
Bug#1012240: winbind does not return AD groups a user is a member of AT ALL, or only one


Matthew Grant

Jun 2, 2022, 1:00:03 AM
Package: winbind
Version: 2:4.16.1+mag-1
Severity: important

Dear Maintainer,

I have rebuilt samba 4.16.1 packages as I am including a samba INTERNAL DNS
patch, but I have not altered the packaging significantly other than this, and
have not touched winbind.

I have been finding that when I login to the machine using a user from samba AD, with groups from samba AD, none of those AD groups that user is a member of
show up in the output from the 'groups' command.

Furthermore:

shalom: -root- [/home/admin]
# wbinfo -r grantma
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user grantma

And in the samba logs:

[2022/06/02 16:30:45.687576, 0] ../../source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn)
open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_ACCESS_DENIED

The above works fine when the samba package is installed along with winbind.

After the call, I find that the following programs are running:

shalom: -root- [/home/admin]
# ps -ef | grep samba
root 139564 1 0 16:29 ? 00:00:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=40 --np-helper --debuglevel=0
root 139574 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=5 --debuglevel=0
root 139576 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=6 --debuglevel=0
root 139578 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=7 --debuglevel=0
root 139580 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=8 --debuglevel=0
root 139583 136857 0 16:29 pts/5 00:00:00 grep samba

When the above binaries' permissions are set by:

shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad

the following happens:

shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad

It appears that winbind needs samba-dcerpcd and rpcd_lsad to function
correctly. Could these binaries and dependent libraries be moved to the
winbind package please?

Thank you!

Matt Grant


-- Package-specific info:
* /etc/samba/smb.conf present, and attached
* /var/lib/samba/dhcp.conf not present

-- System Information:
Debian Release: 11.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.40-amd64-mag-lts (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages winbind depends on:
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u3
ii libgnutls30 3.7.1-5
ii libldap-2.4-2 2.4.57+dfsg-3+deb11u1
ii libpopt0 1.18-2
ii libtalloc2 2.3.3+mag-1~0mag0
ii libtdb1 1.4.6+mag-1
ii libtevent0 0.11.0+mag-1~0mag0
ii libwbclient0 2:4.16.1+mag-1
ii lsb-base 11.1.0
ii samba-common 2:4.16.1+mag-1
ii samba-common-bin 2:4.16.1+mag-1
ii samba-libs 2:4.16.1+mag-1

winbind recommends no packages.

Versions of packages winbind suggests:
ii libnss-winbind 2:4.16.1+mag-1
ii libpam-winbind 2:4.16.1+mag-1

-- no debconf information
smb.conf

Andrew Bartlett

Jun 2, 2022, 4:00:04 AM
Just make sure we don't get the opposite problem if smbd is installed
without winbindd.

(I've not checked the deps, but upstream you can still run smbd
without winbindd for a standalone fileserver)

Michael Tokarev

Jun 2, 2022, 11:40:07 AM
Where can one find some information about these new binaries,
how they're being used and by what?

For quite some time I had a standalone machine with smbd & nmbd running
(this is my primary work machine where I build samba and usually experiment
with the newly built binaries). Usually, systemctl restart smbd nmbd has
been enough. But a few times already I've seen other binaries, something
from /usr/libexec/samba/ - like mentioned in this bugreport before. I don't
know who started these and why, and why they're left running.

Thanks,

/mjt

Andrew Bartlett

Jun 2, 2022, 12:10:03 PM
On Thu, 2022-06-02 at 18:37 +0300, Michael Tokarev wrote:
> 02.06.2022 10:38, Andrew Bartlett wrote:
>
> > Just make sure we don't get the opposite problem if smbd is installed
> > without winbindd.
> > (I've not checked the deps, but upstream you can still run smbd
> > without winbindd for a standalone fileserver)
>
> Where can one find some information about these new binaries,
> how they're being used and by what?

Ask us really, particularly if there isn't a manpage. This new DCE/RPC
server approach was mentioned in the WHATSNEW, but perhaps not to the
detail you need.

Andrew,

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

Michael Tokarev

Jun 2, 2022, 12:50:03 PM
02.06.2022 19:06, Andrew Bartlett wrote:
> On Thu, 2022-06-02 at 18:37 +0300, Michael Tokarev wrote:
..
>> Where can one find some information about these new binaries,
>> how they're being used and by what?
>
> Ask us really, particularly if there isn't a manpage. This new DCE/RPC

Andrew, what are these new dce/rpc server processes, where/when are they being
used? In particular, in context of this bug report, should we split out
some of the new servers into samba-common-bin package for example, so
that winbindd can run them too? (Probably not a good idea for smbclient
which depends on samba-common-bin too). Also, should these processes
be now killed/restarted together with smbd/nmbd/winbindd?

> server approach was mentioned in the WHATSNEW, but perhaps not to the
> detail you need.

See the first changelog entry for debian samba 4.16.0 package :)

Thank you!

/mjt

Matt Grant

Jun 2, 2022, 9:10:04 PM
Hi!

