[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
David Roid
dataroid at gmail.com
Wed Dec 21 17:33:21 MST 2011
Been there. You can try to add either "idmap config DOMAIN : default =
yes", or use the old-fashioned "idmap backend = ..." + "idmap uid = ..." +
"idmap gid = ..." to replace "idmap config * : ..."; I don't know which one
actually fixed it.
2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
> Originally filed by Robert LeBlanc as Debian Bug # 652679 -
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>
> <Quote>
>
> Package: winbind
> Version: 2:3.6.1-3
> Severity: important
>
> Dear Maintainer,
>
> After upgrading to 3.6.1 I am no longer able to log in to Debian using my
> Active Directory account. 'winbind -u', 'winbind -g', 'winbind -t' and many
> others work fine, but 'winbind -i user' returns 'failed to call
> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user user'.
> Changing the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
> (fork_domain_child) fork_domain_child called without domain.'. The
> previous wbint_Sid2Uid struct printout shows that dom_name is NULL, but
> has the correct domain SID. I believe the problem may exist around there.
> I did upgrade the 'idmap backend = hash' to the new format
> 'idmap config * : backend = hash' as specified in the man page without any
> luck. Name to SID and SID to name works along with user-domgroups, but
> user-groups does not work. 'wbinfo --group-info=group' fails with a
> similar error as 'wbinfo -i user'. I'm going to try to get back to 3.5.11.
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages winbind depends on:
> ii adduser 3.113
> ii libc6 2.13-21
> ii libcap2 1:2.22-1
> ii libcomerr2 1.42-1
> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
> ii libk5crypto3 1.10+dfsg~alpha1-6
> ii libkrb5-3 1.10+dfsg~alpha1-6
> ii libldap-2.4-2 2.4.25-4+b1
> ii libpam0g 1.1.3-6
> ii libpopt0 1.16-1
> ii libtalloc2 2.0.7-3
> ii libtdb1 1.2.9-4+b1
> ii libwbclient0 2:3.6.1-3
> ii lsb-base 3.2-28
> ii samba-common 2:3.6.1-3
> ii zlib1g 1:1.2.3.4.dfsg-3
>
> Versions of packages winbind recommends:
> ii libpam-winbind 2:3.6.1-3
>
> winbind suggests no packages.
>
> -- no debconf information
>
> </Quote>
>
> I also have this error, and reported as follows:
>
> Robert,
>
> Same problem here, and I have not seen anyone mention this on the Samba
> list. Systems are fully updated and testparm does not return any
> errors. idmap backend is rid notated in the new format. All deprecated
> parameters have been removed.
>
> On my systems, I have found that full functionality returns after a
> reboot; however, if samba/winbind processes are restarted for any
> reason, AD authentication again no longer works. As with you, wbinfo
> -u/-g continues to work, as does getent passwd. getent group only
> returns linux groups. Another reboot will return winbind once again to
> full functionality.
>
> Even at log level 10, error messages have been hard to find among the
> many winbind logs. At the time of failure, the one I consistently find
> is in syslog:
> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>
> ------------------------------------------------------------------
>
> This morning, I recreated the error by restarting Samba/winbind at 07:47.
> The only suspicious level 10 log entries found from that timeframe are:
>
> <syslog>
> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
> 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed
> with: Time limit exceeded
>
> <smbd>
> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
> Could not remove pid 3491 from serverid.tdb
> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
> Could not find child 3491 -- ignoring
>
> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
> Could not remove pid 3499 from serverid.tdb
> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
> Could not find child 3499 -- ignoring
>
> "net ads testjoin" indicates that the join is good.
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> server string = %h server
> security = ADS
> map untrusted to domain = Yes
> allow trusted domains = No
> map to guest = Bad User
> obey pam restrictions = Yes
> password server = *
> passdb backend = tdbsam
> username map = /etc/samba/users.map
> lanman auth = No
> log level = 10
> log file =/var/log/samba/%m
> name resolve order = wins hosts bcast
> deadtime = 15
> printcap name = cups
> preferred master = No
> wins server = 192.168.1.xyz
> panic action = /usr/share/samba/panic-action %d
> ldap ssl = No
> #
> idmap config * : backend = tdb
> idmap config * : range = 1000000 - 20000000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 1000 - 99999
> template homedir =/home/domain/%U
> template shell = /bin/bash
> winbind cache time = 10
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind offline logon = Yes
> #
> printing = cups
> print command =
> lpq command = %p
> lprm command =
> veto oplock files = /*.doc/*.xls/*.mdb/
> map archive = No
> map readonly = no
> store dos attributes = Yes
> ea support = Yes
> admin users = root, "@domain admins"
>
>
> I have seen numerous 3.6.x winbind problems reported, but do not recall
> seeing this one.
> Does this look like a Samba bug or is it Debian-specific? winbind fixing
> itself after a reboot is particularly puzzling.
> Any and all suggestions appreciated.
>
> Dale
>
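
An added example, not part of either message and not Samba's own code: a small checker that reads the idmap settings of an smb.conf, reports when the older "idmap backend" / "idmap uid" / "idmap gid" parameters are mixed with the "idmap config" form discussed in this thread, and flags overlapping ID ranges. The second sample configuration is constructed for illustration, and treating any overlap between domain ranges as an error is this example's assumption.

```python
import re

# Constructed sample 1: the idmap lines from the smb.conf quoted above.
PAGE_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 1000000 - 20000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 99999
"""
# Constructed sample 2 (hypothetical): a half-migrated file with an overlap.
BAD_CONF = """[global]
idmap backend = hash
idmap config * : range = 1000000 - 20000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 1999999
"""
LEGACY = {"idmapbackend", "idmapuid", "idmapgid"}

def parse_idmap(text):
    """Return (domains, legacy): per-domain idmap options and old-style params."""
    domains, legacy = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, value = (part.strip() for part in line.split("=", 1))
        m = re.fullmatch(r"idmap\s+config\s+(\S+)\s*:\s*(.+)", key, re.I)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        elif re.sub(r"\s+", "", key).lower() in LEGACY:
            legacy[re.sub(r"\s+", " ", key).lower()] = value
    return domains, legacy

def check(text):
    """List findings: mixed old/new syntax and overlapping ID ranges."""
    domains, legacy = parse_idmap(text)
    findings = []
    if legacy and domains:
        findings.append("mixed legacy and 'idmap config' syntax: "
                        + ", ".join(sorted(legacy)))
    ranges = []
    for dom, opts in sorted(domains.items()):
        if "range" in opts:
            low, high = (int(n) for n in opts["range"].split("-"))
            ranges.append((dom, low, high))
    for i, (a, alo, ahi) in enumerate(ranges):
        for b, blo, bhi in ranges[i + 1:]:
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"ranges overlap: {a} and {b}")
    return findings
```

The configuration posted in the thread produces no findings under these checks, so its ranges and syntax are not flagged by them.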