[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1

Robert LeBlanc robert at leblancnet.us
Thu Dec 22 09:38:52 MST 2011


What backend are you using? I can't get a single authentication to work
whether I reboot or not.

The new or old syntax for hash does not work for me. I get a segfault in
the hash module when compiled as shared modules. I've mentioned all that in
the bug report.

Robert

On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder <
dale at briannassaladdressing.com> wrote:

>  That is correct - it did not fix the problem - old or new idmap syntax.
> Any time I restart the processes, such as after a config change, winbind
> auth fails.
> "getent group" yields the syslog error shown in the original post.
> "wbinfo -i user"  fails even though "user" appears in "getent passwd".
> Reboot the system and everything is functioning again until the next time
> nmbd/smbd/winbind are restarted, after which winbind is nonfunctioning once
> again.
>
> Dale
>
>
>
> On 12/22/2011 9:02 AM, David Roid wrote:
>
> Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1
> using following idmap settings:
>
> idmap config * : range = ...
> idmap config * : backend = ...
> idmap config DOM : range = ...
> idmap config DOM : default = yes
> idmap config DOM : backend = ...
>
> then join the domain, no problem at all.
>
> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>
>>  David, thanks for the help, but I'm afraid that workaround does not work
>> for me either.
>> Robert, thanks for furnishing all that useful info to bugzilla.
>> Jeremy, thanks for the update on
>> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>>
>> I feel like I'm at the Academy Awards.
>> Merry Christmas to all.  <[];o{P>
>>
>> Dale
>>
>>
>>
>> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>
>> I tried to add "idmap config DOMAIN : default = yes" and it does not
>> help. I'm using hash. I've found some interesting things that I've included
>> in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>
>>  Robert
>>
>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid <dataroid at gmail.com> wrote:
>>
>>> Been there, you can try to add either "idmap config DOMAIN : default =
>>> yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
>>> gid = ..." to replace "idmap config * : ...", I don't know which one
>>> actually fixed it.
>>>
>>> 2011/12/22 Dale Schroeder <dale at briannassaladdressing.com>
>>>
>>>>  Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
>>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>>
>>>> <Quote>
>>>>
>>>> Package: winbind
>>>> Version: 2:3.6.1-3
>>>> Severity: important
>>>>
>>>> Dear Maintainer,
>>>>
>>>> After upgrading to 3.6.1 I am no longer able to login to Debian using
>>>> my Active Directory account.
>>>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>>>> 'winbind -i user' returns
>>>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get
>>>> info for user user'. Changing
>>>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>>>> (fork_domain_child) fork_domain_child
>>>> called without domain.'. The previous wbint_Sid2Uid struct printout
>>>> shows that dom_name is NULL,
>>>> but has the correct domain SID. I believe the problem may exist around
>>>> there. I did upgrade the
>>>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>>>> hash' as specified in the man
>>>> page without any luck. Name to SID and SID to name works along with
>>>> user-domgroups, but user-groups
>>>> does not work. 'wbinfo --group-info=group' fails with a similar error
>>>> as 'wbinfo -i user'. I'm
>>>> going to try to get back to 3.5.11.
>>>>
>>>> -- System Information:
>>>> Debian Release: wheezy/sid
>>>>  APT prefers testing
>>>>  APT policy: (500, 'testing')
>>>> Architecture: amd64 (x86_64)
>>>>
>>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>>> Shell: /bin/sh linked to /bin/dash
>>>>
>>>> Versions of packages winbind depends on:
>>>> ii  adduser           3.113
>>>> ii  libc6             2.13-21
>>>> ii  libcap2           1:2.22-1
>>>> ii  libcomerr2        1.42-1
>>>> ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
>>>> ii  libk5crypto3      1.10+dfsg~alpha1-6
>>>> ii  libkrb5-3         1.10+dfsg~alpha1-6
>>>> ii  libldap-2.4-2     2.4.25-4+b1
>>>> ii  libpam0g          1.1.3-6
>>>> ii  libpopt0          1.16-1
>>>> ii  libtalloc2        2.0.7-3
>>>> ii  libtdb1           1.2.9-4+b1
>>>> ii  libwbclient0      2:3.6.1-3
>>>> ii  lsb-base          3.2-28
>>>> ii  samba-common      2:3.6.1-3
>>>> ii  zlib1g            1:1.2.3.4.dfsg-3
>>>>
>>>> Versions of packages winbind recommends:
>>>> ii  libpam-winbind  2:3.6.1-3
>>>>
>>>> winbind suggests no packages.
>>>>
>>>> -- no debconf information
>>>>
>>>> </Quote>
>>>>
>>>> I also have this error, and reported as follows:
>>>>
>>>> Robert,
>>>>
>>>> Same problem here, and I have not seen anyone mention this on the Samba
>>>> list.  Systems are fully updated and testparm does not return any
>>>> errors.  idmap backend is rid notated in the new format.  All deprecated
>>>> parameters have been removed.
>>>>
>>>> On my systems, I have found that full functionality returns after a
>>>> reboot; however, if samba/winbind processes are restarted for any
>>>> reason, AD authentication again no longer works.  As with you, wbinfo
>>>> -u/-g continues to work, as does getent passwd.  getent group only
>>>> returns linux groups.  Another reboot will return winbind once again to
>>>> full functionality.
>>>>
>>>> Even at log level 10, error messages have been hard to find among the
>>>> many winbind logs.  At the time of failure, the one I consistently find
>>>> is in syslog:
>>>>    winbindd[4186]:  ads_ranged_search failed with: Time limit exceeded.
>>>>
>>>> --------------------------------------------------------------
>>>>
>>>> This morning, I recreated the error by restarting Samba/winbind at
>>>> 07:47.
>>>> The only suspicious level 10 log entries found from that timeframe are:
>>>>
>>>> <syslog>
>>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21
>>>> 07:47:25.660769,  0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]:   ads_ranged_search failed
>>>> with: Time limit exceeded
>>>>
>>>> <smbd>
>>>> [2011/12/21 07:47:10.102879,  1] lib/serverid.c:197(serverid_deregister)
>>>>  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>>> [2011/12/21 07:47:10.103603,  1] smbd/server.c:303(remove_child_pid)
>>>>  Could not remove pid 3491 from serverid.tdb
>>>> [2011/12/21 07:47:10.104114,  1] smbd/server.c:317(remove_child_pid)
>>>>  Could not find child 3491 -- ignoring
>>>>
>>>> [2011/12/21 07:48:10.174369,  1] lib/serverid.c:197(serverid_deregister)
>>>>  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>>> [2011/12/21 07:48:10.175075,  1] smbd/server.c:303(remove_child_pid)
>>>>  Could not remove pid 3499 from serverid.tdb
>>>> [2011/12/21 07:48:10.490994,  1] smbd/server.c:317(remove_child_pid)
>>>>  Could not find child 3499 -- ignoring
>>>>
>>>> "net ads testjoin" indicates that the join is good.
>>>>
>>>> [global]
>>>>        workgroup = DOMAIN
>>>>        realm = DOMAIN.COM
>>>>        server string = %h server
>>>>        security = ADS
>>>>        map untrusted to domain = Yes
>>>>        allow trusted domains = No
>>>>        map to guest = Bad User
>>>>        obey pam restrictions = Yes
>>>>        password server = *
>>>>        passdb backend = tdbsam
>>>>        username map = /etc/samba/users.map
>>>>        lanman auth = No
>>>>        log level = 10
>>>>        log file =/var/log/samba/%m
>>>>        name resolve order = wins hosts bcast
>>>>        deadtime = 15
>>>>        printcap name = cups
>>>>        preferred master = No
>>>>        wins server = 192.168.1.xyz
>>>>        panic action = /usr/share/samba/panic-action %d
>>>>        ldap ssl = No
>>>>        #
>>>>        idmap config * : backend                = tdb
>>>>        idmap config * : range                  = 1000000 - 20000000
>>>>        idmap config DOMAIN : backend           = rid
>>>>        idmap config DOMAIN : range             = 1000 - 99999
>>>>        template homedir =/home/domain/%U
>>>>        template shell = /bin/bash
>>>>        winbind cache time = 10
>>>>        winbind enum users = Yes
>>>>        winbind enum groups = Yes
>>>>        winbind use default domain = Yes
>>>>        winbind offline logon = Yes
>>>>        #
>>>>        printing = cups
>>>>        print command =
>>>>        lpq command = %p
>>>>        lprm command =
>>>>        veto oplock files = /*.doc/*.xls/*.mdb/
>>>>        map archive = No
>>>>        map readonly = no
>>>>        store dos attributes = Yes
>>>>        ea support = Yes
>>>>        admin users = root, "@domain admins"
>>>>
>>>>
>>>> I have seen numerous 3.6.x winbind problems reported, but do not recall
>>>> seeing this one.
>>>> Does this look like a Samba bug or is it Debian-specific?  winbind
>>>> fixing itself after a reboot is particularly puzzling.
>>>> Any and all suggestions appreciated.
>>>>
>>>>
>>>> Dale
>>>>
>>>
>>>
>>
>
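
The quoted report notes that at log level 10 the relevant messages are hard to find among the winbind logs. The following is an added example, not part of the original thread and not Samba code: a small filter that parses the two-line Samba 3.x debug entries shown above (with or without the syslog prefix) and keeps only entries at level 0 or 1. The sample input is constructed from the excerpts in the post with the e-mail line wrapping undone, and the level-10 entry in it is made up.

```python
import re

# Header of a Samba 3.x debug entry: "[date time,  level] file:line(function)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
# Optional syslog prefix such as "Dec 21 07:47:25 host winbindd[3489]: "
SYSLOG = re.compile(r"^[A-Z][a-z]{2}\s+\d+ [\d:]{8} \S+ \S+\[\d+\]:\s?")

# Constructed sample: two entries taken from the post, one invented noise entry.
SAMPLE = """\
Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,  0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
Dec 21 07:47:25 debinsp3200 winbindd[3489]:   ads_ranged_search failed with: Time limit exceeded
[2011/12/21 07:47:26.000000, 10] winbindd/example.c:1(example_func)
  constructed level-10 noise entry
[2011/12/21 07:48:10.174369,  1] lib/serverid.c:197(serverid_deregister)
  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
"""

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = SYSLOG.sub("", raw).strip()
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "where": f'{m["src"]}:{m["line"]}',
                       "func": m["func"], "msg": []}
            entries.append(current)
        elif current is not None and line:
            current["msg"].append(line)
    for entry in entries:
        entry["msg"] = " ".join(entry["msg"])
    return entries

def important(text, max_level=1):
    """Return entries logged at or below max_level (0 and 1 by default)."""
    return [e for e in parse_entries(text) if e["level"] <= max_level]

if __name__ == "__main__":
    for e in important(SAMPLE):
        print(e["ts"], e["level"], e["where"], e["func"], "-", e["msg"])
```
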

