[Samba] Cannot retrieve user/group information

Ryan Hardy rh87 at duke.edu
Thu Nov 19 13:26:03 MST 2009

Hi all,

I have done a fair bit of searching of the mailing list archives,  
google and the manual, but have not had any luck as yet.  I apologize  
for the length of this e-mail, but I thought it was better to provide  
what I could right off the bat instead of waiting to be asked for it.

I am having the following oddity with a new samba server:  I have it  
configured to talk to an rfc2307-enabled AD using the ad idmap  
backend.  The 'net ads join' command appears to have worked  
successfully, as an object was created in the appropriate OU.  The  
'net ads testjoin' reports success.  However, the service is  
unreliable at best.  There appear to be significant delays during  
some procedures, especially establishing the initial connection.  I  
believe this may be because it is timing out trying to retrieve user  
information.  I am leaning in this direction because while 'wbinfo -n  
<user>' returns a SID successfully, 'wbinfo -i <user>' fails to work:

# wbinfo -n joeuser
S-1-5-21-3013314750-1269944620-1508481130-93739 User (1)
# wbinfo -i joeuser
Could not get info for user joeuser

When this happens, I see the following messages in the logs -- debug  
level 2 (irrelevant-looking messages stripped for clarity):

==> log.winbindd-idmap <==
[2009/11/19 14:50:33,  2] lib/module.c:64(do_smb_load_module)
   Module '/usr/lib64/samba/idmap/ad.so' loaded
[2009/11/19 14:50:33,  1] winbindd/idmap.c:580(idmap_alloc_init)
   could not find idmap alloc module ad
[2009/11/19 15:00:34,  1] winbindd/idmap_ad.c:143 
   ad_idmap_init: failed to connect to AD
[2009/11/19 15:00:34,  1] winbindd/idmap_ad.c:543 
   ADS uninitialized: No logon servers

This seems to indicate that the module may have trouble loading for  
some reason, or perhaps that is a spurious error message.  However, I  
don't see idmap_ad in the list of modules, either (perhaps these are  
only modules that aren't loaded on demand?):

# smbd -b
Builtin modules:
     pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam rpc_lsarpc  
rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl  
rpc_ntsvcs rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog  
rpc_samr idmap_ldap idmap_tdb idmap_passdb idmap_nss nss_info_template  
auth_sam auth_unix auth_winbind auth_wbc auth_server auth_domain  
auth_builtin auth_netlogond vfs_default vfs_posixacl

Are those messages expected?

This installation was from an RPM I built using the packaging scripts  
in the source tarball, specifically the RHEL script using GCC 4.1.2.   
The /usr/lib64/samba/idmap/ad.so file does appear to be there and  
looks healthy (no missing libraries or anything).

Other relevant system details:

OS: CentOS 5.4
Kernel: 2.6.18
Arch: x86_64
Samba version: 3.4.3

Relevant bits of smb.conf:

workgroup     = FOO
security           = ads
realm              = FOO.BAR.BAZ
idmap backend      = ad
idmap range = 1000-999999
password server    = foo.bar.baz
winbind nss info           = rfc2307
winbind separator          = /
winbind use default domain = yes
winbind nested groups      = yes

I should also mention that kinit works successfully on the machine,  
and getent passwd/group works as well (using pam_ldap against the AD).

Finally, I have a machine with very similar configuration already on  
the network which works.  The primary difference is that it is running  
a much older version of samba (3.0.22).


Please let me know if I can include more information.  I tried to keep  
it as short as possible for this initial request.


Ryan Hardy <ryan.hardy at duke.edu>
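
The following is an added example, not part of the original message and not Samba project code: a small parser for the two-line log entry format shown in the excerpt above, which measures the time between consecutive entries to make stalls such as the suspected timeout visible. The function names and the 60-second threshold are assumptions, and because the poster stripped some messages from the excerpt, a gap is only measured between the entries that remain.

```python
import re
from datetime import datetime

# Header line of a Samba 3.x debug entry: "[date time,  level] file:line(function)".
# The "(function)" part is absent on some entries, as in the idmap_ad.c lines above.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+?):(\d+)(?:\((\w+)\))?\s*$"
)

# Log excerpt taken from the message above (trailing spaces dropped).
SAMPLE = """\
[2009/11/19 14:50:33,  2] lib/module.c:64(do_smb_load_module)
   Module '/usr/lib64/samba/idmap/ad.so' loaded
[2009/11/19 14:50:33,  1] winbindd/idmap.c:580(idmap_alloc_init)
   could not find idmap alloc module ad
[2009/11/19 15:00:34,  1] winbindd/idmap_ad.c:143
   ad_idmap_init: failed to connect to AD
[2009/11/19 15:00:34,  1] winbindd/idmap_ad.c:543
   ADS uninitialized: No logon servers
"""

def parse_entries(text):
    """Pair each header line with the indented message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append({"time": when, "level": int(m.group(2)),
                            "source": f"{m.group(3)}:{m.group(4)}",
                            "function": m.group(5), "message": ""})
        elif entries and line.strip():
            # Continuation line: append it to the current entry's message.
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries

def find_stalls(entries, threshold_seconds=60):
    """Return (gap_seconds, before, after) for consecutive entries further apart than the threshold."""
    stalls = []
    for before, after in zip(entries, entries[1:]):
        gap = (after["time"] - before["time"]).total_seconds()
        if gap > threshold_seconds:
            stalls.append((gap, before, after))
    return stalls

if __name__ == "__main__":
    for gap, before, after in find_stalls(parse_entries(SAMPLE)):
        print(f"{gap:.0f}s after '{before['message']}': {after['message']}")
```

On the excerpt it reports a single gap of just over ten minutes between the idmap alloc module message and the failed AD connection.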
