[Samba] winbind -r not showing any groups

Andrew Bartlett abartlet at samba.org
Tue Jun 21 08:02:44 UTC 2022


On Tue, 2022-06-21 at 09:22 +0200, Andreas Hauffe via samba wrote:
> Dear list,
> 
> I'm using SAMBA 4.16.2 on an openSUSE Leap 15.4 platform as a domain 
> member, but I'm unable to get "winbind -r" to work. Also the linux 
> "groups" command shows local groups only (as a result?).
> 
> When running "winbind -r DOM+username" I'm getting the following error
> in the logs:
> 
> Jun 21 09:02:23 lftworkli06 winbindd[12376]: [2022/06/21 09:02:23.768314,  0] ../../source3/winbindd/winbindd_samr.c:72(open_internal_samr_conn)
> Jun 21 09:02:23 lftworkli06 winbindd[12376]:   open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_CONNECTION_DISCONNECTED

Samba 4.16 moved the internal SAMR implementation from a shared library
to an internally executed binary.  Your packaging (Debian was caught
likewise) may not have caught up with this, and may not have it as a
strict dependency.

Check if installing more bits of samba fixes your issue.

> smb.conf
> 
> [global]
> 
>     netbios name = lftworkli06
>     security = ADS
>     workgroup = ILRW
>     realm = ILRW.ING.DOM.TU-DRESDEN.DE
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
> 
>     #rpc start on demand helpers = false
> 
>     template homedir = /home/home_ilrw/%U
>     template shell = /bin/bash
> 
>     winbind refresh tickets = yes
>     winbind separator = +
> 
>     idmap config * : backend = tdb
>     idmap config * : range = 2000-2999
>     idmap config ILRW : backend = rid
>     idmap config ILRW : range = 3000-9999 # UID from RID for ILRW
>     idmap config DOM : backend = rid
>     idmap config DOM : range = 10000-9999999 # UID from RID for DOM
> 
> krb.conf
> 
> [libdefaults]
>         default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         ticket_lifetime = 24h
>         renew_lifetime = 7d
>         forwardable = true
> 
> [realms]
>    ILRW.ING.DOM.TU-DRESDEN.DE = {
>         auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>         auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>         auth_to_local = DEFAULT
>    }
>    DOM.TU-DRESDEN.DE = {
>         auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>         auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>         auth_to_local = DEFAULT
>    }
> 

I would warn you to look at the first few slides of:

https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf

https://www.youtube.com/watch?v=1BnraIAcybg

Name-based authorization in AD can be very dangerous, if domain users
are mapping the local users without any DOM\ prefix.  Accounts can be
created in the domain via machineAccountQuota that match sensitive
local users, like root.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
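Andrew's warning about name-based authorization, worked through on the rules from the quoted krb5.conf. This is an added example, not code from the thread or from Samba/MIT krb5: a small evaluator for a subset of the MIT Kerberos `auth_to_local` RULE syntax (`RULE:[n:format](regexp)s/pattern/replacement/`, first matching rule wins) plus a check that flags rule sets under which a domain principal named like a sensitive local account would be mapped onto that local account. The supported rule grammar, the `DEFAULT` semantics modelled here (strip the realm only for single-component principals in the default realm) and the list of sensitive local names are assumptions of this example. With the quoted rules every principal lands on a `DOMAIN+user` name, so a domain account called `root` becomes `ILRW+root`; a `DEFAULT`-only configuration would map `root@ILRW.ING.DOM.TU-DRESDEN.DE` straight onto the local `root` account, which is the case the linked slides describe.

```python
import re

# Constructed from the krb5.conf quoted in the thread.
DEFAULT_REALM = "ILRW.ING.DOM.TU-DRESDEN.DE"
THREAD_RULES = [
    r"RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/",
    r"RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/",
    "DEFAULT",
]

# Assumed subset of the MIT krb5 auth_to_local RULE grammar:
#   RULE:[<n>:<format>](<regexp>)s/<pattern>/<replacement>/[g]
# (regexp) and s/// are optional; a ')' inside <regexp> is not supported here.
_RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"                          # component count, format string
    r"(?:\(([^)]*)\))?"                                  # optional selector regexp
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?"   # optional substitution
)


def apply_rule(rule, components, realm):
    """Local name produced by one RULE, or None when the rule does not apply."""
    m = _RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, fmt, selector, pattern, replacement, global_flag = m.groups()
    if int(ncomp) != len(components):
        return None  # e.g. RULE:[1:...] never applies to host/fqdn principals
    text = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the name components
    for i, comp in reversed(list(enumerate(components, start=1))):
        text = text.replace(f"${i}", comp)
    if selector is not None and re.fullmatch(selector, text) is None:
        return None
    if pattern is not None:
        text = re.sub(pattern, replacement, text, count=0 if global_flag else 1)
    return text


def auth_to_local(principal, rules, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a local user name; first matching rule wins."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # Assumed DEFAULT semantics: bare name only for single-component
            # principals whose realm is the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        mapped = apply_rule(rule, components, realm)
        if mapped is not None:
            return mapped
    return None  # no rule matched: the login is refused


# Assumed list of local accounts a domain-created account must never map onto.
SENSITIVE_LOCAL_NAMES = ("root", "admin", "administrator")


def rules_can_hit_local_account(rules, realms, local_names=SENSITIVE_LOCAL_NAMES,
                                default_realm=DEFAULT_REALM):
    """(principal, local name) pairs where a domain principal whose short name
    equals a sensitive local account would be mapped onto that local account."""
    hits = []
    for realm in realms:
        for local in local_names:
            principal = f"{local}@{realm}"
            if auth_to_local(principal, rules, default_realm) == local:
                hits.append((principal, local))
    return hits


if __name__ == "__main__":
    realms = [DEFAULT_REALM, "DOM.TU-DRESDEN.DE"]
    print(auth_to_local("jdoe@ILRW.ING.DOM.TU-DRESDEN.DE", THREAD_RULES))  # ILRW+jdoe
    print(auth_to_local("root@DOM.TU-DRESDEN.DE", THREAD_RULES))          # DOM+root
    print(rules_can_hit_local_account(THREAD_RULES, realms))              # []
    print(rules_can_hit_local_account(["DEFAULT"], [DEFAULT_REALM]))      # root, admin, administrator hits
```

The checker is the part worth keeping around: run it against the `auth_to_local` rule list for every realm the machine trusts, and treat any non-empty result as a misconfiguration, since with `machineAccountQuota` in play the domain side of such a name collision is not under the local administrator's control.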
