Bug 44114 - Windows 2012 fails to lookup domain group in explorer security permissions dialog
Status: RESOLVED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2017-03-28 15:29 CEST by Arvid Requate
Modified: 2017-03-28 17:52 CEST (History)
What kind of report is it?: Development Internal
Attachments
w2k12_ucs43_group_lookup_fails.png (77.82 KB, image/png)
2017-03-28 15:29 CEST, Arvid Requate
w2k12_ucs42_group_lookup_works.png (74.27 KB, image/png)
2017-03-28 15:30 CEST, Arvid Requate
w2k12_ucs42_group_browsing_missing_group1.png (84.75 KB, image/png)
2017-03-28 15:47 CEST, Arvid Requate
w2k12_ucs42_group_browsing_finding_group1.png (84.69 KB, image/png)
2017-03-28 15:51 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2017-03-28 15:29:30 CEST
Created attachment 8668
w2k12_ucs43_group_lookup_fails.png

Windows 2012 (W2k12) client joined against Samba 4.6.1 (UCS 4.2 RC):

Add a group "group1" via UMC, log in as Domain Admin (or user) to joined W2K12 client and open explorer. Choose any file and right-click on Properties. In the Properties dialog box click the Security tab and click the Add button. Enter the group name in the dialog and click on "Check Names" -> another dialog pops up, saying that the group could not be found. See attached screenshot.

By default the "From this location" field is set to the domain name. Change it by clicking on "Locations ..." and select "Entire Directory". Now, when I click "Check Names" again, the group is found.

I only saw this issue with a W2K12 client. Group resolution worked with Windows 7, 8.1, 10 and W2k8R2. My domain was a full product test domain with Master, Backup, Slave, Member and Slave-RODC. Even after stopping the Samba processes on all servers but the master and rebooting the issue was reproducible.
Comment 1 Arvid Requate univentionstaff 2017-03-28 15:30:49 CEST
Created attachment 8669
w2k12_ucs42_group_lookup_works.png

Screenshot from working group resolution with Location set to "Entire Domain"
Comment 2 Arvid Requate univentionstaff 2017-03-28 15:47:47 CEST
Created attachment 8670
w2k12_ucs42_group_browsing_missing_group1.png

This screenshot shows "group1" is missing in the browse result of Security Tab > Add > Advanced > Search Now
Comment 3 Arvid Requate univentionstaff 2017-03-28 15:51:08 CEST
Created attachment 8671
w2k12_ucs42_group_browsing_finding_group1.png

This screenshot shows "group1" is shown in the browse result of Security Tab > Add > Advanced > Search Now when "From this location" is set to "Entire Domain".

Note: I guess that the lookup for "Entire Domain" runs against the global catalog (port 3268).
Comment 4 Arvid Requate univentionstaff 2017-03-28 16:07:26 CEST
This issue doesn't happen with the UCS specific group "Backup Join".
Comment 5 Arvid Requate univentionstaff 2017-03-28 16:29:38 CEST
Maybe it's an effect of the RODC: Apparently that system doesn't replicate properly. Neither "group1" nor additionally created user or group objects are replicated there (see Bug 44115).
Comment 6 Arvid Requate univentionstaff 2017-03-28 17:52:18 CEST
Works again after fixing Bug 44115 locally.