[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1

Dale Schroeder dale at BriannasSaladDressing.com
Thu Dec 22 09:31:45 MST 2011


That is correct - it did not fix the problem - old or new idmap syntax.  
Any time I restart the processes, such as after a config change, winbind 
auth fails.
"getent group" yields the syslog error shown in the original post.  
"wbinfo -i user"  fails even though "user" appears in "getent passwd".
Reboot the system and everything is functioning again until the next 
time nmbd/smbd/winbind are restarted, after which winbind is 
nonfunctioning once again.

Dale


On 12/22/2011 9:02 AM, David Roid wrote:
> Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1 
> using following idmap settings:
>
> idmap config * : range = ...
> idmap config * : backend = ...
> idmap config DOM : range = ...
> idmap config DOM : default = yes
> idmap config DOM : backend = ...
>
> then join the domain, no problem at all.
>
> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>
>     David, thanks for the help, but I'm afraid that workaround does
>     not work for me either.
>     Robert, thanks for furnishing all that useful info to bugzilla.
>     Jeremy, thanks for the update on
>     https://bugzilla.samba.org/show_bug.cgi?id=8384.
>
>     I feel like I'm at the Academy Awards.
>     Merry Christmas to all. <[];o{P>
>
>     Dale
>
>
>
>     On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>     I tried to add "idmap config DOMAIN : default = yes" and it does
>>     not help. I'm using hash. I've found some interesting things that
>>     I've included in bug 8676
>>     https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>
>>     Robert
>>
>>     On Wed, Dec 21, 2011 at 5:33 PM, David Roid <dataroid at gmail.com> wrote:
>>
>>         Been there, you can try to add either "idmap config DOMAIN :
>>         default = yes", or use old-fashion "idmap backend = ..." +
>>         "idmap uid = ..." + "idmap gid = ..." to replace "idmap
>>         config * : ...", I don't know which one actually fixed it.
>>
>>         2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>>
>>             Originally filed by Robert LeBlanc as Debian Bug # 652679
>>             - <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>
>>             <Quote>
>>
>>             Package: winbind
>>             Version: 2:3.6.1-3
>>             Severity: important
>>
>>             Dear Maintainer,
>>
>>             After upgrading to 3.6.1 I am no longer able to login to
>>             Debian using my Active Directory account.
>>             'winbind -u', 'winbind -g', 'winbind -t' and many others
>>             work fine, but 'winbind -i user' returns
>>             'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>             Could not get info for user user'. Changing
>>             the verbosity of the logs, I find
>>             'winbindd/winbindd_dual.c:1306 (fork_domain_child)
>>             fork_domain_child
>>             called without domain.'. The previous wbint_Sid2Uid
>>             struct printout shows that dom_name is NULL,
>>             but has the correct domain SID. I believe the problem may
>>             exist around there. I did upgrade the
>>             'idmap backend = hash' to the new format 'idmap config *
>>             : backend = hash' as specified in the man
>>             page without any luck. Name to SID and SID to name works
>>             along with user-domgroups, but user-groups
>>             does not work. 'wbinfo --group-info=group' fails with a
>>             similar error as 'wbinfo -i user'. I'm
>>             going to try to get back to 3.5.11.
>>
>>             -- System Information:
>>             Debian Release: wheezy/sid
>>              APT prefers testing
>>              APT policy: (500, 'testing')
>>             Architecture: amd64 (x86_64)
>>
>>             Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>             Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
>>             (charmap=UTF-8)
>>             Shell: /bin/sh linked to /bin/dash
>>
>>             Versions of packages winbind depends on:
>>             ii  adduser           3.113
>>             ii  libc6             2.13-21
>>             ii  libcap2           1:2.22-1
>>             ii  libcomerr2        1.42-1
>>             ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
>>             ii  libk5crypto3      1.10+dfsg~alpha1-6
>>             ii  libkrb5-3         1.10+dfsg~alpha1-6
>>             ii  libldap-2.4-2     2.4.25-4+b1
>>             ii  libpam0g          1.1.3-6
>>             ii  libpopt0          1.16-1
>>             ii  libtalloc2        2.0.7-3
>>             ii  libtdb1           1.2.9-4+b1
>>             ii  libwbclient0      2:3.6.1-3
>>             ii  lsb-base          3.2-28
>>             ii  samba-common      2:3.6.1-3
>>             ii  zlib1g            1:1.2.3.4.dfsg-3
>>
>>             Versions of packages winbind recommends:
>>             ii  libpam-winbind  2:3.6.1-3
>>
>>             winbind suggests no packages.
>>
>>             -- no debconf information
>>
>>             </Quote>
>>
>>             I also have this error, and reported as follows:
>>
>>             Robert,
>>
>>             Same problem here, and I have not seen anyone mention
>>             this on the Samba
>>             list.  Systems are fully updated and testparm does not
>>             return any
>>             errors.  idmap backend is rid notated in the new format.
>>              All deprecated
>>             parameters have been removed.
>>
>>             On my systems, I have found that full functionality
>>             returns after a
>>             reboot; however, if samba/winbind processes are restarted
>>             for any
>>             reason, AD authentication again no longer works.  As with
>>             you, wbinfo
>>             -u/-g continues to work, as does getent passwd.  getent
>>             group only
>>             returns linux groups.  Another reboot will return winbind
>>             once again to
>>             full functionality.
>>
>>             Even at log level 10, error messages have been hard to
>>             find among the
>>             many winbind logs.  At the time of failure, the one I
>>             consistently find
>>             is in syslog:
>>                winbindd[4186]:  ads_ranged_search failed with: Time
>>             limit exceeded.
>>
>>             --------------------------------------------------------------
>>
>>             This morning, I recreated the error by restarting
>>             Samba/winbind at 07:47.
>>             The only suspicious level 10 log entries found from that
>>             timeframe are:
>>
>>             <syslog>
>>             Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21
>>             07:47:25.660769,  0]
>>             winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>             Dec 21 07:47:25 debinsp3200 winbindd[3489]:  
>>             ads_ranged_search failed with: Time limit exceeded
>>
>>             <smbd>
>>             [2011/12/21 07:47:10.102879,  1]
>>             lib/serverid.c:197(serverid_deregister)
>>              Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>             [2011/12/21 07:47:10.103603,  1]
>>             smbd/server.c:303(remove_child_pid)
>>              Could not remove pid 3491 from serverid.tdb
>>             [2011/12/21 07:47:10.104114,  1]
>>             smbd/server.c:317(remove_child_pid)
>>              Could not find child 3491 -- ignoring
>>
>>             [2011/12/21 07:48:10.174369,  1]
>>             lib/serverid.c:197(serverid_deregister)
>>              Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>             [2011/12/21 07:48:10.175075,  1]
>>             smbd/server.c:303(remove_child_pid)
>>              Could not remove pid 3499 from serverid.tdb
>>             [2011/12/21 07:48:10.490994,  1]
>>             smbd/server.c:317(remove_child_pid)
>>              Could not find child 3499 -- ignoring
>>
>>             "net ads testjoin" indicates that the join is good.
>>
>>             [global]
>>                    workgroup = DOMAIN
>>                    realm = DOMAIN.COM
>>                    server string = %h server
>>                    security = ADS
>>                    map untrusted to domain = Yes
>>                    allow trusted domains = No
>>                    map to guest = Bad User
>>                    obey pam restrictions = Yes
>>                    password server = *
>>                    passdb backend = tdbsam
>>                    username map = /etc/samba/users.map
>>                    lanman auth = No
>>                    log level = 10
>>                    log file =/var/log/samba/%m
>>                    name resolve order = wins hosts bcast
>>                    deadtime = 15
>>                    printcap name = cups
>>                    preferred master = No
>>                    wins server = 192.168.1.xyz
>>                    panic action = /usr/share/samba/panic-action %d
>>                    ldap ssl = No
>>                    #
>>                    idmap config * : backend                = tdb
>>                    idmap config * : range                  = 1000000 - 20000000
>>                    idmap config DOMAIN : backend           = rid
>>                    idmap config DOMAIN : range             = 1000 - 99999
>>                    template homedir =/home/domain/%U
>>                    template shell = /bin/bash
>>                    winbind cache time = 10
>>                    winbind enum users = Yes
>>                    winbind enum groups = Yes
>>                    winbind use default domain = Yes
>>                    winbind offline logon = Yes
>>                    #
>>                    printing = cups
>>                    print command =
>>                    lpq command = %p
>>                    lprm command =
>>                    veto oplock files = /*.doc/*.xls/*.mdb/
>>                    map archive = No
>>                    map readonly = no
>>                    store dos attributes = Yes
>>                    ea support = Yes
>>                    admin users = root, "@domain admins"
>>
>>
>>             I have seen numerous 3.6.x winbind problems reported, but
>>             do not recall seeing this one.
>>             Does this look like a Samba bug or is it Debian-specific?
>>              winbind fixing itself after a reboot is particularly
>>             puzzling.
>>             Any and all suggestions appreciated.
>>
>>
>>             Dale
>>
>>
>>
>>
>
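
An added example, not part of the original thread and not Samba's own code: a small parser for the Samba log records quoted above (header line plus indented message, with or without a syslog prefix) that flags the messages the posters singled out. The sample input is constructed from the thread's log lines; the label strings and the last record's timestamp and level are assumptions.

```python
import re

# Samba log header: "[YYYY/MM/DD HH:MM:SS.usec,  LEVEL] file.c:LINE(function)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
# Prefix syslog puts in front of the same records ("Dec 21 07:47:25 host winbindd[3489]: ")
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \w+\[\d+\]: ?")

# Message fragments quoted in the thread, mapped to a short label (labels are ours).
SIGNATURES = {
    "called without domain": "winbindd: fork_domain_child called without domain",
    "ads_ranged_search failed": "winbindd: ads_ranged_search time limit exceeded",
    "Deleting serverid.tdb record failed": "smbd: serverid.tdb record delete failed",
}

# Constructed sample: log lines from the thread, un-wrapped; the last record's
# timestamp and level are made up because the thread does not give them.
SAMPLE_LOG = """\
Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,  0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
Dec 21 07:47:25 debinsp3200 winbindd[3489]:   ads_ranged_search failed with: Time limit exceeded
[2011/12/21 07:47:10.102879,  1] lib/serverid.c:197(serverid_deregister)
  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
[2011/12/21 07:47:10.103603,  1] smbd/server.c:303(remove_child_pid)
  Could not remove pid 3491 from serverid.tdb
[2011/12/21 07:47:26.000000, 10] winbindd/winbindd_dual.c:1306(fork_domain_child)
  fork_domain_child called without domain.
"""

def parse_records(text):
    """Join each header line with its continuation lines into one record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).strip()
        m = HEADER.match(line)
        if m:
            cur = dict(m.groupdict(), msg=line[m.end():].strip())
            cur["level"] = int(cur["level"])
            records.append(cur)
        elif cur is not None:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return records

def triage(text):
    """Return (timestamp, function, label) for every record matching a signature."""
    return [(r["ts"], r["func"], label)
            for r in parse_records(text)
            for needle, label in SIGNATURES.items() if needle in r["msg"]]
```

Running `triage()` over the winbindd and smbd logs captured right after a service restart narrows a level 10 log down to the few records worth attaching to a bug report.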

