[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
Dale Schroeder
dale at BriannasSaladDressing.com
Thu Dec 22 09:31:45 MST 2011
That is correct - it did not fix the problem - old or new idmap syntax.
Any time I restart the processes, such as after a config change, winbind
auth fails.
"getent group" yields the syslog error shown in the original post.
"wbinfo -i user" fails even though "user" appears in "getent passwd".
Reboot the system and everything is functioning again until the next
time nmbd/smbd/winbind are restarted, after which winbind is
nonfunctioning once again.
Dale
On 12/22/2011 9:02 AM, David Roid wrote:
> Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1
> using following idmap settings:
>
> idmap config * : range = ...
> idmap config * : backend = ...
> idmap config DOM : range = ...
> idmap config DOM : default = yes
> idmap config DOM : backend = ...
>
> then join the domain, no problem at all.
>
> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>
> David, thanks for the help, but I'm afraid that workaround does
> not work for me either.
> Robert, thanks for furnishing all that useful info to bugzilla.
> Jeremy, thanks for the update on
> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>
> I feel like I'm at the Academy Awards.
> Merry Christmas to all. <[];o{P>
>
> Dale
>
>
>
> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>> I tried to add "idmap config DOMAIN : default = yes" and it does
>> not help. I'm using hash. I've found some interesting things that
>> I've included in bug 8676
>> https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>
>> Robert
>>
>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid <dataroid at gmail.com> wrote:
>>
>> Been there, you can try to add either "idmap config DOMAIN :
>> default = yes", or use old-fashioned "idmap backend = ..." +
>> "idmap uid = ..." + "idmap gid = ..." to replace "idmap
>> config * : ...", I don't know which one actually fixed it.
>>
>> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>>
>> Originally filed by Robert LeBlanc as Debian Bug # 652679
>> - <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>
>> <Quote>
>>
>> Package: winbind
>> Version: 2:3.6.1-3
>> Severity: important
>>
>> Dear Maintainer,
>>
>> After upgrading to 3.6.1 I am no longer able to login to
>> Debian using my Active Directory account.
>> 'winbind -u', 'winbind -g', 'winbind -t' and many others
>> work fine, but 'winbind -i user' returns
>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user user'. Changing
>> the verbosity of the logs, I find
>> 'winbindd/winbindd_dual.c:1306 (fork_domain_child)
>> fork_domain_child
>> called without domain.'. The previous wbint_Sid2Uid
>> struct printout shows that dom_name is NULL,
>> but has the correct domain SID. I believe the problem may
>> exist around there. I did upgrade the
>> 'idmap backend = hash' to the new format 'idmap config *
>> : backend = hash' as specified in the man
>> page without any luck. Name to SID and SID to name works
>> along with user-domgroups, but user-groups
>> does not work. 'wbinfo --group-info=group' fails with a
>> similar error as 'wbinfo -i user'. I'm
>> going to try to get back to 3.5.11.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers testing
>> APT policy: (500, 'testing')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
>> (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages winbind depends on:
>> ii adduser 3.113
>> ii libc6 2.13-21
>> ii libcap2 1:2.22-1
>> ii libcomerr2 1.42-1
>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>> ii libk5crypto3 1.10+dfsg~alpha1-6
>> ii libkrb5-3 1.10+dfsg~alpha1-6
>> ii libldap-2.4-2 2.4.25-4+b1
>> ii libpam0g 1.1.3-6
>> ii libpopt0 1.16-1
>> ii libtalloc2 2.0.7-3
>> ii libtdb1 1.2.9-4+b1
>> ii libwbclient0 2:3.6.1-3
>> ii lsb-base 3.2-28
>> ii samba-common 2:3.6.1-3
>> ii zlib1g 1:1.2.3.4.dfsg-3
>>
>> Versions of packages winbind recommends:
>> ii libpam-winbind 2:3.6.1-3
>>
>> winbind suggests no packages.
>>
>> -- no debconf information
>>
>> </Quote>
>>
>> I also have this error, and reported as follows:
>>
>> Robert,
>>
>> Same problem here, and I have not seen anyone mention
>> this on the Samba
>> list. Systems are fully updated and testparm does not
>> return any
>> errors. idmap backend is rid notated in the new format.
>> All deprecated
>> parameters have been removed.
>>
>> On my systems, I have found that full functionality
>> returns after a
>> reboot; however, if samba/winbind processes are restarted
>> for any
>> reason, AD authentication again no longer works. As with
>> you, wbinfo
>> -u/-g continues to work, as does getent passwd. getent
>> group only
>> returns linux groups. Another reboot will return winbind
>> once again to
>> full functionality.
>>
>> Even at log level 10, error messages have been hard to
>> find among the
>> many winbind logs. At the time of failure, the one I
>> consistently find
>> is in syslog:
>> winbindd[4186]: ads_ranged_search failed with: Time
>> limit exceeded.
>>
>> --------------------------------------------------------------
>>
>> This morning, I recreated the error by restarting
>> Samba/winbind at 07:47.
>> The only suspicious level 10 log entries found from that
>> timeframe are:
>>
>> <syslog>
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21
>> 07:47:25.660769, 0]
>> winbindd/winbindd_ads.c:1068(lookup_groupmem)
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]:
>> ads_ranged_search failed with: Time limit exceeded
>>
>> <smbd>
>> [2011/12/21 07:47:10.102879, 1]
>> lib/serverid.c:197(serverid_deregister)
>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:47:10.103603, 1]
>> smbd/server.c:303(remove_child_pid)
>> Could not remove pid 3491 from serverid.tdb
>> [2011/12/21 07:47:10.104114, 1]
>> smbd/server.c:317(remove_child_pid)
>> Could not find child 3491 -- ignoring
>>
>> [2011/12/21 07:48:10.174369, 1]
>> lib/serverid.c:197(serverid_deregister)
>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:48:10.175075, 1]
>> smbd/server.c:303(remove_child_pid)
>> Could not remove pid 3499 from serverid.tdb
>> [2011/12/21 07:48:10.490994, 1]
>> smbd/server.c:317(remove_child_pid)
>> Could not find child 3499 -- ignoring
>>
>> "net ads testjoin" indicates that the join is good.
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> server string = %h server
>> security = ADS
>> map untrusted to domain = Yes
>> allow trusted domains = No
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> password server = *
>> passdb backend = tdbsam
>> username map = /etc/samba/users.map
>> lanman auth = No
>> log level = 10
>> log file =/var/log/samba/%m
>> name resolve order = wins hosts bcast
>> deadtime = 15
>> printcap name = cups
>> preferred master = No
>> wins server = 192.168.1.xyz
>> panic action = /usr/share/samba/panic-action %d
>> ldap ssl = No
>> #
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000 - 20000000
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 1000 - 99999
>> template homedir =/home/domain/%U
>> template shell = /bin/bash
>> winbind cache time = 10
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind offline logon = Yes
>> #
>> printing = cups
>> print command =
>> lpq command = %p
>> lprm command =
>> veto oplock files = /*.doc/*.xls/*.mdb/
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> ea support = Yes
>> admin users = root, "@domain admins"
>>
>>
>> I have seen numerous 3.6.x winbind problems reported, but
>> do not recall seeing this one.
>> Does this look like a Samba bug or is it Debian-specific?
>> winbind fixing itself after a reboot is particularly
>> puzzling.
>> Any and all suggestions appreciated.
>>
>>
>> Dale
>>
>>
>>
>>
>
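
A sanity check for the new-style "idmap config" lines discussed in this thread, added here as an example (not code from any poster or from the Samba project). It flags leftover old-style "idmap uid/gid/backend" parameters, domains with no backend or range, and malformed or overlapping ranges; it does not detect the winbind restart failure itself. The function names and the sample text are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SAMPLE = """\
[global]
   workgroup = DOMAIN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 20000000
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 1000 - 99999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.*?)\s*$", re.I)
OLD_RE = re.compile(r"^\s*idmap\s+(uid|gid|backend)\s*=", re.I)


def parse_idmap(text):
    """Return ({domain: {option: value}}, [old-style idmap lines])."""
    domains, old = {}, []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
        elif OLD_RE.match(line):
            old.append(line.strip())
    return domains, old


def check_idmap(text):
    """List problems found in the idmap settings of an smb.conf text."""
    domains, old = parse_idmap(text)
    problems = [f"old-style parameter: {entry}" for entry in old]
    ranges = []
    for dom, opts in sorted(domains.items()):
        problems += [f"{dom}: no '{k}' set"
                     for k in ("backend", "range") if k not in opts]
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if "range" in opts and (not m or int(m[1]) >= int(m[2])):
            problems.append(f"{dom}: malformed range '{opts['range']}'")
        elif m:
            ranges.append((int(m[1]), int(m[2]), dom))
    # Compare every pair: each domain needs its own non-overlapping range.
    for (lo1, hi1, d1), (lo2, hi2, d2) in combinations(sorted(ranges), 2):
        if lo2 <= hi1:
            problems.append(f"{d1} and {d2}: ranges overlap")
    return problems
```

A range value that a mail client has wrapped onto a second line is reported as malformed, so re-join such lines before pasting a configuration from a message into smb.conf.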