[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
Dale Schroeder
dale at BriannasSaladDressing.com
Thu Dec 22 10:01:22 MST 2011
RID
On 12/22/2011 10:38 AM, Robert LeBlanc wrote:
> What backend are you using? I can't get a single authentication to
> work whether I reboot or not.
>
> The new or old syntax for hash does not work for me. I get a segfault
> in the hash module when compiled as shared modules. I've mentioned all
> that in the bug report.
>
> Robert
>
> On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder
> <dale at briannassaladdressing.com> wrote:
>
> That is correct - it did not fix the problem - old or new idmap
> syntax. Any time I restart the processes, such as after a config
> change, winbind auth fails.
> "getent group" yields the syslog error shown in the original
> post. "wbinfo -i user" fails even though "user" appears in
> "getent passwd".
> Reboot the system and everything is functioning again until the
> next time nmbd/smbd/winbind are restarted, after which winbind is
> nonfunctioning once again.
>
> Dale
>
>
>
> On 12/22/2011 9:02 AM, David Roid wrote:
>> Didn't work? I just installed another opensuse 12.1, with Samba
>> 3.6.1 using following idmap settings:
>>
>> idmap config * : range = ...
>> idmap config * : backend = ...
>> idmap config DOM : range = ...
>> idmap config DOM : default = yes
>> idmap config DOM : backend = ...
>>
>> then join the domain, no problem at all.
>>
>> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>>
>> David, thanks for the help, but I'm afraid that workaround
>> does not work for me either.
>> Robert, thanks for furnishing all that useful info to bugzilla.
>> Jeremy, thanks for the update on
>> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>>
>> I feel like I'm at the Academy Awards.
>> Merry Christmas to all. <[];o{P>
>>
>> Dale
>>
>>
>>
>> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>> I tried to add "idmap config DOMAIN : default = yes" and it
>>> does not help. I'm using hash. I've found some interesting
>>> things that I've included in bug 8676
>>> https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>>
>>> Robert
>>>
>>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid
>>> <dataroid at gmail.com> wrote:
>>>
>>> Been there, you can try to add either "idmap config
>>> DOMAIN : default = yes", or use old-fashioned "idmap
>>> backend = ..." + "idmap uid = ..." + "idmap gid = ..."
>>> to replace "idmap config * : ...", I don't know which
>>> one actually fixed it.
>>>
>>> 2011/12/22 Dale Schroeder
>>> <dale at briannassaladdressing.com>
>>>
>>> Originally filed by Robert LeBlanc as Debian Bug #
>>> 652679 -
>>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>
>>> <Quote>
>>>
>>> Package: winbind
>>> Version: 2:3.6.1-3
>>> Severity: important
>>>
>>> Dear Maintainer,
>>>
>>> After upgrading to 3.6.1 I am no longer able to
>>> login to Debian using my Active Directory account.
>>> 'winbind -u', 'winbind -g', 'winbind -t' and many
>>> others work fine, but 'winbind -i user' returns
>>> 'failed to call wbcGetpwnam:
>>> WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
>>> user'. Changing
>>> the verbosity of the logs, I find
>>> 'winbindd/winbindd_dual.c:1306 (fork_domain_child)
>>> fork_domain_child
>>> called without domain.'. The previous wbint_Sid2Uid
>>> struct printout shows that dom_name is NULL,
>>> but has the correct domain SID. I believe the
>>> problem may exist around there. I did upgrade the
>>> 'idmap backend = hash' to the new format 'idmap
>>> config * : backend = hash' as specified in the man
>>> page without any luck. Name to SID and SID to name
>>> works along with user-domgroups, but user-groups
>>> does not work. 'wbinfo --group-info=group' fails
>>> with a similar error as 'wbinfo -i user'. I'm
>>> going to try to get back to 3.5.11.
>>>
>>> -- System Information:
>>> Debian Release: wheezy/sid
>>> APT prefers testing
>>> APT policy: (500, 'testing')
>>> Architecture: amd64 (x86_64)
>>>
>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
>>> (charmap=UTF-8)
>>> Shell: /bin/sh linked to /bin/dash
>>>
>>> Versions of packages winbind depends on:
>>> ii adduser 3.113
>>> ii libc6 2.13-21
>>> ii libcap2 1:2.22-1
>>> ii libcomerr2 1.42-1
>>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>>> ii libk5crypto3 1.10+dfsg~alpha1-6
>>> ii libkrb5-3 1.10+dfsg~alpha1-6
>>> ii libldap-2.4-2 2.4.25-4+b1
>>> ii libpam0g 1.1.3-6
>>> ii libpopt0 1.16-1
>>> ii libtalloc2 2.0.7-3
>>> ii libtdb1 1.2.9-4+b1
>>> ii libwbclient0 2:3.6.1-3
>>> ii lsb-base 3.2-28
>>> ii samba-common 2:3.6.1-3
>>> ii zlib1g 1:1.2.3.4.dfsg-3
>>>
>>> Versions of packages winbind recommends:
>>> ii libpam-winbind 2:3.6.1-3
>>>
>>> winbind suggests no packages.
>>>
>>> -- no debconf information
>>>
>>> </Quote>
>>>
>>> I also have this error, and reported as follows:
>>>
>>> Robert,
>>>
>>> Same problem here, and I have not seen anyone
>>> mention this on the Samba
>>> list. Systems are fully updated and testparm does
>>> not return any
>>> errors. idmap backend is rid notated in the new
>>> format. All deprecated
>>> parameters have been removed.
>>>
>>> On my systems, I have found that full functionality
>>> returns after a
>>> reboot; however, if samba/winbind processes are
>>> restarted for any
>>> reason, AD authentication again no longer works. As
>>> with you, wbinfo
>>> -u/-g continues to work, as does getent passwd.
>>> getent group only
>>> returns linux groups. Another reboot will return
>>> winbind once again to
>>> full functionality.
>>>
>>> Even at log level 10, error messages have been hard
>>> to find among the
>>> many winbind logs. At the time of failure, the one
>>> I consistently find
>>> is in syslog:
>>> winbindd[4186]: ads_ranged_search failed with:
>>> Time limit exceeded.
>>>
>>> --------------------------------------------------------------
>>>
>>> This morning, I recreated the error by restarting
>>> Samba/winbind at 07:47.
>>> The only suspicious level 10 log entries found from
>>> that timeframe are:
>>>
>>> <syslog>
>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]:
>>> [2011/12/21 07:47:25.660769, 0]
>>> winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]:
>>> ads_ranged_search failed with: Time limit exceeded
>>>
>>> <smbd>
>>> [2011/12/21 07:47:10.102879, 1]
>>> lib/serverid.c:197(serverid_deregister)
>>> Deleting serverid.tdb record failed:
>>> NT_STATUS_NOT_FOUND
>>> [2011/12/21 07:47:10.103603, 1]
>>> smbd/server.c:303(remove_child_pid)
>>> Could not remove pid 3491 from serverid.tdb
>>> [2011/12/21 07:47:10.104114, 1]
>>> smbd/server.c:317(remove_child_pid)
>>> Could not find child 3491 -- ignoring
>>>
>>> [2011/12/21 07:48:10.174369, 1]
>>> lib/serverid.c:197(serverid_deregister)
>>> Deleting serverid.tdb record failed:
>>> NT_STATUS_NOT_FOUND
>>> [2011/12/21 07:48:10.175075, 1]
>>> smbd/server.c:303(remove_child_pid)
>>> Could not remove pid 3499 from serverid.tdb
>>> [2011/12/21 07:48:10.490994, 1]
>>> smbd/server.c:317(remove_child_pid)
>>> Could not find child 3499 -- ignoring
>>>
>>> "net ads testjoin" indicates that the join is good.
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.COM
>>> server string = %h server
>>> security = ADS
>>> map untrusted to domain = Yes
>>> allow trusted domains = No
>>> map to guest = Bad User
>>> obey pam restrictions = Yes
>>> password server = *
>>> passdb backend = tdbsam
>>> username map = /etc/samba/users.map
>>> lanman auth = No
>>> log level = 10
>>> log file =/var/log/samba/%m
>>> name resolve order = wins hosts bcast
>>> deadtime = 15
>>> printcap name = cups
>>> preferred master = No
>>> wins server = 192.168.1.xyz
>>> panic action = /usr/share/samba/panic-action %d
>>> ldap ssl = No
>>> #
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000 - 20000000
>>> idmap config DOMAIN : backend = rid
>>> idmap config DOMAIN : range = 1000 - 99999
>>> template homedir =/home/domain/%U
>>> template shell = /bin/bash
>>> winbind cache time = 10
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> winbind offline logon = Yes
>>> #
>>> printing = cups
>>> print command =
>>> lpq command = %p
>>> lprm command =
>>> veto oplock files = /*.doc/*.xls/*.mdb/
>>> map archive = No
>>> map readonly = no
>>> store dos attributes = Yes
>>> ea support = Yes
>>> admin users = root, "@domain admins"
>>>
>>>
>>> I have seen numerous 3.6.x winbind problems
>>> reported, but do not recall seeing this one.
>>> Does this look like a Samba bug or is it
>>> Debian-specific? winbind fixing itself after a
>>> reboot is particularly puzzling.
>>> Any and all suggestions appreciated.
>>>
>>>
>>> Dale
>>>
>>>
>>>
>>>
>>
>
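
A triage helper for the log entries quoted in this thread, added here as an example and not part of the original message or of Samba: it pairs each Samba log header with its message text and reports which of the quoted failure messages appear in the first minute after a restart. The tag names, the restart time of 07:47:00, and the timestamp and level on the fork_domain_child entry are assumptions.

```python
import re
from datetime import datetime

FMT = "%Y/%m/%d %H:%M:%S"
# Samba log header: "[YYYY/MM/DD HH:MM:SS.usec, LEVEL] file.c:LINE(function)"
HEADER = re.compile(r"\[(?P<ts>[\d/]{10} [\d:]{8})\.\d+,\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>[\w./-]+):(?P<line>\d+)\s*\((?P<func>\w+)\)")
# Prefix that syslog puts in front of each winbindd line.
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \S+\[\d+\]:\s?")
# Substrings of the messages quoted in the thread, mapped to a short tag.
SIGNATURES = {"called without domain": "domain-child",
              "ads_ranged_search failed": "ad-group-lookup",
              "serverid.tdb": "serverid-tdb"}

# Constructed sample from the thread's log lines; the fork_domain_child timestamp and level are made up.
SAMPLE = """\
Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
Dec 21 07:47:25 debinsp3200 winbindd[3489]:   ads_ranged_search failed with: Time limit exceeded
[2011/12/21 07:47:26.000000, 0] winbindd/winbindd_dual.c:1306(fork_domain_child)
  fork_domain_child called without domain.
[2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
"""

def parse(text):
    """Pair each header with the message text that follows it."""
    records = []
    for raw in text.splitlines():
        line = SYSLOG.sub("", raw)
        m = HEADER.search(line)
        if m:
            rec = m.groupdict()
            rec["level"], rec["line"] = int(rec["level"]), int(rec["line"])
            rec["msg"] = line[m.end():].strip()
            records.append(rec)
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def flag(records, restart, window=60):
    """Signature hits within `window` seconds after `restart`, oldest first."""
    t0, hits = datetime.strptime(restart, FMT), []
    for r in records:
        delta = int((datetime.strptime(r["ts"], FMT) - t0).total_seconds())
        hits += [(tag, delta, f'{r["src"]}:{r["line"]}') for needle, tag in SIGNATURES.items()
                 if needle in r["msg"] and 0 <= delta <= window]
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    print(flag(parse(SAMPLE), "2011/12/21 07:47:00"))
```

Running it over the real smbd and winbindd logs after each restart shows whether the same messages recur at the same offset from the restart.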