Bug 1200754 - Domain user groups not shown: "Could not connect to samr pipe"
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Distribution
Component: Samba
Leap 15.4
x86-64 openSUSE Leap 15.4
Assigned To: Samuel Cabrero
The 'Opening Windows to a Wider World' guys
Reported: 2022-06-21 13:53 UTC by Andreas Hauffe
Modified: 2022-06-22 08:31 UTC (History)
Description Andreas Hauffe 2022-06-21 13:53:35 UTC
Hi,

I'm using SAMBA 4.16.2 on an openSUSE Leap 15.4 platform as a domain member, but I'm unable to get "winbind -r" to work. As a result (?) the Linux "groups" command shows local groups only.

When running "wbinfo -r DOM+username" I'm getting the following error in the logs:

Jun 21 09:02:23 lftworkli06 winbindd[12376]: [2022/06/21 09:02:23.768314,  0] ../../source3/winbindd/winbindd_samr.c:72(open_internal_samr_conn)
Jun 21 09:02:23 lftworkli06 winbindd[12376]:   open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_CONNECTION_DISCONNECTED 

I branched https://build.opensuse.org/package/show/network:samba:STABLE/samba and set it up for openSUSE Leap 15.4. I went this way since the official samba version for openSUSE Leap 15.4 is samba 4.15.5 and we ran into a bug that should be fixed in 4.15.6. So I wanted to try the newest stable samba version. The link to the project is:

https://build.opensuse.org/project/show/home:AndiMb83:Samba153

I'm getting a full list of the SIDs of all domain groups of the user for "wbinfo --user-domgroups=$SID_OF_DOM+USERNAME$" and also "wbinfo --sid-to-fullname=$SID_OF_A_GROUP$" returns the correct name. So perhaps there is nothing missing.

Only in case of "wbinfo -r DOM+username" I'm getting no results, and the logs look like the mapping of the group SIDs with the rid backend is not working here.

[2022/06/21 14:32:55.235582,  3, pid=28151, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_util.c:1910(lookup_usergroups_cached)
 : lookup_usergroups_cached succeeded
[2022/06/21 14:32:55.235653,  1, pid=28151, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
      wbint_LookupUserAliases: struct wbint_LookupUserAliases
         in: struct wbint_LookupUserAliases
             sids                     : *
                 sids: struct wbint_SidArray
                     num_sids                 : 0x0000004d (77)
                     sids: ARRAY(77)

... list of SIDs ...

[2022/06/21 14:32:55.237773,  1, pid=28151, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
      wbint_LookupUserAliases: struct wbint_LookupUserAliases
         out: struct wbint_LookupUserAliases
             rids                     : *
                 rids: struct wbint_RidArray
                     num_rids                 : 0x00000000 (0)
                     rids: ARRAY(0)
             result                   : NT_STATUS_CONNECTION_DISCONNECTED
[2022/06/21 14:32:55.237825,  5, pid=28151, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
 Could not convert sid S-1-5-21-2997476295-479482163-1603050229-93321: NT_STATUS_CONNECTION_DISCONNECTED
[2022/06/21 14:32:55.237835, 10, pid=28151, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:805(process_request_done)
 process_request_done: [wbinfo(2859):GETGROUPS]: NT_STATUS_CONNECTION_DISCONNECTED
[2022/06/21 14:32:55.237856, 10, pid=28151, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:849(process_request_written)
 process_request_written: [wbinfo(2859):GETGROUPS]: delivered response to client
[2022/06/21 14:32:55.237978,  6, pid=28151, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:964(winbind_client_request_read)
 closing socket 23, client exited 

smb.conf

[global]

   netbios name = lftworkli06
   security = ADS
   workgroup = ILRW
   realm = ILRW.ING.DOM.TU-DRESDEN.DE
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   #rpc start on demand helpers = false

   template homedir = /home/home_ilrw/%U
   template shell = /bin/bash

   winbind refresh tickets = yes
   winbind separator = +

   idmap config * : backend = tdb
   idmap config * : range = 2000-2999
   idmap config ILRW : backend = rid
   idmap config ILRW : range = 3000-9999 # UID from RID for ILRW
   idmap config DOM : backend = rid
   idmap config DOM : range = 10000-9999999 # UID from RID for DOM

krb.conf

[libdefaults]
       default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
       dns_lookup_realm = false
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true

[realms]
  ILRW.ING.DOM.TU-DRESDEN.DE = {
       auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
       auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
       auth_to_local = DEFAULT
  }
  DOM.TU-DRESDEN.DE = {
       auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
       auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
       auth_to_local = DEFAULT
  }
Comment 1 Samuel Cabrero 2022-06-21 15:48:02 UTC
Hi Andreas,

please check the "samba" package is installed. After the DCE/RPC changes in 4.16.0 the samba-dcerpcd binary is necessary and it is part of the "samba" package.
Comment 2 Noel Power 2022-06-21 17:14:41 UTC
ok, I see this too,

it seems that samba-4.16 introduces a new apparmor requirement

please modify


/etc/apparmor.d/samba-dcerpcd with


  /usr/lib*/samba/samba-dcerpcd m,

/etc/apparmor.d/samba-rpcd with

  /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,

/etc/apparmor.d/samba-rpcd-classic with

  /usr/lib*/samba/rpcd_classic m,

/etc/apparmor.d/samba-rpcd-spoolss with

  /usr/lib*/samba/rpcd_spoolss m,

and that should solve the issue
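
A quick way to verify the profile changes listed in comment 2, as an added example that is not part of the original thread or of the Samba/openSUSE packages: the script reports which of the four profile files lack the `m` (executable memory mapping) rule. The `APPARMOR_DIR` override and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which AppArmor profiles lack the "m" rule from comment 2.
# APPARMOR_DIR is an assumed override so the check can be pointed at a test tree.
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# "profile file|rule" pairs, copied from comment 2.
REQUIRED_RULES='samba-dcerpcd|/usr/lib*/samba/samba-dcerpcd m,
samba-rpcd|/usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,
samba-rpcd-classic|/usr/lib*/samba/rpcd_classic m,
samba-rpcd-spoolss|/usr/lib*/samba/rpcd_spoolss m,'

# has_rule FILE RULE: succeed if some line of FILE equals RULE once leading and
# trailing whitespace is stripped. The rule is compared as a fixed string (not a
# glob), so a commented-out rule or one with other permissions does not match.
# It does not check that the line sits inside the profile's { } block.
has_rule() {
    [ -r "$1" ] || return 1
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -Fxq -- "$2"
}

# missing_rules: print "profile: rule" for every rule that is absent,
# including the case where the profile file itself does not exist.
missing_rules() {
    printf '%s\n' "$REQUIRED_RULES" | while IFS='|' read -r profile rule; do
        has_rule "$APPARMOR_DIR/$profile" "$rule" || echo "$profile: $rule"
    done
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    missing_rules
fi
```

Empty output from `--check` means all four rules are present; each printed line names a profile file that still needs the rule.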
Comment 3 Andreas Hauffe 2022-06-21 18:20:02 UTC
An update of the apparmor profiles solved the problem. Thanks for your help!
Comment 4 Noel Power 2022-06-22 08:31:10 UTC
(In reply to Andreas Hauffe from comment #3)
> An update of the apparmor profiles solved the problem. Thanks for your help!

glad we could help get it sorted for you.

closing this bug as invalid as the apparmor version and profiles are correct for the supported version of samba (samba-4.15) on leap 15.4 (note tw has the appropriate apparmor profiles for samba-4.16)