winbindd on PDC

John H Terpstra jht at samba.org
Sun May 25 18:50:21 GMT 2008


On Sunday 25 May 2008 11:46:48 am Alexander Bokovoy wrote:
> I'm reading through winbindd code. When we are PDC and want to run
> winbindd on the same machine to be able, for example, to run Squid
> with ntlm_auth helper, how to setup winbindd so that it actually
> works?
>
> From the code in winbindd_misc.c and winbindd_cm.c I see that we
> intentionally mark our own (internal) domain as offline so that
> winbind's child wouldn't get into a loop with the main winbindd. However,
> this means that it is unable to serve any requests that rely on this
> child's domain (our own domain) that require a connection to the netlogon
> share, and wbinfo -t, wbinfo -a don't work, reporting
> NT_STATUS_NO_LOGON_SERVERS from init_dc_connection() (because
> domain->online is false there).
>
> What am I missing here? Is it at all possible to have samba/squid on
> one box that serves as PDC?

Alexander,

Thanks for asking these questions.  I've been trying to help someone who has 
complained that winbind is broken because of the behavior you have pointed 
out.  

When I tried the commands he claims are not working, I could reproduce this on my 
system too.  At a very minimum we must document this behavior to avoid 
further confusion.

The following is executed on my PDC:

#  wbinfo -t
checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret


# wbinfo -i joeuser
Could not get info for user joeuser


# wbinfo -u
Error looking up domain users


# wbinfo -g
Error looking up domain groups


Note: Immediately following restarting of winbindd I get:

# wbinfo -g
BUILTIN\administrators
BUILTIN\users
BUILTIN\power users
BUILTIN\print operators
BUILTIN\guests


# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret


Asking what is our domain name works:

# wbinfo --own-domain
MIDEARTH


So this means that initially winbind behaves differently from when it has been 
running for a few hours, and some commands can be used to query the PDC from 
itself, yet other commands fail.  Why do we have this inconsistency?


What do we have the following command line arguments for:

	--allocate-uid
	--allocate-gid

When and how do we expect to use them?  It is not obvious from the man page, 
nor from the help messages.

Winbind appears to be SID centric, but then executing "wbinfo -r joeuser" 
yields:
513
20
6
512
1009

These appear to be the GIDs that joeuser belongs to in the POSIX subsystem, not 
the SIDs of the groups he belongs to.

Can someone help me to understand what winbind is designed to do so I can 
document it better.  If winbind's behavior is not as it should be, what can I 
do to help so we can fix it?

- John T.
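Added example (not code from the thread or from the Samba project): a small POSIX sh probe that runs the wbinfo calls John lists above in sequence, reports which ones fail with the first line of their output, and then expands the numeric GID list that "wbinfo -r USER" prints back into SIDs and names, which is the mapping John found missing. It assumes the standard wbinfo flags --own-domain, -t, -u, -g, -i, -r, -G (--gid-to-sid) and -s (--sid-to-name); the "wbinfo" it invokes is whatever is first in the lookup path, so a shell function of that name can stand in for the real binary when testing offline. The user name "joeuser" is only a default taken from the message.

```shell
#!/bin/sh
# Added example, not part of the original post or of Samba.
# Exercises the wbinfo queries from the message and reports per-query status,
# then maps the POSIX GIDs printed by "wbinfo -r USER" back to SIDs and names.
# Assumes the standard wbinfo flags listed in the lead-in; "wbinfo" may be the
# real binary or a same-named shell function supplied for offline testing.

# Run one wbinfo query. Prints "ok   <label>" on success, otherwise
# "FAIL <label>: <first output line>" (stderr included, since wbinfo reports
# NT_STATUS errors there). Returns wbinfo's own exit status.
wbinfo_probe() {
    label=$1; shift
    out=$(wbinfo "$@" 2>&1); rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "ok   $label"
    else
        echo "FAIL $label: $(printf '%s\n' "$out" | head -n 1)"
    fi
    return "$rc"
}

# Probe the calls from the message in the order they appear, then print a
# summary line. Returns the number of failing probes (0 = all answered), so a
# healthy PDC-hosted winbindd gives exit status 0 and the broken state in the
# message gives 4 (only --own-domain answers).
winbind_pdc_check() {
    user=${1:-joeuser}      # default user name taken from the message
    fails=0
    wbinfo_probe "own domain (--own-domain)" --own-domain || fails=$((fails + 1))
    wbinfo_probe "trust secret (-t)"         -t           || fails=$((fails + 1))
    wbinfo_probe "domain users (-u)"         -u           || fails=$((fails + 1))
    wbinfo_probe "domain groups (-g)"        -g           || fails=$((fails + 1))
    wbinfo_probe "user info (-i $user)"      -i "$user"   || fails=$((fails + 1))
    echo "$fails of 5 probes failed"
    return "$fails"
}

# Expand the GID list from "wbinfo -r USER" into "GID SID NAME" lines.
# Each GID is resolved to a SID with "wbinfo -G" and the SID to a name with
# "wbinfo -s". GIDs winbind cannot map (e.g. purely local POSIX groups) are
# printed as "GID unmapped" rather than dropped, so the caller sees them.
user_group_sids() {
    user=$1
    wbinfo -r "$user" | while read -r gid; do
        [ -n "$gid" ] || continue
        sid=$(wbinfo -G "$gid" 2>/dev/null) || { echo "$gid unmapped"; continue; }
        name=$(wbinfo -s "$sid" 2>/dev/null) || name="(no name)"
        echo "$gid $sid $name"
    done
}
```

Usage on a PDC is `winbind_pdc_check joeuser; user_group_sids joeuser` after sourcing the file. The probe deliberately keeps the first line of each failure instead of just the exit code, because, as the message shows, the same "wbinfo -t" failure reports "(0x0)" in one state and NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND in another, and that text is what distinguishes the two.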

