[Samba] 3.6.0 winbind issues

Linda Walsh samba at tlinx.org
Tue Aug 16 04:11:00 MDT 2011




Michael Wood wrote:
> Hi Linda
>   
>> Yeah...reported this a month ago... as well as other TDB/SID backend probs:
>> http://lists.samba.org/archive/samba-technical/2011-July/078663.html
>> http://lists.samba.org/archive/samba-technical/2011-July/078826.html
>>
>> ---
>> I wasn't sure if it was a 3.6 problem or some type of cockpit error, but
>> both emails were ignored.
>>     
>
> If you find something that looks like a bug and nobody responds to
> your e-mail, perhaps you should report it via Bugzilla so that it
> won't get lost.
>   
----
   I don't feel that's something many developers want -- and I know some
don't.  If you don't have firm evidence that it's the SW that is broken,
they'll just close out the bug with "Works for Me", and I've wasted my
time.  Too many times -- even with repeatable test cases on too many
different projects.  This is especially true with something like samba
where when I asked for any help in tracking down this, I was asked to
submit a 15-25MB samba log with debug set to 10 to the samba list -- NOT
to upload it to a bug, but dump huge amounts of data to the list.  I
didn't feel comfortable doing that.  For all I know, unencrypted
passwords might be buried in that logfile and I'd never catch them -- not
to mention the flack I'd get for posting something so large to the list.
"What were you thinking?  Well so and so told me, ...you gonna jump off a
cliff if he tells you to do that...etc..."...

Even now, I'm not sure why setup is broken.

I can do a UID -> SID translation and SID->UID translation on my userid,
BUT, when windows tries to lookup my userid in winbind, the log spits out:

[2011/08/15 08:30:02,  6, class=winbind] winbindd/winbindd.c:768(new_connection)
  accepted socket 28
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [17439]: request interface version
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [17439]: request location of privileged pipe
[2011/08/15 08:30:02,  6, class=winbind] winbindd/winbindd.c:768(new_connection)
  accepted socket 29
[2011/08/15 08:30:02,  6, class=winbind] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 28, client exited
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups lindaw
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
  wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-33333-77777-33333-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-33333-77777-33333-80026: NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups lindaw
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
  wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-33333-77777-33333-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-33333-77777-33333-80026: NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups law
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
  wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-33333-77777-33333-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-33333-77777-33333-80026: NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups lindaw
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
  wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-33333-77777-33333-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-33333-77777-33333-80026: NT_STATUS_NO_SUCH_USER
---------

@ note, it maps the correct (historically -- what windows has seen) SID
to my username, but then "My Domain -- rejecting getgroups", so
'NT_STATUS_NO_SUCH_USER'.

Things were 'worse'.

Like root couldn't use 'net' rpc user because 'root's ID, apparently,
was broken, so it got invalid password .. and a normal user -- even
admin, can't do diddly...it's not governed by file permissions, as far
as I can tell, but literally a hard-coded check for 'root' (from
observation -- and making all the necessary files r/w by 'group root',
which put my login in).  i.e. I had r/w access to all the data files,
but it refused to allow me to make any changes, even though I was in the
admin and dom-admin groups.

Most of the builtin groups were missing....etc...
Hand added those back using groupmap -- but I couldn't point firmly to
what caused it -- since part of the problem I knew was the inability to
specify separate ranges for groups and users.  -- I had separate ranges
(though I dup UID-> GID groups w/same name) -- I wanted to keep the
users separate from the groups.

The ability to do that was removed -- and my separate UID/GID spaces
collapsed -- that's when I first noticed problems in that I suddenly had
a different "SID" -- something I considered 'bad', as windows doesn't
see you the same if you change your SID...


I mentioned that in one of the notes -- first posted on samba list, and
later on samba tech list -- about how they really needed to consider
publishing caveats and warnings about 3.6's DB changes and how they
could corrupt/destroy user DB's...as that *seemed* to be what happened
to me...but "seemed" and 1$ will get you a cup of coffee -- hard
evidence, or they don't have the time to waste -- they don't want to be
just helping users with 'cockpit' errors, and since I wasn't sure -- was
my not knowing about the DB change the only thing that caused problems?
(I don't think so, but it sure didn't help)...not sure why my db got
mostly zeroed/corrupted --- it just started re-allocating new ID's for
any user/computer it saw -- out of its new default range -- which was
incompat w/my old -- and, I guess, (?? don't know solidly enough to file
the details for a bug report, really),

I DO file lots of bugs -- more than the average user...against a wide
range of products (perl, samba, squid, lkml, novell/opensuse, mozilla
Tbird * FFox, Songbird -- and just too many to count).  But I prefer to
have a fairly reasonable level of confidence before I commit to a bug
report -- so when not sure, I ask about the problem on list first.

and...well...nada.

I figured if it wasn't important to them and it really was the problem I
thought it was, they'd eventually get around to dealing with it.  Too
many times, I'm one of the first to report a bug / problem sometimes
months or years before others hit it (I'm a computer science grad and I
push software in odd ways to try out new things)...

Given the same circumstances, all I feel I can do at that confidence 
level is say something -- that I think there's a problem and need help 
finding out.  If I'm ignored, I assume they are too busy doing other 
things (like getting ready for a major release!)

Some people perceive me as too pushy, too often, anyway, so I certainly
don't need to push when others aren't wanting to listen, especially when
I know that either I'll find I'm the only one w/ the problem. OR I was
just the first.


Make sense?   Do you really think I should have handled it differently?
I don't feel that doing so is really desired considering where my
certainty levels were....
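
Added example, not part of the original post and not Samba project code: a small Python parser for winbindd log records in the shape quoted above, which undoes the mail client's line wrapping and counts which getgroups requests ended in a SID conversion error. The names `parse_records` and `failed_getgroups` are hypothetical, and the sample is a shortened copy of the excerpt.

```python
import re
from collections import Counter

# Sample shortened from the excerpt in the post, keeping the mail wrapping
# (header, SID and status code broken onto separate lines).
SAMPLE = """\
[2011/08/15 08:30:02,  3, class=winbind] 
winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups lindaw
[2011/08/15 08:30:02,  7, class=winbind] 
winbindd/wb_gettoken.c:65(wb_gettoken_send)
  wb_gettoken: My domain -- rejecting getgroups() for 
S-1-5-21-33333-77777-33333-80026.
[2011/08/15 08:30:02,  5, class=winbind] 
winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-33333-77777-33333-80026: 
NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind] 
winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups law
[2011/08/15 08:30:02,  5, class=winbind] 
winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-33333-77777-33333-80026: 
NT_STATUS_NO_SUCH_USER
"""
RECORD_START = re.compile(r"(?m)^(?=\[\d{4}/\d\d/\d\d )")
HEADER = re.compile(r"\[(?P<ts>[^,]+),\s*(?P<level>\d+), class=(?P<cls>\w+)\] "
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\) ?(?P<msg>.*)")
SID = r"S-1(?:-\d+)+"

def parse_records(text):
    """Split on record headers, undo line wrapping, return one dict per record."""
    out = []
    for chunk in RECORD_START.split(text):
        m = HEADER.match(" ".join(chunk.split()))  # collapse wrapped lines
        if m:
            out.append(m.groupdict())
    return out

def failed_getgroups(text):
    """Count (user, sid, status) for getgroups requests that ended in an error."""
    user, hits = None, Counter()
    for rec in parse_records(text):
        if rec["func"] == "winbindd_getgroups_send":
            user = rec["msg"].split()[-1]  # message is "getgroups <name>"
        m = re.match(rf"Could not convert sid ({SID}): (\w+)", rec["msg"])
        if m:
            hits[(user, m.group(1), m.group(2))] += 1
    return hits
```

Because only the error records are counted, a summary like this can be shared in place of a full debug-level-10 log.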