[Samba] [3.0.23d] winbind: ads_connect for domain X failed: Operations error

Cédric Delfosse cedric.delfosse at linbox.com
Thu Nov 16 16:47:48 GMT 2006


SAMBA 3.0.23d (netbios name is PDC01, domain is LINBOXTEST)
Windows 2000 server SP4 in mixed mode (netbios name is MAFIA-L6FFST3UP,
domain is ADTEST / adtest.linbox.com)

Hello,

So I've successfully established a two-way interdomain trust
relationship between a SAMBA PDC and a Windows domain. It was working
fine: for example, a Windows user was able to connect to a share on the
SAMBA server.

But now that I have restarted samba and winbind, Windows users can no
longer connect to the SAMBA share.

Looking at the SAMBA logs, it looks like winbind can't interrogate the
Windows LDAP server. For example, if I try:

# wbinfo --sequence
ADTEST : DISCONNECTED
BUILTIN : 137330168
LINBOXTEST : 137328088

I get this in /var/log/samba/log.wb-ADTEST: 

  ads_try_connect: sending CLDAP request to 192.168.0.247 (realm: adtest.linbox.com)
[2006/11/16 17:21:50, 10] libsmb/namequery.c:saf_store(71)
  saf_store: domain = [ADTEST], server = [192.168.0.247], expire = [1163695010]
[2006/11/16 17:21:50, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = SAF/DOMAIN/ADTEST; value = 192.168.0.247 and timeout = Thu Nov 16 17:36:50 2006
   (900 seconds ahead)
[2006/11/16 17:21:50, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 192.168.0.247
[2006/11/16 17:21:50, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain ADTEST failed: Operations error
[2006/11/16 17:21:50, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(447)
  refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
[2006/11/16 17:21:50, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(400)
  store_cache_seqnum: success [ADTEST][4294967295 @ 1163694110]
[2006/11/16 17:21:50, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(459)
  refresh_sequence_number: ADTEST seq number is now -1
[2006/11/16 17:21:50, 10] nsswitch/winbindd_cache.c:cache_store_response(1966)
  Storing response for pid 18303, len 3240

Notice the "Operations error" message!

wbinfo -u/-g no longer works either.

Here is the network trace of the CLDAP connection: 

17:23:25.901055 IP 172.20.0.221.33128 > 192.168.0.247.389: UDP, length: 100
        0x0000:  4500 0080 ebea 4000 4011 dff1 ac14 00dd  E.....@.@.......
        0x0010:  c0a8 00f7 8168 0185 006c fd72 3062 0201  .....h...l.r0b..
        0x0020:  0463 5d04 000a 0100 0a01 0002 0100 0201  .c].............
        0x0030:  0001 0100 a03e a31e 0409 446e 7344 6f6d  .....>....DnsDom
        0x0040:  6169 6e04 1161 6474 6573 742e 6c69 6e62  ain..adtest.linb
        0x0050:  6f78 2e63 6f6d a30d 0404 486f 7374 0405  ox.com....Host..
        0x0060:  5044 4330 31a3 0d04 054e 7456 6572 0404  PDC01....NtVer..
        0x0070:  0600 0000 300a 0408 4e65 744c 6f67 6f6e  ....0...NetLogon
17:23:25.902620 IP 192.168.0.247.389 > 172.20.0.221.33128: UDP, length: 193
        0x0000:  4500 00dd 5324 0000 7f11 795b c0a8 00f7  E...S$....y[....
        0x0010:  ac14 00dd 0185 8168 00c9 afb3 3084 0000  .......h....0...
        0x0020:  00a5 0201 0464 8400 0000 9c04 0030 8400  .....d.......0..
        0x0030:  0000 9430 8400 0000 8e04 086e 6574 6c6f  ...0.......netlo
        0x0040:  676f 6e31 8400 0000 7e04 7c17 0000 00fd  gon1....~.|.....
        0x0050:  0100 00c5 d185 2978 a6e5 4fa6 4a2d c06a  ......)x..O.J-.j
        0x0060:  b0e3 e006 6164 7465 7374 066c 696e 626f  ....adtest.linbo
        0x0070:  7803 636f 6d00 c018 0f6d 6166 6961 2d6c  x.com....mafia-l
        0x0080:  3666 6673 7433 7570 c018 0641 4454 4553  6ffst3up...ADTES
        0x0090:  5400 0f4d 4146 4941 2d4c 3646 4653 5433  T..MAFIA-L6FFST3
        0x00a0:  5550 0000 1750 7265 6d69 6572 2d53 6974  UP...Premier-Sit
        0x00b0:  652d 7061 722d 6465 6661 7574 00c0 5905  e-par-defaut..Y.
        0x00c0:  0000 00ff ffff ff30 8400 0000 1002 0104  .......0........
        0x00d0:  6584 0000 0007 0a01 0004 0004 00         e............

And a chunk of the tethereal output:

SAMBA request:

Internet Protocol, Src Addr: 192.168.0.247 (192.168.0.247), Dst Addr:
172.20.0.221 (172.20.0.221)
...
    LDAP Message, Search Request
        Message Id: 4
        Message Type: Search Request (0x03)
        Message Length: 93
        Base DN: (null)
        Scope: Base (0x00)
        Dereference: Never (0x00)
        Size Limit: 0
        Time Limit: 0
        Attributes Only: False
        Filter: (&(DnsDomain=adtest.linbox.com)(Host=PDC01)(NtVer=\006)
        Attribute: NetLogon

Windows 2000 search result:

Internet Protocol, Src Addr: 192.168.0.247 (192.168.0.247), Dst Addr:
172.20.0.221 (172.20.0.221)
...
    LDAP Message, Search Result
        Message Id: 4
        Message Type: Search Result (0x05)
        Message Length: 7
        Response To: 11
        Time: 0.001484000 seconds
        Result Code: success (0x00)
        Matched DN: (null)
        Error Message: (null)


Should I file a bug report?

Regards,

-- 
Cedric Delfosse                             Linbox / Free&ALter Soft
152, rue de Grigy - Technopole Metz              57070 METZ - FRANCE
tel: +33 (0)3 87 50 87 98                          http://linbox.com
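
Added example, not part of the original post: the CLDAP request in the tcpdump output above can be decoded with a minimal BER reader to cross-check the tethereal decode. `REQUEST_HEX` is the 100-byte UDP payload of the first packet with the IP and UDP headers stripped; the function names are illustrative.

```python
# Added example: decode the CLDAP "netlogon ping" request from the tcpdump above.
# REQUEST_HEX is that packet's 100-byte UDP payload (IP and UDP headers stripped).
REQUEST_HEX = (
    "3062020104635d04000a01000a0100020100020100010100a03e"
    "a31e0409446e73446f6d61696e04116164746573742e6c696e626f782e636f6d"
    "a30d0404486f737404055044433031" "a30d04054e74566572040406000000"
    "300a04084e65744c6f676f6e"
)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_cldap_ping(payload):
    """Decode an LDAP SearchRequest whose filter is an AND of equality matches."""
    _, message, _ = read_tlv(payload, 0)
    (_, msg_id), (op_tag, op) = children(message)[:2]
    if op_tag != 0x63:  # [APPLICATION 3] SearchRequest
        raise ValueError("not a SearchRequest")
    fields = children(op)  # baseObject, scope, deref, size, time, typesOnly, filter, attrs
    filter_tag, and_terms = fields[6]
    if filter_tag != 0xA0:  # [0] AND
        raise ValueError("expected an AND filter")
    terms = {}
    for tag, item in children(and_terms):
        if tag == 0xA3:  # [3] equalityMatch: attribute name, then asserted value
            (_, name), (_, value) = children(item)
            terms[name.decode()] = value
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "base_dn": fields[0][1].decode(),
        "filter": terms,
        "nt_ver": int.from_bytes(terms["NtVer"], "little"),  # 32-bit little-endian
        "attributes": [a.decode() for _, a in children(fields[7][1])],
    }
```

The decoded values agree with the tethereal decode (message ID 4, empty base DN, `NetLogon` attribute). `read_tlv` also accepts the long-form lengths (`84 00 00 00 ...`) used in the Windows 2000 reply.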


