[BUGS] winbindd maintainer? (was: Re: winbindd: local unix users vs. NTdomain users)

vda vda at port.imtp.ilyichevsk.odessa.ua
Tue Dec 18 03:40:03 GMT 2001


On Monday 17 December 2001 17:41, Gerald (Jerry) Carter wrote:
>
> > It really looks like winbindd is useful thing but it's buggy at the
> > moment. I also observed two more bugs:
> >
> > 1. Inability to connect to shares on server which have winbindd running
>
> this sounds like a configuration error.  can you provide more specific
> details?

Of course, any bloody details you want. Server smb.conf is at the end.

Note: I don't have 'test' in smbpasswd, only in /etc/passwd as required by 
domain level security.

This is what happens when I try to connect to \\pegasus\test from two test 
boxes: vda is an NT box and manta is a Linux one. This is from samba.%m logs:

NT box
------
winbindd is running, getent passwd does show PORT.test
Trying to open \\pegasus\test: failure

[2001/12/18 11:26:18, 1] ../lib/util_sock.c:get_socket_name(1003)
  Gethostbyaddr failed for 172.16.42.59
[2001/12/18 11:26:18, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.
[2001/12/18 11:26:18, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.
[2001/12/18 11:26:18, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.
[2001/12/18 11:26:19, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.
[2001/12/18 11:26:19, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.
[2001/12/18 11:26:19, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.
[2001/12/18 11:26:24, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.

winbindd killed
Trying to open \\pegasus\test: successful
(checked: it does _not_ turn into guest: ok)

[2001/12/18 11:41:38, 1] ../lib/util_sock.c:get_socket_name(1003)
  Gethostbyaddr failed for 172.16.42.59
[2001/12/18 11:41:38, 1] ../smbd/service.c:make_connection(610)
  vda (172.16.42.59) connect to service test as user test (uid=999, gid=100) (pid 2024)
[2001/12/18 11:41:38, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.

Linux box:
----------
winbindd is running, getent passwd does show PORT.test
Trying:
smbclient //pegasus/test testtest -U test: failure

[2001/12/18 11:40:27, 1] ../lib/util_sock.c:get_socket_name(1003)
  Gethostbyaddr failed for 172.16.241.2
[2001/12/18 11:40:27, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.

winbindd killed
Trying:
smbclient //pegasus/test testtest -U test: successful

[2001/12/18 11:40:27, 1] ../lib/util_sock.c:get_socket_name(1003)
  Gethostbyaddr failed for 172.16.241.2
[2001/12/18 11:40:27, 1] ../smbd/password.c:pass_check_smb(546)
  Couldn't find user 'test' in passdb.
[2001/12/18 11:44:07, 1] ../lib/util_sock.c:get_socket_name(1003)
  Gethostbyaddr failed for 172.16.241.2
[2001/12/18 11:44:07, 1] ../smbd/service.c:make_connection(610)
  manta (172.16.241.2) connect to service test as user test (uid=999, gid=100) (pid 2035)

One more try, winbindd -i -d3 >wddlog,
smbclient //pegasus/test testtest -U test: failure, wddlog contents:

INFO: Debug class all level = 1   (pid 2097 from pid 2097)
added interface ip=172.16.241.1 bcast=172.16.241.255 nmask=255.255.255.0
added interface ip=172.16.42.75 bcast=172.16.42.255 nmask=255.255.255.0
establishing connections
server: dc=, pwdb_init=0, lsa_hnd=0
resolve_wins: Attempting wins lookup for name PORT<0x1c>
resolve_wins: WINS server == <172.16.42.102>
bind succeeded on port 0
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 172.16.42.102 )
bind succeeded on port 0
resolve_wins: Attempting wins lookup for name PORT_PDC<0x20>
resolve_wins: WINS server == <172.16.42.102>
bind succeeded on port 0
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 )
Connecting to 172.16.42.102 at port 139
getting trusted domain list
adding trusted domain PORT
server: dc=PORT_PDC, pwdb_init=1, lsa_hnd=1
PORT: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
[ 2098]: getpwnam PORT.TEST
Getting domain info for domain PORT
looking up sid for domain PORT
resolve_wins: Attempting wins lookup for name PORT<0x1c>
resolve_wins: WINS server == <172.16.42.102>
bind succeeded on port 0
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 172.16.42.102 )
bind succeeded on port 0
found sid S-1-5-21-1145453651-1398827628-1235820382 for domain PORT
checking domain handles for domain PORT
server: dc=PORT_PDC, pwdb_init=1, lsa_hnd=1
PORT: dc=PORT_PDC, got_sid=1, sam_hnd=0 sam_dom_hnd=0
opening sam handles
resolve_wins: Attempting wins lookup for name PORT_PDC<0x20>
resolve_wins: WINS server == <172.16.42.102>
bind succeeded on port 0
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 )
Connecting to 172.16.42.102 at port 139
CACHESEQ PORT/USR/TEST is 4294967295
seq 4294967295 for PORT has expired
cached sequence number for PORT is 7214
[ 2098]: getpwnam port.test
CACHESEQ PORT/USR/test is 4294967295
cached sequence number for PORT is 7214
seq 4294967295 for PORT has expired
cached sequence number for PORT is 7214
[ 2098]: getgroups port.test
[ 2098]: uid to sid 10199
[ 2098]: gid to sid 10001

(Why does winbindd show any activity at all? It should kick in only when local 
users are trying to log in?)

