[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1

Robert LeBlanc robert at leblancnet.us
Wed Dec 21 22:42:36 MST 2011


I tried to add "idmap config DOMAIN : default = yes" and it does not help.
I'm using hash. I've found some interesting things that I've included in
bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.

Robert

On Wed, Dec 21, 2011 at 5:33 PM, David Roid <dataroid at gmail.com> wrote:

> Been there, you can try to add either "idmap config DOMAIN : default =
> yes", or use old-fashioned "idmap backend = ..." + "idmap uid = ..." + "idmap
> gid = ..." to replace "idmap config * : ...", I don't know which one
> actually fixed it.
>
> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>
>> Originally filed by Robert LeBlanc as Debian Bug # 652679 -
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>
>> <Quote>
>>
>> Package: winbind
>> Version: 2:3.6.1-3
>> Severity: important
>>
>> Dear Maintainer,
>>
>> After upgrading to 3.6.1 I am no longer able to login to Debian using my
>> Active Directory account.
>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>> 'winbind -i user' returns
>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
>> for user user'. Changing
>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>> (fork_domain_child) fork_domain_child
>> called without domain.'. The previous wbint_Sid2Uid struct printout shows
>> that dom_name is NULL,
>> but has the correct domain SID. I believe the problem may exist around
>> there. I did upgrade the
>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>> hash' as specified in the man
>> page without any luck. Name to SID and SID to name works along with
>> user-domgroups, but user-groups
>> does not work. 'wbinfo --group-info=group' fails with a similar error as
>> 'wbinfo -i user'. I'm
>> going to try to get back to 3.5.11.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>>  APT prefers testing
>>  APT policy: (500, 'testing')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages winbind depends on:
>> ii  adduser           3.113
>> ii  libc6             2.13-21
>> ii  libcap2           1:2.22-1
>> ii  libcomerr2        1.42-1
>> ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
>> ii  libk5crypto3      1.10+dfsg~alpha1-6
>> ii  libkrb5-3         1.10+dfsg~alpha1-6
>> ii  libldap-2.4-2     2.4.25-4+b1
>> ii  libpam0g          1.1.3-6
>> ii  libpopt0          1.16-1
>> ii  libtalloc2        2.0.7-3
>> ii  libtdb1           1.2.9-4+b1
>> ii  libwbclient0      2:3.6.1-3
>> ii  lsb-base          3.2-28
>> ii  samba-common      2:3.6.1-3
>> ii  zlib1g            1:1.2.3.4.dfsg-3
>>
>> Versions of packages winbind recommends:
>> ii  libpam-winbind  2:3.6.1-3
>>
>> winbind suggests no packages.
>>
>> -- no debconf information
>>
>> </Quote>
>>
>> I also have this error, and reported as follows:
>>
>> Robert,
>>
>> Same problem here, and I have not seen anyone mention this on the Samba
>> list.  Systems are fully updated and testparm does not return any
>> errors.  idmap backend is rid notated in the new format.  All deprecated
>> parameters have been removed.
>>
>> On my systems, I have found that full functionality returns after a
>> reboot; however, if samba/winbind processes are restarted for any
>> reason, AD authentication again no longer works.  As with you, wbinfo
>> -u/-g continues to work, as does getent passwd.  getent group only
>> returns linux groups.  Another reboot will return winbind once again to
>> full functionality.
>>
>> Even at log level 10, error messages have been hard to find among the
>> many winbind logs.  At the time of failure, the one I consistently find
>> is in syslog:
>>    winbindd[4186]:  ads_ranged_search failed with: Time limit exceeded.
>>
>> ----------------------------------------------------------------
>>
>> This morning, I recreated the error by restarting Samba/winbind at 07:47.
>> The only suspicious level 10 log entries found from that timeframe are:
>>
>> <syslog>
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
>>  0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]:   ads_ranged_search failed
>> with: Time limit exceeded
>>
>> <smbd>
>> [2011/12/21 07:47:10.102879,  1] lib/serverid.c:197(serverid_deregister)
>>  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:47:10.103603,  1] smbd/server.c:303(remove_child_pid)
>>  Could not remove pid 3491 from serverid.tdb
>> [2011/12/21 07:47:10.104114,  1] smbd/server.c:317(remove_child_pid)
>>  Could not find child 3491 -- ignoring
>>
>> [2011/12/21 07:48:10.174369,  1] lib/serverid.c:197(serverid_deregister)
>>  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:48:10.175075,  1] smbd/server.c:303(remove_child_pid)
>>  Could not remove pid 3499 from serverid.tdb
>> [2011/12/21 07:48:10.490994,  1] smbd/server.c:317(remove_child_pid)
>>  Could not find child 3499 -- ignoring
>>
>> "net ads testjoin" indicates that the join is good.
>>
>> [global]
>>        workgroup = DOMAIN
>>        realm = DOMAIN.COM
>>        server string = %h server
>>        security = ADS
>>        map untrusted to domain = Yes
>>        allow trusted domains = No
>>        map to guest = Bad User
>>        obey pam restrictions = Yes
>>        password server = *
>>        passdb backend = tdbsam
>>        username map = /etc/samba/users.map
>>        lanman auth = No
>>        log level = 10
>>        log file =/var/log/samba/%m
>>        name resolve order = wins hosts bcast
>>        deadtime = 15
>>        printcap name = cups
>>        preferred master = No
>>        wins server = 192.168.1.xyz
>>        panic action = /usr/share/samba/panic-action %d
>>        ldap ssl = No
>>        #
>>        idmap config * : backend                = tdb
>>        idmap config * : range                  = 1000000 - 20000000
>>        idmap config DOMAIN : backend           = rid
>>        idmap config DOMAIN : range             = 1000 - 99999
>>        template homedir =/home/domain/%U
>>        template shell = /bin/bash
>>        winbind cache time = 10
>>        winbind enum users = Yes
>>        winbind enum groups = Yes
>>        winbind use default domain = Yes
>>        winbind offline logon = Yes
>>        #
>>        printing = cups
>>        print command =
>>        lpq command = %p
>>        lprm command =
>>        veto oplock files = /*.doc/*.xls/*.mdb/
>>        map archive = No
>>        map readonly = no
>>        store dos attributes = Yes
>>        ea support = Yes
>>        admin users = root, "@domain admins"
>>
>>
>> I have seen numerous 3.6.x winbind problems reported, but do not recall
>> seeing this one.
>> Does this look like a Samba bug or is it Debian-specific?  winbind fixing
>> itself after a reboot is particularly puzzling.
>> Any and all suggestions appreciated.
>>
>>
>> Dale
>>
>
>
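
An added example, not part of the original thread and not Samba project code: a small Python audit of the idmap lines in an smb.conf, covering the two syntaxes discussed above (the deprecated `idmap backend` / `idmap uid` / `idmap gid` and the newer `idmap config`). The function name `audit_idmap` and the checks it applies (mixed syntax, no default `*` settings, unset backend or range, overlapping ranges) are assumptions chosen for illustration; it does not diagnose the winbind failure reported here.

```python
import re
from itertools import combinations

# Global parameters that Samba 3.6 deprecates in favour of "idmap config * : ...".
DEPRECATED = {"idmap backend", "idmap uid", "idmap gid"}
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.+)$")

def audit_idmap(conf_text):
    """Summarise the idmap settings in smb.conf text and flag inconsistencies."""
    domains, deprecated, problems = {}, [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = re.sub(r"\s+", " ", key.lower())  # names are case-insensitive
        if key in DEPRECATED:
            deprecated.append(key)
        m = IDMAP_RE.match(key)
        if not m:
            continue
        dom, option = m.group(1).upper(), m.group(2)
        if option == "range":  # "low - high" -> (low, high)
            value = tuple(int(n) for n in value.split("-"))
        domains.setdefault(dom, {})[option] = value
    if deprecated and domains:
        problems.append("deprecated idmap parameters mixed with 'idmap config'")
    if domains and "*" not in domains:
        problems.append("no default 'idmap config * : ...' settings")
    for dom, entry in domains.items():
        if "backend" not in entry or "range" not in entry:
            problems.append(f"{dom}: backend or range not set")
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for (d1, r1), (d2, r2) in combinations(ranged, 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:
            problems.append(f"{d1} and {d2}: overlapping ranges")
    return {"domains": domains, "deprecated": deprecated, "problems": problems}

# idmap lines from the smb.conf posted in the thread.
POSTED = """\
idmap config * : backend                = tdb
idmap config * : range                  = 1000000 - 20000000
idmap config DOMAIN : backend           = rid
idmap config DOMAIN : range             = 1000 - 99999
"""

if __name__ == "__main__":
    print(audit_idmap(POSTED))
```
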

