Your message dated Mon, 13 Jun 2022 16:36:53 +0000
with message-id <[email protected]>
and subject line Bug#1012240: fixed in samba 2:4.16.2+dfsg-1
has caused the Debian Bug report #1012240,
regarding winbind does not return AD groups a user is a member of AT ALL, or
only one
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1012240: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012240
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: winbind
Version: 2:4.16.1+mag-1
Severity: important
Dear Maintainer,
I have rebuilt samba 4.16.1 packages as I am including a samba INTERNAL DNS
patch, but I have not altered the packaging significantly other than this, and
have not touched winbind.
I have been finding that when I log in to the machine using a user from samba
AD, with groups from samba AD, none of those AD groups that user is a member of
show up in the output from the 'groups' command.
Furthermore:
shalom: -root- [/home/admin]
# wbinfo -r grantma
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user grantma
And in the samba logs:
[2022/06/02 16:30:45.687576, 0] ../../source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn)
open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_ACCESS_DENIED
The above works fine when the samba package is installed along with winbind.
After the call I find that the following programs are running:
shalom: -root- [/home/admin]
# ps -ef | grep samba
root 139564 1 0 16:29 ? 00:00:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=40 --np-helper --debuglevel=0
root 139574 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=5 --debuglevel=0
root 139576 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=6 --debuglevel=0
root 139578 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=7 --debuglevel=0
root 139580 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=8 --debuglevel=0
root 139583 136857 0 16:29 pts/5 00:00:00 grep samba
When the above binaries' permissions are set by:
shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad
the following happens:
shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad
It appears that winbind needs samba-dcerpcd and rpcd_lsad to function
correctly. Could these binaries and dependent libraries be moved to the
winbind package please?
Thank you!
Matt Grant
-- Package-specific info:
* /etc/samba/smb.conf present, and attached
* /var/lib/samba/dhcp.conf not present
-- System Information:
Debian Release: 11.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.40-amd64-mag-lts (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8),
LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages winbind depends on:
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u3
ii libgnutls30 3.7.1-5
ii libldap-2.4-2 2.4.57+dfsg-3+deb11u1
ii libpopt0 1.18-2
ii libtalloc2 2.3.3+mag-1~0mag0
ii libtdb1 1.4.6+mag-1
ii libtevent0 0.11.0+mag-1~0mag0
ii libwbclient0 2:4.16.1+mag-1
ii lsb-base 11.1.0
ii samba-common 2:4.16.1+mag-1
ii samba-common-bin 2:4.16.1+mag-1
ii samba-libs 2:4.16.1+mag-1
winbind recommends no packages.
Versions of packages winbind suggests:
ii libnss-winbind 2:4.16.1+mag-1
ii libpam-winbind 2:4.16.1+mag-1
-- no debconf information
[Global]
netbios name = SHALOM
realm = AD.ANATHOTH.NET
workgroup = AD
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
server string = %h DebianLinux Host
security = ads
client signing = auto
server signing = auto
# TLS setup
tls certfile = /etc/ipsec.d/certs/anathoth_shalom.ad.anathoth.net.crt
tls keyfile = /etc/ipsec.d/private/anathoth_shalom.ad.anathoth.net.key
tls cafile = /etc/ipsec.d/cacerts/anathoth_vpn_ca.crt
# Winbind settings
#
# Winbind idmap setup
idmap config * : backend = autorid
idmap config * : range = 200000-2000200000
idmap config * : rangesize = 200000
idmap config AD : backend = ad
idmap config AD : range = 10000-59999
idmap config AD : unix_primary_group = yes
idmap config AD : unix_nss_info = yes
# Winbind offline logon
winbind offline logon = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind refresh tickets = yes
winbind cache time = 300
template shell = /bin/bash
template homedir = /home/%D/%U
#
# File server settings
#
# Listen on
bind interfaces only = yes
interfaces = lo fd14:828:ba69:1::9/64
# Samba logging
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
# Samba user share
usershare path = /var/lib/samba/usershares
usershare max shares = 100
usershare allow guests = yes
# Completely disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Various default share settings for below
# Global stuff to help with Unix clients...
unix extensions = yes
case sensitive = auto
delete readonly = yes
ea support = yes
browseable = no
read only = yes
force group = "domain users"
create mask = 0664
directory mask = 0775
[Documents]
comment = Documents
read only = no
browseable = yes
path = /srv/docs
force group = staff-gr
[Music]
comment = Music
read only = no
browseable = yes
path = /srv/media/music
[Pictures]
comment = Pictures
read only = no
browseable = yes
path = /srv/media/pictures
force group = "private-gr"
[Videos]
comment = Videos
read only = no
browseable = yes
path = /srv/media/videos
[scratch]
comment = Scratch
read only = no
browseable = yes
path = /srv/scratch
create mask = 0775
directory mask = 0775
force directory mode = 0775
# force create mode = 0664
--- End Message ---
--- Begin Message ---
Source: samba
Source-Version: 2:4.16.2+dfsg-1
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated samba package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 13 Jun 2022 19:08:44 +0300
Source: samba
Architecture: source
Version: 2:4.16.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Samba Maintainers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1012240
Changes:
samba (2:4.16.2+dfsg-1) unstable; urgency=medium
.
* new upstream minor/bugfix release.
* removed waf-add-support-for-GNU-kFreeBSD.patch (applied upstream)
* new minor version of libldb
(no code changes, just the build system update to support python 3.11)
* move samba-dcerpcd from samba package to samba-common-bin due to winbind
New in 4.16 samba-dcerpcd binary is used by smbd and winbind, so putting
it to samba package makes winbind unable to run it without samba.
For now, in order to fix this issue, move this binary from samba to
samba-common-bin package. It might be worth creating its own package
for this binary (or maybe some more binaries), once it is clear where
upstream is going to. Making this binary a part of samba-common-bin
adds some more files to smbclient-only setup.
(Closes: #1012240)
* remove mksmbpasswd script and manpage: we have smbpasswd which can add
entries to smbpasswd file if needed, and can handle other password storage
formats too
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
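The changelog above attributes the failure to winbind being unable to run samba-dcerpcd when the samba package is absent. The following check is an added example, not part of the bug report or of the Debian packaging: it tests whether the two helper binaries named in the report are executable and counts the matching samr pipe errors in a log file. The function names, fixture layout and sample log file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical;
# the helper names are the ones quoted in the report.
HELPERS="samba-dcerpcd rpcd_lsad"

# List each helper that cannot be executed from directory $1; return 1 if any.
missing_helpers() {
    rc=0
    for h in $HELPERS; do
        if [ ! -f "$1/$h" ]; then
            echo "$h: not installed"; rc=1
        elif [ ! -x "$1/$h" ]; then
            echo "$h: present but not executable"; rc=1
        fi
    done
    return "$rc"
}

# Count log entries in file $1 that show the internal samr pipe failure.
samr_pipe_failures() {
    grep -c 'open_internal_samr_conn: Could not connect to samr pipe' "$1" || true
}

# Combine both checks: helper directory $1, log file $2.
diagnose() {
    n=$(samr_pipe_failures "$2")
    if report=$(missing_helpers "$1"); then
        echo "OK: helpers runnable; $n samr pipe failure(s) logged"
    else
        echo "$report"
        echo "BROKEN: winbind cannot start its RPC helpers; $n samr pipe failure(s) logged"
        return 1
    fi
}

# Constructed fixture: one helper at mode 400, one absent, plus a sample log entry.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/samba-dcerpcd"; chmod 400 "$d/samba-dcerpcd"
    cat > "$d/sample.log" <<'EOF'
[2022/06/02 16:30:45.687576, 0] ../../source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn)
open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_ACCESS_DENIED
EOF
    echo "$d"
}

fx=$(make_fixture)
diagnose "$fx" "$fx/sample.log" || true
rm -rf "$fx"
```

On a real host, call diagnose with /usr/libexec/samba and the path of the winbindd log file instead of the fixture.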