wbinfo -u, wbinfo -g, and getent group stop working after upgrade to winbind 4.3.8

Bug #1573526 reported by Peter Parzer on 2016-04-22
This bug affects 6 people
Affects: samba (Ubuntu)
Importance: Undecided
Assigned to: Ubuntu Security Team

Bug Description

"wbinfo -u" and "wbinfo -g" should list domain users and groups, but report nothing.
"getent group <domain-group>" returns only the first 3 fields of the group database, but not the group members.

Firefox SSO with ntlm_auth is not working as it used to. Most of the time the access to servers that use ntlm_auth is rejected, but sometimes it is granted.

In the winbind log-file log.wb-<DOMAIN> are error messages like the following (when running winbindd with debuglevel 4):

[2016/04/22 12:41:20.439812, 3] ../source3/libads/ldap.c:980(ads_do_paged_search_args)
  ads_do_paged_search_args: ldap_search_with_timeout((&(objectCategory=group)(&(groupType:dn:1.2.840.113556.1.4.803:=-2147483648)(!(groupType:dn:1.2.840.113556.1.4.803:=1))))) -> Time limit exceeded
[2016/04/22 12:41:20.439850, 1] ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
  ads reopen failed after error Time limit exceeded
[2016/04/22 12:41:20.439857, 1] ../source3/winbindd/winbindd_ads.c:480(enum_dom_groups)
  enum_dom_groups ads_search: Time limit exceeded

Before the update to winbind 4.3.8, my setup has been working for several years without any problems.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: winbind 2:4.3.8+dfsg-0ubuntu0.14.04.2
ProcVersionSignature: Ubuntu 3.16.0-70.90~14.04.1-generic 3.16.7-ckt25
Uname: Linux 3.16.0-70-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.19
Architecture: amd64
Date: Fri Apr 22 12:28:40 2016
ExecutablePath: /usr/sbin/winbindd
InstallationDate: Installed on 2015-07-14 (283 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
ProcEnviron:
 TERM=linux
 PATH=(custom, no user)
SambaClientRegression: Yes
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.init.winbind.conf: [modified]
mtime.conffile..etc.init.winbind.conf: 2016-04-21T09:26:48.806327

Peter Parzer (peter-parzer) wrote :
Changed in samba (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)

Same problem here.

wbinfo -u returns no users, -g some groups.
-t and -a work fine.

getent returns nothing on users.

Was working fine in version 4.1.x before dist-upgrade.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
urusha (urusha) wrote :

Empty 'wbinfo -u' seems to be a regression after fixing the Badlock vulnerability. There are patches available. See https://bugzilla.samba.org/show_bug.cgi?id=11872

While empty "getent group <domain-group>" can be fixed in smb.conf by adding this:
  winbind expand groups = 1
The default value has been changed to 0 in samba 4.2, see man smb.conf. I have to add this line to make CUPS work (see https://github.com/apple/cups/issues/4611). But normally you should not change it, since 'groups <domain-user>' works fine and most software uses the user's group list instead of the group's member list.

Peter Parzer (peter-parzer) wrote :

By adding the line

         client ldap sasl wrapping = plain

to smb.conf I could fix winbind -u and winbind -g

ntlm_auth still does not work reliably with firefox.
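
Added example, not part of the original thread: a shell function that reports whether an smb.conf still carries either of the two workarounds posted in the comments above, `winbind expand groups = 1` and `client ldap sasl wrapping = plain`; the second one means winbind's LDAP traffic is neither signed nor sealed. The name `audit_smbconf` and the sample file are constructed, and the parser assumes no `include` files or backslash line continuations.

```shell
#!/bin/sh
# Name matching follows smb.conf(5): section and parameter names are case
# insensitive and whitespace inside them is ignored. Only [global] is read;
# the last assignment of a parameter wins.
audit_smbconf() {
    awk '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                 # section header
        s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
        in_global = (norm(s) == "global"); next
    }
    in_global && index($0, "=") {
        eq = index($0, "=")                       # only the first "=" counts
        val[norm(substr($0, 1, eq - 1))] = tolower(trim(substr($0, eq + 1)))
    }
    END {
        w = val["clientldapsaslwrapping"]
        if (w == "plain")
            print "WARN client ldap sasl wrapping = plain (LDAP traffic neither signed nor sealed)"
        g = val["winbindexpandgroups"]
        if (g != "" && g != "0")
            print "NOTE winbind expand groups = " g " (thread: default is 0 since samba 4.2)"
    }' "$1"
}

# Constructed sample file (not taken from any system in this thread);
# mixed case and spacing are deliberate.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Global]
   workgroup = EXAMPLE
   security = ads
   ; client ldap sasl wrapping = sign
   Client LDAP  SASL wrapping = Plain
   winbind expand groups = 1
[share]
   client ldap sasl wrapping = seal
EOF
audit_smbconf "$sample"
```

On a host with Samba installed, `testparm -s` prints the effective configuration and can be used to cross-check the result.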

Marc Deslauriers (mdeslaur) wrote :

Today's Samba update should contain the fix for this issue:

http://www.ubuntu.com/usn/usn-2950-2/

Could the original bug reporter please test the update and comment here? Thanks!

urusha (urusha) wrote :

Yes, it seems that update to 4.3.9+dfsg-0ubuntu0* has fixed the issue for me on both trusty and xenial.

Eric Delaet (eric-delaet) wrote :

Thanks, working for me as well on Trusty.

Peter Parzer (peter-parzer) wrote :

The update solves the problems with winbind -u and winbind -g.
ntlm_auth with firefox still does not work as it did before winbind 4.3.8.

Marc Deslauriers (mdeslaur) wrote :

@Peter:

Did you install the libsoup update also? What's the output of "apt-cache policy libsoup2.4-1"?

Peter Parzer (peter-parzer) wrote :

$ apt-cache policy libsoup2.4.1
libsoup2.4-1:
  Installiert: 2.44.2-1ubuntu2.1
  Installationskandidat: 2.44.2-1ubuntu2.1
  Versionstabelle:
 *** 2.44.2-1ubuntu2.1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.44.2-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Marc Deslauriers (mdeslaur) wrote :

Hi Peter,

I have uploaded a samba package for trusty to the following PPA:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

Could you please give it a try? I believe it may fix this issue, and if tested successfully, I will release it as a regression update.

Thanks!

Peter Parzer (peter-parzer) wrote :

Sorry, no success. ntlm_auth with firefox still doesn’t work.
