3.0.25pre2 winbind woes

Ed Plese ed at edplese.com
Mon Apr 16 19:45:34 GMT 2007


On Wed, Apr 11, 2007 at 09:09:20AM -0500, Gerald (Jerry) Carter wrote:
> >> > I read the new winbind documentation and modified my smb.conf to
> >> > include the following lines:
> >> > [global]
> >> > workgroup = AMBER
> >> > netbios name = gandalf
> >> > realm = AMBER
> >> > security = ADS
> >> > allow trusted domains = no
> >> > idmap domains = AMBER
> >> > idmap config AMBER: default = yes
> >> > idmap config AMBER: backend = rid
> >> > idmap config AMBER: range = 100000-999999
> >> > idmap alloc config: range = 100000-999999
> 
> Please grab the latest SAMBA_3_0_25 svn tree, remove the
> "idmap alloc config" line and retest.  I think this should
> be fixed now.

I just pulled SAMBA_3_0_25 rev 22265 and it's still showing the same
behavior.  I'm compiling it on Solaris 10 (x86) with Sun Studio 11.
Compiling 3.0.24 the exact same way works just fine.  Configure options
are identical between the versions and the only changes to smb.conf are
the new idmap changes.

wbinfo -u and wbinfo -g both display the full lists, but some of the
other tests mentioned in this thread don't work.

# time wbinfo --group-info "domain admins"
Could not get info for group domain admins

real    0m35.081s
user    0m0.014s
sys     0m0.008s

Debug level 10 from winbind shows (with some edits):

wcache_save_name_to_sid: MYAD\DOMAIN ADMINS -> S-1-5-21-X-Y-Z-512
wcache_save_sid_to_name: S-1-5-21-X-Y-Z-512 -> domain admins
idmap_sid_to_gid: sid = [S-1-5-21-X-Y-Z-512]
Query backends to map sids->ids
SID S-1-5-21-X-Y-Z-512 is being handled by MYAD
Query ids from domain MYAD

[long pause of around 30 seconds]

Failed: to resolve SID
Unexpected error resolving a SID (S-1-5-21-X-Y-Z-512)
idmap backend for SID S-1-5-21-X-Y-Z-512 is READONLY!
Adding cache entry with key = IDMAP/SID/S-1-5-21-X-Y-Z-512; value =
  1176750110/IDMAP/NEGATIVE and timeout = Mon Apr 16 14:01:50 2007
 (120 seconds ahead)
sid [S-1-5-21-X-Y-Z-512] not mapped to an gid [2,138390596,10512]
Sid S-1-5-21-X-Y-Z-512 is neither ours, a Unix SID, nor builtin
error converting unix gid to sid
accepted socket 18
rocess_request: request fn INTERFACE_VERSION
[    0]: request interface version

During the 30 second pause, a stack trace of winbind shows:

# pstack `pgrep winbind`
6572:   ./sbin/winbindd -S -i -d 10
 fea80957 pollsys  (8043100, 1, 80431e8, 0)
 fea2ee0a pselect  (13, 8043220, feaa9868, feaa9868, 80431e8, 0) + 18e
 fea2f100 select   (13, 8043220, 0, 0, 80432a0) + 82
 08165c74 read_sock (8044008, ca8) + 104
 08165dc2 read_reply (8044008) + 52
 081660b2 winbindd_get_response (8044008) + 72
 08166195 winbindd_request_response (0, 8044cb0, 8044008) + 75
 08165890 winbind_open_pipe_sock (0, 0) + 140
 081659e3 write_sock (8046ae4, 824, 0, 0) + 43
 08165fb2 winbindd_send_request (14, 0, 8046ae4) + a2
 08166174 winbindd_request_response (14, 8046ae4, 8045e3c) + 54
 08163ad1 winbind_lookup_sid (83b3158, 804770c, 804734c, 8047348, 8047344) + a1
 fe4f11b2 idmap_rid_sid_to_id (83b3158, 83fa738, 804745c) + 72
 fe4f177c idmap_rid_sids_to_unixids (83fa590, 83b4960) + 11c
 082d2bd8 idmap_backends_sids_to_unixids (83fa858) + 5e8
 082d38c5 idmap_sids_to_unixids (8047454) + 4a5
 082d69cb idmap_sid_to_gid (804770c, 80474a8) + cb
 0808e358 winbindd_getgrnam (83fac38) + 5e8
 08086e0f process_request (83fac38) + 16f
 08087d9d request_recv (83fac38, 1) + 5d
 08087b5a request_main_recv (83fac38, 1) + 7a
 080872e0 rw_callback (83fac44, 1) + 260
 0808868d process_loop (8047ed0, 8047e44, feffa840, 8088b3b, fe9f370a, 1) + 49d
 08089350 main     (5, 8047e88, 8047ea0) + 830
 0808649a _start   (5, 8047f38, 8047f48, 8047f4b, 8047f4e, 8047f51) + 7a
6573:   ./sbin/winbindd -S -i -d 10
 fea80957 pollsys  (8045f20, 2, 0, 0)
 fea2ee0a pselect  (e, 804610c, feaa9868, feaa9868, 0, 0) + 18e
 fea2f100 select   (e, 804610c, 0, 0, 0) + 82
 0815a6d0 sys_select (e, 804610c, 0, 0, 0) + 180
 080bd50e fork_domain_child (83b41a8) + 7be
 080bb0b8 schedule_async_request (83b41a8) + 68
 080baa70 async_request (83b4888, 83b41a8, 83b72c0, 83b7b20, 8092da0, 83b4910) + 220
 08092b6f init_child_connection (83b3cd0, 80bb410, 83b4838) + 2cf
 080bb28a async_domain_request (83b4770, 83b3cd0, 83b5d80, 83b65e0, 80923e0, 83b47f8) + 15a
 080923ca add_trusted_domains (83b3cd0) + 1fa
 08092883 rescan_trusted_domains (8047ed0, 82eba84, 8370284, 8047ed0, 808820b, feaa94d0) + 63
 08088289 process_loop (8047ed0, 8047e44, feffa840, 8088b3b, fe9f370a, 1) + 99
 08089350 main     (5, 8047e88, 8047ea0) + 830
 0808649a _start   (5, 8047f38, 8047f48, 8047f4b, 8047f4e, 8047f51) + 7a

`getent group` and `getent passwd` display only the local users or groups
which is normal with 'winbind enum users = no' and 'winbind enum groups = no'.
If I set these parameters to 'yes', then these commands hang and
debuglevel 10 shows that it's hanging right after 'Query ids from domain
MYAD', the same as `wbinfo --group-info "domain admins"`.  I can't say
as I've let these commands finish since they hang for 30 seconds at
every entry.

# getent group "domain admins"; echo $?
2

During this time, winbind with debuglevel 10 shows:

accepted socket 18
request_len_recv: Invalid request size received: 1848

The behavior with a gid instead of group name is identical.

# wbinfo -D MYAD
Name              : MYAD
Alt_Name          : myad.org
SID               : S-1-5-21-X-Y-Z
Active Directory  : Yes
Native            : Yes
Primary           : Yes
Sequence          : -1

Some points of interest from smb.conf:
  workgroup = MYAD
  realm = MYAD.ORG
  security = ads
  idmap uid = 10000-100000000
  idmap gid = 10000-100000000

  idmap domains = MYAD
  idmap config MYAD: default = yes
  idmap config MYAD: backend = rid
  idmap config MYAD: range = 10000-100000000
  idmap config MYAD:read_only = yes

Is there anything I'm overlooking here?  Anything else I could try?

Thanks,

Ed Plese
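
Added example, not part of the original post: the first pstack trace shows process 6572 still inside process_request while it waits in read_sock for a reply on the winbind pipe, reached through idmap_rid_sid_to_id and winbind_lookup_sid. The Python sketch below parses pstack output and flags that pattern; the sample is abbreviated from the trace above, and the classification of frame names into server and client roles is an assumption based on that trace.

```python
import re
# Constructed sample: frames abbreviated from the post (innermost frame first).
SAMPLE = """\
6572:   ./sbin/winbindd -S -i -d 10
 fea2f100 select   (13, 8043220, 0, 0, 80432a0) + 82
 08165c74 read_sock (8044008, ca8) + 104
 08166195 winbindd_request_response (0, 8044cb0, 8044008) + 75
 08163ad1 winbind_lookup_sid (83b3158, 804770c, 804734c, 8047348, 8047344) + a1
 fe4f11b2 idmap_rid_sid_to_id (83b3158, 83fa738, 804745c) + 72
 0808e358 winbindd_getgrnam (83fac38) + 5e8
 08086e0f process_request (83fac38) + 16f
 08089350 main     (5, 8047e88, 8047ea0) + 830
6573:   ./sbin/winbindd -S -i -d 10
 fea2f100 select   (e, 804610c, 0, 0, 0) + 82
 080bd50e fork_domain_child (83b41a8) + 7be
 08089350 main     (5, 8047e88, 8047ea0) + 830
"""
PROC = re.compile(r"^(\d+):\s")
FRAME = re.compile(r"^\s*[0-9a-f]+\s+(\w+)\s*\(")
# Assumption: frame names taken from the trace, classified by role.
SERVER_FRAME = "process_request"
CLIENT_FRAMES = {"winbind_lookup_sid", "winbindd_request_response",
                 "winbindd_send_request", "winbindd_get_response",
                 "winbind_open_pipe_sock", "read_reply", "read_sock", "write_sock"}

def parse_pstack(text):
    """Return {pid: [function names, innermost first]}."""
    stacks, pid = {}, None
    for line in text.splitlines():
        m = PROC.match(line)
        if m:
            pid = int(m.group(1))
            stacks[pid] = []
        elif pid is not None and (m := FRAME.match(line)):
            stacks[pid].append(m.group(1))
    return stacks

def self_requests(stacks):
    """Map pid -> (innermost client frame, server-side caller) for stuck servers."""
    hits = {}
    for pid, frames in stacks.items():
        if SERVER_FRAME not in frames:
            continue
        # Only frames called from within request handling are of interest.
        inner = frames[:frames.index(SERVER_FRAME)]
        idx = [i for i, f in enumerate(inner) if f in CLIENT_FRAMES]
        if idx:
            nxt = idx[-1] + 1  # frame that entered the client code path
            caller = inner[nxt] if nxt < len(inner) else SERVER_FRAME
            hits[pid] = (inner[idx[0]], caller)
    return hits
```

Feeding it the output of pstack for every winbindd process separates a process blocked on its own client call from one that is merely idle in select.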

