wbinfo -u, wbinfo -g, and getent group stop working after upgrade to winbind 4.3.8

Bug #1573526 reported by Peter Parzer
This bug affects 6 people
Affects: samba (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Ubuntu Security Team

Bug Description

"wbinfo -u" and "wbinfo -g" should list domain users and groups, but report nothing.
"getent group <domain-group>" returns only the first 3 fields of the group database, but not the group members.

Firefox SSO with ntlm_auth is not working as it used to. Most of the time the access to servers that use ntlm_auth is rejected, but sometimes it is granted.

In the winbind log-file log.wb-<DOMAIN> are error messages like the following (when running winbindd with debuglevel 4):

[2016/04/22 12:41:20.439812, 3] ../source3/libads/ldap.c:980(ads_do_paged_search_args)
  ads_do_paged_search_args: ldap_search_with_timeout((&(objectCategory=group)(&(groupType:dn:1.2.840.113556.1.4.803:=-2147483648)(!(groupType:dn:1.2.840.113556.1.4.803:=1))))) -> Time limit exceeded
[2016/04/22 12:41:20.439850, 1] ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
  ads reopen failed after error Time limit exceeded
[2016/04/22 12:41:20.439857, 1] ../source3/winbindd/winbindd_ads.c:480(enum_dom_groups)
  enum_dom_groups ads_search: Time limit exceeded

Before the update to winbind 4.3.8, my setup has been working for several years without any problems.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: winbind 2:4.3.8+dfsg-0ubuntu0.14.04.2
ProcVersionSignature: Ubuntu 3.16.0-70.90~14.04.1-generic 3.16.7-ckt25
Uname: Linux 3.16.0-70-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.19
Architecture: amd64
Date: Fri Apr 22 12:28:40 2016
ExecutablePath: /usr/sbin/winbindd
InstallationDate: Installed on 2015-07-14 (283 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
ProcEnviron:
 TERM=linux
 PATH=(custom, no user)
SambaClientRegression: Yes
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.init.winbind.conf: [modified]
mtime.conffile..etc.init.winbind.conf: 2016-04-21T09:26:48.806327

Peter Parzer (peter-parzer) wrote :
Changed in samba (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
André Peres Ramos (andreperesnl) wrote :

Same problem here.

wbinfo -u returns no users, -g some groups
-t and -a works fine.

getent returns nothing on users.

Was working fine in version 4.1.x before dist-upgrade.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
urusha (urusha) wrote :

Empty 'wbinfo -u' seems to be regression after fixing badlock vulnerability. There are patches available. See https://bugzilla.samba.org/show_bug.cgi?id=11872

While empty "getent group <domain-group>" can be fixed in smb.conf by adding this:
  winbind expand groups = 1
Default value has been changed to 0 in samba 4.2, see man smb.conf. I have to add this line to make CUPS work (see https://github.com/apple/cups/issues/4611 ). But normally you should not change it, since 'groups <domain-user>' works fine and most software uses the user's group list instead of the group's members list.

Peter Parzer (peter-parzer) wrote :

By adding the line

         client ldap sasl wrapping = plain

to smb.conf I could fix winbind -u and winbind -g

ntlm_auth still does not work reliably with firefox.
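
Added example, not part of any comment in this report: a POSIX shell check that finds the two smb.conf workarounds suggested above (`winbind expand groups` and `client ldap sasl wrapping = plain`) so they can be reviewed; with `plain`, winbind's LDAP traffic is neither signed nor sealed. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list the smb.conf workarounds
# mentioned in this thread so an administrator can review them.

# Emit "name=value" for each [global] parameter. Per smb.conf(5), names are
# case-insensitive and whitespace inside them is irrelevant; lines starting
# with ';' or '#' are comments. "include" files are not followed here.
global_params() {
  awk '
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s); g = (s == "[global]"); next }
    g && (eq = index($0, "=")) {
      name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
      val = tolower(substr($0, eq + 1))
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      print name "=" val
    }' "$1"
}

# Print one REVIEW line per workaround found in the given smb.conf.
audit_workarounds() {
  global_params "$1" | while IFS= read -r p; do
    case "$p" in
      clientldapsaslwrapping=plain)
        echo "REVIEW client ldap sasl wrapping = plain (LDAP to the DC is neither signed nor sealed)" ;;
      winbindexpandgroups=0) ;;   # the default named in the thread
      winbindexpandgroups=*)
        echo "REVIEW winbind expand groups = ${p#*=} (thread: default is 0 since samba 4.2)" ;;
    esac
  done
}

# Constructed sample configuration, not taken from any reporter's system.
sample_conf() {
  cat <<'EOF'
[global]
   security = ads
   ; client ldap sasl wrapping = sign
   Client LDAP  SASL wrapping = Plain
   winbind expand groups = 1
[printers]
   winbind expand groups = 5
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_workarounds "$tmp"; rm -f "$tmp"
```

On a real host, point `audit_workarounds` at /etc/samba/smb.conf; the commented-out line and the setting outside `[global]` in the sample are deliberately ignored.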

Marc Deslauriers (mdeslaur) wrote :

Today's Samba update should contain the fix for this issue:

http://www.ubuntu.com/usn/usn-2950-2/

Could the original bug reporter please test the update and comment here? Thanks!

urusha (urusha) wrote :

Yes, it seems that update to 4.3.9+dfsg-0ubuntu0* has fixed the issue for me on both trusty and xenial.

Eric Delaet (eric-delaet) wrote :

Thanks, working for me as well on Trusty.

Peter Parzer (peter-parzer) wrote :

The update solves the problems with winbind -u and winbind -g.
ntlm_auth with firefox still does not work as it did before winbind 4.3.8.

Marc Deslauriers (mdeslaur) wrote :

@Peter:

Did you install the libsoup update also? What's the output of "apt-cache policy libsoup2.4-1"?

Peter Parzer (peter-parzer) wrote :

$ apt-cache policy libsoup2.4.1
libsoup2.4-1:
  Installiert: 2.44.2-1ubuntu2.1
  Installationskandidat: 2.44.2-1ubuntu2.1
  Versionstabelle:
 *** 2.44.2-1ubuntu2.1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.44.2-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Marc Deslauriers (mdeslaur) wrote :

Hi Peter,

I have uploaded a samba package for trusty to the following PPA:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

Could you please give it a try? I believe it may fix this issue, and if tested successfully, I will release it as a regression update.

Thanks!

Peter Parzer (peter-parzer) wrote :

Sorry, no success. ntlm_auth with firefox still doesn’t work.
