[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
Robert LeBlanc
robert at leblancnet.us
Thu Dec 22 09:38:52 MST 2011
What backend are you using? I can't get a single authentication to work
whether I reboot or not.
The new or old syntax for hash does not work for me. I get a segfault in
the hash module when compiled as shared modules. I've mentioned all that in
the bug report.
Robert
On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder <
dale at briannassaladdressing.com> wrote:
> That is correct - it did not fix the problem - old or new idmap syntax.
> Any time I restart the processes, such as after a config change, winbind
> auth fails.
> "getent group" yields the syslog error shown in the original post.
> "wbinfo -i user" fails even though "user" appears in "getent passwd".
> Reboot the system and everything is functioning again until the next time
> nmbd/smbd/winbind are restarted, after which winbind is nonfunctioning once
> again.
>
> Dale
>
>
>
> On 12/22/2011 9:02 AM, David Roid wrote:
>
> Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1
> using the following idmap settings:
>
> idmap config * : range = ...
> idmap config * : backend = ...
> idmap config DOM : range = ...
> idmap config DOM : default = yes
> idmap config DOM : backend = ...
>
> then join the domain, no problem at all.
>
> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>
>> David, thanks for the help, but I'm afraid that workaround does not work
>> for me either.
>> Robert, thanks for furnishing all that useful info to bugzilla.
>> Jeremy, thanks for the update on
>> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>>
>> I feel like I'm at the Academy Awards.
>> Merry Christmas to all. <[];o{P>
>>
>> Dale
>>
>>
>>
>> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>
>> I tried to add "idmap config DOMAIN : default = yes" and it does not
>> help. I'm using hash. I've found some interesting things that I've included
>> in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>
>> Robert
>>
>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid <dataroid at gmail.com> wrote:
>>
>>> Been there, you can try to add either "idmap config DOMAIN : default =
>>> yes", or use old-fashioned "idmap backend = ..." + "idmap uid = ..." + "idmap
>>> gid = ..." to replace "idmap config * : ...", I don't know which one
>>> actually fixed it.
>>>
>>> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>>>
>>>> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
>>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>>
>>>> <Quote>
>>>>
>>>> Package: winbind
>>>> Version: 2:3.6.1-3
>>>> Severity: important
>>>>
>>>> Dear Maintainer,
>>>>
>>>> After upgrading to 3.6.1 I am no longer able to login to Debian using
>>>> my Active Directory account.
>>>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>>>> 'winbind -i user' returns
>>>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get
>>>> info for user user'. Changing
>>>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>>>> (fork_domain_child) fork_domain_child
>>>> called without domain.'. The previous wbint_Sid2Uid struct printout
>>>> shows that dom_name is NULL,
>>>> but has the correct domain SID. I believe the problem may exist around
>>>> there. I did upgrade the
>>>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>>>> hash' as specified in the man
>>>> page without any luck. Name to SID and SID to name works along with
>>>> user-domgroups, but user-groups
>>>> does not work. 'wbinfo --group-info=group' fails with a similar error
>>>> as 'wbinfo -i user'. I'm
>>>> going to try to get back to 3.5.11.
>>>>
>>>> -- System Information:
>>>> Debian Release: wheezy/sid
>>>> APT prefers testing
>>>> APT policy: (500, 'testing')
>>>> Architecture: amd64 (x86_64)
>>>>
>>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>>> Shell: /bin/sh linked to /bin/dash
>>>>
>>>> Versions of packages winbind depends on:
>>>> ii adduser 3.113
>>>> ii libc6 2.13-21
>>>> ii libcap2 1:2.22-1
>>>> ii libcomerr2 1.42-1
>>>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>>>> ii libk5crypto3 1.10+dfsg~alpha1-6
>>>> ii libkrb5-3 1.10+dfsg~alpha1-6
>>>> ii libldap-2.4-2 2.4.25-4+b1
>>>> ii libpam0g 1.1.3-6
>>>> ii libpopt0 1.16-1
>>>> ii libtalloc2 2.0.7-3
>>>> ii libtdb1 1.2.9-4+b1
>>>> ii libwbclient0 2:3.6.1-3
>>>> ii lsb-base 3.2-28
>>>> ii samba-common 2:3.6.1-3
>>>> ii zlib1g 1:1.2.3.4.dfsg-3
>>>>
>>>> Versions of packages winbind recommends:
>>>> ii libpam-winbind 2:3.6.1-3
>>>>
>>>> winbind suggests no packages.
>>>>
>>>> -- no debconf information
>>>>
>>>> </Quote>
>>>>
>>>> I also have this error, and reported as follows:
>>>>
>>>> Robert,
>>>>
>>>> Same problem here, and I have not seen anyone mention this on the Samba
>>>> list. Systems are fully updated and testparm does not return any
>>>> errors. idmap backend is rid notated in the new format. All deprecated
>>>> parameters have been removed.
>>>>
>>>> On my systems, I have found that full functionality returns after a
>>>> reboot; however, if samba/winbind processes are restarted for any
>>>> reason, AD authentication again no longer works. As with you, wbinfo
>>>> -u/-g continues to work, as does getent passwd. getent group only
>>>> returns linux groups. Another reboot will return winbind once again to
>>>> full functionality.
>>>>
>>>> Even at log level 10, error messages have been hard to find among the
>>>> many winbind logs. At the time of failure, the one I consistently find
>>>> is in syslog:
>>>> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>>>>
>>>> --------------------------------------------------------------
>>>>
>>>> This morning, I recreated the error by restarting Samba/winbind at
>>>> 07:47.
>>>> The only suspicious level 10 log entries found from that timeframe are:
>>>>
>>>> <syslog>
>>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21
>>>> 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed
>>>> with: Time limit exceeded
>>>>
>>>> <smbd>
>>>> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
>>>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>>> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
>>>> Could not remove pid 3491 from serverid.tdb
>>>> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
>>>> Could not find child 3491 -- ignoring
>>>>
>>>> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
>>>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>>> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
>>>> Could not remove pid 3499 from serverid.tdb
>>>> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
>>>> Could not find child 3499 -- ignoring
>>>>
>>>> "net ads testjoin" indicates that the join is good.
>>>>
>>>> [global]
>>>> workgroup = DOMAIN
>>>> realm = DOMAIN.COM
>>>> server string = %h server
>>>> security = ADS
>>>> map untrusted to domain = Yes
>>>> allow trusted domains = No
>>>> map to guest = Bad User
>>>> obey pam restrictions = Yes
>>>> password server = *
>>>> passdb backend = tdbsam
>>>> username map = /etc/samba/users.map
>>>> lanman auth = No
>>>> log level = 10
>>>> log file =/var/log/samba/%m
>>>> name resolve order = wins hosts bcast
>>>> deadtime = 15
>>>> printcap name = cups
>>>> preferred master = No
>>>> wins server = 192.168.1.xyz
>>>> panic action = /usr/share/samba/panic-action %d
>>>> ldap ssl = No
>>>> #
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 1000000 - 20000000
>>>> idmap config DOMAIN : backend = rid
>>>> idmap config DOMAIN : range = 1000 - 99999
>>>> template homedir =/home/domain/%U
>>>> template shell = /bin/bash
>>>> winbind cache time = 10
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind use default domain = Yes
>>>> winbind offline logon = Yes
>>>> #
>>>> printing = cups
>>>> print command =
>>>> lpq command = %p
>>>> lprm command =
>>>> veto oplock files = /*.doc/*.xls/*.mdb/
>>>> map archive = No
>>>> map readonly = no
>>>> store dos attributes = Yes
>>>> ea support = Yes
>>>> admin users = root, "@domain admins"
>>>>
>>>>
>>>> I have seen numerous 3.6.x winbind problems reported, but do not recall
>>>> seeing this one.
>>>> Does this look like a Samba bug or is it Debian-specific? winbind
>>>> fixing itself after a reboot is particularly puzzling.
>>>> Any and all suggestions appreciated.
>>>>
>>>>
>>>> Dale
>>>>
>>>
>>>
>>
>
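Added example, not part of the original thread and not Samba code: a small checker for the idmap settings discussed above, useful for ruling out configuration errors before suspecting the 3.6.1 bug. It flags the old `idmap backend` / `idmap uid` / `idmap gid` syntax, domains without a backend or range, and overlapping ranges (smb.conf(5) requires the configured ranges to be disjoint). The names `parse_idmap` and `check_idmap` are hypothetical, and the sample is constructed from the idmap lines of the smb.conf quoted in the thread.

```python
import re

# Constructed sample: the idmap lines of the smb.conf quoted in the thread.
THREAD_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 1000000 - 20000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 99999
"""

LEGACY = {"idmap backend", "idmap uid", "idmap gid"}  # old syntax named in the thread
IDMAP_KEY = re.compile(r"idmap config\s+([^\s:]+)\s*:\s*(.+)")

def parse_idmap(text):
    """Return ({domain: {option: value}}, [legacy parameter names found])."""
    domains, legacy = {}, []
    for raw in text.splitlines():
        key, sep, value = (part.strip() for part in raw.partition("="))
        if not sep or key[:1] in "#;":  # section headers, blanks, comments
            continue
        key = re.sub(r"\s+", " ", key.lower())  # parameter names are case-insensitive
        match = IDMAP_KEY.fullmatch(key)
        if key in LEGACY:
            legacy.append(key)
        elif match:
            domains.setdefault(match.group(1).upper(), {})[match.group(2)] = value
    return domains, legacy

def check_idmap(text):
    """List problems: legacy syntax, missing backend or range, overlapping ranges."""
    domains, legacy = parse_idmap(text)
    findings = [f"legacy parameter '{key}' present" for key in legacy]
    ranges = []
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"{dom}: no backend set")
        match = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not match or int(match.group(1)) > int(match.group(2)):
            findings.append(f"{dom}: missing or malformed range")
            continue
        ranges.append((int(match.group(1)), int(match.group(2)), dom))
    top, top_dom = -1, None
    for low, high, dom in sorted(ranges):
        if low <= top:  # starts inside a range another domain already claims
            findings.append(f"{top_dom} and {dom}: ranges overlap")
        if high > top:
            top, top_dom = high, dom
    return findings
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` against a real file; the configuration quoted in the thread produces no findings.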