Public bug reported:

Our setup:
- MAINDOMAIN: domain controller is Windows Server (version unknown)
- SUBDOMAIN: domain controller is Windows Server 2016
- Our PC is running Ubuntu 20.04 with samba+winbind 2:4.15.13+dfsg-0ubuntu0.20.04.8 and has joined the SUBDOMAIN.

Problem:
1) First we make sure that the samlogon cache is empty
2) wbinfo --user-groups SUBDOMAIN+user1: works fine.
3) wbinfo --user-groups MAINDOMAIN+user2: returns only two groups: 'MAINDOMA+Domain users' and 'MAINDOMAIN+user2' although user2 is a member of 10+ groups defined in MAINDOMAIN.

We cannot retrieve the groups of users which are part of the MAINDOMAIN, but we can for users in SUBDOMAIN. (Note that our Ubuntu PC has joined the SUBDOMAIN.)

Further, if the same user logs on to our Ubuntu 20 PC using the MAINDOMAIN+user2 user via SSH, login succeeds, the command 'groups' shows all the 10+ groups, and we see that the samlogon cache contains the SID of user2.

In other words: group membership is retrieved from MAINDOMAIN during SSH login correctly. But if we query the same group membership on the Ubuntu PC as the root user (empty samlogon cache), then retrieving the groups fails (returns only two trivial groups).

A similar question can be found here:
https://unix.stackexchange.com/questions/790257/samba-winbind-in-trusted-forest-cant-enumerate-group-membership

Thank you for your help in advance,
Andreas Zolnay

In the log.winbind, we see no answer at all for the call wbint_LookupUserGroups:

[2025/09/02 16:10:21.351111, 3, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_util.c:1877(lookup_usergroups_cached)
  : lookup_usergroups_cached
[2025/09/02 16:10:21.351122, 10, pid=3705410, effective(0, 0), real(0, 0)] ../../source3/libsmb/samlogon_cache.c:252(netsamlogon_cache_get)
  netsamlogon_cache_get: SID [S-1-5-21-932686498-1610486119-1155464205-60382]
[2025/09/02 16:10:21.351138, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
  wbint_LookupUserGroups: struct wbint_LookupUserGroups
    in: struct wbint_LookupUserGroups
      sid : *
        sid : S-1-5-21-932686498-1610486119-1155464205-60382
[2025/09/02 16:10:21.351165, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x560f0879b4a0
[2025/09/02 16:10:21.351177, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x560f0879b4a0
[2025/09/02 16:10:21.351196, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
  wbint_DsGetDcName: struct wbint_DsGetDcName
    in: struct wbint_DsGetDcName
      domain_name : *
        domain_name : 'MAINDOMAIN'
      domain_guid : NULL
      site_name : NULL
      flags : 0x40000000 (1073741824)
[2025/09/02 16:10:21.351230, 10, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:3487(get_global_winbindd_state_offline)
  get_global_winbindd_state_offline: Offline state not set.
[2025/09/02 16:10:21.351243, 10, pid=3705410, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual_ndr.c:111(wbint_bh_raw_call_send)
  wbint_bh_raw_call_send: Got opnum 15 for domain SUBDOMAIN from cache
[2025/09/02 16:10:21.351253, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: Schedule immediate event "tevent_req_trigger": 0x560f087a6d00
[2025/09/02 16:10:21.351263, 50, pid=3705410, effective(0, 0), real(0, 0), class=tevent] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: Run immediate event "tevent_req_trigger": 0x560f087a6d00
[2025/09/02 16:10:21.351274, 1, pid=3705410, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
  wbint_DsGetDcName: struct wbint_DsGetDcName
    out: struct wbint_DsGetDcName
      dc_info : *
        dc_info : NULL
      result : NT_STATUS_ACCESS_DENIED

smb.conf

[global]
    server role = standalone server
    obey pam restrictions = no
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes
    security = ADS
    realm = SUBDOMAIN.MAINDOMAIN.NL
    workgroup = SUBDOMAIN
    winbind separator = +
    winbind refresh tickets = yes
    allow trusted domains = yes
    kerberos method = secrets and keytab
    idmap config * : backend = tdb
    idmap config * : range = 3000000 - 3999999
    idmap config SUBDOMAIN : backend = rid
    idmap config SUBDOMAIN : range = 2000000 - 2999999
    idmap config MAINDOMAIN : backend = rid
    idmap config MAINDOMAIN : range = 1000000 - 1999999
    winbind scan trusted domains = yes
    winbind use krb5 enterprise principals = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 0
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    lock directory = /var/cache/samba
    winbind use default domain = no
    restrict anonymous = 2
    strict locking = no
    wide links = yes
    unix extensions = no
    hide dot files = no
    wide links = yes
    unix extensions = no
    hide dot files = no
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    store dos attributes = no

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/2121874

Title:
  Samba Winbind cannot enumerate groups of users in main domain
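
One way to triage a log.winbind excerpt like the one in the report, added here as an example (not part of the original report and not Samba code): it pairs the "in" and "out" dumps of wbint_* calls per winbindd pid and lists calls with no answer and answers other than NT_STATUS_OK. The function name audit_wbint_calls and the pair-by-pid rule are assumptions of this example; the sample text is abridged from the report's log excerpt.

```python
import re
from collections import defaultdict

# Start of a Samba debug entry, e.g. "[2025/09/02 16:10:21.351138, 1, pid=3705410, ...]"
HEADER = re.compile(r"\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+,\s*\d+, pid=(\d+)[^\]]*\]")
# NDR dump of an internal winbind call: "<name>: struct <name>" followed by "in:" or "out:"
CALL = re.compile(r"(wbint_\w+): struct \1\s+(in|out): struct")
RESULT = re.compile(r"result\s*:\s*(\w+)")

# Sample input abridged from the log excerpt in the report.
HDR = ("[2025/09/02 16:10:21.%s, 1, pid=3705410, effective(0, 0), real(0, 0), "
       "class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)")
SAMPLE = "\n".join([
    HDR % "351138", "  wbint_LookupUserGroups: struct wbint_LookupUserGroups",
    "    in: struct wbint_LookupUserGroups",
    HDR % "351196", "  wbint_DsGetDcName: struct wbint_DsGetDcName",
    "    in: struct wbint_DsGetDcName", "      domain_name : 'MAINDOMAIN'",
    HDR % "351274", "  wbint_DsGetDcName: struct wbint_DsGetDcName",
    "    out: struct wbint_DsGetDcName", "      result : NT_STATUS_ACCESS_DENIED",
])


def audit_wbint_calls(log_text):
    """Return (unanswered, failed) for the wbint_* calls dumped in log_text.

    unanswered: calls with an "in" dump but no later "out" dump from the same pid.
    failed: (call, status) for "out" dumps whose result is not NT_STATUS_OK.
    """
    pending = defaultdict(list)   # pid -> call names still waiting for an "out" dump
    failed = []
    headers = list(HEADER.finditer(log_text))
    for i, hdr in enumerate(headers):
        # An entry's body runs from its header to the next header (or end of text).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        body = log_text[hdr.end():end]
        call = CALL.search(body)
        if not call:
            continue              # tevent and other non-NDR entries
        name, direction = call.groups()
        pid = hdr.group(1)
        if direction == "in":
            pending[pid].append(name)
            continue
        if name in pending[pid]:
            pending[pid].remove(name)
        status = RESULT.search(body)
        if status and status.group(1) != "NT_STATUS_OK":
            failed.append((name, status.group(1)))
    return [n for names in pending.values() for n in names], failed


if __name__ == "__main__":
    print(audit_wbint_calls(SAMPLE))
```

A call listed as unanswered only means no "out" dump appears in the text that was scanned, so the result depends on how much of the log was captured.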