[BUGS] winbindd maintainer? (was: Re: winbindd: local unix users vs. NTdomain users)
vda
vda at port.imtp.ilyichevsk.odessa.ua
Tue Dec 18 03:40:03 GMT 2001
On Monday 17 December 2001 17:41, Gerald (Jerry) Carter wrote:
>
> > It really looks like winbindd is useful thing but it's buggy at the
> > moment. I also observed two more bugs:
> >
> > 1. Inability to connect to shares on server which have winbindd running
>
> this sounds like a configuration error. can ou provide more specific
> details?
Of course, any bloody details you want. Server smb.conf is at the end.
Note: I don't have 'test' in smbpasswd, only in /etc/passwd as required by
domain level security.
This is what happens when I try to connect to \\pegasus\test from two test
boxes: vda is an NT bot and manta is Linux one. This is from samba.%m logs:
NT box
------
winbindd is running, getent passwd does show PORT.test
Trying to open \\pegasus\test: failure
[2001/12/18 11:26:18, 1] ../lib/util_sock.c:get_socket_name(1003)
Gethostbyaddr failed for 172.16.42.59
[2001/12/18 11:26:18, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
[2001/12/18 11:26:18, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
[2001/12/18 11:26:18, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
[2001/12/18 11:26:19, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
[2001/12/18 11:26:19, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
[2001/12/18 11:26:19, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
[2001/12/18 11:26:24, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
winbindd killed
Trying to open \\pegasus\test: successful
(checked: it does _not_ turn into guest: ok)
[2001/12/18 11:41:38, 1] ../lib/util_sock.c:get_socket_name(1003)
Gethostbyaddr failed for 172.16.42.59
[2001/12/18 11:41:38, 1] ../smbd/service.c:make_connection(610)
vda (172.16.42.59) connect to service test as user test (uid=999, gid=100)
(pid 2024)
[2001/12/18 11:41:38, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
Linux box:
----------
winbindd is running, getent passwd does show PORT.test
Trying:
smbclient //pegasus/test testtest -U test: failure
[2001/12/18 11:40:27, 1] ../lib/util_sock.c:get_socket_name(1003)
Gethostbyaddr failed for 172.16.241.2
[2001/12/18 11:40:27, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
winbindd killed
Trying:
smbclient //pegasus/test testtest -U test: successful
[2001/12/18 11:40:27, 1] ../lib/util_sock.c:get_socket_name(1003)
Gethostbyaddr failed for 172.16.241.2
[2001/12/18 11:40:27, 1] ../smbd/password.c:pass_check_smb(546)
Couldn't find user 'test' in passdb.
[2001/12/18 11:44:07, 1] ../lib/util_sock.c:get_socket_name(1003)
Gethostbyaddr failed for 172.16.241.2
[2001/12/18 11:44:07, 1] ../smbd/service.c:make_connection(610)
manta (172.16.241.2) connect to service test as user test (uid=999,
gid=100) (pid 2035)
One more try, winbindd -i -d3 >wddlog,
smbclient //pegasus/test testtest -U test: failure, wddlog contents:
INFO: Debug class all level = 1 (pid 2097 from pid 2097)
added interface ip=172.16.241.1 bcast=172.16.241.255 nmask=255.255.255.0
added interface ip=172.16.42.75 bcast=172.16.42.255 nmask=255.255.255.0
establishing connections
server: dc=, pwdb_init=0, lsa_hnd=0
resolve_wins: Attempting wins lookup for name PORT<0x1c>
resolve_wins: WINS server == <172.16.42.102>
bind succeeded on port 0
Got a positive name query response from 172.16.42.102 ( 172.16.42.102
172.16.42.102 )
bind succeeded on port 0
resolve_wins: Attempting wins lookup for name PORT_PDC<0x20>
resolve_wins: WINS server == <172.16.42.102>
bind succeeded on port 0
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 )
Connecting to 172.16.42.102 at port 139
getting trusted domain list
adding trusted domain PORT
server: dc=PORT_PDC, pwdb_init=1, lsa_hnd=1
PORT: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
[ 2098]: getpwnam PORT.TEST
Getting domain info for domain PORT
looking up sid for domain PORT
resolve_wins: Attempting wins lookup for name PORT<0x1c>
resolve_wins: WINS server == <172.16.42.102>
bind succeeded on port 0
Got a positive name query response from 172.16.42.102 ( 172.16.42.102
172.16.42.102 )
bind succeeded on port 0
found sid S-1-5-21-1145453651-1398827628-1235820382 for domain PORT
checking domain handles for domain PORT
server: dc=PORT_PDC, pwdb_init=1, lsa_hnd=1
PORT: dc=PORT_PDC, got_sid=1, sam_hnd=0 sam_dom_hnd=0
opening sam handles
resolve_wins: Attempting wins lookup for name PORT_PDC<0x20>
resolve_wins: WINS server == <172.16.42.102>
bind succeeded on port 0
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 )
Connecting to 172.16.42.102 at port 139
CACHESEQ PORT/USR/TEST is 4294967295
seq 4294967295 for PORT has expired
cached sequence number for PORT is 7214
[ 2098]: getpwnam port.test
CACHESEQ PORT/USR/test is 4294967295
cached sequence number for PORT is 7214
seq 4294967295 for PORT has expired
cached sequence number for PORT is 7214
[ 2098]: getgroups port.test
[ 2098]: uid to sid 10199
[ 2098]: gid to sid 10001
(why winbindd shows any activity, it should kick in only when local users are
trying to login?)
