[Samba] winbind is not taking default domain

Marco Huang marco.huang at auckland.ac.nz
Thu Mar 31 16:01:38 MDT 2011 

Problem solved after leave domain, clear winbind cache, stop winbind caching, and rejoin the domain - all these steps have to do at once. We have extremely large users and groups, and some groups contain hugh number of members, the problem could be related winbind caching. 

On 31/03/2011, at 9:34 AM, Marco Huang wrote:

> Not sure if you import all the users and groups into your /etc/passwd and /etc/group file respectively, would fix your problem.  
> 
> On 29/03/2011, at 11:39 PM, Werner Durgarten wrote:
> 
>> Similar Problem here: Since Upgrading to Sernet Samba 3.5.8 logging in without typing in the default domain does not work any more.
>> 
>> 
>> -------- Original-Nachricht --------
>>> Datum: Mon, 28 Mar 2011 16:34:19 +1300
>>> Von: Marco Huang <marco.huang at auckland.ac.nz>
>>> An: samba at lists.samba.org
>>> Betreff: [Samba] winbind is not taking default domain
>> 
>>> Hi,
>>> 
>>> We have been running samba file server about 2 years without this problem.
>>> The problem appeared at the same time on our debian and centos servers.
>>> Not sure if it's related to any updates on our windows AD servers.
>>> 
>>> Debian Squeeze
>>> sernet-samba-3.5.8-27
>>> 
>>> Centos 5.5
>>> samba3-3.5.5-43.el5
>>> 
>>> Use Active Directory for user login authentication
>>> Use uid/gid from ldap
>>> The reason we still want winbind is for managing permissions from client
>>> end. 
>>> 
>>> Since last week, users failed on login with "valid users = @staff" until I
>>> stopped winbind. I found if I change to valid users = @"ABC\staff", users
>>> can login, however the change can not resolve the problem of ACLs on the
>>> folders/files. Of cause, if I stop winbind, works ok - user can login, and
>>> following the current permissions, but we do need winbind for managing
>>> permissions from client end.
>>> 
>>> # smb.conf
>>> 
>>> [global]
>>>  realm = ad.mydomain
>>>  workgroup = ABC
>>>  server string = %h server 
>>>  enable privileges = yes 
>>>  dns proxy = no
>>>  netbios name = linfiles
>>>  smb ports = 139 445
>>> 
>>>  load printers = no
>>>  printing = bsd
>>>  printcap name = /dev/null
>>>  disable spoolss = yes
>>> 	
>>>  log file = /var/log/samba/%U.log
>>>  log level = 10 winbind:10
>>>  debug timestamp = yes
>>>  max log size = 1000
>>>  syslog only = no
>>>  syslog = 2
>>>  panic action = /usr/share/samba/panic-action %d
>>> 
>>>  security = ADS
>>>  encrypt passwords = true
>>>  obey pam restrictions = no
>>>  invalid users = root
>>> 
>>>  unix extensions = no
>>> 
>>>  idmap backend = nss
>>>  idmap config ABC : default = yes
>>>  idmap config ABC : backend = nss
>>>  idmap alloc backend = nss
>>>  idmap cache time = 30
>>>  allow trusted domains = no
>>> 
>>>  socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>>> SO_RCVBUF=65536 SO_SNDBUF=65536
>>>  locking = yes
>>>  strict locking = no
>>>  posix locking = yes
>>>  kernel oplocks = no
>>>  oplocks = yes
>>>  level2 oplocks = yes
>>> 
>>>  winbind trusted domains only =  yes
>>>  winbind use default domain = yes
>>>  winbind enum users = no
>>>  winbind enum groups = no
>>>  winbind cache time = 3600
>>> 	
>>>  acl compatibility = auto
>>> 
>>> [sit]
>>>  comment = Shares
>>>  browseable = yes
>>>  writable = yes
>>>  create mask = 0770
>>>  directory mask = 0770
>>>  acl group control = yes
>>>  acl check permissions = True
>>>  nt acl support = yes
>>>  force directory security mode = 770
>>>  inherit permissions = yes
>>>  inherit acls = yes
>>>  inherit owner = no
>>>  map acl inherit = yes
>>>  path = /mnt/sit
>>>  valid users = @staff
>>> 
>>> # /etc/nsswitch.conf
>>> passwd:     files ldap
>>> shadow:     files
>>> group:      files ldap
>>> 
>>> # getent group staff returns group members with testuser.
>>> 
>>> # wbinfo --own-domain
>>> ABC
>>> 
>>> # Here are some logs from debug mode, winbind just trying to lookup domain
>>> LINFILES and Unix Group rather than ABC.
>>> 
>>> [2011/03/25 12:43:50.645636,  3] lib/util_sid.c:228(string_to_sid)
>>> string_to_sid: Sid @staff does not start with 'S-'.
>>> [2011/03/25 12:43:50.645683,  5] smbd/password.c:423(user_in_netgroup)
>>> Unable to get default yp domain, let's try without specifying it
>>> [2011/03/25 12:43:50.645694,  5] smbd/password.c:430(user_in_netgroup)
>>> looking for user testuser of domain (ANY) in netgroup staff
>>> [2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
>>> lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
>>> [2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
>>> lookup_name: flags = 0x077
>>> [2011/03/25 12:43:50.645753,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>>> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>> [2011/03/25 12:43:50.645764,  3] smbd/uid.c:429(push_conn_ctx)
>>> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>>> [2011/03/25 12:43:50.645773,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>>> [2011/03/25 12:43:50.645783,  5]
>>> auth/token_util.c:525(debug_nt_user_token)
>>> NT user token: (NULL)
>>> [2011/03/25 12:43:50.645792,  5]
>>> auth/token_util.c:551(debug_unix_user_token)
>>> UNIX token of user 0
>>> Primary group is 0 and contains 0 supplementary groups
>>> [2011/03/25 12:43:50.645825,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
>>> lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
>>> [2011/03/25 12:43:50.645847, 10] passdb/lookup_sid.c:70(lookup_name)
>>> lookup_name: flags = 0x077
>>> [2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
>>> User testuser not in 'valid users'
>>> [2011/03/25 12:43:50.647820,  2]
>>> smbd/service.c:598(create_connection_server_info)
>>> user 'testuser' (from session setup) not permitted to access this share
>>> (sit)
>>> [2011/03/25 12:43:50.647832,  1] smbd/service.c:678(make_connection_snum)
>>> create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>>> [2011/03/25 12:43:50.647882,  3] smbd/error.c:80(error_packet_set)
>>> error packet at smbd/reply.c(795) cmd=117 (SMBtconX)
>>> NT_STATUS_ACCESS_DENIED
>>> 
>>> 
>>> cheers
>>> --
>>> Marco 
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> -- 
>> Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
>> belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list