[Samba] Samba 4.6.11 member server group resolution not working

Alex Crow acrow at integrafin.co.uk
Fri Dec 15 11:57:07 UTC 2017


Hi,

We recently upgraded some AD member file servers from 4.6.7 to 4.6.11. 
Since then, "getent group" has been failing to return groups properly 
after winbind's been running for a couple of days. We have a lot of 
entries in log.wb-<DOMAIN> like this:

[2017/12/15 11:39:47.959368,  1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
   lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:39:47.962929,  1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:39:47.972992,  1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:39:47.973067,  1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
   lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:39:47.976957,  1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:39:59.400024,  1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
   lsa_lookupsids call failed with NT_STATUS_CONNECTION_DISCONNECTED - retrying...
[2017/12/15 11:39:59.798388,  1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
   lsa_lookupsids call failed with NT_STATUS_CONNECTION_DISCONNECTED - retrying...
[2017/12/15 11:40:13.602515,  1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:40:13.602552,  1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
   lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:40:13.606894,  1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:40:13.623301,  1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:40:13.623329,  1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
   lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:40:13.627004,  1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!

Interestingly, wbinfo -g returns group names but wbinfo -u has stopped 
returning user names.

Sometimes getent group <groupname> will work on certain groups but not 
others (especially ones with lots of members).

SMB.conf:

[global]

         workgroup = thedomain_NET
         realm = samba.thedomain.net
         netbios name = THECLUSTER
         security = ADS
         interfaces = enp4s0f0
         idmap_ldb:use rfc2307 = yes
         clustering = yes
         log file = /var/log/samba/%I
         log level = 1
         max log size = 102400

    idmap config *:backend = tdb
    idmap config *:range = 200000-299999
    idmap config thedomain_NET:backend = ad
    idmap config thedomain_NET:unix_nss_info = yes
    idmap config thedomain_NET:default = yes
    idmap config thedomain_NET:schema_mode = rfc2307
    idmap config thedomain_NET:range = 500-199999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind expand groups = 1
    winbind refresh tickets = Yes

    wide links = yes
    unix extensions = no
    vfs objects = fileid
    fileid:mapping = fsname
    map acl inherit = yes
    guest account = guestfiles
    map to guest = bad user
    nt acl support = yes

nsswitch.conf:

passwd:     files winbind
shadow:     files sss
group:      files winbind

Also getting groups for users fails on some groups:

# groups xxx
xxx : groups: cannot find name for group ID 513
513 iii_group groups: cannot find name for group ID 1012
1012 groups: cannot find name for group ID 1102
1102 iii_localadmin iii_confluence iii_inf tps_fix commfonts software 
groups: cannot find name for group ID 1013
...

Any ideas?

Cheers,

Alex
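
A triage script for winbindd log entries like those quoted in the message above, added here as an example and not part of the original post or of Samba: it tolerates mail-client line wraps and tallies failed calls by NT status and RPC faults by domain controller. The regular expressions and the sample text are assumptions built from the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed sample shaped like the log.wb-<DOMAIN> excerpt in the post:
# a "[timestamp, level] file:line(function)" header, then the message,
# with the hard line wraps a mail client introduces.
SAMPLE = """\
[2017/12/15 11:39:47.959368,  1]
../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
   lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR -
retrying...
[2017/12/15 11:39:47.962929,  1]
../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:568: RPC fault code
DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:39:59.400024,  1]
../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
   lsa_lookupsids call failed with NT_STATUS_CONNECTION_DISCONNECTED -
retrying...
"""

# Assumed patterns, derived only from the entries quoted in the post.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
FAILED = re.compile(r"\((\w+)\)\s+(\w+) call failed with (NT_STATUS_\w+)")
FAULT = re.compile(r"RPC fault code (\w+) received from host ([\w.-]+?)!")

def entries(text):
    """Yield (timestamp, level, body) per entry, rejoining wrapped lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            rest = m.group(3).strip()
            current = (m.group(1), int(m.group(2)), [rest] if rest else [])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def summarize(text):
    """Count failed calls by (function, call, status) and RPC faults by (host, code)."""
    failures, faults = Counter(), Counter()
    for _ts, _level, body in entries(text):
        if m := FAILED.search(body):
            failures[m.groups()] += 1
        if m := FAULT.search(body):
            faults[(m.group(2), m.group(1))] += 1
    return failures, faults
```

Running `summarize()` over the full log file shows whether the faults come from one domain controller or from several.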
