[Samba] Re: Winbind broken after 2.2.8 upgrade

Andrew Bartlett abartlet at samba.org
Thu Mar 27 01:27:26 GMT 2003 

On Wed, Mar 26, 2003 at 04:11:13PM -0800, Shawn Wright wrote:
> Ok, stupid me. Somehow I missed updating /lib/libnss_winbind.so on both 
> these machines. Presumably this would have also caused corruption of the 
> winbind idmap?

I doubt it, actually.  

> Since winbind is now installed with a "make install", would it not be a good 
> idea to also install libnss_winbind.so also? Or at least provide some version 
> checking in winbind so that it will fail to start and report an error if it 
> encounters the wrong version of libnss_winbind.so?

Winbind doens't *require* libnss_winbind - there are actually situations where
it is used without it.  That said, I've implemented some extensive version
checks from the client side - we certainly won't connect to a winbind with
a different protocol version any more.

> It seems that the idmap file is a very weak link in samba right now, so every 
> effort should be made to prevent corruption during upgrades, etc.
> In our case, I was able to re-apply acls for 400 users, but quota information 
> for a large shared file volume was lost, as I could not re-map the ids, and 
> had to reset file ownerships to avoid users having incorrect quota 
> assignments.

Yes, we need to work on that - the outsource of this into LDAP is one example
of these efforts - and we did have a project to dump/import the tdb to a text
file, but I'm not sure what happened to it...

Andrew Bartlett

> On 25 Mar 2003 at 10:32, samba at lists.samba.org wrote:
> 
> > I have just upgraded two of our samba boxes to 2.2.8 and ended up with 
> > partially broken winbind after the upgrade. The machines are slightly 
> > different, and so are the symptoms, so here goes:
> > 
> > System 1: Was at 2.2.3 compiled from source Feb4/02, using options: 
> > "./configure  --with-winbind --with-acl-support --with-quotas". Running on 
> > RedHat 7.2, installed from SGI's XFS installer to enable ACLs and quotas 
> > with samba on XFS filesystems. System running fine in production for ~500 
> > NT domain users for the past 8 months. All users are on NT domain, using 
> > winbind from user lookups.
> > After upgrade to 2.2.8, I see the following:
> > 
> > getent passwd shows only local users, no domain users
> > wbinfo -u and -g report domain users & groups normally
> > users connecting to smb shares appear as "root" in smbstatus (!)
> > a nobody share appears browsing the system from an NT box.
> > As this is  a production system, I've had to revert to 2.2.3 so further testing 
> > may be difficult at this time.
> > 
> > System #2 is a fresh install of RedHat 8 using the SGI XFS installer v1.2, 
> > and had the stock samba 2.2.5 rpm installed, over which I compiled and 
> > installed 2.2.8. Config is essentially the same as system #1 otherwise. 
> > (smb.conf shown at end of message)
> > 
> > This time, wbinfo -t, -u, -g all work as expected.
> > getent passwd shows local users, then a list of domain user IDs in the 
> > format: (where 106xx is the id)
> > 
> > ::0:10646:'::
> > ::0:10647:'::
> > ::0:10648:'::
> > 
> > getent group shows a corrupted group listing as follows, "webalizer" is the 
> > last entry in /etc/group, and the correct domain name is "SHAWNIGAN - 
> > notice it is mangled in various places:
> > 
> > webalizer:x:67:
> > hHAWNIGAN+AP French:aminx:1280532334:À«
> > ::1852728681:WNIGAN+abehennah,SHAWNIGAN+adeane,SHAWNIGAN+
> > dew,SHAWNIGAN+gperry,SH
> > AWNIGAN+jrc,SHAWNIGAN+rfilgate,SHAWNIGAN+jcs
> > 
> > ============
> > Here is what the above should look like (and does on the other box running 
> > 2.2.3):
> > 
> > SHAWNIGAN+AP French:x:10023:
> > SHAWNIGAN+Dept-
> > English:x:10024:SHAWNIGAN+abehennah,SHAWNIGAN+adeane,SHAWN
> > IGAN+dew,SH
> > AWNIGAN+gperry,SHAWNIGAN+jrc,SHAWNIGAN+rfilgate,SHAWNIGAN+j
> > cs
> > 
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Shawn Wright, Systems Manager
> Shawnigan Lake School
> http://www.sls.bc.ca
> swright at sls.bc.ca
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list