Hello all,
I have been using NetBSD 9.99.99 with Samba 4.15.9 (from pkgsrc 2022Q2) as a Windows Domain Controller for a while now, which worked well.
Since I switched to the combination NetBSD 9.99.106 and Samba 4.16.5 (from pkgsrc 2022Q3), the name resolution for usernames / groups via nss_winbind does not work anymore.
The Windows clients are not directly affected by this, since the nss mechanism, especially on the Unix side, ensures that the correct plaintext names can be displayed for the numeric user and group ids assigned by Samba - for example, with ls. The workaround at the moment is to work with the numeric IDs. This is inconvenient and error-prone.
As proof, I try to display the user information for the built-in domain administrator account via the id command:
```
net$ id Administrator
id: Administrator: No such user
```
I have checked the following so far:
1) Basic function kerberos with kinit / klist.
```
net$ kinit Administrator
Administrator@TEST.LOCAL's Password:
net$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: Administrator@TEST.LOCAL
  Issued                Expires               Principal
Nov 14 10:42:45 2022  Nov 14 20:42:45 2022  krbtgt/TEST.LOCAL@TEST.LOCAL
```
2) Joining the Domain from a Windows 11 Prof 22H2 based host
 - works
3) Basic function winbind
```
net$ wbinfo -i Administrator
TEST\administrator:*:0:100::/home/TEST/administrator:/bin/false
net$ wbinfo -g Administrator
TEST\cert publishers
TEST\ras and ias servers
TEST\allowed rodc password replication group
TEST\denied rodc password replication group
TEST\dnsadmins
TEST\enterprise read-only domain controllers
TEST\domain admins
TEST\domain users
TEST\domain guests
TEST\domain computers
TEST\domain controllers
TEST\schema admins
TEST\enterprise admins
TEST\group policy creator owners
TEST\read-only domain controllers
TEST\dnsupdateproxy
```
4) /etc/nsswitch.conf
```
group:          files winbind
group_compat:   nis
hosts:          files dns
netgroup:       files [notfound=return] nis
networks:       files
passwd:         files winbind
passwd_compat:  nis
shells:         files
```
5) libnss winbind
```
net$ ls -la /usr/lib/nss_winbind.so.0
lrwxr-xr-x  1 root  wheel  30 Nov 14 09:56 /usr/lib/nss_winbind.so.0 -> /usr/pkg/lib/libnss_winbind.so
```
6) Ktrace of the "id" command (excerpts)
```
net$ ktrace id Administrator
id: Administrator: No such user
net$ kdump
....
   592    592 id       CALL  open(0x785c601b43b8,0x400000,0x1b6)
   592    592 id       NAMI  "/etc/nsswitch.conf"
   592    592 id       RET   open 3
   592    592 id       CALL  mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
   592    592 id       RET   mmap 132338150055936/0x785c606ca000
   592    592 id       CALL  mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
   592    592 id       RET   mmap 132338150027264/0x785c606c3000
   592    592 id       CALL  mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
   592    592 id       RET   mmap 132338150006784/0x785c606be000
   592    592 id       CALL  mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
   592    592 id       RET   mmap 132338149986304/0x785c606b9000
   592    592 id       CALL  __fstat50(3,0x7f7fff082110)
   592    592 id       RET   __fstat50 0
   592    592 id       CALL  mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
   592    592 id       RET   mmap 132338149965824/0x785c606b4000
   592    592 id       CALL  read(3,0x785c606b4740,0x4000)
   592    592 id       GIO   fd 3 read 667 bytes
       "# $NetBSD: nsswitch.conf,v 1.6 2009/10/25 00:17:06 tsarna Exp $\n#\n# nsswitch.conf(5) -\n# name service switch configurat\
        ion file\n#\n\n\n# These are the defaults in libc\n#\n#group: compat\ngroup: files winbind\ngroup_compat: nis\nh\
        osts: files dns\nnetgroup: files [notfound=return] nis\nnetworks: files\n#passwd: compat\npasswd: files winbind\
        \npasswd_compat: nis\nshells: files\n\n\n# List of supported sources for each database\n#\n# group: compat\
        , dns, files, nis\n# group_compat: dns, nis\n# hosts: dns, files, nis, mdnsd, multicast_dns\n# netgroup:\
        files, nis\n# networks: dns, files, nis\n# passwd: compat, dns, files, nis\n# passwd_compat:\
                dns, nis\n# shells:             dns, files, nis\n"
   592    592 id       RET   read 667/0x29b
   592    592 id       CALL  read(3,0x785c606b4740,0x4000)
   592    592 id       GIO   fd 3 read 0 bytes
       ""
....
   592    592 id       CALL  open(0x7f7fff0817b8,0,7)
   592    592 id       NAMI  "/usr/lib/nss_files.so.0"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  __sigprocmask14(3,0x7f7fff081e60,0)
   592    592 id       RET   __sigprocmask14 0
   592    592 id       CALL  mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
   592    592 id       RET   mmap 132338149941248/0x785c606ae000
   592    592 id       CALL  _lwp_self
   592    592 id       RET   _lwp_self 592/0x250
   592    592 id       CALL  __sigprocmask14(1,0x7f7fff081e20,0x7f7fff081e60)
   592    592 id       RET   __sigprocmask14 0
   592    592 id       CALL  open(0x7f7fff0817b8,0,1)
   592    592 id       NAMI  "/usr/lib/nss_winbind.so.0"
   592    592 id       RET   open 4
   592    592 id       CALL  __fstat50(4,0x7f7fff0816b8)
   592    592 id       RET   __fstat50 0
   592    592 id       CALL  mmap(0,0x1000,PROT_READ,0x1<SHARED,FILE,ALIGN=NONE>,4,0,0)
   592    592 id       RET   mmap 132338149937152/0x785c606ad000
   592    592 id       CALL  munmap(0x785c606ad000,0x1000)
   592    592 id       RET   munmap 0
   592    592 id       CALL  mmap(0,0x21b000,PROT_READ|PROT_EXEC,0x15000002<PRIVATE,FILE,ALIGN=2MB>,4,0,0)
   592    592 id       RET   mmap 132338132451328/0x785c5f600000
   592    592 id       CALL  mmap(0x785c5f810000,0x2000,PROT_READ|PROT_WRITE,0x12<PRIVATE,FIXED,FILE,ALIGN=NONE>,4,0,0x10000)
   592    592 id       RET   mmap 132338134614016/0x785c5f810000
   592    592 id       CALL  mmap(0x785c5f812000,0x9000,PROT_READ|PROT_WRITE,0x1012<PRIVATE,FIXED,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
   592    592 id       RET   mmap 132338134622208/0x785c5f812000
   592    592 id       CALL  mprotect(0x785c5f611000,0x1ff000,PROT_NONE)
   592    592 id       RET   mprotect 0
   592    592 id       CALL  close(4)
   592    592 id       RET   close 0
   592    592 id       CALL  open(0x7f7fff081728,0,4)
   592    592 id       NAMI  "/usr/pkg/lib/libpthread.so.1"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff081728,0,2)
   592    592 id       NAMI  "/usr/pkg/lib/samba/private/libpthread.so.1"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff081728,0,0)
   592    592 id       NAMI  "/usr/lib/libpthread.so.1"
   592    592 id       RET   open 4
   592    592 id       CALL  __fstat50(4,0x7f7fff081628)
```
There are no peculiarities in the logfiles of Samba or Winbindd, not even in the usual syslog logfiles.
Is there a way to view nsdispatch or the name service switch mechanism in more detail or to enable additional logging?
Has anyone observed the same problem and might have an idea what the problem is?
Kind regards
Matthias
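An added example, not part of the original post: a small Python helper that condenses kdump output like the excerpt above into one result per file lookup, so it is easy to see which NSS modules and shared libraries the process actually opened and which lookups failed. The sample records are copied from the excerpt in the post; the function names `open_results` and `failed_lookups` are hypothetical.

```python
import re

# Sample input: the open() records copied from the kdump excerpt in the post.
SAMPLE_KDUMP = """\
   592    592 id       CALL  open(0x7f7fff0817b8,0,7)
   592    592 id       NAMI  "/usr/lib/nss_files.so.0"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff0817b8,0,1)
   592    592 id       NAMI  "/usr/lib/nss_winbind.so.0"
   592    592 id       RET   open 4
   592    592 id       CALL  open(0x7f7fff081728,0,4)
   592    592 id       NAMI  "/usr/pkg/lib/libpthread.so.1"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff081728,0,2)
   592    592 id       NAMI  "/usr/pkg/lib/samba/private/libpthread.so.1"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff081728,0,0)
   592    592 id       NAMI  "/usr/lib/libpthread.so.1"
   592    592 id       RET   open 4
"""

LINE = re.compile(r'^\s*(\d+)\s+(\d+)\s+(\S+)\s+(CALL|NAMI|RET|GIO)\s+(.*)$')
RET_OPEN = re.compile(r'^open (-?\d+)(?: errno (\d+) (.*))?$')

def open_results(kdump_text):
    """Pair each NAMI path with the RET record of the open() that used it.

    Returns (path, fd or None, error text or None) tuples in trace order.
    """
    results, pending = [], {}  # pending: (pid, lwp) -> last path seen in NAMI
    for raw in kdump_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # GIO payload lines, "...." elisions, shell prompts
        pid, lwp, _cmd, kind, rest = m.groups()
        if kind == "NAMI":
            pending[(pid, lwp)] = rest.strip().strip('"')
        elif kind == "RET" and (pid, lwp) in pending:
            path = pending.pop((pid, lwp))  # drop it even if RET is not open
            r = RET_OPEN.match(rest.strip())
            if r:
                fd = int(r.group(1))
                results.append((path, fd if fd >= 0 else None, r.group(3)))
    return results

def failed_lookups(results):
    """Paths whose open() returned -1, with the error text kdump printed."""
    return [(path, err) for path, fd, err in results if fd is None]

if __name__ == "__main__":
    for path, fd, err in open_results(SAMPLE_KDUMP):
        print(f"{'FAIL' if fd is None else 'ok':4} {path} {err or ''}")
```

To run it over a full trace instead of the sample, pass the complete `kdump` text to `open_results`.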