> > 2. Memory leaks (winbindd grows, was OOM killed on a box with 32m ram+96m
> > swap)
>
> already fixed in the latest SAMBA_2_2 cvs code in preparation for 2.2.3.

Good news.
--
vda

smb.conf
--------
# VDA
# This setup allows connecting as guest
# (invalid username -> you are guest)
# Attempt to connect to \\server\username
# will ask for password _for that username_
# even on braindamaged clients which don't
# let user specify username (Win9x).
#
# Set passwords for users via smbpasswd!
#
# Note! To connect under different username, you may need
# to log off and on again on the client machine.
# Yes, M$ is terminally broken.

#======================= Global Settings =====================================
[global]

# Logging
#0..3 - ERR,WARN,NOTICE,INFO
  log file = /var/log/samba.%m
  max log size = 256
  debug level = 1
  syslog = 1
  syslog only = No

# makes ping <netbios name> work
# Note:
# /etc/nsswitch: "hosts: files dns wins"
# /lib: libnss_wins.so, libnss_wins.so[.1|2 (glibc 1/2)]
  #name resolve order = lmhosts host wins bcast
  name resolve order = wins
  wins server = 172.16.42.102

# winbindd allows you to have user UID/GID be derived from NT PDC
# and domain users can log in your linux box (shell login, not just SMB connect!)
# without twiddling with /etc/passwd|shadow|group!
# PAM usage:
#   auth sufficient pam_winbind.so
#   account required pam_winbind.so
# Note: have to join domain, have to be in domain security mode
  # user syntax: DOMAIN.user
  winbind separator = .
  # Allocate uid/gid range for NT users
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  # Recheck user/group id every N secs
  winbind cache time = 300
  # Home dir: %D:domain %U:user
  template homedir = /home/%D.%U
  template shell = /bin/bash

# Browser elections
  local master = yes
  preferred master = yes
  ;domain master = depends on security model, see below

# Username/passwd handling
  # If username is invalid, treat him as guest
  map to guest = Bad user
  # Allow users with null passwords to connect
  null passwords = yes
  # Allow logins from Win311/95/98 (weaker security)
  lanman auth = yes
  encrypt passwords = yes

;# Authenticate users using given WinNT box
;# - VDA: ok
;  workgroup = PORT
;  encrypt passwords = yes
;  security = server
;  password server = PORT_PDC
;  domain master = no

# Authenticate users using given WinNT domain
# - VDA: ok, but you'll need to create UNIX users for each connecting Win one
# (same username as found on PDC)
# Update: [2001/12/07] can't make it accept domain users
#         when winbindd is running even if local user exists in /etc/passwd
#
  workgroup = PORT
  encrypt passwords = yes
  security = domain
  password server = *
  domain master = no

;# Authenticate users using local Samba
;# (we are part of a workgroup)
;# - VDA: ok.
;# Set passwords for users via smbpasswd!
;  workgroup = LINUX
;  os level = 33
;  security = share
;  domain logons = no

;# We are PDC for our domain (domain name set by 'workgroup')
;# Have to have [netlogon]
;# TODO: check:maybe we need [profiles] too?
;  workgroup = LINUX
;  os level = 34
;  security = user
;  domain logons = yes
;  domain master = yes # affects browser elections
;  ;# To be executed each time user logs in. Stored in [netlogon]
;  ;logon script = %u.bat
;  # Home dir and drive to map it to
;  # (%L: our server netbios name, %u: final user name)
;  logon home = \\%L\%u\home\%u
;  logon drive = w:
;  # Profiles dir for roaming profiles
;  logon path = \\%L\%u\home\%u\profiles

# Guess what is this?
  client code page = 866
  code page directory = /usr/lib/samba/lib/codepages

# ???
  socket options = TCP_NODELAY

; TODO: check whether this is useful
;[global]
;  default service = pub
;
;[pub]
;  path = /%S
;
;!!!
;  preexec = ...
;  postexec = ...

#============================ Default share parameters =======================
  # Map guests to which UNIX user?
  guest account = guest
  # Share is visible by default?
  browseable = yes
  guest ok = yes
  # ???
  #browse list = yes
  read only = yes
  follow symlinks = yes
  create mode = 0644
  force create mode = 0600
  directory mode = 0755
  force directory mode = 0111
  # ???
  deadtime = 10

#============================ Share Definitions ==============================
[-pub]
  path = /pub
  read only = yes
  guest ok = yes
  guest only = yes

[-in]
  path = /pub/in
  read only = no
  guest ok = yes
  guest only = yes

# Special share - replaced by username
# Check that this path is actually accessible by users!!!
[homes]
  ;path = /home/%S
  path = /.share
  only user = yes
  user = %S
  guest ok = no
  read only = no
  # This stops [homes] itself from being visible
  # User shares inherit the global setting and hence are visible
  browseable = no

;# Special share - replaced by printer name(s)
;[printers]
;  comment = All Printers
;  path = /var/spool/samba
;  browseable = no
;# Set public = yes to allow user 'guest account' to print
;  guest ok = no
;  writable = no
;  printable = yes

# Special share: used for logons if we are PDC
# It stores logon scripts, ??? what else ???
[netlogon]
  path = /var/app/samba-2.2.2/netlogon
  public = no
  writable = no
  browsable = no

# ???
[profiles]
  path = /var/app/samba-2.2.2/profiles
  browseable = no
  guest ok = yes
