[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1

David Roid dataroid at gmail.com
Wed Dec 21 17:33:21 MST 2011


Been there. You can try either adding "idmap config DOMAIN : default =
yes", or using the old-fashioned "idmap backend = ..." + "idmap uid = ..." +
"idmap gid = ..." to replace "idmap config * : ..."; I don't know which one
actually fixed it.

2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>

> Originally filed by Robert LeBlanc as Debian Bug # 652679 -
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>
> <Quote>
>
> Package: winbind
> Version: 2:3.6.1-3
> Severity: important
>
> Dear Maintainer,
>
> After upgrading to 3.6.1 I am no longer able to login to Debian using my
> Active Directory account.
> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
> 'winbind -i user' returns
> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
> for user user'. Changing
> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
> (fork_domain_child) fork_domain_child
> called without domain.'. The previous wbint_Sid2Uid struct printout shows
> that dom_name is NULL,
> but has the correct domain SID. I believe the problem may exist around
> there. I did upgrade the
> 'idmap backend = hash' to the new format 'idmap config * : backend = hash'
> as specified in the man
> page without any luck. Name to SID and SID to name works along with
> user-domgroups, but user-groups
> does not work. 'wbinfo --group-info=group' fails with a similar error as
> 'wbinfo -i user'. I'm
> going to try to get back to 3.5.11.
>
> -- System Information:
> Debian Release: wheezy/sid
>  APT prefers testing
>  APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages winbind depends on:
> ii  adduser           3.113
> ii  libc6             2.13-21
> ii  libcap2           1:2.22-1
> ii  libcomerr2        1.42-1
> ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
> ii  libk5crypto3      1.10+dfsg~alpha1-6
> ii  libkrb5-3         1.10+dfsg~alpha1-6
> ii  libldap-2.4-2     2.4.25-4+b1
> ii  libpam0g          1.1.3-6
> ii  libpopt0          1.16-1
> ii  libtalloc2        2.0.7-3
> ii  libtdb1           1.2.9-4+b1
> ii  libwbclient0      2:3.6.1-3
> ii  lsb-base          3.2-28
> ii  samba-common      2:3.6.1-3
> ii  zlib1g            1:1.2.3.4.dfsg-3
>
> Versions of packages winbind recommends:
> ii  libpam-winbind  2:3.6.1-3
>
> winbind suggests no packages.
>
> -- no debconf information
>
> </Quote>
>
> I also have this error, and reported as follows:
>
> Robert,
>
> Same problem here, and I have not seen anyone mention this on the Samba
> list.  Systems are fully updated and testparm does not return any
> errors.  idmap backend is rid notated in the new format.  All deprecated
> parameters have been removed.
>
> On my systems, I have found that full functionality returns after a
> reboot; however, if samba/winbind processes are restarted for any
> reason, AD authentication again no longer works.  As with you, wbinfo
> -u/-g continues to work, as does getent passwd.  getent group only
> returns linux groups.  Another reboot will return winbind once again to
> full functionality.
>
> Even at log level 10, error messages have been hard to find among the
> many winbind logs.  At the time of failure, the one I consistently find
> is in syslog:
>    winbindd[4186]:  ads_ranged_search failed with: Time limit exceeded.
>
> ----------------------------------------------------------------
>
> This morning, I recreated the error by restarting Samba/winbind at 07:47.
> The only suspicious level 10 log entries found from that timeframe are:
>
> <syslog>
> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
>  0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
> Dec 21 07:47:25 debinsp3200 winbindd[3489]:   ads_ranged_search failed
> with: Time limit exceeded
>
> <smbd>
> [2011/12/21 07:47:10.102879,  1] lib/serverid.c:197(serverid_deregister)
>  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:47:10.103603,  1] smbd/server.c:303(remove_child_pid)
>  Could not remove pid 3491 from serverid.tdb
> [2011/12/21 07:47:10.104114,  1] smbd/server.c:317(remove_child_pid)
>  Could not find child 3491 -- ignoring
>
> [2011/12/21 07:48:10.174369,  1] lib/serverid.c:197(serverid_deregister)
>  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:48:10.175075,  1] smbd/server.c:303(remove_child_pid)
>  Could not remove pid 3499 from serverid.tdb
> [2011/12/21 07:48:10.490994,  1] smbd/server.c:317(remove_child_pid)
>  Could not find child 3499 -- ignoring
>
> "net ads testjoin" indicates that the join is good.
>
> [global]
>        workgroup = DOMAIN
>        realm = DOMAIN.COM
>        server string = %h server
>        security = ADS
>        map untrusted to domain = Yes
>        allow trusted domains = No
>        map to guest = Bad User
>        obey pam restrictions = Yes
>        password server = *
>        passdb backend = tdbsam
>        username map = /etc/samba/users.map
>        lanman auth = No
>        log level = 10
>        log file =/var/log/samba/%m
>        name resolve order = wins hosts bcast
>        deadtime = 15
>        printcap name = cups
>        preferred master = No
>        wins server = 192.168.1.xyz
>        panic action = /usr/share/samba/panic-action %d
>        ldap ssl = No
>        #
>        idmap config * : backend                = tdb
>        idmap config * : range                  = 1000000 - 20000000
>        idmap config DOMAIN : backend           = rid
>        idmap config DOMAIN : range             = 1000 - 99999
>        template homedir =/home/domain/%U
>        template shell = /bin/bash
>        winbind cache time = 10
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        winbind use default domain = Yes
>        winbind offline logon = Yes
>        #
>        printing = cups
>        print command =
>        lpq command = %p
>        lprm command =
>        veto oplock files = /*.doc/*.xls/*.mdb/
>        map archive = No
>        map readonly = no
>        store dos attributes = Yes
>        ea support = Yes
>        admin users = root, "@domain admins"
>
>
> I have seen numerous 3.6.x winbind problems reported, but do not recall
> seeing this one.
> Does this look like a Samba bug or is it Debian-specific?  winbind fixing
> itself after a reboot is particularly puzzling.
> Any and all suggestions appreciated.
>
> Dale

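An added example, not part of the original posts and not Samba code: a small checker for the idmap settings discussed in this thread. It reports deprecated pre-3.6 parameters mixed with `idmap config` lines, domains missing a backend or range, and overlapping ranges; the function names are hypothetical and the sample input is constructed from the quoted smb.conf plus one deprecated line.

```python
import re

# Constructed sample: the idmap lines from the quoted smb.conf, plus one
# deprecated pre-3.6 parameter added here to show the mixed-style finding.
SAMPLE = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 20000000
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 1000 - 99999
    idmap uid = 10000-50000
"""

NEW_STYLE = re.compile(r"^idmap config\s+([^\s:]+)\s*:\s*(\w[\w ]*?)\s*=\s*(.*)$", re.I)
OLD_STYLE = re.compile(r"^(idmap (?:backend|uid|gid))\s*=\s*(.*)$", re.I)

def parse_idmap(text):
    """Return ({domain: {option: value}}, {deprecated_param: value})."""
    domains, legacy = {}, {}
    for line in map(str.strip, text.splitlines()):
        new, old = NEW_STYLE.match(line), OLD_STYLE.match(line)
        if new:
            domains.setdefault(new.group(1), {})[new.group(2).lower()] = new.group(3).strip()
        elif old:
            legacy[old.group(1).lower()] = old.group(2).strip()
    return domains, legacy

def check_idmap(text):
    """List findings: mixed styles, missing backend/range, overlapping ranges."""
    domains, legacy = parse_idmap(text)
    findings, ranges = [], {}
    if domains and legacy:
        findings.append("mixed: " + ", ".join(sorted(legacy)))
    for dom, opts in sorted(domains.items()):
        for key in ("backend", "range"):
            if key not in opts:
                findings.append(f"{dom}: no {key}")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m:
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"overlap: {a} and {b}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_idmap(SAMPLE)) or "no findings")
```

The findings are prompts for review alongside `testparm` output, not a statement of what caused the failure reported in this thread.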
