[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
Robert LeBlanc
robert at leblancnet.us
Wed Dec 21 22:42:36 MST 2011
I tried to add "idmap config DOMAIN : default = yes" and it does not help.
I'm using hash. I've found some interesting things that I've included in
bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
Robert
On Wed, Dec 21, 2011 at 5:33 PM, David Roid <dataroid at gmail.com> wrote:
> Been there, you can try to add either "idmap config DOMAIN : default =
> yes", or use old-fashioned "idmap backend = ..." + "idmap uid = ..." + "idmap
> gid = ..." to replace "idmap config * : ...", I don't know which one
> actually fixed it.
>
> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>
>> Originally filed by Robert LeBlanc as Debian Bug # 652679 -
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>
>> <Quote>
>>
>> Package: winbind
>> Version: 2:3.6.1-3
>> Severity: important
>>
>> Dear Maintainer,
>>
>> After upgrading to 3.6.1 I am no longer able to login to Debian using my
>> Active Directory account.
>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>> 'winbind -i user' returns
>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
>> for user user'. Changing
>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>> (fork_domain_child) fork_domain_child
>> called without domain.'. The previous wbint_Sid2Uid struct printout shows
>> that dom_name is NULL,
>> but has the correct domain SID. I believe the problem may exist around
>> there. I did upgrade the
>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>> hash' as specified in the man
>> page without any luck. Name to SID and SID to name works along with
>> user-domgroups, but user-groups
>> does not work. 'wbinfo --group-info=group' fails with a similar error as
>> 'wbinfo -i user'. I'm
>> going to try to get back to 3.5.11.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers testing
>> APT policy: (500, 'testing')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages winbind depends on:
>> ii adduser 3.113
>> ii libc6 2.13-21
>> ii libcap2 1:2.22-1
>> ii libcomerr2 1.42-1
>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>> ii libk5crypto3 1.10+dfsg~alpha1-6
>> ii libkrb5-3 1.10+dfsg~alpha1-6
>> ii libldap-2.4-2 2.4.25-4+b1
>> ii libpam0g 1.1.3-6
>> ii libpopt0 1.16-1
>> ii libtalloc2 2.0.7-3
>> ii libtdb1 1.2.9-4+b1
>> ii libwbclient0 2:3.6.1-3
>> ii lsb-base 3.2-28
>> ii samba-common 2:3.6.1-3
>> ii zlib1g 1:1.2.3.4.dfsg-3
>>
>> Versions of packages winbind recommends:
>> ii libpam-winbind 2:3.6.1-3
>>
>> winbind suggests no packages.
>>
>> -- no debconf information
>>
>> </Quote>
>>
>> I also have this error, and reported as follows:
>>
>> Robert,
>>
>> Same problem here, and I have not seen anyone mention this on the Samba
>> list. Systems are fully updated and testparm does not return any
>> errors. idmap backend is rid notated in the new format. All deprecated
>> parameters have been removed.
>>
>> On my systems, I have found that full functionality returns after a
>> reboot; however, if samba/winbind processes are restarted for any
>> reason, AD authentication again no longer works. As with you, wbinfo
>> -u/-g continues to work, as does getent passwd. getent group only
>> returns linux groups. Another reboot will return winbind once again to
>> full functionality.
>>
>> Even at log level 10, error messages have been hard to find among the
>> many winbind logs. At the time of failure, the one I consistently find
>> is in syslog:
>> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>>
>> ----------------------------------------------------------------
>>
>> This morning, I recreated the error by restarting Samba/winbind at 07:47.
>> The only suspicious level 10 log entries found from that timeframe are:
>>
>> <syslog>
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed with: Time limit exceeded
>>
>> <smbd>
>> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
>> Could not remove pid 3491 from serverid.tdb
>> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
>> Could not find child 3491 -- ignoring
>>
>> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
>> Could not remove pid 3499 from serverid.tdb
>> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
>> Could not find child 3499 -- ignoring
>>
>> "net ads testjoin" indicates that the join is good.
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> server string = %h server
>> security = ADS
>> map untrusted to domain = Yes
>> allow trusted domains = No
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> password server = *
>> passdb backend = tdbsam
>> username map = /etc/samba/users.map
>> lanman auth = No
>> log level = 10
>> log file =/var/log/samba/%m
>> name resolve order = wins hosts bcast
>> deadtime = 15
>> printcap name = cups
>> preferred master = No
>> wins server = 192.168.1.xyz
>> panic action = /usr/share/samba/panic-action %d
>> ldap ssl = No
>> #
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000 - 20000000
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 1000 - 99999
>> template homedir =/home/domain/%U
>> template shell = /bin/bash
>> winbind cache time = 10
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind offline logon = Yes
>> #
>> printing = cups
>> print command =
>> lpq command = %p
>> lprm command =
>> veto oplock files = /*.doc/*.xls/*.mdb/
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> ea support = Yes
>> admin users = root, "@domain admins"
>>
>>
>> I have seen numerous 3.6.x winbind problems reported, but do not recall
>> seeing this one.
>> Does this look like a Samba bug or is it Debian-specific? winbind fixing
>> itself after a reboot is particularly puzzling.
>> Any and all suggestions appreciated.
>>
>>
>> Dale
>>
>
>
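
Added example, not part of the original thread and not Samba code: a small checker for the idmap migration discussed above, which flags pre-3.6 global parameters ("idmap backend", "idmap uid", "idmap gid") next to their "idmap config * :" replacements and reports domains without a backend or range and overlapping ranges. The function names and MIXED_CONF are assumptions made for illustration; it checks configuration form only and does not diagnose the failure reported in the thread.

```python
import re
# Pre-3.6 global parameters and the "idmap config * :" option that replaces each.
DEPRECATED = {"idmap backend": "backend", "idmap uid": "range", "idmap gid": "range"}
IDMAP_KEY = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\S.*)")
# PAGE_CONF: idmap lines from the smb.conf quoted in the thread.
# MIXED_CONF: constructed sample mixing old and new syntax, with overlapping ranges.
PAGE_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 1000000 - 20000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 99999
"""
MIXED_CONF = """[global]
idmap backend = hash
idmap uid = 10000-20000
idmap config * : range = 10000 - 20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 15000 - 99999
"""

def parse_global(text):
    """Return {parameter: value} for [global]; keys lower-cased, spaces normalized."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap(text):
    """List deprecated idmap parameters, domains lacking backend/range, and overlaps."""
    findings, domains, seen = [], {}, []
    for key, value in parse_global(text).items():
        if key in DEPRECATED:
            findings.append(f"deprecated '{key}': use 'idmap config * : {DEPRECATED[key]} = {value}'")
        elif (m := IDMAP_KEY.fullmatch(key)):
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"{dom}: no backend set")
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not r:
            findings.append(f"{dom}: missing or malformed range")
            continue
        low, high = int(r.group(1)), int(r.group(2))
        findings += [f"{dom}: range overlaps {o}" for o, ol, oh in seen if low <= oh and ol <= high]
        seen.append((dom, low, high))
    return findings
```

The idmap block quoted in the thread produces no findings, which matches the report that testparm returned no errors for it.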