Univention Bugzilla – Bug 33129
network browsing (nmbd) not working with UCS 3.2
Last modified: 2021-05-11 11:20:34 CEST
Joined a Windows 8.1 client to a Samba4 domain (single master). Logged in as Domain Administrator and opened the network environment, but the master wasn't listed there (going to the master by opening \\master in Explorer works). On a Windows 7 client the master is visible in the network environment.
In fact, the Windows network is empty on ALL Windows clients (Win7, Win8, Win2003R2, WinXP). On WinXP and Win2003R2 I get the following error message when trying to open the "domain" in Microsoft Windows Network:
Auf "Fff" kann nicht zugegriffen werden. Sie haben eventuell keine Berechtigung diese Netzwerkressource zu verwenden. Wenden Sie sich an den Administrator des Servers, um herauszufinden, ob Sie über Berechtigungen verfügen. Die Struktur der Sicherheitskennung ist unzulässig.
In the samba4 domain of this bug report windows/wins-server is not set on the backup, slave and member:
======================================================================
windows/wins-server: <empty>
windows/wins-support: no
======================================================================
From the perspective of the master only the master is listed for all netbios categories:
======================================================================
root@master:~# eval "$(ucr shell windows/domain)"; for t in 1b 1c 1d 1e; do \
nmblookup "$windows_domain#$t"; done
10.200.7.150 FFF<1b>
10.200.7.150 FFF<1c>
10.200.7.150 FFF<1d>
10.200.7.150 FFF<1e>
======================================================================
I would have guessed that broadcast lookups should work anyway, but they don't:
======================================================================
nmblookup 'FFF#1c' -B $(ucr get interfaces/eth0/broadcast) -S
querying FFF on 10.200.7.255
10.200.7.150 FFF<1d>
Looking up status of 10.200.7.150
        MASTER          <00> -         H <ACTIVE>
        MASTER          <03> -         H <ACTIVE>
        MASTER          <20> -         H <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
        FFF             <00> - <GROUP> H <ACTIVE>
        FFF             <1b> -         H <ACTIVE>
        FFF             <1c> - <GROUP> H <ACTIVE>
        FFF             <1d> -         H <ACTIVE>
        FFF             <1e> - <GROUP> H <ACTIVE>

        MAC Address = 00-00-00-00-00-00
======================================================================
log.nmbd also shows that the master assumed the role of the "domain master browser" for the domain.
From the backup the situation looks like this:
======================================================================
root@backup:~# eval "$(ucr shell windows/domain)"; for t in 1b 1c 1d 1e; do \
nmblookup "$windows_domain#$t"; done
name_query failed to find name FFF#1b
10.200.7.151 FFF<1c>
name_query failed to find name FFF#1d
10.200.7.151 FFF<1e>
======================================================================
On the Memberserver things look ok:
======================================================================
root@member:~# eval "$(ucr shell windows/domain)"; for t in 1b 1c 1d 1e; do nmblookup "$windows_domain#$t"; done
10.200.7.150 FFF<1b>
10.200.7.154 FFF<1c>
10.200.7.150 FFF<1c>
10.200.7.152 FFF<1c>
10.200.7.151 FFF<1c>
10.200.7.150 FFF<1d>
10.200.7.153 FFF<1e>
10.200.7.151 FFF<1e>
10.200.7.154 FFF<1e>
10.200.7.152 FFF<1e>
10.200.7.150 FFF<1e>
10.200.7.23 FFF<1e>
10.200.7.22 FFF<1e>
10.200.7.60 FFF<1e>
10.200.7.61 FFF<1e>
======================================================================
So I think this is related to Bug 30815.
Broadcasts look ok from the UCS Memberserver as well, so it looks like the nmbd on Samba4 DCs does not work properly. As a workaround, one can pick a single UCS Memberserver and adjust the nmbd configuration via /etc/samba/local.conf like this:
========================
[global]
local master = yes
preferred master = yes
domain master = yes
os level = 20
========================
On the Samba4 DCs the same parameters need to be disabled, which can be done via UCR:
ucr set samba/local/master=no samba/preferred/master=no samba/domain/master=no
With UCS 3.1-1, it worked "out of the box".
Interestingly, in UCS 3.1-1 the nmblookup results look pretty much the same, i.e. the Samba4 DCs do not seem to "see" each other on the netbios level. But for the Windows clients the network browsing works just fine. So this might be unrelated.
After a while you learn to love exact error messages... The English translation of the XP error message seems to be:
=============================================
"Ar311r1" is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
The security ID structure is invalid.
=============================================
Now that shines some light on this issue... I triggered the XP error message again and logged the Samba server at level 10:
================================================================================
[2013/10/23 14:05:10.216558, 5, pid=12283, effective(0, 0), real(0, 0)] ../source4/libcli/wbclient/wbclient.c:72(wbc_sids_to_xids_send)
  wbc_sids_to_xids called
[2013/10/23 14:05:10.218514, 5, pid=12283, effective(0, 0), real(0, 0)] ../source4/libcli/wbclient/wbclient.c:118(wbc_sids_to_xids_recv)
  wbc_sids_to_xids_recv called
[2013/10/23 14:05:10.218575, 0, pid=12283, effective(0, 0), real(0, 0)] ../source4/auth/unix_token.c:83(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID. Conversion was returned as type 2, full token:
[2013/10/23 14:05:10.218614, 0, pid=12283, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (3):
    SID[  0]: S-1-5-7
    SID[  1]: S-1-1-0
    SID[  2]: S-1-5-2
   Privileges (0x 0):
   Rights (0x 0):
[2013/10/23 14:05:10.218760, 1, pid=12283, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_INVALID_SID
================================================================================
Oops. Winbind cannot look up S-1-5-7, which corresponds to the builtin group "Anonymous Logon". So winbind cannot find a "user token" in the idmap.
Incidentally, since Bug 29000 we create these Builtin groups in UCS LDAP, and thus the samba4-idmap listener creates an idmap entry with "XID_TYPE_GID". In UCS 3.1-1 on the other hand Samba4 had written XID_TYPE_BOTH entries. After manually changing the S-1-5-7 record in idmap to XID_TYPE_BOTH, the network browsing worked again. My first idea is that we should/could change the samba4-idmap listener to generate XID_TYPE_BOTH records for the Builtin S-1-5* SIDs.
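A check for the condition diagnosed in the comment above, added here as an example and not code from the samba4-idmap listener or from Samba: it parses a constructed ldbsearch-style dump of idmap.ldb together with the token SIDs from the quoted smbd log and reports well-known S-1-5-<n> SIDs that are not mapped as ID_TYPE_BOTH. The sample dump, the regex used to recognise "Builtin S-1-5*" SIDs and the function names are assumptions.

```python
import re

# Constructed LDIF sample shaped like an ldbsearch dump of idmap.ldb; the S-1-5-7
# entry is deliberately ID_TYPE_GID, the state the report found on the DC.
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-7
objectSid: S-1-5-7
type: ID_TYPE_GID
xidNumber: 3000003

dn: CN=S-1-5-2
objectSid: S-1-5-2
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

# Constructed excerpt modelled on the level-10 smbd log quoted in the report.
SAMPLE_LOG = """\
Unable to convert first SID (S-1-5-7) in user token to a UID. Conversion was returned as type 2, full token:
Security token SIDs (3):
  SID[  0]: S-1-5-7
  SID[  1]: S-1-1-0
  SID[  2]: S-1-5-2
"""

# Assumption: the report's "Builtin S-1-5* SIDs" are read here as well-known NT
# Authority SIDs with a single sub-authority (S-1-5-7 Anonymous Logon, S-1-5-2 Network).
WELL_KNOWN_NT_SID = re.compile(r"^S-1-5-\d+$")
TOKEN_SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[0-9-]+)")

def parse_idmap_ldif(text):
    """Return {objectSid: type} from an LDIF dump of idmap.ldb."""
    idmap = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "objectSid" in attrs and "type" in attrs:
            idmap[attrs["objectSid"]] = attrs["type"]
    return idmap

def token_sids_from_log(text):
    """Extract the SIDs of the failing security token from the smbd log."""
    return TOKEN_SID_LINE.findall(text)

def gid_only_well_known(idmap, token_sids):
    """(sid, type) for well-known SIDs in the token that are not mapped as ID_TYPE_BOTH."""
    return [(sid, idmap.get(sid, "missing")) for sid in token_sids
            if WELL_KNOWN_NT_SID.match(sid) and idmap.get(sid) != "ID_TYPE_BOTH"]
```

Run against a real dump with `ldbsearch -H /var/lib/samba/private/idmap.ldb` output piped into parse_idmap_ldif; the S-1-5-7 entry in the sample is the one the fix has to rewrite to ID_TYPE_BOTH.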
Ok, samba4-idmap.py is adjusted in univention-samba4 3.0.34-1. Changelog adjusted. For a quick check in the affected test domain, update the package and run /usr/lib/univention-directory-listener/system/samba4-idmap.py --direct-resync once. After that network browsing should work again, no Samba restart required.
OK
A small post-verified observation about this: Actually Samba4 by itself creates the idmap record for S-1-5-7 as ID_TYPE_UID and not ID_TYPE_BOTH. No clue why or how this decision comes about in the code. Most of the other builtin "foreignSecurityPrincipal" objects are treated as ID_TYPE_BOTH. Doesn't matter right now.
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html
If this error occurs again, please use "Clone This Bug".