Wbinfo -r ad-user ==> group missing & duplicates

Gregor · January 4, 2020, 11:36pm

I installed samba and winbind on ubuntu 18 and the os is joined to the domain.
when I do a wbinfo -r ad-user I see there is a group missing. Very persistently.

I tried:
net flush
deleted the tdb files
restarted winbind & smb
rebooted

with a centos 7 machine I see the group.

when I do a “wbinfo -r ad-user |wc -l” I get 70 lines on both OS!

only the two last group is’s differ:
Ubuntu (wrong):
121361
232554
232494
3004
3001

centos (correct):
121361
232554
232494
236337
16777217

Both machines have no sssd installed or running.

CENTOS & UBUNTU
shadow: files winbind
group: files winbind
[global]
interfaces = ens192
ldap suffix = dc=saszl,dc=local
load printers = No
log file = /var/log/samba/log.%m
max log size = 50
password server = SRV00214.saszl.local
realm = saszl.LOCAL
security = ADS
server string = Samba Server Version %v
template homedir = /net/lfs.saszl.local/home/%U
template shell = /bin/bash
winbind offline logon = Yes
winbind separator = +
winbind use default domain = Yes
workgroup = saszl
idmap config saszl:base_rid = 0
idmap config saszl: range = 100000-89999999
idmap config saszl: backend = rid
idmap config * : range = 3000-9999
idmap config * : backend = tdb
username map = /etc/samba/usermap
username map script = /etc/samba/usermap.sh
log level = 0

UBUNTU:
wbinfo -r user1 |while read xx; do getent group $xx; done|awk -F: ‘{print $1}’|sort -u|wc -l
69
wbinfo -r user1 |while read xx; do getent group $xx; done|awk -F: ‘{print $1}’|wc -l
70
One duplicate

wbinfo -r user2 |while read xx; do getent group $xx; done|awk -F: ‘{print $1}’|sort -u|wc -l
94
wbinfo -r user2 |while read xx; do getent group $xx; done|awk -F: ‘{print $1}’|wc -l
139
45 duplicates

CENTOS:
wbinfo -r user1 |while read xx; do getent group $xx; done|awk -F: ‘{print $1}’|sort -u|wc -l
70
wbinfo -r user1 |while read xx; do getent group $xx; done|awk -F: ‘{print $1}’|wc -l
70
No duplicates

wbinfo -r user2 |while read xx; do getent group $xx; done|awk -F: ‘{print $1}’|sort -u|wc -l
92
wbinfo -r user2 |while read xx; do getent group $xx; done|awk -F: ‘{print $1}’|wc -l
92
No duplicates

is this a bug?

fabek · January 6, 2020, 10:03am

Hello Gregor,
can you show the content of the file /etc/nsswitch.conf
In Ubuntu 18?

Thank you.

fabek · January 6, 2020, 10:28am

I also recommend to change the samba log level to a more verbose one

for instance

log level = 3
(The value can be increased to 10 )

Then run
testparm
to verify no config errors or warnings
Then restart samba

Gregor · January 6, 2020, 11:09am

Set debug to 3.
No warnings, errors or out of place messages.

nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

testparm
only warning on:
map untrusted to domain = Yes ==> deprecated
password server = SRV00214.spzl.local ==> not in combination with security is ads

The lines make no difference however. Tested that.

Gregor · January 7, 2020, 9:16am

When I do a “wbinfo -a user%passwd” then I get the missing group.
Still duplicates however.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454670

fabek · January 7, 2020, 6:51pm

Hello Gregor,
It seems a “by design issue” as the relative man page mentions the command “wbinfo -r” cmdline might return cached/outdated values.

Can you check if the winbind daemon has been started with the -n option
(no cache); also is there any domain user currently logged into this system which belongs to these groups?

P.S.: please create another post linking to this ( I cannot reply anymore to this) and with the exact version of your Samba and Winbind. Also what kind of domain u have? One forest or more than one, any trust? Thanks.
Kind Regards.

Gregor · January 8, 2020, 8:37am

since I did the “wbinfo -a” I don’t have the missing group any more.
Whatever I do.

Still duplicate groups however also with the -n option.
some groups in the saszl are also in the * range.

No users logged in.