[Samba] Re: Winbind syslog errors and Domain Local Groups

(private) HKS hks.private at gmail.com
Tue Jul 15 22:12:41 GMT 2008


I was finally able to correct these errors by enabling Kerberos
and changing the security model from domain to ads, but now
I've run into the same problem reported here:
http://www.usenet-forums.com/samba/394092-re-samba-accessing-member-server-prompts-credentials.html

After about 5 minutes of uptime the winbind service throws
several errors into syslog and nothing referencing it will work
correctly until I restart it. The processes are still running.

Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0]
nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:
[2008/07/15 17:57:26, 0]
nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jul 15 17:57:26 testbox winbindd[994]:
async_request_timeout_handler: child pid 992 is not responding.
Closing connection to it.
Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:
  async_request_timeout_handler: child pid 992 is not responding.
Closing connection to it.

This is Samba 3.0.30 and Kerberos 5 running on FreeBSD 7.0.

Can anyone help me out here?

-HKS



On Fri, Jul 11, 2008 at 3:56 PM, (private) HKS <hks.private at gmail.com> wrote:
> A few more tidbits...
>
> My winbind logs have this complaint for each of the domain local groups:
> [2008/07/11 14:40:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
>  could not lookup membership for group sid <munged-sid> in domain
> DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
> [2008/07/11 14:40:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>  could not lookup domain group dnsadmins
>
> wbinfo doesn't have any difficulty with converting name -> SID -> gid
> -> SID, but if I run wbinfo -r on a user that's a member of one of the
> groups, that group doesn't show up.
>
> So, at the moment, it appears that winbind just can't grab membership
> for these domain local groups. I found this reported a few other
> places on the 'net, but it doesn't seem that a resolution has ever
> been reached.
>
> -HKS
>
>
> On Fri, Jul 11, 2008 at 1:13 PM, (private) HKS <hks.private at gmail.com> wrote:
>> Any ideas?
>> -HKS
>>
>> On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS <hks.private at gmail.com> wrote:
>>> Hello all.
>>>
>>> I'm relatively new to Samba, and haven't been able to track down a
>>> solution to this particular problem.
>>>
>>> I use Samba/Winbind to authenticate FreeBSD machines against a
>>> Windows 2003 Active Directory. That all works fine. The problem is
>>> that groups in the AD of type "Security Group - Domain Local" are
>>> causing winbindd a lot of grief. Every time the winbindd daemon is
>>> accessed, it spews syslog messages like these for every Domain
>>> Local group in the AD:
>>>
>>> --------------------
>>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>>> group dhcp users
>>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>>> group dhcp administrators
>>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>>> group dnsadmins
>>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>>> group debugger users
>>> ---------------------
>>>
>>> All non-local groups show up just fine in the BSD system. Local
>>> groups do not show up in a getent group.
>>>
>>> All groups, including the local ones, show up when I run wbinfo -g.
>>> Running wbinfo -n <localgroup> comes back with a SID:
>>> $ wbinfo -n dnsadmins
>>> <munged-SID> Local Group (4)
>>>
>>> This SID is trackable back to a gid:
>>> $ sudo wbinfo --sid-to-gid <munged-SID>
>>> 11105
>>>
>>> Why, then, are these groups not actually getting populated? Can anyone
>>> shed some light on this?
>>>
>>> -HKS
>>>
>>
>