Bug 33129 - network browsing (nmbd) not working with UCS 3.2
network browsing (nmbd) not working with UCS 3.2
Product: UCS
Classification: Unclassified
Component: Samba4
Other Linux
: P5 normal (vote)
: UCS 3.2
Assigned To: Arvid Requate
Felix Botner
: interim-4
Depends on:
  Show dependency treegraph
Reported: 2013-11-05 14:45 CET by Felix Botner
Modified: 2013-11-19 06:44 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2013-11-05 14:45:13 CET
Join a windows 8.1 client in a samba4 domain (single-master). Logged in as Domain Administrator and open network environment but the master wasn't listed there (going to the master by opening \\master in the explorer works).

On a windows7 the master is visible in the network environment.
Comment 1 Felix Botner univentionstaff 2013-11-05 15:46:43 CET
In fact, the windows network is empty on ALL windows clients (win7, win8, win2003r2, winxp)

In winxp and win2003r2 i get the following error message when trying to open the "domain" in microsoft windows network:

Auf "Fff" kann nicht zugegriffen werden. Sie haben eventuell keine Berechtigung diese Netzwerkressource zu verwenden. Wenden Sie sich an den Administrator des Servers, um herauszufinden, ob Sie über Berechtigungen verfügen.

Die Struktur der Sicherheitskennung ist unzulässig.
Comment 2 Arvid Requate univentionstaff 2013-11-05 16:03:12 CET
In the samba4 domain of this bug report  windows/wins-server is not set on the backup, slave and member:

windows/wins-server: <empty>
windows/wins-support: no

From the perspective of the master only the master is listed for all netbios categories:
root@master:~# eval "$(ucr shell windows/domain)"; for t in 1b 1c 1d 1e; do \
               nmblookup "$windows_domain#$t"; done FFF<1b> FFF<1c> FFF<1d> FFF<1e>

I would have guessed that broadcast lookups should work anyway, but it doesn't:
nmblookup 'FFF#1c' -B $(ucr get interfaces/eth0/broadcast) -S
querying FFF on FFF<1d>
Looking up status of
        MASTER          <00> -         H <ACTIVE> 
        MASTER          <03> -         H <ACTIVE> 
        MASTER          <20> -         H <ACTIVE> 
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE> 
        FFF             <00> - <GROUP> H <ACTIVE> 
        FFF             <1b> -         H <ACTIVE> 
        FFF             <1c> - <GROUP> H <ACTIVE> 
        FFF             <1d> -         H <ACTIVE> 
        FFF             <1e> - <GROUP> H <ACTIVE> 

        MAC Address = 00-00-00-00-00-00

log.nmbd also shows that the master assumed the role of the "domain master browser" for the domain. From the backup the situation looks like this:
root@backup:~# eval "$(ucr shell windows/domain)"; for t in 1b 1c 1d 1e; do \
               nmblookup "$windows_domain#$t"; done
name_query failed to find name FFF#1b FFF<1c>
name_query failed to find name FFF#1d FFF<1e>

On the Memberserver things look ok:
root@member:~# eval "$(ucr shell windows/domain)"; for t in 1b 1c 1d 1e; do nmblookup "$windows_domain#$t"; done FFF<1b> FFF<1c> FFF<1c> FFF<1c> FFF<1c> FFF<1d> FFF<1e> FFF<1e> FFF<1e> FFF<1e> FFF<1e> FFF<1e> FFF<1e> FFF<1e> FFF<1e>

So I think this is related to Bug 30815
Comment 3 Arvid Requate univentionstaff 2013-11-05 16:40:22 CET
Broadcasts look ok from the UCS Memberserver as well, so it looks like the nmbd on samba4 DCs does not work properly.

As a workaround, one can pick a single UCS memberserver and adjust the nmbd configuration via /etc/samba/local.conf like this:

   local master = yes
   preferred master = yes
   domain master = yes
   os level = 20

On the Samba4-DCs the same parameters need to be disabled, which can be done via UCR:

ucr set samba/local/master=no samba/preferred/master=no samba/domain/master=no
Comment 4 Felix Botner univentionstaff 2013-11-05 16:42:11 CET
with UCS 3.1-1, it worked "out of the box"
Comment 5 Arvid Requate univentionstaff 2013-11-05 19:38:49 CET
Interestingly, in UCS 3.1-1 the nmblookup results look pretty much the same, i.e. the Samba4 DCs do not seem to "see" each other on the netbios level. But for the Windows clients the network browsing works just fine. so this might be unrelated.
Comment 6 Arvid Requate univentionstaff 2013-11-05 19:53:56 CET
After a while you learn to love exact error messages.. The english translation of the XP error message seems to be:
"Ar311r1" is not accessible. You might not have permission to use this network 
resource. Contact the administrator of this server to find out if you have 
access permissions.

The security ID structure is invalid.

Now that shines some light on this issue.. triggered the XP error message again and logged the samba server a level 10:
[2013/10/23 14:05:10.216558,  5, pid=12283, effective(0, 0), real(0, 0)] ../source4/libcli/wbclient/wbclient.c:72(wbc_sids_to_xids_send)
  wbc_sids_to_xids called
[2013/10/23 14:05:10.218514,  5, pid=12283, effective(0, 0), real(0, 0)] ../source4/libcli/wbclient/wbclient.c:118(wbc_sids_to_xids_recv)
  wbc_sids_to_xids_recv called
[2013/10/23 14:05:10.218575,  0, pid=12283, effective(0, 0), real(0, 0)] ../source4/auth/unix_token.c:83(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID.  Conversion was returned as type 2, full token:
[2013/10/23 14:05:10.218614,  0, pid=12283, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (3):
    SID[  0]: S-1-5-7
    SID[  1]: S-1-1-0
    SID[  2]: S-1-5-2
   Privileges (0x               0):
   Rights (0x               0):
[2013/10/23 14:05:10.218760,  1, pid=12283, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_INVALID_SID

Oops. Winbind cannot lookup S-1-5-7, which corresponds to the builtin group "Anonymous Logon". So winbind cannot find a "user token" in the idmap. Incidentally, since Bug 29000 we create these Builtin groups in UCS LDAP, and thus the samba4-idmap listener creates an idmap entry with "XID_TYPE_GID".
In UCS 3.1-1 on the other hand Samba4 had written XID_TYPE_BOTH entries.

After manually changing the S-1-5-7 record in idmap to XID_TYPE_BOTH, the network browsing worked again. My first idea is, that we should/could change the samba4-idmap listener to generate XID_TYPE_BOTH records for the Builtin S-1-5* SIDs.
Comment 7 Arvid Requate univentionstaff 2013-11-05 21:00:15 CET
Ok, samba4-idmap.py is adjusted in univention-samba4 3.0.34-1.
Changelog adjusted.

For a quick check in the affected test domain update the package and run

/usr/lib/univention-directory-listener/system/samba4-idmap.py --direct-resync

once. After that network browsing should work again, no samba restart required.
Comment 8 Felix Botner univentionstaff 2013-11-11 09:31:18 CET
Comment 9 Arvid Requate univentionstaff 2013-11-11 16:05:41 CET
A small post-verifed observation about this:

Actually Samba4 on itself creates the idmap record for S-1-5-7 as ID_TYPE_UID and not ID_TYPE_BOTH. No clue why or how this decision comes about in the code. Most of the other builtin "foreignSecurtiyPrincipal" objects are treated as ID_TYPE_BOTH. Doesn't matter right now.
Comment 10 Stefan Gohmann univentionstaff 2013-11-19 06:44:19 CET
UCS 3.2 has been released:

If this error occurs again, please use "Clone This Bug".