[Samba] Member server - winbind unable to resolve users/groups

Andrey Repin anrdaemon at yandex.ru
Sat Apr 4 11:28:45 MDT 2015


Greetings, Rowland Penny!

>> # cat /etc/resolv.conf
>> nameserver 192.168.17.4
>> search ads.ccenter.lan
>>
>> # host -t SRV _ldap._tcp.ads.ccenter.lan.
>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>
>> # nslookup dc1
>> Server:         192.168.17.4
>> Address:        192.168.17.4#53
>>
>> Name:   dc1.ads.ccenter.lan
>> Address: 192.168.17.4
>>
>> # ping dc1 -c 1
>> PING dc1.ads.ccenter.lan (192.168.17.4) 56(84) bytes of data.
>> 64 bytes from dc1.ccenter.lan (192.168.17.4): icmp_req=1 ttl=64 time=0.487 ms
>>
>> --- dc1.ads.ccenter.lan ping statistics ---
>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>> rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms
>>
>> root@userl:~# wbinfo -t
>> checking the trust secret for domain CCENTER via RPC calls succeeded
>> root@userl:~# wbinfo -u | wc -l
>> 19
>> root@userl:~# getent passwd domainuser
>> root@userl:~# smbclient -L localhost -U domainuser
>> Enter domainuser's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> [2015/04/04 05:20:55.239144, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request)
>>    process_request: Handling async request 2811:GETPWNAM
>> [2015/04/04 05:20:55.239176,  3, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>    getpwnam CCENTER\domainuser
>> [2015/04/04 05:20:55.239256, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
>>    SID 0: S-1-5-21-1031481445-3291699540-3997755762-61000
>> [2015/04/04 05:20:55.239303, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid)
>>    find_lookup_domain_from_sid(S-1-5-21-1031481445-3291699540-3997755762-513)
>> [2015/04/04 05:20:55.239335, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid)
>>    calling find_our_domain
>> [2015/04/04 05:20:55.239381, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
>>    SID 0: S-1-5-21-1031481445-3291699540-3997755762-513
>> [2015/04/04 05:20:55.239422,  5, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>    Could not convert sid S-1-5-21-1031481445-3291699540-3997755762-61000: NT_STATUS_NONE_MAPPED
>> [2015/04/04 05:20:55.239469, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
>>    wb_request_done[2811:GETPWNAM]: NT_STATUS_NONE_MAPPED
>> [2015/04/04 05:20:55.239510, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written)
>>    winbind_client_response_written[2811:GETPWNAM]: delivered response to client
>>
>>>> 127.0.0.1#35321: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN IN SRV + (127.0.0.1)
>>>> ;; ANSWER SECTION:
>>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN. 503 IN SRV 0 100 389 dc1.ads.ccenter.lan.
>>>>
>>>> 127.0.0.1#55300: query: dc1.ads.ccenter.lan IN AAAA + (127.0.0.1)
>>>> 127.0.0.1#36282: query: dc1.ads.ccenter.lan.ccenter.lan IN AAAA + (127.0.0.1)
>>>> (no answer - IPv6 resolution disabled)
>>>>
>>>> 127.0.0.1#47102: query: dc1.ads.ccenter.lan IN A + (127.0.0.1)
>>>> ;; ANSWER SECTION:
>>>> dc1.ads.ccenter.lan.    373     IN      A       192.168.17.4
>>>>
>>>> 127.0.0.1#58461: query: _kerberos._udp.ADS.CCENTER.LAN IN SRV + (127.0.0.1)
>>>> ;; ANSWER SECTION:
>>>> _kerberos._udp.ADS.CCENTER.LAN. 324 IN  SRV     0 100 88 dc1.ads.ccenter.lan.
>>>>
>>>>> can you ping from each machine to the other, both by ip and hostname ?
>>>>> what does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show ?
>>>> root@dc1:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>>
>>>> root@userl:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>>
>>>>> does the 'container' have all the required ports open ?
>>>> If the logs are to be trusted, it is even able to list users and groups.
>>>>
>>>> log.wb-CCENTER
>>>> [2015/04/03 22:55:59.314002,  3, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
>>>>     get_dc_list: preferred server list: "dc1.ads.ccenter.lan, *"
>>>> [2015/04/03 22:55:59.318397,  3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:680(ads_connect)
>>>>     Successfully contacted LDAP server 192.168.17.4
>>>> [2015/04/03 22:55:59.320717,  3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:723(ads_connect)
>>>>     Connected to LDAP server dc1.ads.ccenter.lan
>>>> [2015/04/03 22:55:59.325436,  3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>     ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>>> [2015/04/03 22:55:59.325466,  3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>     ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>>> [2015/04/03 22:55:59.325498,  3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>     ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>>> [2015/04/03 22:55:59.325527,  3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
>>>>     ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
>>>> [2015/04/03 22:55:59.325655,  3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
>>>>     ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
>>>> [2015/04/03 22:55:59.333493,  3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>     ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 04 Apr 2015 08:55:59 MSK
>>>> [2015/04/03 22:55:59.373034,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:378(query_user_list)
>>>>     ads query_user_list gave 19 entries
>>>>
>>>> This is about right.
>>>> root@dc1:~# wbinfo -u | wc -l
>>>> 19
>>>>
>>>> [2015/04/03 22:55:59.374070,  3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>>>     Connecting to 192.168.17.4 at port 135
>>>> [2015/04/03 22:55:59.375923,  3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>>>     Connecting to 192.168.17.4 at port 1024
>>>> [2015/04/03 22:55:59.516885,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>>     msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-513 for domain CCENTER
>>>> [2015/04/03 22:56:13.713563,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:403(enum_dom_groups)
>>>>     ads: enum_dom_groups
>>>> [2015/04/03 22:56:13.763644,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:501(enum_dom_groups)
>>>>     ads enum_dom_groups gave 216 entries
>>>>
>>>> This is a bit off, but still close.
>>>> root@dc1:~# wbinfo -g | wc -l
>>>> 211
>>>>
>>>> [2015/04/03 22:56:13.765824,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>>     msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-571 for domain CCENTER
>>>> [2015/04/03 22:59:42.388144,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>>     [13765]: list trusted domains
>>>> [2015/04/03 22:59:42.388330,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:1419(trusted_domains)
>>>>     ads: trusted_domains
>>>> [2015/04/03 23:00:59.189216,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>>>>     msrpc_name_to_sid: name=CCENTER\DOMAINUSER
>>>> [2015/04/03 23:00:59.189271,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>>>>     name_to_sid [rpc] CCENTER\DOMAINUSER for domain CCENTER
>>>> [2015/04/03 23:00:59.195301,  3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:597(query_user)
>>>>     ads: query_user
>>>>
>>>> But in the end, it just doesn't work. getent doesn't list anything sensible,
>>>> neither from an explicit request nor from enumeration.
>>>>
>>>>
>>
>>

> OK, what does running this command on the DC show:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep 'uidNumber'
>
> This relies on ldb-tools being installed and sam.ldb being in
> '/var/lib/samba/private'; if yours is somewhere else, change the path.

I have the urge to say "nothing" before even checking, as I have no
RIDs that high. But it appears the RIDs were all changed after migration.

ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber

# record 1
dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 30000

Before migration, all users had RID=uidNumber, except one.
Why have they been changed?


-- 
With best regards,
Andrey Repin
Saturday, April 4, 2015 20:19:29

Sorry for my terrible English...
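Added example (not code from this thread or from the Samba project): a small Python triage helper for winbindd level-10 logs of the shape quoted above. It pairs each header line with its indented message, groups the messages by async request id, records the SIDs the request tried to map and the final NT_STATUS, and flags the pattern seen here, where the name-to-SID lookup succeeded but the SID-to-uid step ended in NT_STATUS_NONE_MAPPED. The sample log is constructed from the lines quoted in the thread; the request, SID and status message formats are taken from those lines and assumed to hold for other requests.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the failing GETPWNAM request from the quoted winbindd log.
# Each record is a header line followed by an indented message line.
SAMPLE_LOG = """\
[2015/04/04 05:20:55.239144, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request)
   process_request: Handling async request 2811:GETPWNAM
[2015/04/04 05:20:55.239176,  3, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam CCENTER\\domainuser
[2015/04/04 05:20:55.239256, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
   SID 0: S-1-5-21-1031481445-3291699540-3997755762-61000
[2015/04/04 05:20:55.239381, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
   SID 0: S-1-5-21-1031481445-3291699540-3997755762-513
[2015/04/04 05:20:55.239422,  5, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
   Could not convert sid S-1-5-21-1031481445-3291699540-3997755762-61000: NT_STATUS_NONE_MAPPED
[2015/04/04 05:20:55.239469, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
   wb_request_done[2811:GETPWNAM]: NT_STATUS_NONE_MAPPED
"""

# Header: "[timestamp, level, pid=N, ...] path:line(function)"; pid is optional because
# older winbindd builds (like the log.wb-CCENTER excerpt in the thread) omit it.
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)(?:,\s*pid=(?P<pid>\d+))?.*\]\s+\S+\((?P<func>\w+)\)\s*$"
)
REQ_START = re.compile(r"Handling async request (?P<id>\d+):(?P<op>\w+)")
REQ_DONE = re.compile(r"wb_request_done\[(?P<id>\d+):(?P<op>\w+)\]:\s*(?P<status>NT_STATUS_\w+)")
LOOKUP_NAME = re.compile(r"^get(?:pw|gr)nam (?P<name>\S+)$")
SID_IN = re.compile(r"^SID \d+: (?P<sid>S-1-\d+(?:-\d+)+)$")
UNMAPPED = re.compile(r"Could not convert sid (?P<sid>S-1-\d+(?:-\d+)+): (?P<status>NT_STATUS_\w+)")


@dataclass
class Request:
    req_id: str
    op: str
    pid: str
    name: Optional[str] = None                     # account the client asked for
    sids: List[str] = field(default_factory=list)  # SIDs handed to the idmap step
    unmapped: Dict[str, str] = field(default_factory=dict)  # SID -> NT_STATUS
    status: Optional[str] = None                   # final status from wb_request_done


def rid_of(sid: str) -> int:
    """Relative identifier: the last component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def parse_winbind_log(text: str) -> List[Request]:
    """Group winbindd log messages into async requests, keyed by child pid."""
    finished: List[Request] = []
    open_by_pid: Dict[str, Request] = {}
    header: Optional[re.Match] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            header = m
            continue
        if header is None or not raw.startswith(" "):
            continue  # not a message line belonging to a recognised header
        msg = raw.strip()
        pid = header.group("pid") or "?"
        header = None
        m = REQ_START.search(msg)
        if m:
            open_by_pid[pid] = Request(req_id=m["id"], op=m["op"], pid=pid)
            continue
        req = open_by_pid.get(pid)
        if req is None:
            continue
        m = REQ_DONE.search(msg)
        if m:
            req.status = m["status"]
            finished.append(open_by_pid.pop(pid))
            continue
        m = LOOKUP_NAME.match(msg)
        if m:
            req.name = m["name"]
            continue
        m = SID_IN.match(msg)
        if m:
            req.sids.append(m["sid"])
            continue
        m = UNMAPPED.search(msg)
        if m:
            req.unmapped[m["sid"]] = m["status"]
    # Requests with no wb_request_done in the excerpt are reported as incomplete.
    finished.extend(open_by_pid.values())
    return finished


def failed_requests(reqs: List[Request]) -> List[Request]:
    return [r for r in reqs if r.status != "NT_STATUS_OK"]


def summarize(req: Request) -> str:
    line = (f"{req.op} {req.name or '?'} (request {req.req_id}, pid {req.pid}): "
            f"{req.status or 'no completion seen'}")
    for sid, status in req.unmapped.items():
        line += f"\n  unmapped {sid} (RID {rid_of(sid)}): {status}"
    if req.status == "NT_STATUS_NONE_MAPPED" and req.unmapped:
        line += ("\n  name->SID lookup succeeded but the idmap step produced no uid/gid;"
                 " check the idmap backend configured for this domain and"
                 " `wbinfo --sid-to-uid <SID>` for the SID above")
    return line


if __name__ == "__main__":
    for r in failed_requests(parse_winbind_log(SAMPLE_LOG)):
        print(summarize(r))
```

Feed it a real `log.winbindd` captured at `log level = 10` (or just the `winbind:10` class) and the output lists every request that did not end in NT_STATUS_OK together with the SID that the idmap backend refused; with `getpwnam` the SID number before the RID is the domain SID, so a RID that looks nothing like the uidNumber stored in AD is the first thing to compare, as the ldbsearch above does.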


