Alex Crow
2017-Dec-15  11:57 UTC
[Samba] Samba 4.6.11 member server group resolution not working
Hi,

We recently upgraded some AD member file servers from 4.6.7 to 4.6.11. Since then, "getent group" has been failing to return groups properly after winbind's been running for a couple of days. We have a lot of entries in log.wb-<DOMAIN> like this:

[2017/12/15 11:39:47.959368, 1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:39:47.962929, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:39:47.972992, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:39:47.973067, 1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:39:47.976957, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:39:59.400024, 1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_CONNECTION_DISCONNECTED - retrying...
[2017/12/15 11:39:59.798388, 1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_CONNECTION_DISCONNECTED - retrying...
[2017/12/15 11:40:13.602515, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:40:13.602552, 1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:40:13.606894, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:40:13.623301, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:40:13.623329, 1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:40:13.627004, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!

Interestingly, wbinfo -g returns group names but wbinfo -u has stopped returning user names. Sometimes getent group <groupname> will work on certain groups but not others (especially ones with lots of members).

SMB.conf:

[global]
    workgroup = thedomain_NET
    realm = samba.thedomain.net
    netbios name = THECLUSTER
    security = ADS
    interfaces = enp4s0f0
    idmap_ldb:use rfc2307 = yes
    clustering = yes
    log file = /var/log/samba/%I
    log level = 1
    max log size = 102400
    idmap config *:backend = tdb
    idmap config *:range = 200000-299999
    idmap config thedomain_NET:backend = ad
    idmap config thedomain_NET:unix_nss_info = yes
    idmap config thedomain_NET:default = yes
    idmap config thedomain_NET:schema_mode = rfc2307
    idmap config thedomain_NET:range = 500-199999
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 1
    winbind refresh tickets = Yes
    wide links = yes
    unix extensions = no
    vfs objects = fileid
    fileid:mapping = fsname
    map acl inherit = yes
    guest account = guestfiles
    map to guest = bad user
    nt acl support = yes

nsswitch.conf:

    passwd: files winbind
    shadow: files sss
    group: files winbind

Also getting groups for users fails on some groups:

    # groups xxx
    xxx : groups: cannot find name for group ID 513
    513 iii_group groups: cannot find name for group ID 1012
    1012 groups: cannot find name for group ID 1102
    1102 iii_localadmin iii_confluence iii_inf tps_fix commfonts software groups: cannot find name for group ID 1013
    ...

Any ideas?

Cheers,

Alex

--
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
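
An added example, not part of the original post: a small Python parser for the winbind log layout quoted in the message above, tallying failed calls per NT_STATUS and RPC faults per domain controller so it is easier to see whether the errors cluster on one DC. The sample lines are constructed from entries in the post, and `parse_entries` and `summarize` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample modelled on the entries in the post, in Samba's usual
# layout: "[timestamp, level] file:line(function)" header, then the message.
SAMPLE_LOG = """\
[2017/12/15 11:39:47.959368, 1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_RPC_PROTOCOL_ERROR - retrying...
[2017/12/15 11:39:47.962929, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
[2017/12/15 11:39:59.400024, 1] ../source3/winbindd/winbindd_ads.c:1236(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_CONNECTION_DISCONNECTED - retrying...
[2017/12/15 11:40:13.602515, 1] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc-04.samba.thedomain.net!
"""

HEADER_RE = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*(\d+)\]\s+\S+:\d+\((\w+)\)\s*(.*)$")
STATUS_RE = re.compile(r"(\w+) call failed with (NT_STATUS_\w+)")
FAULT_RE = re.compile(r"RPC fault code (\w+) received from host ([\w.-]+)!")

def parse_entries(text):
    """Join each header line with its continuation lines into one entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts, level, func, rest = m.groups()
            entries.append({"ts": ts, "level": int(level), "func": func, "msg": rest})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize(entries):
    """Count failed calls per NT_STATUS and RPC faults per (host, fault code)."""
    failed, faults = Counter(), Counter()
    for e in entries:
        for call, status in STATUS_RE.findall(e["msg"]):
            failed[(e["func"], call, status)] += 1
        for code, host in FAULT_RE.findall(e["msg"]):
            faults[(host, code)] += 1
    span = (entries[0]["ts"], entries[-1]["ts"]) if entries else None
    return {"failed": failed, "faults": faults, "span": span}

if __name__ == "__main__":
    report = summarize(parse_entries(SAMPLE_LOG))
    for key, count in (report["failed"] + report["faults"]).most_common():
        print(count, *key)
    print("first/last entry:", report["span"])
```
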
Alex Crow
2017-Dec-15  12:19 UTC
[Samba] Samba 4.6.11 member server group resolution not working
On 15/12/17 11:57, Alex Crow wrote:
> Hi,
>
> We recently upgraded some AD member file servers from 4.6.7 to 4.6.11.
> Since then, "getent group" has been failing to return groups properly
> after winbind's been running for a couple of days. We have a lot of
> entries in log.wb-<DOMAIN> like this:
>

PS DCs are on 4.5.2.