Dmitriy Merzlov
2017-Jun-22 11:16 UTC
[Samba] wbinfo --group-info not listed users inside the group
Hello colleagues,

After upgrading Debian 8 to the latest version 9 (stretch).
Command
wbinfo --group-info LOCAL\\db_g - doesn't return list of all users
inside the group, I have only:
LOCAL\db_g:x:1000:
and before it was:
LOCAL\db_g:x:1000:user1, user2, user3, user4, ........

smb.conf:
----------------------------------------------------------
# Global parameters
[global]
realm = LOCAL.COM
workgroup = LOCAL
security = ADS
idmap config LOCAL : backend = rid
idmap config LOCAL : range = 10000-1999999
idmap config * : range = 10000-1999999
----------------------------------------------------------

krb5.conf
----------------------------------------------------------
[realms]
LOCAL.COM = {
kdc = DC1.LOCAL.COM
admin_server = DC1.LOCAL.COM
default_domain = LOCAL.COM
}


[domain_realm]
.local.com = LOCAL.COM
local.com = LOCAL.COM


[login]
krb4_convert = true
krb4_get_tickets = false
----------------------------------------------------------

smbd -V
Version 4.5.8-Debian

winbindd -V
Version 4.5.8-Debian

Do you have any suggestions about this?

Thanks in advance!

Best regards,
Dmitriy

Rowland Penny
2017-Jun-22 12:02 UTC
[Samba] wbinfo --group-info not listed users inside the group
On Thu, 22 Jun 2017 14:16:04 +0300
Dmitriy Merzlov via samba <samba at lists.samba.org> wrote:

> Hello colleagues,
>
> After upgrading Debian 8 to the latest version 9 (stretch).
> Command
> wbinfo --group-info LOCAL\\db_g - doesn't return list of all users
> inside the group, I have only:
> LOCAL\db_g:x:1000:
> and before it was:
> LOCAL\db_g:x:1000:user1, user2, user3, user4, ........

I seem to remember a change being made in this area, it was just a
guess before.

>
> smb.conf:
> ----------------------------------------------------------
> # Global parameters
> [global]
> realm = LOCAL.COM
> workgroup = LOCAL
> security = ADS
> idmap config LOCAL : backend = rid
> idmap config LOCAL : range = 10000-1999999
> idmap config * : range = 10000-1999999

The two ranges must not overlap, yours are identical.
Is this the entire smb.conf ?

> ----------------------------------------------------------
>
> krb5.conf
> ----------------------------------------------------------
> [realms]
> LOCAL.COM = {
> kdc = DC1.LOCAL.COM
> admin_server = DC1.LOCAL.COM
> default_domain = LOCAL.COM
> }
>
>
> [domain_realm]
> .local.com = LOCAL.COM
> local.com = LOCAL.COM
>
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false

I would expect it to look like this:

[libdefaults]
default_realm = LOCAL.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Rowland

Rowland Penny
2017-Jun-22 12:40 UTC
[Samba] wbinfo --group-info not listed users inside the group
On Thu, 22 Jun 2017 15:26:29 +0300
Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:

> Hello Rowland,
>
> Thanks for the fast response!
>
> I changed configuration, like you proposed, but output is the same:
>
> LOCAL\db_g:x:1000:

Where is the group 'db_g' stored, is it in /etc/group or in AD ?
Or even worse, have you somehow managed to get it into both ?

I ask this because you are using the winbind 'rid' backend, and the ID
will be calculated with this:

ID = RID - BASE_RID + LOW_RANGE_ID

BASE_RID is '0', so this becomes

ID = RID + LOW_RANGE_ID

So, as the LOW_RANGE_ID = 10000 and the lowest RID is usually '1000'
(excluding 'Well Known SIDs'), this becomes:

ID = 1000 + 10000
ID = 11000

So how does 'db_g' get '1000' ?

>
> idmap configuration I took from this bug12284
> https://bugzilla.samba.org/show_bug.cgi?id=12284

Please don't take things like this from a bugreport, try reading the
Samba wiki instead:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

Rowland Penny
2017-Jun-22 15:06 UTC
[Samba] wbinfo --group-info not listed users inside the group
On Thu, 22 Jun 2017 17:44:52 +0300
Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:

> Hi Rowland,
>
> I already crosschecked all configuration, according samba wiki,
> recently. This server connected to AD as domain member.
>
> LOCAL\db_g -- group and other groups are stored in AD
>
> For example:
>
> wbinfo --group-info "LOCAL\Field_G"
> LOCAL\field_g:x:1080:
>
> I checked on another server, which still not updated:
>
> wbinfo --group-info "LOCAL\Field_G"
> LOCAL\field_g:*:11845:LOCAL\temp.writter1,LOCAL\user1,LOCAL\user2,LOCAL\user3,
> LOCAL\user4
>
> It's very strange - that now on updated server gid is 1080 instead of
> 11846
>
> I tried to delete this server from AD and rejoin back with command:
> net ads join -U administrator
>
> But have the same output.
>
> Best regards,
> Dmitriy
>
>

You posted this was your smb.conf on a Unix domain member:

[global]
realm = LOCAL.COM
workgroup = LOCAL
security = ADS
idmap config LOCAL : backend = rid
idmap config LOCAL : range = 10000-1999999
idmap config * : range = 10000-1999999

Try changing it to this:

[global]
realm = LOCAL.COM
workgroup = LOCAL
security = ADS

winbind use default domain = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config LOCAL : backend = rid
idmap config LOCAL : range = 10000-1999999

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Run 'net cache flush' and then restart smbd, nmbd and winbind
finally run 'getent group db_g'

Rowland

Rowland Penny
2017-Jun-23 08:56 UTC
[Samba] wbinfo --group-info not listed users inside the group
On Fri, 23 Jun 2017 10:35:00 +0300
Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:

> Hello Rowland,
>
> I changed configuration as you suggested, reloaded/restarted all
> services, but the problem still persist.
>
> 'getent group db_g' - seems not working, I have empty output.
>
> But I can do retrieve all groups which have user:
>
> wbinfo --user-groups "LOCAL\user.1"
> 229933
> 276858
> 11466
> 11112
> 841669
> 290668
> 340058
> 1024
> *290664*
> 10513
> 10001
>
> wbinfo --group-info "LOCAL\db_g"
> db_g:x:*290664*:
>
>

Can you post the AD record for the group 'db_g'

I know you are sure that 'db_g' isn't in /etc/group, but can you please
try running this command in a terminal:

cat /etc/group | grep db_g

Rowland

Rowland Penny
2017-Jun-23 10:21 UTC
[Samba] wbinfo --group-info not listed users inside the group
On Fri, 23 Jun 2017 13:01:38 +0300
Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:

>
> With this log level I do not see any big problems.
>

No, I don't either

> > On Fri, 23 Jun 2017 10:35:00 +0300
> > Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:
> >
> > > Hello Rowland,
> > >
> > > I changed configuration as you suggested, reloaded/restarted all
> > > services, but the problem still persist.
> > >
> > > 'getent group db_g' - seems not working, I have empty output.
> > >
> > > But I can do retrieve all groups which have user:
> > >
> > > wbinfo --user-groups "LOCAL\user.1"
> > > 229933
> > > 276858
> > > 11466
> > > 11112
> > > 841669
> > > 290668
> > > 340058
> > > 1024
> > > *290664*
> > > 10513
> > > 10001
> > >
> > > wbinfo --group-info "LOCAL\db_g"
> > > db_g:x:*290664*:

Is /etc/nsswitch.conf set up correctly ?
Are the required libnss_winbind links etc set up correctly ?

getent and wbinfo work differently, wbinfo goes straight to winbind so
always works (unless something strange happens), but getent goes via
NSS, so if this isn't set up correctly, getent doesn't work.

You initially said the group had the ID '1000', it now seems to have
the ID '290664', which if you are using '10000' as the lower range for
the domain, means that the group's RID is '280664', if this is the case,
then wbinfo is working correctly and I would check libnss_winbind.

Rowland

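The range-overlap point from the 12:02 reply and the rid arithmetic from the 12:40 and 10:21 replies, worked through as an added example that is not part of the original thread or of Samba's own code: it parses `idmap config` lines, reports domains whose ranges overlap, and converts between RID and Unix ID in both directions. The function names are this example's own, the two embedded configs are copied from the posts above, and `base_rid` defaults to 0 as stated in the thread.

```python
import re

# "idmap config <DOMAIN> : <option> = <value>", spacing around ':' optional
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

# Constructed inputs: the idmap lines of the two [global] sections posted in the thread.
ORIGINAL = """
idmap config LOCAL : backend = rid
idmap config LOCAL : range = 10000-1999999
idmap config * : range = 10000-1999999
"""
SUGGESTED = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config LOCAL : backend = rid
idmap config LOCAL : range = 10000-1999999
"""

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        if option == "range":
            value = tuple(int(x) for x in value.split("-"))
        domains.setdefault(domain, {})[option] = value
    return domains

def overlapping(domains):
    """Return pairs of domains whose ID ranges share at least one ID."""
    r = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    return [(a, b) for i, (a, ra) in enumerate(r) for b, rb in r[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if the result leaves the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def id_to_rid(unix_id, low, high, base_rid=0):
    """Inverse mapping; None means this ID lies outside the domain's range."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid

if __name__ == "__main__":
    low, high = parse_idmap(SUGGESTED)["LOCAL"]["range"]
    print(overlapping(parse_idmap(ORIGINAL)), overlapping(parse_idmap(SUGGESTED)))
    print(rid_to_id(1000, low, high), id_to_rid(290664, low, high), id_to_rid(1000, low, high))
```

A `None` from `id_to_rid` for the GIDs 1000 and 1080 reported earlier in the thread shows they lie outside the LOCAL range, so they did not come from the rid mapping.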