> > 2. Memory leaks (winbindd grows, was OOM killed on a box wit 32m ram+96m
> > swap)
>
> already fixed in the latest SAMBA_2_2 cvs code in preparation for 2.2.3.
Good news.
--
vda
smb.conf
--------
# VDA
# This setup allows to connect as guest
# (invalid username -> you are guest)
# Attempt to connect to \\server\username
# will ask for password _for that username_
# even on braindamaged clients which don't
# let user specify username (Win9x).
#
# Set passwords for users via smbpasswd!
#
# Note! To connect under different username, you may need
# to log off and on again on the client machine.
# Yes, M$ is terminally broken.
#======================= Global Settings =====================================
[global]
# Logging
#0..3 - ERR,WARN,NOTICE,INFO
log file = /var/log/samba.%m
max log size = 256
debug level = 1
syslog = 1
syslog only = No
# makes ping <netbios name> work
# Note:
# /etc/nsswitch: "hosts: files dns wins"
# /lib: libnss_wins.so, libnss_wins.so[.1|2 (glibc 1/2)]
#name resolve order = lmhosts host wins bcast
name resolve order = wins
wins server = 172.16.42.102
# winbindd allows you to have user UID/GID be derived from NT PDC
# and domain users can log in your linux box (shell login, not just SMB
connect!)
# without twiddling with /etc/passwd|shadow|group!
# PAM usage:
# auth sufficient pam_winbind.so
# account required pam_winbind.so
# Note: have to join domain, have to be in domain security mode
# user syntax: DOMAIN.user
winbind separator = .
# Allocate uid/gid range for NT users
winbind uid = 10000-20000
winbind gid = 10000-20000
# Recheck user/group id every N secs
winbind cache time = 300
# Home dir: %D:domain %U:user
template homedir = /home/%D.%U
template shell = /bin/bash
# Browser elections
local master = yes
preferred master = yes
;domain master = depands on security model, see below
# Username/passwd handling
# If username is invalid, treat him as guest
map to guest = Bad user
# Allow users with null passwords to connect
null passwords = yes
# Allow logins from Win311/95/98 (weaker security)
lanman auth = yes
encrypt passwords = yes
;# Authenticate users using given WinNT box
;# - VDA: ok
; workgroup = PORT
; encrypt passwords = yes
; security = server
; password server = PORT_PDC
; domain master = no
# Authenticate users using given WinNT domain
# - VDA: ok, but you'll need to create UNIX users for each connecting Win one
# (same username as found on PDC)
# Update: [2001/12/07] can't make it accept domain users
# when winbindd is running even if local user exists in /etc/passwd
#
workgroup = PORT
encrypt passwords = yes
security = domain
password server = *
domain master = no
;# Authenticate users using local Samba
;# (we are part of a workgroup)
;# - VDA: ok.
;# Set passwords for users via smbpasswd!
; workgroup = LINUX
; os level = 33
; security = share
; domain logons = no
;# We are PDC for our domain (domain name set by 'workgroup')
;# Have to have [netlogon]
;# TODO: check:maybe we need [profiles] too?
; workgroup = LINUX
; os level = 34
; security = user
; domain logons = yes
; domain master = yes # affects browser elections
; ;# To be executed each time user logs in. Stored in [netlogon]
; ;logon script = %u.bat
; # Home dir and drive to map it to
; # (%L: our server netbios name, %u: final user name)
; logon home = \\%L\%u\home\%u
; logon drive = w:
; # Profiles dir for roaming profiles
; logon path = \\%L\%u\home\%u\profiles
# Guess what is this?
client code page = 866
code page directory = /usr/lib/samba/lib/codepages
# ???
socket options = TCP_NODELAY
; TODO: try is this useful
;[global]
; default service = pub
;
;[pub]
; path = /%S
;
;!!!
; preexec = ...
; postexec = ...
#============================ Default share parameters =======================
# Map guests to which UNIX user?
guest account = guest
# Share is visible by default?
browseable = yes
guest ok = yes
# ???
#browse list = yes
read only = yes
follow symlinks = yes
create mode = 0644
force create mode = 0600
directory mode = 0755
force directory mode = 0111
# ???
deadtime = 10
#============================ Share Definitions ==============================
[-pub]
path = /pub
read only = yes
guest ok = yes
guest only = yes
[-in]
path = /pub/in
read only = no
guest ok = yes
guest only = yes
# Special share - replaced by username
# Check that this path is actually accessible by users!!!
[homes]
;path = /home/%S
path = /.share
only user = yes
user = %S
guest ok = no
read only = no
# This stops [homes] to be visible itself
# User shares inherit global setting and hence are visible
browseable = no
;# Special share - replaced by printer name(s)
;[printers]
; comment = All Printers
; path = /var/spool/samba
; browseable = no
;# Set public = yes to allow user 'guest account' to print
; guest ok = no
; writable = no
; printable = yes
# Special share: used for logons if we are PDC
# It stores logon scripts, ??? what else ???
[netlogon]
path = /var/app/samba-2.2.2/netlogon
public = no
writable = no
browsable = no
# ???
[profiles]
path = /var/app/samba-2.2.2/profiles
browseable = no
guest ok = yes
More information about the samba
mailing list