[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1

Dale Schroeder dale at BriannasSaladDressing.com
Thu Dec 22 10:01:22 MST 2011


RID

On 12/22/2011 10:38 AM, Robert LeBlanc wrote:
> What backend are you using? I can't get a single authentication to 
> work whether I reboot or not.
>
> The new or old syntax for hash does not work for me. I get a segfault 
> in the hash module when compiled as shared modules. I've mentioned all 
> that in the bug report.
>
> Robert
>
> On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder
> <dale at briannassaladdressing.com> wrote:
>
>     That is correct - it did not fix the problem - old or new idmap
>     syntax.  Any time I restart the processes, such as after a config
>     change, winbind auth fails.
>     "getent group" yields the syslog error shown in the original
>     post.  "wbinfo -i user"  fails even though "user" appears in
>     "getent passwd".
>     Reboot the system and everything is functioning again until the
>     next time nmbd/smbd/winbind are restarted, after which winbind is
>     nonfunctioning once again.
>
>     Dale
>
>
>
>     On 12/22/2011 9:02 AM, David Roid wrote:
>>     Didn't work? I just installed another opensuse 12.1, with Samba
>>     3.6.1 using following idmap settings:
>>
>>     idmap config * : range = ...
>>     idmap config * : backend = ...
>>     idmap config DOM : range = ...
>>     idmap config DOM : default = yes
>>     idmap config DOM : backend = ...
>>
>>     then join the domain, no problem at all.
>>
>>     2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>>
>>         David, thanks for the help, but I'm afraid that workaround
>>         does not work for me either.
>>         Robert, thanks for furnishing all that useful info to bugzilla.
>>         Jeremy, thanks for the update on
>>         https://bugzilla.samba.org/show_bug.cgi?id=8384.
>>
>>         I feel like I'm at the Academy Awards.
>>         Merry Christmas to all. <[];o{P>
>>
>>         Dale
>>
>>
>>
>>         On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>>         I tried to add "idmap config DOMAIN : default = yes" and it
>>>         does not help. I'm using hash. I've found some interesting
>>>         things that I've included in bug 8676
>>>         https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>>
>>>         Robert
>>>
>>>         On Wed, Dec 21, 2011 at 5:33 PM, David Roid
>>>         <dataroid at gmail.com> wrote:
>>>
>>>             Been there, you can try to add either "idmap config
>>>             DOMAIN : default = yes", or use old-fashion "idmap
>>>             backend = ..." + "idmap uid = ..." + "idmap gid = ..."
>>>             to replace "idmap config * : ...", I don't know which
>>>             one actually fixed it.
>>>
>>>             2011/12/22 Dale Schroeder
>>>             <dale at briannassaladdressing.com>
>>>
>>>                 Originally filed by Robert LeBlanc as Debian Bug #
>>>                 652679 -
>>>                 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>
>>>                 <Quote>
>>>
>>>                 Package: winbind
>>>                 Version: 2:3.6.1-3
>>>                 Severity: important
>>>
>>>                 Dear Maintainer,
>>>
>>>                 After upgrading to 3.6.1 I am no longer able to
>>>                 login to Debian using my Active Directory account.
>>>                 'winbind -u', 'winbind -g', 'winbind -t' and many
>>>                 others work fine, but 'winbind -i user' returns
>>>                 'failed to call wbcGetpwnam:
>>>                 WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
>>>                 user'. Changing
>>>                 the verbosity of the logs, I find
>>>                 'winbindd/winbindd_dual.c:1306 (fork_domain_child)
>>>                 fork_domain_child
>>>                 called without domain.'. The previous wbint_Sid2Uid
>>>                 struct printout shows that dom_name is NULL,
>>>                 but has the correct domain SID. I believe the
>>>                 problem may exist around there. I did upgrade the
>>>                 'idmap backend = hash' to the new format 'idmap
>>>                 config * : backend = hash' as specified in the man
>>>                 page without any luck. Name to SID and SID to name
>>>                 works along with user-domgroups, but user-groups
>>>                 does not work. 'wbinfo --group-info=group' fails
>>>                 with a similar error as 'wbinfo -i user'. I'm
>>>                 going to try to get back to 3.5.11.
>>>
>>>                 -- System Information:
>>>                 Debian Release: wheezy/sid
>>>                  APT prefers testing
>>>                  APT policy: (500, 'testing')
>>>                 Architecture: amd64 (x86_64)
>>>
>>>                 Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>>                 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
>>>                 (charmap=UTF-8)
>>>                 Shell: /bin/sh linked to /bin/dash
>>>
>>>                 Versions of packages winbind depends on:
>>>                 ii  adduser           3.113
>>>                 ii  libc6             2.13-21
>>>                 ii  libcap2           1:2.22-1
>>>                 ii  libcomerr2        1.42-1
>>>                 ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
>>>                 ii  libk5crypto3      1.10+dfsg~alpha1-6
>>>                 ii  libkrb5-3         1.10+dfsg~alpha1-6
>>>                 ii  libldap-2.4-2     2.4.25-4+b1
>>>                 ii  libpam0g          1.1.3-6
>>>                 ii  libpopt0          1.16-1
>>>                 ii  libtalloc2        2.0.7-3
>>>                 ii  libtdb1           1.2.9-4+b1
>>>                 ii  libwbclient0      2:3.6.1-3
>>>                 ii  lsb-base          3.2-28
>>>                 ii  samba-common      2:3.6.1-3
>>>                 ii  zlib1g            1:1.2.3.4.dfsg-3
>>>
>>>                 Versions of packages winbind recommends:
>>>                 ii  libpam-winbind  2:3.6.1-3
>>>
>>>                 winbind suggests no packages.
>>>
>>>                 -- no debconf information
>>>
>>>                 </Quote>
>>>
>>>                 I also have this error, and reported as follows:
>>>
>>>                 Robert,
>>>
>>>                 Same problem here, and I have not seen anyone
>>>                 mention this on the Samba
>>>                 list.  Systems are fully updated and testparm does
>>>                 not return any
>>>                 errors.  idmap backend is rid notated in the new
>>>                 format.  All deprecated
>>>                 parameters have been removed.
>>>
>>>                 On my systems, I have found that full functionality
>>>                 returns after a
>>>                 reboot; however, if samba/winbind processes are
>>>                 restarted for any
>>>                 reason, AD authentication again no longer works.  As
>>>                 with you, wbinfo
>>>                 -u/-g continues to work, as does getent passwd.
>>>                  getent group only
>>>                 returns linux groups.  Another reboot will return
>>>                 winbind once again to
>>>                 full functionality.
>>>
>>>                 Even at log level 10, error messages have been hard
>>>                 to find among the
>>>                 many winbind logs.  At the time of failure, the one
>>>                 I consistently find
>>>                 is in syslog:
>>>                    winbindd[4186]:  ads_ranged_search failed with:
>>>                 Time limit exceeded.
>>>
>>>                 --------------------------------------------------------------
>>>
>>>                 This morning, I recreated the error by restarting
>>>                 Samba/winbind at 07:47.
>>>                 The only suspicious level 10 log entries found from
>>>                 that timeframe are:
>>>
>>>                 <syslog>
>>>                 Dec 21 07:47:25 debinsp3200 winbindd[3489]:
>>>                 [2011/12/21 07:47:25.660769,  0]
>>>                 winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>>                 Dec 21 07:47:25 debinsp3200 winbindd[3489]:  
>>>                 ads_ranged_search failed with: Time limit exceeded
>>>
>>>                 <smbd>
>>>                 [2011/12/21 07:47:10.102879,  1]
>>>                 lib/serverid.c:197(serverid_deregister)
>>>                  Deleting serverid.tdb record failed:
>>>                 NT_STATUS_NOT_FOUND
>>>                 [2011/12/21 07:47:10.103603,  1]
>>>                 smbd/server.c:303(remove_child_pid)
>>>                  Could not remove pid 3491 from serverid.tdb
>>>                 [2011/12/21 07:47:10.104114,  1]
>>>                 smbd/server.c:317(remove_child_pid)
>>>                  Could not find child 3491 -- ignoring
>>>
>>>                 [2011/12/21 07:48:10.174369,  1]
>>>                 lib/serverid.c:197(serverid_deregister)
>>>                  Deleting serverid.tdb record failed:
>>>                 NT_STATUS_NOT_FOUND
>>>                 [2011/12/21 07:48:10.175075,  1]
>>>                 smbd/server.c:303(remove_child_pid)
>>>                  Could not remove pid 3499 from serverid.tdb
>>>                 [2011/12/21 07:48:10.490994,  1]
>>>                 smbd/server.c:317(remove_child_pid)
>>>                  Could not find child 3499 -- ignoring
>>>
>>>                 "net ads testjoin" indicates that the join is good.
>>>
>>>                 [global]
>>>                        workgroup = DOMAIN
>>>                        realm = DOMAIN.COM
>>>                        server string = %h server
>>>                        security = ADS
>>>                        map untrusted to domain = Yes
>>>                        allow trusted domains = No
>>>                        map to guest = Bad User
>>>                        obey pam restrictions = Yes
>>>                        password server = *
>>>                        passdb backend = tdbsam
>>>                        username map = /etc/samba/users.map
>>>                        lanman auth = No
>>>                        log level = 10
>>>                        log file =/var/log/samba/%m
>>>                        name resolve order = wins hosts bcast
>>>                        deadtime = 15
>>>                        printcap name = cups
>>>                        preferred master = No
>>>                        wins server = 192.168.1.xyz
>>>                        panic action = /usr/share/samba/panic-action %d
>>>                        ldap ssl = No
>>>                        #
>>>                        idmap config * : backend                = tdb
>>>                        idmap config * : range                  = 1000000 - 20000000
>>>                        idmap config DOMAIN : backend           = rid
>>>                        idmap config DOMAIN : range             = 1000 - 99999
>>>                        template homedir =/home/domain/%U
>>>                        template shell = /bin/bash
>>>                        winbind cache time = 10
>>>                        winbind enum users = Yes
>>>                        winbind enum groups = Yes
>>>                        winbind use default domain = Yes
>>>                        winbind offline logon = Yes
>>>                        #
>>>                        printing = cups
>>>                        print command =
>>>                        lpq command = %p
>>>                        lprm command =
>>>                        veto oplock files = /*.doc/*.xls/*.mdb/
>>>                        map archive = No
>>>                        map readonly = no
>>>                        store dos attributes = Yes
>>>                        ea support = Yes
>>>                        admin users = root, "@domain admins"
>>>
>>>
>>>                 I have seen numerous 3.6.x winbind problems
>>>                 reported, but do not recall seeing this one.
>>>                 Does this look like a Samba bug or is it
>>>                 Debian-specific?  winbind fixing itself after a
>>>                 reboot is particularly puzzling.
>>>                 Any and all suggestions appreciated.
>>>
>>>
>>>                 Dale
>>>
>>>
>>>
>>>
>>
>
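
An added example, not part of the original thread and not Samba's own code: a small Python check that parses the idmap lines of an smb.conf like the one quoted above, reports the deprecated `idmap backend` / `idmap uid` / `idmap gid` parameters the thread mentions migrating away from, and flags a missing or overlapping `range`. The sample config is constructed from the settings shown in the thread, the function names are hypothetical, and this is a configuration sanity pass, not a diagnosis of the bug discussed here.

```python
import re

# Constructed sample: idmap lines from the smb.conf quoted in the thread,
# plus one old-style line of the kind the posters replaced.
SAMPLE = """
[global]
    security = ADS
    idmap backend = hash
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 20000000
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 1000 - 99999
"""

DEPRECATED = ("idmap backend", "idmap uid", "idmap gid")
IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)$", re.I)
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)$")


def parse_idmap(text):
    """Return ({domain: {option: value}}, [deprecated parameter names])."""
    domains, deprecated = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.split())  # collapse runs of spaces in the name
        if key.lower() in DEPRECATED:
            deprecated.append(key.lower())
        match = IDMAP_RE.match(key)
        if match:
            domains.setdefault(match.group(1), {})[match.group(2).lower()] = value
    return domains, deprecated


def check(text):
    """List findings: deprecated parameters, missing or overlapping ranges."""
    domains, deprecated = parse_idmap(text)
    findings = [f"deprecated parameter: {name}" for name in deprecated]
    ranges = {}
    for dom, opts in domains.items():
        match = RANGE_RE.match(opts.get("range", ""))
        if match:
            ranges[dom] = (int(match.group(1)), int(match.group(2)))
        else:
            findings.append(f"{dom}: no usable range set")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges overlap: {a} and {b}")
    return findings
```
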

