[Samba] winbind -r not showing any groups

Andreas Hauffe andreas.hauffe@tu-dresden.de
Tue Jun 21 12:39:33 UTC 2022


Hi,

I tried to find missing libraries and dependencies but haven't found any.

I'm getting a full list of the SIDs of all domain groups of the user for 
"wbinfo --user-domgroups=$SID_OF_DOM+USERNAME$", and "wbinfo 
--sid-to-fullname=$SID_OF_A_GROUP$" also returns the correct name. So 
perhaps there is nothing missing.

Only in the case of "wbinfo -r DOM+username" I'm getting no results, and 
the logs look as if the mapping of the group SIDs with the rid backend 
is not working here.

[2022/06/21 14:32:55.235582,  3, pid=28151, effective(0, 0), real(0, 0), 
class=winbind] 
../../source3/winbindd/winbindd_util.c:1910(lookup_usergroups_cached)
  : lookup_usergroups_cached succeeded
[2022/06/21 14:32:55.235653,  1, pid=28151, effective(0, 0), real(0, 0), 
class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
       wbint_LookupUserAliases: struct wbint_LookupUserAliases
          in: struct wbint_LookupUserAliases
              sids                     : *
                  sids: struct wbint_SidArray
                      num_sids                 : 0x0000004d (77)
                      sids: ARRAY(77)

... list of SIDs ...

[2022/06/21 14:32:55.237773,  1, pid=28151, effective(0, 0), real(0, 0), 
class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
       wbint_LookupUserAliases: struct wbint_LookupUserAliases
          out: struct wbint_LookupUserAliases
              rids                     : *
                  rids: struct wbint_RidArray
                      num_rids                 : 0x00000000 (0)
                      rids: ARRAY(0)
              result                   : NT_STATUS_CONNECTION_DISCONNECTED
[2022/06/21 14:32:55.237825,  5, pid=28151, effective(0, 0), real(0, 0), 
class=winbind] 
../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-2997476295-479482163-1603050229-93321: 
NT_STATUS_CONNECTION_DISCONNECTED
[2022/06/21 14:32:55.237835, 10, pid=28151, effective(0, 0), real(0, 0), 
class=winbind] ../../source3/winbindd/winbindd.c:805(process_request_done)
  process_request_done: [wbinfo(2859):GETGROUPS]: 
NT_STATUS_CONNECTION_DISCONNECTED
[2022/06/21 14:32:55.237856, 10, pid=28151, effective(0, 0), real(0, 0), 
class=winbind] 
../../source3/winbindd/winbindd.c:849(process_request_written)
  process_request_written: [wbinfo(2859):GETGROUPS]: delivered response 
to client
[2022/06/21 14:32:55.237978,  6, pid=28151, effective(0, 0), real(0, 0), 
class=winbind] 
../../source3/winbindd/winbindd.c:964(winbind_client_request_read)
  closing socket 23, client exited

Regards,

-- 
Andreas Hauffe
On 21.06.22 at 10:02, Andrew Bartlett wrote:
> On Tue, 2022-06-21 at 09:22 +0200, Andreas Hauffe via samba wrote:
>> Dear list,
>>
>> I'm using SAMBA 4.16.2 on an openSUSE Leap 15.4 platform as a domain
>> member, but I'm unable to get "winbind -r" to work. Also the Linux
>> "groups" command shows local groups only (as a result?).
>>
>> When running "winbind -r DOM+username" I'm getting the following
>> error in the logs:
>>
>> Jun 21 09:02:23 lftworkli06 winbindd[12376]: [2022/06/21
>> 09:02:23.768314,  0]
>> ../../source3/winbindd/winbindd_samr.c:72(open_internal_samr_conn)
>> Jun 21 09:02:23 lftworkli06 winbindd[12376]:
>>    open_internal_samr_conn:
>> Could not connect to samr pipe: NT_STATUS_CONNECTION_DISCONNECTED
> Samba 4.16 moved the internal SAMR implementation from a shared library
> to an internally executed binary.  Your packaging (Debian was caught
> likewise) may not have caught up with this, and may not have it as a
> strict dependency.
>
> Check if installing more bits of samba fixes your issue.
>
>> smb.conf
>>
>> [global]
>>
>>      netbios name = lftworkli06
>>      security = ADS
>>      workgroup = ILRW
>>      realm = ILRW.ING.DOM.TU-DRESDEN.DE
>>      dedicated keytab file = /etc/krb5.keytab
>>      kerberos method = secrets and keytab
>>
>>      #rpc start on demand helpers = false
>>
>>      template homedir = /home/home_ilrw/%U
>>      template shell = /bin/bash
>>
>>      winbind refresh tickets = yes
>>      winbind separator = +
>>
>>      idmap config * : backend = tdb
>>      idmap config * : range = 2000-2999
>>      idmap config ILRW : backend = rid
>>      idmap config ILRW : range = 3000-9999 # UID from RID for ILRW
>>      idmap config DOM : backend = rid
>>      idmap config DOM : range = 10000-9999999 # UID from RID for DOM
>>
>> krb.conf
>>
>> [libdefaults]
>>          default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
>>          dns_lookup_realm = false
>>          dns_lookup_kdc = true
>>          ticket_lifetime = 24h
>>          renew_lifetime = 7d
>>          forwardable = true
>>
>> [realms]
>>     ILRW.ING.DOM.TU-DRESDEN.DE = {
>>          auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>>          auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>>          auth_to_local = DEFAULT
>>     }
>>     DOM.TU-DRESDEN.DE = {
>>          auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>>          auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>>          auth_to_local = DEFAULT
>>     }
>>
> I would warn you to look at the first few slides of:
>
> https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf
>
> https://www.youtube.com/watch?v=1BnraIAcybg
>
> Name-based authorization in AD can be very dangerous if domain users
> are mapped to local users without any DOM\ prefix.  Accounts can be
> created in the domain via machineAccountQuota that match sensitive
> local users, like root.
>
> Andrew Bartlett
>
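A toy evaluator for the auth_to_local rules quoted in the krb5.conf above, added here as an example (it is not code from the thread, from MIT Kerberos or from Samba) to make the warning in the reply concrete. It implements the MIT krb5.conf RULE form [n:string](regexp)s/pattern/replacement/[g] and the DEFAULT rule (a single-component principal in the default realm maps to its bare name). Two simplifications are this example's own assumptions: the selector regexp has to match the whole built string, and Python's re is used in place of the library's POSIX regex engine. The rule strings are the ones from the post; the principal names fed to them are constructed.

```python
import re
from typing import List, Optional

# Constructed sample input: the auth_to_local lines quoted in the thread's
# krb5.conf, in the order they appear there.
DEFAULT_REALM = "ILRW.ING.DOM.TU-DRESDEN.DE"
PAGE_RULES = [
    r"RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/",
    r"RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/",
    "DEFAULT",
]

# RULE:[n:string](regexp)s/pattern/replacement/[g]  (MIT krb5.conf syntax)
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def _split_principal(principal: str):
    """'a/b@REALM' -> (['a', 'b'], 'REALM')."""
    if "@" not in principal:
        raise ValueError(f"principal without realm: {principal}")
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def _apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Evaluate one RULE line; None means 'this rule does not apply'."""
    m = _RULE.match(rule)
    if m is None:
        raise ValueError(f"unparseable auth_to_local rule: {rule}")
    ncomp, template, selector, pattern, replacement, flag = m.groups()
    if int(ncomp) != len(components):
        return None  # [n:...] selects only principals with exactly n components
    # $0 is the realm, $1..$n the components; one pass, so substituted text
    # is never expanded again.
    values = [realm] + components
    selected = re.sub(r"\$(\d+)", lambda v: values[int(v.group(1))], template)
    # Assumption of this toy: the selector must match the whole built string.
    if re.fullmatch(selector, selected) is None:
        return None
    return re.sub(pattern, replacement, selected, count=0 if flag == "g" else 1)


def local_name(principal: str, rules: List[str],
               default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Local user name for `principal` under `rules`, or None if nothing maps it."""
    components, realm = _split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT applies only to a single-component principal in the
            # default realm and yields the bare component.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        result = _apply_rule(rule, components, realm)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for p in ("andreas@ILRW.ING.DOM.TU-DRESDEN.DE", "bob@DOM.TU-DRESDEN.DE",
              "host/lftworkli06@ILRW.ING.DOM.TU-DRESDEN.DE"):
        print(f"{p:48} -> {local_name(p, PAGE_RULES)}")
    # The hazard from the reply: with only DEFAULT, a domain account that
    # happens to be called "root" maps straight onto the local root user.
    print("DEFAULT only:", local_name("root@ILRW.ING.DOM.TU-DRESDEN.DE", ["DEFAULT"]))
    print("page rules  :", local_name("root@ILRW.ING.DOM.TU-DRESDEN.DE", PAGE_RULES))
```

The last two lines are the point: a bare DEFAULT turns root@ILRW.ING.DOM.TU-DRESDEN.DE into the local name root, whereas the RULE lines from the post keep the realm as an ILRW+ prefix, so a domain account named like a sensitive local user can never collide with it. Note that the rules only cover single-component principals; anything else (the host/ principal in the sample) falls through to DEFAULT and is rejected there because it has two components.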

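The idmap_rid arithmetic behind the quoted smb.conf, as an added example that is not part of the thread or of Samba's own code. It applies the rid backend's documented mapping (ID = RID - base_rid + low end of the range, with RIDs that would land outside the range left unmapped) to the ranges from the post and to the RID of the group SID that winbindd reported it could not convert. The thread does not say which domain that SID belongs to; the example only shows what each configured range could hold, and it also checks that no two ranges overlap. The smb.conf lines and the SID are copied from the thread (trailing comments dropped); the function names are this example's own, and its range parser accepts only a plain low-high pair.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the idmap settings quoted from the thread's smb.conf
# and the group SID winbindd failed to convert in the debug log above.
SMB_CONF_IDMAP = """\
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config ILRW : backend = rid
idmap config ILRW : range = 3000-9999
idmap config DOM : backend = rid
idmap config DOM : range = 10000-9999999
"""
LOGGED_SID = "S-1-5-21-2997476295-479482163-1603050229-93321"

_IDMAP_LINE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap_config(text: str) -> Dict[str, dict]:
    """Collect per-domain idmap settings: backend, low/high range, base_rid."""
    cfg: Dict[str, dict] = {}
    for line in text.splitlines():
        m = _IDMAP_LINE.match(line)
        if not m:
            continue
        domain, key, value = m.groups()
        d = cfg.setdefault(domain, {"backend": None, "low": None,
                                    "high": None, "base_rid": 0})
        if key == "backend":
            d["backend"] = value
        elif key == "range":
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if r is None:
                raise ValueError(f"bad range for {domain}: {value!r}")
            d["low"], d["high"] = int(r.group(1)), int(r.group(2))
        elif key == "base_rid":
            d["base_rid"] = int(value)
    return cfg


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(domain_cfg: dict, rid: int) -> Optional[int]:
    """idmap_rid mapping: ID = RID - base_rid + low; None when outside the range."""
    if domain_cfg["backend"] != "rid":
        raise ValueError("not an idmap_rid domain")
    uid = rid - domain_cfg["base_rid"] + domain_cfg["low"]
    if uid < domain_cfg["low"] or uid > domain_cfg["high"]:
        return None
    return uid


def max_mappable_rid(domain_cfg: dict) -> int:
    """Largest RID an idmap_rid range can hold."""
    return domain_cfg["high"] - domain_cfg["low"] + domain_cfg["base_rid"]


def overlapping_ranges(cfg: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ID ranges intersect; every range must be disjoint."""
    names = [n for n, d in cfg.items() if d["low"] is not None]
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if cfg[a]["low"] <= cfg[b]["high"] and cfg[b]["low"] <= cfg[a]["high"]]


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF_IDMAP)
    rid = rid_of(LOGGED_SID)
    for dom in ("ILRW", "DOM"):
        print(f"{dom}: RID {rid} -> {rid_to_id(cfg[dom], rid)} "
              f"(range holds RIDs up to {max_mappable_rid(cfg[dom])})")
    print("overlapping ranges:", overlapping_ranges(cfg))
```

Running it shows that a 3000-9999 range can only represent RIDs up to 6999, so RID 93321 is unmappable there, while 10000-9999999 maps it to 103321. With the rid backend the range width, not just its start, decides which accounts get an ID at all, and this is silent until a lookup fails.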
