[Samba] FW: Domain member seems to work, wbinfo -u not (update4)
L.P.H. van Belle
belle at bazuin.nl
Mon Apr 18 11:52:30 UTC 2016
Ok. I've done the following, any samba dev, please read below.
Looks to me some bug in librpc/ndr/ndr.c
But im not a coder.. so please have a look.
Environment.
Debian Jessie, samba 4.2.10 (debian)
I remove my proxy2 server from the domain, cleared up the AD.
Removed all content from /var/(lib/cache)/samba
Removed all other unnneeded services for this test.
Removed all samba kerberos (squid) etc packages.
Removed the /etc/krb5.keytab
In short, now a clean server only ssh installed.
I installed only winbind again.
With this line.
apt-get install -y --no-install-recommends winbind smbclient krb5-user libpam-winbind libnss-winbind ssh-krb5 libpam-krb5 samba-vfs-modules
tested kinit, works fine.
Joined the domain, works.
Tested and works.
wbinfo --domain-info=NTDOMAIN
wbinfo -p
wbinfo -g
and again a fail on wbinfo –u
id username works.
getent passwd username works fine
username:*:10002:10000:M. Username:/home/users/username:/bin/bash
getent passwd, has a “slow down” so something happens, but not putout.
Also wbinfo –u has a “slow down” on screen but no output.
All other checks are ok, sofar i can see.
few snaps from the debug log lvl 10 of the wbinfo –u
in the log.winbind i notice the following. ( see log below )
snap of few messages.
Domain NTDOMAIN returned 74 groups
Domain NTDOMAIN returned 0 users
List_users for domain NTDOMAIN failed
wb_request_done[14198:LIST_USERS]: NT_STATUS_OK
winbind_client_response_written[14198:LIST_USERS]: delivered response to client
closing socket 29, client exited
the group output:
[2016/04/18 13:25:38.723377, 1, pid=14148, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
wbint_QueryGroupList: struct wbint_QueryGroupList
out: struct wbint_QueryGroupList
groups : *
groups: struct wbint_Principals
num_principals : 74
principals: ARRAY(74)
principals: struct wbint_Principal
sid : S-1-5-21-2934682428-2610421433-476865461-571
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Allowed RODC Password Replication Group'
.. etc etc. 74 groups shown.
[2016/04/18 13:25:41.051831, 1, pid=14148, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
wbint_QueryUserList: struct wbint_QueryUserList
out: struct wbint_QueryUserList
users : *
users: struct wbint_userinfos
num_userinfos : 0x00000000 (0)
userinfos: ARRAY(0)
result : NT_STATUS_IO_TIMEOUT
The debug log lvl 10 of the wbinfo –g and -u ( -g are only the first 3 lines, result is ok )
I have also logs of the domain join if needed.
[2016/04/18 13:25:38.725251, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_groups.c:128(winbindd_list_groups_done)
Domain NTDOMAIN returned 74 groups
[2016/04/18 13:25:38.725330, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
wb_request_done[14197:LIST_GROUPS]: NT_STATUS_OK
[2016/04/18 13:25:38.725373, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14197:LIST_GROUPS]: delivered response to client
[2016/04/18 13:25:38.725593, 6, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:957(winbind_client_request_read)
closing socket 29, client exited
[2016/04/18 13:25:41.050988, 6, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:906(new_connection)
accepted socket 27
[2016/04/18 13:25:41.051060, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:752(process_request)
process_request: request fn INTERFACE_VERSION
[2016/04/18 13:25:41.051073, 3, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[14198]: request interface version (version = 27)
[2016/04/18 13:25:41.051108, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14198:INTERFACE_VERSION]: delivered response to client
[2016/04/18 13:25:41.051185, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:752(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2016/04/18 13:25:41.051196, 3, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[14198]: request location of privileged pipe
[2016/04/18 13:25:41.051228, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14198:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2016/04/18 13:25:41.051297, 6, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:906(new_connection)
accepted socket 29
[2016/04/18 13:25:41.051315, 6, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:957(winbind_client_request_read)
closing socket 27, client exited
[2016/04/18 13:25:41.051342, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:752(process_request)
process_request: request fn INTERFACE_VERSION
[2016/04/18 13:25:41.051353, 3, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[14198]: request interface version (version = 27)
[2016/04/18 13:25:41.051376, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14198:INTERFACE_VERSION]: delivered response to client
[2016/04/18 13:25:41.051422, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:752(process_request)
process_request: request fn INFO
[2016/04/18 13:25:41.051434, 3, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:383(winbindd_info)
[14198]: request misc info
[2016/04/18 13:25:41.051458, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14198:INFO]: delivered response to client
[2016/04/18 13:25:41.051503, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:752(process_request)
process_request: request fn NETBIOS_NAME
[2016/04/18 13:25:41.051514, 3, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:416(winbindd_netbios_name)
[14198]: request netbios name
