[Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
David Roid
dataroid at gmail.com
Thu Dec 22 08:02:24 MST 2011
Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1 using
following idmap settings:
idmap config * : range = ...
idmap config * : backend = ...
idmap config DOM : range = ...
idmap config DOM : default = yes
idmap config DOM : backend = ...
then join the domain, no problem at all.
2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
> David, thanks for the help, but I'm afraid that workaround does not work
> for me either.
> Robert, thanks for furnishing all that useful info to bugzilla.
> Jeremy, thanks for for the update on
> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>
> I feel like I'm at the Academy Awards.
> Merry Christmas to all. <[];o{P>
>
> Dale
>
>
>
> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>
> I tried to add "idmap config DOMAIN : default = yes" and it does not help.
> I'm using hash. I've found some interesting things that I've included in
> bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
>
> Robert
>
> On Wed, Dec 21, 2011 at 5:33 PM, David Roid <dataroid at gmail.com> wrote:
>
>> Been there, you can try to add either "idmap config DOMAIN : default =
>> yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
>> gid = ..." to replace "idmap config * : ...", I don't know which one
>> actually fixed it.
>>
>> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>>
>>> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>
>>> <Quote>
>>>
>>> Package: winbind
>>> Version: 2:3.6.1-3
>>> Severity: important
>>>
>>> Dear Maintainer,
>>>
>>> After upgrading to 3.6.1 I am no longer able to login to Debian using my
>>> Active Directory account.
>>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>>> 'winbind -i user' returns
>>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
>>> for user user'. Changing
>>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>>> (fork_domain_child) fork_domain_child
>>> called without domain.'. The previous wbint_Sid2Uid struct printout
>>> shows that dom_name is NULL,
>>> but has the correct domain SID. I believe the problem may exist around
>>> there. I did upgrade the
>>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>>> hash' as specifed in the man
>>> page without any luck. Name to SID and SID to name works along with
>>> user-domgroups, but user-groups
>>> does not work. 'wbinifo --group-info=group' fails with a similar error
>>> as 'wbinfo -i user'. I'm
>>> going to try to get back to 3.5.11.
>>>
>>> -- System Information:
>>> Debian Release: wheezy/sid
>>> APT prefers testing
>>> APT policy: (500, 'testing')
>>> Architecture: amd64 (x86_64)
>>>
>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>> Shell: /bin/sh linked to /bin/dash
>>>
>>> Versions of packages winbind depends on:
>>> ii adduser 3.113
>>> ii libc6 2.13-21
>>> ii libcap2 1:2.22-1
>>> ii libcomerr2 1.42-1
>>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>>> ii libk5crypto3 1.10+dfsg~alpha1-6
>>> ii libkrb5-3 1.10+dfsg~alpha1-6
>>> ii libldap-2.4-2 2.4.25-4+b1
>>> ii libpam0g 1.1.3-6
>>> ii libpopt0 1.16-1
>>> ii libtalloc2 2.0.7-3
>>> ii libtdb1 1.2.9-4+b1
>>> ii libwbclient0 2:3.6.1-3
>>> ii lsb-base 3.2-28
>>> ii samba-common 2:3.6.1-3
>>> ii zlib1g 1:1.2.3.4.dfsg-3
>>>
>>> Versions of packages winbind recommends:
>>> ii libpam-winbind 2:3.6.1-3
>>>
>>> winbind suggests no packages.
>>>
>>> -- no debconf information
>>>
>>> </Quote>
>>>
>>> I also have this error, and reported as follows:
>>>
>>> Robert,
>>>
>>> Same problem here, and I have not seen anyone mention this on the Samba
>>> list. Systems are fully updated and testparm does not return any
>>> errors. idmap backend is rid notated in the new format. All deprecated
>>> parameters have been removed.
>>>
>>> On my systems, I have found that full functionality returns after a
>>> reboot; however, if samba/winbind processes are restarted for any
>>> reason, AD authentication again no longer works. As with you, wbinfo
>>> -u/-g continues to work, as does getent passwd. getent group only
>>> returns linux groups. Another reboot will return winbind once again to
>>> full functionality.
>>>
>>> Even at log level 10, error messages have been hard to find among the
>>> many winbind logs. At the time of failure, the one I consistently find
>>> is in syslog:
>>> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>>>
>>> --------------------------------------------------------------
>>>
>>> This morning, I recreated the error by restarting Samba/winbind at 07:47.
>>> The only suspicious level 10 log entries found from that timeframe are:
>>>
>>> <syslog>
>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
>>> 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed
>>> with: Time limit exceeded
>>>
>>> <smbd>
>>> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
>>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
>>> Could not remove pid 3491 from serverid.tdb
>>> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
>>> Could not find child 3491 -- ignoring
>>>
>>> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
>>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
>>> Could not remove pid 3499 from serverid.tdb
>>> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
>>> Could not find child 3499 -- ignoring
>>>
>>> "net ads testjoin" indicates that the join is good.
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.COM
>>> server string = %h server
>>> security = ADS
>>> map untrusted to domain = Yes
>>> allow trusted domains = No
>>> map to guest = Bad User
>>> obey pam restrictions = Yes
>>> password server = *
>>> passdb backend = tdbsam
>>> username map = /etc/samba/users.map
>>> lanman auth = No
>>> log level = 10
>>> log file =/var/log/samba/%m
>>> name resolve order = wins hosts bcast
>>> deadtime = 15
>>> printcap name = cups
>>> preferred master = No
>>> wins server = 192.168.1.xyz
>>> panic action = /usr/share/samba/panic-action %d
>>> ldap ssl = No
>>> #
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000 - 20000000
>>> idmap config DOMAIN : backend = rid
>>> idmap config DOMAIN : range = 1000 - 99999
>>> template homedir =/home/domain/%U
>>> template shell = /bin/bash
>>> winbind cache time = 10
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> winbind offline logon = Yes
>>> #
>>> printing = cups
>>> print command =
>>> lpq command = %p
>>> lprm command =
>>> veto oplock files = /*.doc/*.xls/*.mdb/
>>> map archive = No
>>> map readonly = no
>>> store dos attributes = Yes
>>> ea support = Yes
>>> admin users = root, "@domain admins"
>>>
>>>
>>> I have seen numerous 3.6.x winbind problems reported, but do not recall
>>> seeing this one.
>>> Does this look like a Samba bug or is it Debian-specific? winbind
>>> fixing itself after a reboot is particularly puzzling.
>>> Any and all suggestions appreciated.
>>>
>>>
>>> Dale
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>
More information about the samba
mailing list