May be best to move the contents of /usr/libexec/samba to samba-libs. 

shalom: -admin- [/usr/libexec/samba]
$ dpkg -S `ldd samba-dcerpcd | grep samba |cut -f 1 -d ' '`  |cut -f 1 -d ':' | sort |uniq
libwbclient0
samba-libs

If you remove the uniq:

shalom: -admin- [/usr/libexec/samba]
$ dpkg -S `ldd samba-dcerpcd | grep samba |cut -f 1 -d ' '`  |cut -f 1 -d ':' | sort | grep samba-libs | wc -l
64

shalom: -admin- [/usr/libexec/samba]
$ dpkg -S `ldd samba-dcerpcd | grep samba |cut -f 1 -d ' '`  |cut -f 1 -d ':' | sort | grep libwbclient0 | wc -l
9

Probably the same for the rest of /usr/libexec/samba

Hope this helps.

Matt Grant
Debian Developer

PS: Have a good set up here at home for testing and development. 2 smbd servers, with 2 samba AD server kvm virtuals, and client kerberos workstations, all mostly configured using ansible. Also extensively uses ZFS. Mostly use all of this at my employer.

Matt Grant

Jun 2, 2022, 9:20:03 PM
Or maybe even a new package to untangle dependencies on libwbclient0, named 'samba-libexec', moving the contents of /usr/libexec/samba to samba-libexec?

Otherwise, libwbclient0 ends up being installed when samba-libs is installed due to depending on samba-libs?

Or far simpler, combine libwbclient0 into samba-libs, and add contents of /usr/libexec/samba.

Michael, you will have to see what works.

Regards,

Matt Grant

Debian Developer

Andrew Bartlett

Jun 2, 2022, 10:40:04 PM
On Fri, 2022-06-03 at 13:08 +1200, Matt Grant wrote:
>
> Otherwise, libwbclient0 ends up being installed when samba-libs is
> installed due to depending on samba-libs?

libwbclient0 should not depend on anything else in Samba (due to
licence requirements) so if there is a linking reason for this we
should check into this.

There have been regressions in the past, so if only expressed in
packaging this might be historical.

Michael Tokarev

Jun 3, 2022, 4:20:04 AM
03.06.2022 04:00, Matt Grant wrote:
> Hi!
>
> May be best to move the contents of /usr/libexec/samba to samba-libs.

No, definitely not. A library is a library, it is multiarch and different
arch must be co-installable.

It might be more appropriate to move these executables to samba-common-bin
as I already mentioned.

But before that I need to understand how/when they're used. Maybe some day
I will find a time to dig into the code to understand this...

/mjt

Michael Tokarev

Jun 3, 2022, 4:20:04 AM
03.06.2022 05:31, Andrew Bartlett wrote:
> On Fri, 2022-06-03 at 13:08 +1200, Matt Grant wrote:
>>
>> Otherwise, libwbclient0 ends up being installed when samba-libs is
>> installed due to depending on samba-libs?

I read this like samba-libs uses libwbclient, not like libwbclient
uses samba-libs (would be wrong).

> libwbclient0 should not depend on anything else in Samba (due to
> licence requirements) so if there is a linking reason for this we
> should check into this.

I did move one more library from samba-libs to libwbclient while
packaging 4.16 on debian.

Overall, this is the current content of libwbclient0.deb:

/usr/lib/x86_64-linux-gnu/libwbclient.so.0.15

/usr/lib/x86_64-linux-gnu/libsamba-util.so.0.0.1
/usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libiov-buf-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libreplace-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libsamba-debug-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libsocket-blocking-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libsys-rw-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libtime-basic-samba4.so.0

Some of these have been there before. Some (I think it was
just one, can't remember which) were added by me during
4.16 packaging time. One of my todo items about samba states
to review which libs are actually used by which binary and
move them between packages - somewhat similar to how I moved
files between samba-libs and python3-samba packages. When I
did 4.16 initially I didn't think much about that aspect, b/c
else we'd not have 4.16 now :)

Now when I looked at this, I don't see why libsamba-util.so is
in there at all. Maybe in 4.13 there was a reason for that,
I don't know the reason for it to be there for 4.16. The
rest (in /samba/) are ones used by libsamba-utils, it seems.

/mjt

Matt Grant

Jun 13, 2022, 4:00:04 AM
FYI, Tested patch after merging Samba 2:4.16.1+dfsg-8 source build with my work, so should apply directly to your current source Michael.



On Mon, 13 Jun 2022 at 19:46, Matt Grant <ma...@mattgrant.net.nz> wrote:
Hi!

Please find attached the patch I made to fix this issue.

It moves the DCE RPC binaries in /usr/libexec/samba into their own package along with required libs from the samba package creating the samba-libexec-dcerpc package, and makes samba and winbind depend on it, thus solving all the issues.

Michael, could you please incorporate this in the sid samba packages you have created?

Kind Regards,

Matt Grant

Michael Tokarev

Jun 13, 2022, 4:00:04 AM
13.06.2022 10:46, Matt Grant wrote:
> Hi!
>
> Please find attached the patch I made to fix this issue.
>
> It moves the DCE RPC binaries in /usr/libexec/samba into their own package along with required libs from the samba package creating the
> samba-libexec-dcerpc package, and makes samba and winbind depend on it, thus solving all the issues.
>
> Michael, could you please incorporate this in the sid samba packages you have created?

