Background:
On an isolated network. Multiple RHEL6 Linux systems connected to a Windows 2012R2 DC. Systems are joined to the domain and authenticating against the DC. Using idmap_rid. No known changes to the Windows or Linux configuration files. Everything has worked for several years and only recently stopped. There have been changes on the Windows side in terms of security configuration, but those changes are not well tracked; I would have to ask those admins to look at something specific. RH support has not been very useful.
ISSUE:
Some time in the past month most users no longer show the correct group information. All users are automatically members of "Domain Users", as this is the default Windows group. Nearly all users are in an AD security group named "Program Users" that I created. When I execute "id" or "groups" for any account, it only shows membership in "Domain Users" and none of the other groups. For the "id" command, it sometimes shows that group more than once.
id returns:
uid=###(username) gid=###(domain user) groups=###(domain user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
wbinfo -u and wbinfo -g return the correct listing of all users and groups.
getent group Program\ Users (and wbinfo --group-info) returns:
Program users:*:GID#:comma-separated list of users
The list of users is correct and includes the users with missing data.
wbinfo -r does not return the correct list.
I've tried clearing /var/lib/samba/*.tdb but that does not help.
Some configuration data:
SMB.CONF:
[global]
workgroup = DOMAIN0
password server = server0.DOMAIN0.LOCAL
realm = DOMAIN0.LOCAL
security = ads
idmap config * : backend = tdb
idmap config * : range = 300000-399999
# rid backend: uid/gid = RID - base_rid + low end of the range (here RID + 100000)
idmap config DOMAIN0 : backend = rid
idmap config DOMAIN0 : range = 100000-199999
idmap config DOMAIN0 : base_rid = 0
template shell = /bin/bash
# with enumeration off, getent passwd/group without a name argument will not list domain entries
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = yes
winbind offline logon = false
kerberos method = secrets and keytab
client signing = mandatory
server signing = mandatory
NSSWITCH.CONF:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
SYSTEM-AUTH:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 remember=24 maxrepeat=3
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_lastlog.so showfailed
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
REQUEST-KEY.CONF:
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create user debug:* negate /bin/keyctl negate %k 30 %S
create user debug:loop:* * |/bin/cat
create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate * * * /bin/keyctl negate %k 30 %S
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create cifs.idmap * * /usr/sbin/cifs.idmap %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
KRB5.CONF:
[libdefaults]
default_realm = DOMAIN0.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN0.LOCAL = {
kdc = server0.DOMAIN0.LOCAL
}
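A quick way to quantify the mismatch described above (groups that list the user in getent output but whose GID never shows up in "id"), as an added example that is not part of the original post. It compares numeric GIDs rather than names so that group names containing spaces ("Program Users") do not break the split. The sample getent lines and GIDs below are constructed; on a live host you would call it as missing_groups bob "$(id -G bob)" "$(getent group 'Domain Users' 'Program Users')", passing the group names explicitly because winbind enum groups = no means a bare getent group will not enumerate domain groups.

```shell
#!/bin/sh
# Added example (not from the original post). Reports groups whose getent
# member list contains USER but whose GID is absent from `id -G USER`.
#
# Usage: missing_groups USER "ID_GIDS" "GETENT_GROUP_OUTPUT"
#   ID_GIDS             space-separated numeric GIDs, as printed by `id -G USER`
#   GETENT_GROUP_OUTPUT one or more `getent group` lines (name:pw:gid:members)
# Prints "gid:name" per missing group; prints nothing when everything matches.
missing_groups() {
    user=$1
    id_gids=$2
    getent_out=$3
    printf '%s\n' "$getent_out" | while IFS=: read -r gname pw gid members; do
        [ -n "$gid" ] || continue
        # Is the user named in the member list? Pad with commas so "bob"
        # does not match "bobby".
        case ",$members," in
            *",$user,"*) ;;
            *) continue ;;
        esac
        # Did `id -G` report this GID? Pad with spaces for the same reason.
        case " $id_gids " in
            *" $gid "*) ;;
            *) printf '%s:%s\n' "$gid" "$gname" ;;
        esac
    done
}

# Constructed sample data standing in for live winbind output. The duplicated
# primary GID mirrors the "group shown more than once" symptom in the post.
SAMPLE_ID_GIDS="100513 100513"
SAMPLE_GETENT='domain users:*:100513:
program users:*:101105:alice,bob,carol
program admins:*:101106:bob
wheel:x:10:root'

missing_groups bob "$SAMPLE_ID_GIDS" "$SAMPLE_GETENT"
```

Run against real hosts, an empty result for a user in "Program Users" means id and getent agree; a non-empty one isolates which GIDs winbind is dropping from the token, which is the list worth checking against wbinfo -r on the same box.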
Did you get a solution? The solution seems to be (don't ask me why):
https://bugs.debian.org/cgi-bin/bugr...cgi?bug=454670