winbindd & nscd on Solaris 2.7

[Matthew McCowan]

Andrew,

Killing nscd fixed the problem. thanks for the pointer

Matt McC

> Matthew McCowan wrote:
>>
>> running samba 2.2.5 on a solaris 2.7 with winbindd pointing to an NT4
>> PDC.
>>
>> Occasionally winbindd will hand out the wrong uid to a user trying to
>> attach to the solaris box thru any PAM enabled service (telnet, smbd,
>> ssh, etc). For example Alice will login to a shell using her normal
>> credentials and winbindd will give her Bob's uid, even though "getent
>> passwd" clearly shows Bob(uid)!=Alice(uid).
>>
>> The quick (not the track down bug and bludgeon it to death!) fix is to
>> kill winbindd, stop the nscd (name service cache daemon) remove the
>> winbindd_cache.tdb and restart winbindd (and optionally restart nscd).
>
> Some ideas in tracking it down:
>
> When it's 'broken', is is 'always broken'?  That is, is it consistant?
> In a different environment (ldap server with not so good indexes) I

It's definitely cactus for any user trying to set up a new session. When
I'm told it's gone toes up I usually test it by trying to ssh to it (PAM
enabled sshd on the solaris box). I've got the keys setup so I should
immediately get a bash shell, so if it asks for a password its a good
indicator that its 'broke'

> found problems with a user being there in an enumeration, but not for a
> getpwnam().  In this vain, what does 'id Alice' and 'id Bob' give you,
> and how do they compare to getent passwd.

will test next time it happens

>
> Also, can you try and kill ncsd?  After that, I would look into the

as above

> static cache in nss_winbind - depending on the desing of your ncsd,
> there could be corruption of that structure.

Cheers
Matt McC