 'MAINDOMA+Domain users' and 'MAINDOMAIN+user2' although user2 is member of 10+ groups defined in MAINDOMAIN.
We cannot retrieve the groups of users which are part of the MAINDOMAIN, but we can for users in SUBDOMAIN. (Note that our Ubuntu PC has joined the SUBDOMAIN.)
Further, if the same user logs on to our Ubuntu 20 PC using the MAINDOMAIN+user2 user via SSH, login succeeds, the command 'groups' shows all the 10+ groups, and we see that the samlogon cache contains the SID of user2.
In other words: group membership is retrieved from MAINDOMAIN during SSH login correctly. But if we query the same group membership on the Ubuntu PC as root user (empty samlogon cache), then retrieving the groups fails (returns only two trivial groups).
A similar question can be found here:
https://unix.stackexchange.com/questions/790257/samba-winbind-in-trusted-forest-cant-enumerate-group-membership
Thank you for your help in advance,
Andreas Zolnay
In the log.winbind, we see no answer at all for the call
wbint_LookupUserGroups:
[2025/09/02 16:10:21.351111, 3, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_util.c:1877(lookup_usergroups_cached)
: lookup_usergroups_cached
[2025/09/02 16:10:21.351122, 10, pid=3705410, effective(0, 0), real(0, 0)] ../../source3/libsmb/samlogon_cache.c:252(netsamlogon_cache_get)
netsamlogon_cache_get: SID [S-1-5-21-932686498-1610486119-1155464205-60382]
[2025/09/02 16:10:21.351138, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
wbint_LookupUserGroups: struct wbint_LookupUserGroups
in: struct wbint_LookupUserGroups
sid : *
sid : S-1-5-21-932686498-1610486119-1155464205-60382
[2025/09/02 16:10:21.351165, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x560f0879b4a0
[2025/09/02 16:10:21.351177, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x560f0879b4a0
[2025/09/02 16:10:21.351196, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
wbint_DsGetDcName: struct wbint_DsGetDcName
in: struct wbint_DsGetDcName
domain_name : *
domain_name : 'MAINDOMAIN'
domain_guid : NULL
site_name : NULL
flags : 0x40000000 (1073741824)
[2025/09/02 16:10:21.351230, 10, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:3487(get_global_winbindd_state_offline)
get_global_winbindd_state_offline: Offline state not set.
[2025/09/02 16:10:21.351243, 10, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual_ndr.c:111(wbint_bh_raw_call_send)
wbint_bh_raw_call_send: Got opnum 15 for domain SUBDOMAIN from cache
[2025/09/02 16:10:21.351253, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x560f087a6d00
[2025/09/02 16:10:21.351263, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
samba_tevent: Run immediate event "tevent_req_trigger": 0x560f087a6d00
[2025/09/02 16:10:21.351274, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
wbint_DsGetDcName: struct wbint_DsGetDcName
out: struct wbint_DsGetDcName
dc_info : *
dc_info : NULL
result : NT_STATUS_ACCESS_DENIED
smb.conf
[global]
server role = standalone server
obey pam restrictions = no
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
security = ADS
realm = SUBDOMAIN.MAINDOMAIN.NL
workgroup = SUBDOMAIN
winbind separator = +
winbind refresh tickets = yes
allow trusted domains = yes
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 3000000 - 3999999
idmap config SUBDOMAIN : backend = rid
idmap config SUBDOMAIN : range = 2000000 - 2999999
idmap config MAINDOMAIN : backend = rid
idmap config MAINDOMAIN : range = 1000000 - 1999999
winbind scan trusted domains = yes
winbind use krb5 enterprise principals = yes
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 0
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
lock directory = /var/cache/samba
winbind use default domain = no
restrict anonymous = 2
strict locking = no
wide links = yes
unix extensions = no
hide dot files = no
wide links = yes
unix extensions = no
hide dot files = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
store dos attributes = no
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2121874
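Added example (not part of the original bug report and not Samba code): a small Python parser for the log.winbind format shown in the report, which lists wbint replies carrying a non-OK NT status and requests that never received a reply. The function name summarize and the routed_to association (the most recent "Got opnum ... for domain" line) are assumptions of this example; the embedded sample is copied from the excerpt in the report, with the tevent entries and three NULL/flags fields left out.

```python
import re

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+), +\d+, pid=\d+,.*?\] +\S+:\d+\(\w+\)")
NDR = re.compile(r"^\s*(in|out): struct (\w+)")        # direction line of an NDR dump
FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*$")        # "name : value" inside a dump
ROUTE = re.compile(r"Got opnum \d+ for domain (\S+)")   # domain child a call was queued to
# Entries copied from the log.winbind excerpt in the report (tevent entries left out).
SAMPLE = """\
[2025/09/02 16:10:21.351138, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
wbint_LookupUserGroups: struct wbint_LookupUserGroups
in: struct wbint_LookupUserGroups
sid : *
sid : S-1-5-21-932686498-1610486119-1155464205-60382
[2025/09/02 16:10:21.351196, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
wbint_DsGetDcName: struct wbint_DsGetDcName
in: struct wbint_DsGetDcName
domain_name : *
domain_name : 'MAINDOMAIN'
[2025/09/02 16:10:21.351243, 10, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual_ndr.c:111(wbint_bh_raw_call_send)
wbint_bh_raw_call_send: Got opnum 15 for domain SUBDOMAIN from cache
[2025/09/02 16:10:21.351274, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
wbint_DsGetDcName: struct wbint_DsGetDcName
out: struct wbint_DsGetDcName
dc_info : *
dc_info : NULL
result : NT_STATUS_ACCESS_DENIED
"""

def summarize(text):
    """Return (failed replies, requests that never got a reply) from a winbind debug log."""
    pending, failed = {}, []
    ts = route = call = direction = None
    for line in text.splitlines():
        if (h := HEADER.match(line)):                 # new log entry: reset dump state
            ts, call, direction = h["ts"], None, None
        elif (n := NDR.match(line)):
            direction, call = n[1], n[2]
            if direction == "in":
                pending[call] = {}                    # keyed by call name (heuristic)
        elif (r := ROUTE.search(line)):
            route = r[1]                              # assumption: applies to the next reply
        elif call and (f := FIELD.match(line)) and f[2] != "*":   # "*" marks a pointer
            if direction == "in":
                pending[call][f[1]] = f[2].strip("'")
            elif f[1] == "result":
                request = pending.pop(call, {})
                if f[2] != "NT_STATUS_OK":
                    failed.append(dict(ts=ts, call=call, status=f[2], request=request, routed_to=route))
    return failed, pending
```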