[2016/04/18 13:25:41.051537, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14198:NETBIOS_NAME]: delivered response to client
[2016/04/18 13:25:41.051583, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:752(process_request)
process_request: request fn DOMAIN_NAME
[2016/04/18 13:25:41.051606, 3, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
[14198]: request domain name
[2016/04/18 13:25:41.051630, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14198:DOMAIN_NAME]: delivered response to client
[2016/04/18 13:25:41.051674, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:752(process_request)
process_request: request fn DOMAIN_INFO
[2016/04/18 13:25:41.051685, 3, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
[14198]: domain_info [NTDOMAIN]
[2016/04/18 13:25:41.051714, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14198:DOMAIN_INFO]: delivered response to client
[2016/04/18 13:25:41.051755, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:725(process_request)
process_request: Handling async request 14198:LIST_USERS
[2016/04/18 13:25:41.051767, 3, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
list_users NTDOMAIN
[2016/04/18 13:25:41.051785, 1, pid=14148, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
wbint_QueryUserList: struct wbint_QueryUserList
in: struct wbint_QueryUserList
[2016/04/18 13:25:41.051831, 1, pid=14148, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
wbint_QueryUserList: struct wbint_QueryUserList
out: struct wbint_QueryUserList
users : *
users: struct wbint_userinfos
num_userinfos : 0x00000000 (0)
userinfos: ARRAY(0)
result : NT_STATUS_IO_TIMEOUT
[2016/04/18 13:25:41.051875, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:128(winbindd_list_users_done)
Domain NTDOMAIN returned 0 users
[2016/04/18 13:25:41.051886, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:134(winbindd_list_users_done)
List_users for domain NTDOMAIN failed
[2016/04/18 13:25:41.051898, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
wb_request_done[14198:LIST_USERS]: NT_STATUS_OK
[2016/04/18 13:25:41.051922, 10, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:851(winbind_client_response_written)
winbind_client_response_written[14198:LIST_USERS]: delivered response to client
[2016/04/18 13:25:41.051995, 6, pid=14148, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:957(winbind_client_request_read)
closing socket 29, client exited
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: L.P.H. van Belle [mailto:belle at bazuin.nl]
> Verzonden: zondag 17 april 2016 18:05
> Aan: 'samba at lists.samba.org'
> Onderwerp: RE: [Samba] Domain member seems to work, wbinfo -u not
> (update3)
>
> Hai Rowland,
>
> Yes its weird, did some more testing and only the printer driver upload
> didnt work, but everything else on my servers work.
> I checked so many logs today, and no errors found.
> I'll up the loglevels of a few servers tomorrow.
>
> > Have you tried leaving the domain, deleting the keytab and then
> > re-joining the domain ?
> Yes, i did, i tested some things also on with the kerberos and this works
> all fine. So must rule out kerberos again.
>
> > If I remember correctly, you use your own certificates, I don't, I
> > wonder if this could be a problem ?
> No, i checked that to, that was the first i checked.
>
> And strangly
> wbinfo --user-info username , works also fine.
> Maybe its a "cosmatic" bug since everything works but like a bug in how
> the out is done,.. now im just bit guessing.. its really strange.
>
> .. I'm done for today...
> I'll make a good log tomorror for debugging and post it, maybe someone
> will see something..
>
>
> Greetz,
>
> Louis
>
>
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny
> > Verzonden: zondag 17 april 2016 17:45
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Domain member seems to work, wbinfo -u not
> > (update3)
> >
> > On 17/04/16 14:51, L.P.H. van Belle wrote:
> > > Ok some new info.
> > >
> > > Yesterday file server worked, print server not.
> > > Today, both dont work.
> > >
> > > Same test today, proxy1 and proxy2.
> > > Proxy1 didnt work, proxy2 did ( at that time 4.3.6)
> > >
> > > I upgraded (to 4.3.8) proxy2, tested again, still working.
> > > Ok, now this proxy 2 is an vm ( a copy of proxy1 ), so lets try
> > something..
> > >
> > > I remove proxy2 from the ad domain (proxy1 is our main proxy) so this
> > one is to test with.
> > > Cleared up /var/(lib/cache)/samba folders
> > > Re-added the server to the domain, started samba and winbind, and..
> > > Same problem here now.
> >
> > This is getting weird.
> >
> > >
> > > Im thinking its something related to the kerberos keytab file.
> > > I checked also the (yesterday) working file server, and i did see that
> > > Only the keytab file was refreshed.
> > > Since there where no changed on that server, why did it work yesterday
> > and not today.. so keytab related is my guess.
> > > And i noticed some mount where not automounting on bootup and these
> use
> > kerberos also.
> > > Re-creating the keytab file didnt help.
> >
> > Have you tried leaving the domain, deleting the keytab and then
> > re-joining the domain ?
> >
> > If I remember correctly, you use your own certificates, I don't, I
> > wonder if this could be a problem ?
> >
> > Rowland
> >
> > >
> > > Tomorrow more testing..
> > >
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >
> > >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list