Samba 3.0.30: Still some winbindd issue?

miguel.sanders at arcelormittal.com miguel.sanders at arcelormittal.com
Thu Jun 5 11:43:03 GMT 2008


Dear all

I strongly feel there is still an open issue with winbindd and trusted domains (3.0.30).
What I have tried (in sequence) is the following:

(1) Access a share from domain DOSIM000 : OK
(2) Access a share from domain EUROPE : OK
(3) Access a share from domain DOSIM000 : NOK

Between steps 2 and 3, the AIX syslog shows the following:

Jun  5 09:41:46 sv104u daemon:err|error winbindd[708640]: [2008/06/05 09:41:46, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jun  5 09:41:46 sv104u daemon:err|error winbindd[708640]:   async_request_timeout_handler: child pid 593940 is not responding. Closing connection to it.
Jun  5 09:41:46 sv104u daemon:err|error winbindd[405724]: [2008/06/05 09:41:46, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jun  5 09:41:46 sv104u daemon:err|error winbindd[405724]:   async_request_timeout_handler: child pid 593940 is not responding. Closing connection to it.

As a result, the log.smbd shows the following when doing (3):
[2008/06/05 09:42:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username DOSIM000+WS10015559$ is invalid on this system

After restarting smbd and winbindd, everything works just fine again.

What do you guys think?


Miguel SANDERS
ArcelorMittal Gent

UNIX System Administrator | SAP Infrastructure Group John Kennedylaan 51, B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E miguel.sanders at arcelormittal.com www.arcelormittal.com/gent


-----Original message-----
From: William Jojo [mailto:jojowil at hvcc.edu]
Sent: Wednesday 4 June 2008 14:04
To: SANDERS Miguel
Subject: Re: FW: Samba 3.0.29



---- Original message ----
>Date: Wed, 4 Jun 2008 08:18:40 +0200
>From: miguel.sanders at arcelormittal.com
>Subject: FW: Samba 3.0.29
>To: jojowil at hvcc.edu
>
> 
>Argh
>
>I forgot to adapt the /usr/lib/security/methods.cfg file for the WINBIND LAM...
>Sorry, problem is fixed now :-)
>

I was *just* about to ask that! Ha!

Congrats!


Cheers,
Bill


>
>
>-----Original message-----
>From: SANDERS Miguel
>Sent: Wednesday 4 June 2008 7:53
>To: 'William Jojo'
>Subject: RE: Samba 3.0.29
>
>Hi Bill
>
>Do you have any idea?
>
>Thnx! 
>
>
>
>
>-----Original message-----
>From: SANDERS Miguel
>Sent: Monday 2 June 2008 8:03
>To: 'William Jojo'
>Subject: RE: Samba 3.0.29
>
>Hi Bill
>
>I have been looking at this issue more thoroughly.
>(I installed 3.0.30 on a fresh box so no upgrading issues for the TDB files).
>Whenever I want to connect to a share, I get the following error in log.smbd even though everything works fine.
>
>[2008/06/02 07:58:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
>  Username DOSIM000+WS10015559$ is invalid on this system
>[2008/06/02 07:58:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
>  Username DOSIM000+WS10015559$ is invalid on this system
>[2008/06/02 07:58:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
>
>Where DOSIM000 is the Pre Windows 2000 name of our Active Directory domain and WS10015559$ is my local Windows XP client machine, trying to access the share.
>
>Smb.conf
>
>[global]
>        workgroup = DOSIM000
>        realm = SIDMAR.BE
>        server string = AIX Samba %v
>        security = ADS
>        ldap ssl = no
>        idmap uid = 500-10000
>        idmap gid = 500-10000
>        winbind separator = +
>
>I didn't have these issues with 3.0.24.
>
>
>
>-----Original message-----
>From: William Jojo [mailto:jojowil at hvcc.edu]
>Sent: Saturday 31 May 2008 21:43
>To: SANDERS Miguel
>Subject: RE: Samba 3.0.29
>
>
>
>---- Original message ----
>>Date: Sat, 31 May 2008 20:20:07 +0200
>>From: miguel.sanders at arcelormittal.com
>>Subject: RE: Samba 3.0.29
>>To: jojowil at hvcc.edu
>>
>>Actually I copied no tdb files from 24 to 29.
>>Could that be causing the Username DOSIM000+COMPUTERNAME$ is invalid on this system when I do the upgrade?
>>(Even though I did rejoin the domain after the upgrade).
>>
>
>I would need to know more. What is this machine joined to? Which machine is the domain DOSIM000?
>
>The winbind_idmap.tdb keeps a record of mappings of remote users/groups to local uid/gid values. That may be a place to start.
>
>Did the pam fix work for you?
>
>Cheers,
>Bill
>
>
>>Thnx!
>>
>>
>>
>>
>>-----Original message-----
>>From: William Jojo [mailto:jojowil at hvcc.edu]
>>Sent: Saturday 31 May 2008 18:23
>>To: SANDERS Miguel
>>Subject: Re: Samba 3.0.29
>>
>>
>>
>>I did receive your other emails. I will forward the PAM solution.
>>
>>Also, when you upgraded to 29, did you copy the secrets.tdb and other important tdb files as stated in the Samba docs?
>>
>>http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html#tdbpermfiledesc
>>
>>
>>Also there was an interesting patch to 3.0.30 I saw yesterday that Jeremy mentioned was from Geunter regarding trusts. Let me look closer at that patch.
>>
>>
>>Cheers,
>>Bill
>>
>>
>>---- Original message ----
>>>Date: Sat, 31 May 2008 11:19:23 +0200
>>>From: miguel.sanders at arcelormittal.com
>>>Subject: Samba 3.0.29
>>>To: jojowil at hvcc.edu
>>>
>>>   Hi Bill
>>>
>>>   There have been some issues with the mailrouting for my account (I
>>>   couldn't receive mails from outside the company WAN) so I was
>>>   wondering if you have received my previous mail and you could help me.
>>>
>>>   Thnx!
>>>
>>>   Best regards
>>>
>>

**** 
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. 
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. 
Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. 
This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.  
****  
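
Added example, not part of the original post and not Samba code: the symptom reported above is a winbindd child timeout in syslog followed by "Username ... is invalid on this system" in log.smbd. The Python below correlates the two logs so that only session-setup failures that follow a timeout are flagged; the 10-minute window and the 09:30:02 log.smbd entry are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Syslog lines as quoted in the post (two winbindd parents report one child).
SYSLOG = """\
Jun  5 09:41:46 sv104u daemon:err|error winbindd[708640]: [2008/06/05 09:41:46, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jun  5 09:41:46 sv104u daemon:err|error winbindd[708640]:   async_request_timeout_handler: child pid 593940 is not responding. Closing connection to it.
Jun  5 09:41:46 sv104u daemon:err|error winbindd[405724]: [2008/06/05 09:41:46, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jun  5 09:41:46 sv104u daemon:err|error winbindd[405724]:   async_request_timeout_handler: child pid 593940 is not responding. Closing connection to it.
"""
# log.smbd: the 09:42:49 entry is from the post; the 09:30:02 entry is
# constructed to show an occurrence that does not follow a timeout.
LOG_SMBD = """\
[2008/06/05 09:30:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username DOSIM000+WS10015559$ is invalid on this system
[2008/06/05 09:42:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username DOSIM000+WS10015559$ is invalid on this system
"""

STAMP = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
TIMEOUT = re.compile(r"child pid (\d+) is not responding")
INVALID = re.compile(r"Username (\S+) is invalid on this system")

def events(text, pattern):
    """Yield (timestamp, captured value) for each message matching pattern."""
    stamp = None
    for line in text.splitlines():
        m = STAMP.search(line)
        if m:  # Samba header line; the message itself is on the next line
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = pattern.search(line)
        if m and stamp is not None:
            yield stamp, m.group(1)

def correlate(syslog, smbd_log, window=timedelta(minutes=10)):
    """Return (user, time, child pid, delay in s) for each invalid-username
    entry logged within `window` after a winbindd child timeout."""
    timeouts = sorted(set(events(syslog, TIMEOUT)))  # dedupe repeated reports
    hits = []
    for when, user in events(smbd_log, INVALID):
        prior = [(t, pid) for t, pid in timeouts
                 if timedelta(0) <= when - t <= window]
        if prior:
            t, pid = prior[-1]  # most recent timeout before the failure
            hits.append((user, when, pid, int((when - t).total_seconds())))
    return hits

if __name__ == "__main__":
    for hit in correlate(SYSLOG, LOG_SMBD):
        print(hit)
```
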



More information about the samba-technical mailing list