Michael Schwarz
2020-Oct-07 15:00 UTC
[Samba] Is Samba unable to resolve secondary group membership?
Hello,

I have a somewhat complicated problem and so far I have not been able to find any hints that have brought me further towards a solution:

I run a CIFS cluster with two nodes using ctdb and samba. This cluster is connected to an Active Directory. The share contains directories which belong to the user root and a certain group. The users who are to use the CIFS gateway are given access to those directories via the Unix group. If the directory belongs to the current user or the "other" rights are set accordingly, the user also receives access via Samba. However, if the user gets rights to this directory solely on the basis of his group membership (secondary group), Samba will deny access. If I give the directory to the user's primary group, access will also work.

The tested directory is named "pc2-mitarbeiter" (for a deeper look in the attached logfile) and the accessing user is <USER2>.

drwxrws--- 24 root pc2-mitarbeiter 4096 2. Okt 13:21 pc2-mitarbeiter

<USER2> is a member of the "pc2-mitarbeiter" group and has "users" set as primary group. This leads me to the conclusion that the mapping AD user -> Unix user and the primary group works. But Samba apparently does not get the membership in the secondary group resolved.

The environment:

There are two more or less separate worlds: one is the Windows world and the other the Linux world. In the Linux world an OpenLDAP server and a Kerberos service are used to authenticate users. For the Windows world a conventional AD is available. These are two independent islands with technically different users but matching user names and group names. The only connection between the two worlds is the user name itself. So one account in the Linux world and the corresponding account identified by the username in the Windows world are the same person.

The two servers on which the Samba cluster runs receive the system users from the LDAP. In addition, the Samba server is a member of the AD domain. Winbind is not configured for nss / pam. It's only intended to be used for authenticating against the Samba server. The two servers also serve the directory via nfs4 (not managed by ctdb), which works perfectly with correct permissions.

Operating system is CentOS 7.8, Samba 4.10.4 (RPM version samba-4.10.4-11.el7_8.x86_64)

A few debug outputs:

[root at lus-gw-1 samba]# net ads testjoin
Join is OK
[root at lus-gw-1 samba]# wbinfo -u | wc -l
32397
[root at lus-gw-1 samba]# wbinfo -g | wc -l
2864
[root at lus-gw-1 samba]# wbinfo -n <USER2>
S-1-5-21-3542048200-3079820972-537594794-55128 SID_USER (1)
[root at lus-gw-1 samba]# wbinfo -s S-1-5-21-3542048200-3079820972-537594794-55128
AD\<USER2> 1
[root at lus-gw-1 samba]# wbinfo -i "AD\<USER2>"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user AD\<USER2>
[root at lus-gw-1 samba]# wbinfo -S S-1-5-21-3542048200-3079820972-537594794-55128
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3542048200-3079820972-537594794-55128 to uid

The WBC_ERR_DOMAIN_NOT_FOUND is a little bit weird. The winbind logfile reports "NO_SUCH_USER" in this case.

Samba configuration:

[root at lus-gw-1 samba]# net conf list
[global]
        workgroup = AD
        netbios name = lus-gw
        security = ads
        realm = AD.UNI-PADERBORN.DE
        load printers = no
        winbind use default domain = yes
        winbind scan trusted domains = no
        idmap config * : backend = tdb
        idmap config * : range = 100-999
        idmap config ad : range = 1000-99999999
        idmap config ad : backend = ad
        kerberos method = secrets and keytab
        name resolve order = host bcast
        winbind cache time = 5
        winbind expand groups = 3
        log level = 5
        fileid:algorithm = fsname
        vfs objects = fileid acl_xattr

[scratch]
        path = /scratch
        comment = Lustre re-export
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700
        kernel oplocks = yes
        valid users = @meta_pc2_acc_cr2018

DNS configuration: the two nodes of the cluster are available under the same DNS name and both IPs get resolved to this name.

I have also set up a stand-alone Samba server (with the same user configuration) on a Debian stretch system which shows the same behavior. So this issue seems independent of the cluster mode and Samba version (4.5.16-Debian vs 4.10.4).

I have attached some logfiles. Which further information could be helpful?

Regards,
Michael Schwarz
Rowland penny
2020-Oct-07 15:29 UTC
[Samba] Is Samba unable to resolve secondary group membership?
On 07/10/2020 16:00, Michael Schwarz via samba wrote:
> Hello,
>
> I have a somewhat complicated problem and so far I have not been able
> to find any hints that have brought me further towards a solution:

This is a bit hard to follow, but certain things stand out: your smb.conf file is from a Unix domain member, yet you are trying to use local Unix groups. You also seem to be using very low numbers for the AD users and groups, numbers I wouldn't recommend. You also mention CTDB, but you do not have 'clustering = yes' in your smb.conf.

You shouldn't be getting 'WBC_ERR_DOMAIN_NOT_FOUND'.

Can you explain your set up a bit better ?
Michael Schwarz
2020-Oct-08 07:51 UTC
[Samba] Is Samba unable to resolve secondary group membership?
On 07.10.20 at 17:29, Rowland penny via samba wrote:
> On 07/10/2020 16:00, Michael Schwarz via samba wrote:
>> Hello,
>>
>> I have a somewhat complicated problem and so far I have not been able
>> to find any hints that have brought me further towards a solution:
> This is a bit hard to follow, but certain things stand out, your
> smb.conf file is from a Unix domain member, yet you are trying to use
> local Unix groups. You also seem to be using very low numbers for the
> AD users and groups, numbers I wouldn't recommend, you also mention
> CTDB, but you do not have 'clustering = yes' in your smb.conf.
>
> You shouldn't be getting 'WBC_ERR_DOMAIN_NOT_FOUND'
>
> Can you explain your set up a bit better ?
>

Hi Rowland,

thanks for your reply. I have posted the output from "net conf list" as the /etc/samba/smb.conf is rather short:

[root at lus-gw-1 ~]# cat /etc/samba/smb.conf
[global]
        clustering = yes
        include = registry

[root at lus-gw-1 ~]# net conf list
[global]
        workgroup = AD
        netbios name = lus-gw
        security = ads
        realm = AD.UNI-PADERBORN.DE
        load printers = no
        winbind use default domain = yes
        winbind scan trusted domains = no
        idmap config * : backend = tdb
        idmap config * : range = 100-999
        idmap config ad : range = 1000-99999999
        idmap config ad : backend = ad
        kerberos method = secrets and keytab
        name resolve order = host bcast
        winbind cache time = 5
        winbind expand groups = 3
        log level = 5
        fileid:algorithm = fsname
        vfs objects = fileid acl_xattr

[scratch]
        path = /scratch
        comment = Lustre re-export
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700
        kernel oplocks = yes
        valid users = @meta_pc2_acc_cr2018

The setup at our university is not quite trivial. I can understand that. I'll try to explain it again in a different way:

The university computer centre runs a central identity service consisting of an LDAP server and its own Kerberos REALM (UNI-PADERBORN.DE). All Linux computers and web services etc. are connected to this service. For the Windows computers there is a separate Active Directory domain (AD.UNI-PADERBORN.DE) served by a Windows domain controller. The users are created in both LDAP and ADS, but are not fully synchronised. The only reliable key to assign a user in LDAP to a user in AD is the user name. The AD knows neither the Unix UIDs nor a home directory or the like. Conversely, the LDAP doesn't know, for example, the SID of an AD user. The AD can therefore not be taken as the sole source for user data on Linux systems. That's why we didn't configure winbind as a source in /etc/nsswitch.conf.

In order for users on Windows computers (members of AD.UNI-PADERBORN.DE) to be able to log on to the CIFS cluster by single sign-on, this CIFS cluster is a member of the domain.

I have created a diagram on http://homepages.uni-paderborn.de/mschwar2/LDAP-AD-UPB.jpg.

The NFS daemon and the CIFS daemon run on the same system. The directory to be exported via CIFS is located on a Lustre file system. This is natively mounted by many Linux computers in our computing cluster and rights on this FS are correspondingly bound to the Linux UIDs and GIDs.

Samba is obviously able to map an AD user correctly by name to a corresponding LDAP user/Linux user. Otherwise I would not be able to access data that belongs to my own user. What does not work is to access data belonging to another user and a group of which I am a member but which is not my primary group.

I hope this helps a little bit to understand the setup here.

Thanks,
Michael
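An added example, not code from the thread, from Samba, or from either poster: a small Python script that parses "net conf list" style text (as posted above) into sections, pulls out the "idmap config DOM : backend/range" entries, and reports which idmap domain and backend winbind would consult for a given Unix uid/gid. The point it makes concrete is the one both messages circle around: with "idmap config ad : backend = ad", any id inside 1000-99999999 is resolved by looking up the RFC2307 uidNumber/gidNumber attribute on the AD object, and Michael states his AD carries no Unix IDs at all. SAMPLE_CONF is a trimmed, constructed copy of the posted [global] section; the gid values (20000, 500, 5) and the second, overlapping configuration are made up for illustration.

```python
"""Parse smb.conf / `net conf list` text and sanity-check the idmap layout.

Added example for the thread above; not Samba code. SAMPLE_CONF is a
constructed, trimmed copy of the posted [global] section.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONF = """\
[global]
        workgroup = AD
        security = ads
        winbind use default domain = yes
        idmap config * : backend = tdb
        idmap config * : range = 100-999
        idmap config ad : range = 1000-99999999
        idmap config ad : backend = ad
[scratch]
        path = /scratch
        valid users = @meta_pc2_acc_cr2018
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; keys lower-cased, inner whitespace collapsed."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # stray text before any section
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", " ", key.strip()).lower()] = value.strip()
    return sections


def idmap_domains(global_section: Dict[str, str]) -> Dict[str, dict]:
    """Collect 'idmap config DOM : backend|range' into {dom: {'backend', 'range'}}."""
    pat = re.compile(r"^idmap config (\S+) : (backend|range)$")
    domains: Dict[str, dict] = {}
    for key, value in global_section.items():
        m = pat.match(key)
        if not m:
            continue
        dom, opt = m.group(1).lower(), m.group(2)
        entry = domains.setdefault(dom, {"backend": None, "range": None})
        if opt == "backend":
            entry["backend"] = value.lower()
        else:
            lo, hi = value.split("-", 1)
            entry["range"] = (int(lo), int(hi))
    return domains


def check_idmap(domains: Dict[str, dict]) -> List[str]:
    """Static findings: incomplete domains, inverted or overlapping ranges, no '*'."""
    findings: List[str] = []
    ranges: List[Tuple[str, int, int]] = []
    for dom, e in sorted(domains.items()):
        if e["backend"] is None or e["range"] is None:
            findings.append(f"{dom}: incomplete idmap config ({e})")
            continue
        lo, hi = e["range"]
        if lo > hi:
            findings.append(f"{dom}: inverted range {lo}-{hi}")
            continue
        ranges.append((dom, lo, hi))
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    if "*" not in domains:
        findings.append("no default ('*') idmap domain for BUILTIN/well-known SIDs")
    return findings


def owning_domain(domains: Dict[str, dict], number: int) -> Tuple[Optional[str], Optional[str]]:
    """(domain, backend) whose range contains this uid/gid, or (None, None)."""
    for dom, e in domains.items():
        if e["range"] and e["range"][0] <= number <= e["range"][1]:
            return dom, e["backend"]
    return None, None


def explain_gid(domains: Dict[str, dict], gid: int) -> str:
    """One-line verdict on how winbind would try to map a Unix gid back to a SID."""
    dom, backend = owning_domain(domains, gid)
    if dom is None:
        return f"gid {gid}: outside every idmap range, winbind cannot map it"
    if backend == "ad":
        return (f"gid {gid}: in '{dom}' range, backend ad: needs an AD group with "
                f"gidNumber={gid} (RFC2307 attribute), otherwise it stays unmapped")
    return f"gid {gid}: in '{dom}' range, backend {backend}"


if __name__ == "__main__":
    doms = idmap_domains(parse_conf(SAMPLE_CONF)["global"])
    print(check_idmap(doms) or "idmap layout: no static findings")
    for g in (20000, 500, 5):                  # constructed gids, not from the thread
        print(explain_gid(doms, g))
```

Run against the posted configuration the static checks pass (the two ranges do not overlap and a '*' domain exists), which matches Rowland's remark that the configuration itself looks like an ordinary Unix domain member. The interesting line is the verdict for a gid such as the LDAP-assigned one of "pc2-mitarbeiter": anything in 1000-99999999 is handed to the ad backend, and that backend answers only if an AD object carries the matching gidNumber. Feeding the real gid from "getent group pc2-mitarbeiter" into explain_gid is the quick check for whether the secondary group can ever be represented as an AD SID in Samba's token.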