[Samba] winbindd instability, inconsistent handling of Domain name

Alexander List alexlist at sbox.tu-graz.ac.at
Mon Sep 22 13:25:34 GMT 2003


On Sat, 20 Sep 2003, Gerald (Jerry) Carter wrote:

> | After restarting winbindd, it works again for a while. What's the proper
> | way to produce useful debugging information for the developers?
>
> I think this has already been fixed in our CVS tree.  The Debian
> packaging script should be fine for RC4 so you might just want to build
> your own package from that tree and see if things work better for you.

That's fixed, thanks, and AFAIR I posted that fact to the list on
Wed, 10 Sep 2003 21:11:11 +0200 (CEST).

> | user::rwx
> | user:DOMAIN+username:rwx
> |
> | When I create the ACL with setfacl -m u:INTERNAL.DOMAIN.COM:username:rwx,
> | only DOMAIN+username (the short NETBIOS name of the domain) is listed in
> | the ACL.
>
> Haven't we already talked about this one?  I'm having serious
> deja vu here.  winbindd mostly operates on the short name of the domain.

Yep, this is also a non-issue because INTERNAL.DOMAIN.COM is correctly
mapped to DOMAIN by winbindd.

> | [admin]
> |     browsable = no
> |     path = /mnt/admin
> |     public = no
> |     write list = DOMAIN+username
> |
> | This won't work. Windows domain user "username" gets "Access denied" when
> | trying to create a file on the share.
> |
> | However, this works:
> |
> |     write list = INTERNAL.DOMAIN.COM+username
> |
> | Is this a bug or a configuration problem on my side?
>
> did you define the workgroup and realm in smb.conf?

Yes, I did. I just compiled the latest CVS HEAD branch and tested it
again. The problem won't occur if I set writable to yes; it will only
occur if writable is set to no and there's a write list statement.

Here's what I get from the logs when I try to create a directory on a
share configured as explained above:

/* First, username.c returns username at realm instead of username at domain: */

[2003/09/22 14:32:04, 3] smbd/sesssetup.c:reply_spnego_kerberos(178)
  Ticket name is [user at INTERNAL.DOMAIN.COM]
[2003/09/22 14:32:04, 5] lib/username.c:Get_Pwnam(288)
  Finding user INTERNAL.DOMAIN.COM+user
[2003/09/22 14:32:04, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is internal.domain.com+user
[2003/09/22 14:32:04, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [INTERNAL.DOMAIN.COM+user]!

[...]

/* here, the realm+username is used again */

[2003/09/22 14:32:04, 10] passdb/pdb_get_set.c:pdb_set_username(593)
  pdb_set_username: setting username INTERNAL.DOMAIN.COM+username, was
[2003/09/22 14:32:04, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 11 -> now SET

[...]

/* finally, the create directory call fails */

[2003/09/22 14:32:04, 5] smbd/filename.c:unix_convert(323)
  New file test1
[2003/09/22 14:32:04, 3] smbd/dosmode.c:unix_mode(110)
  unix_mode(test1) returning 0744
[2003/09/22 14:32:04, 5] smbd/files.c:file_new(122)
  allocated file structure 9230, fnum = 13326 (1 used)
[2003/09/22 14:32:04, 2] smbd/open.c:open_directory(1303)
  open_directory: failing create on read-only share
[2003/09/22 14:32:04, 5] smbd/files.c:file_free(385)
  freed files structure 13326 (0 used)
[2003/09/22 14:32:04, 10] smbd/trans2.c:set_bad_path_error(1785)
  set_bad_path_error: err = 13 bad_path = 0
[2003/09/22 14:32:04, 3] smbd/error.c:error_packet(94)
  error string = Permission denied
[2003/09/22 14:32:04, 3] smbd/error.c:error_packet(113)
  error packet at smbd/trans2.c(1797) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED

Hope this helps to find the problem... if not, I'll send you the whole log
directly.

Thanks again for your help hunting down this problem...

Alex

-- 
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
		--Benjamin Franklin, 1759

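An added diagnostic sketch (not part of the original message and not Samba code) for the mismatch reported above: it compares the names smbd logged in its "Finding user" lines with each share's write list and reports entries that differ only in the domain qualifier. The sample log and smb.conf text are constructed from the excerpts in the message, the function names are hypothetical, and the `+` separator is the one used in the names shown in the post.

```python
import re

# Constructed sample input, modelled on the log excerpt and share definition quoted above.
SMBD_LOG = """\
[2003/09/22 14:32:04, 5] lib/username.c:Get_Pwnam(288)
  Finding user INTERNAL.DOMAIN.COM+user
[2003/09/22 14:32:04, 2] smbd/open.c:open_directory(1303)
  open_directory: failing create on read-only share
"""
SMB_CONF = """\
[admin]
    path = /mnt/admin
    write list = DOMAIN+user, DOMAIN+other
"""

def session_names(log):
    """Names smbd looked up for the session ("Finding user ..." lines)."""
    return sorted(set(re.findall(r"^[ \t]+Finding user (\S+)", log, re.M)))

def write_lists(conf):
    """Map share name -> write list entries (hand-rolled parser, an assumption)."""
    shares, current = {}, None
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower().replace(" ", "") == "writelist":
                shares[current] = [e for e in re.split(r"[,\s]+", value) if e]
    return shares

def qualifier_mismatches(log, conf, sep="+"):
    """(share, write list entry, session name) where only the domain part differs."""
    hits = []
    for share, entries in write_lists(conf).items():
        for entry in entries:
            e_dom, found, e_user = entry.rpartition(sep)
            if not found or not e_dom:
                continue  # unqualified name or +group syntax: out of scope here
            for name in session_names(log):
                n_dom, _, n_user = name.rpartition(sep)
                if n_user.lower() == e_user.lower() and n_dom.lower() != e_dom.lower():
                    hits.append((share, entry, name))
    return hits

if __name__ == "__main__":
    for share, entry, name in qualifier_mismatches(SMBD_LOG, SMB_CONF):
        print(f"[{share}] write list has {entry!r}, session resolved as {name!r}")
```

A hit means the share lists the short-domain form while the session was resolved under the realm form, which is the combination the post reports as ending in "failing create on read-only share".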