Thank you for the work Matt!

For a start I really want some comments from the samba folks about where/when these
binaries are supposed to be used. I understand creating a new package might solve
the immediate issue, based on what we observe now. But without knowledge about how
it is supposed to work, it's difficult to verify if it's done correctly.

And once again, I already suggested moving these binaries to the already existing
samba-common-bin - this will definitely fix the issue too, without us waiting for
the debian NEW queue processing (there's a separate manual procedure in debian each
new binary package has to follow). I'm not convinced a separate binary package is
needed (based on what I observe) - yes, smbclient also uses samba-common-bin, but
so far it's not a problem, it seems. I might be wrong though.

Thank you!

/mjt

Michael Tokarev

Jun 13, 2022, 4:30:03 AM
13.06.2022 10:46, Matt Grant wrote:
> Hi!
>
> Please find attached the patch I made to fix this issue.
>
> It moves the DCE RPC binaries in /usr/libexec/samba into their own package along with required libs from the samba package creating the
> samba-libexec-dcerpc package, and makes samba and winbind depend on it, thus solving all the issues.

Matt, how did you find out the 2 libs -- libRPC-SERVER-LOOP-samba4.so.0 &
libREG-FULL-samba4.so.0 - which can be moved to the new package too, out
of many other libraries in there?

Thanks!

/mjt

Matt Grant

Jun 13, 2022, 5:20:04 AM
Hi Michael!

For the libraries to move from the samba package, just used the following command on each rpcd binary in /usr/libexec/samba:

dpkg -S `ldd rpcd_epmapper | grep samba | cut -f 1 -d ' '`

You could put the contents of this new package (i.e. debian/samba-libexec-dcerpc.install) into the samba-libs package, or samba-common-bin... Samba-libs was my first thought if not creating a new package.

Adding the new samba-libexec-dcerpc package to the archive in my experience is not much of a problem actually. When I have had to create a fresh package as part of an already in archive source (no licensing evaluation needed), the FTP Master team only took a few days to add the new package.  You can email ftpm...@debian.org ahead of the upload to check how long it will take them to get on to it, or you can put it through experimental?  Sid is 'unstable' for a reason.

Here is a good reason for the new package:  samba-dcerpcd and rpcd_* are needed for support binaries for in-kernel ksmbd, though what that will need exactly will require more fleshing out no doubt.  The new package is a start. Check the samba-dcerpcd man page, it helped me work out what to put in the new package, as samba-dcerpcd can call any of the /usr/libexec/samba/rpcd_* binaries

Hope that all helps.

Matt Grant
Debian Developer



Best Regards,

Matt Grant
Debian Developer

Matt Grant

Jun 13, 2022, 5:20:04 AM
PS: Also have tested new package and winbind now does work by itself for getgroups(3) and initgroups(3), ie kerberos logins over ssh work again!

Matt Grant

Jun 13, 2022, 5:30:04 AM
After thinking about it, putting everything which is in debian/samba-libexec-dcerpc.install into samba-common-bin would work.

Regards,

Matt Grant
Debian Developer

Michael Tokarev

Jun 13, 2022, 10:10:04 AM
13.06.2022 12:12, Matt Grant wrote:
> Hi Michael!
>
> For the libraries to move from the samba package, just used the following command on each rpcd binary in /usr/libexec/samba:
>
> dpkg -S `ldd rpcd_epmapper | grep samba | cut -f 1 -d ' '`

I suspected it was something like that.

The problem here is that the two libs you moved from
samba to the new dcerpc package, are also used by the
samba package itself. By moving stuff like this, it
is too easy to create a circular dependency, which we
had quite a few in the past. I placed libs into the
samba package (and to winbind package and some other
cases) *only* when those libs are used by those packages
and not by other packages. The rest of libraries -
the ones which are used by more than a single package -
goes to samba-libs. Again, maybe I'm wrong there.

Just thought that these libs which are used by a single
package *now*, may be used by more than a single package
in the future, and I should have a way to check for that,
maybe similar to how I check for unneeded inter-package
deps in d/rules already, but for more packages.

BTW, you forgot the manpage for samba-dcerpcd.

For now I moved the executables into samba-common-bin
and the two libs into samba-libs. Let's see how it will
be, maybe we'll create a new package for it.

Thank you for the work and for the inspiration!

/mjt

Matt Grant

Jun 13, 2022, 11:40:03 AM
Hi Michael!

OK, see what you are thinking.

Was planning to do just what you did.  Bins into samba-common-bin, libs into samba-libs.

My bad about samba-dcerpcd.8 man page.

Maybe ksmbd support should be started with all needed bins in samba-common-bin, and systemctl disabled ksmbd/samba-dcerpcd service file(s) in samba package or elsewhere. Some smb.conf settings are specially needed for ksmbd apparently (samba-dcerpcd.8 manpage)

Regards,

Matt Grant