[Samba] winbind stop working
Kevin Elliott
kevin_elliott at ci.juneau.ak.us
Mon Apr 30 12:31:38 MDT 2012
Correction. I was reading the Debian versioning numbers.
We are on Samba/Winbind: 3.5.6 (Debian package: 2:3.5.6~dfsg-3squeeze6).
--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Kevin Elliott
> Sent: Monday, April 30, 2012 9:51 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind stop working
>
> We're also seeing similar symptoms with our Squid proxy's
> winbindd as well.
>
> After an indeterminate amount of time (sometimes an hour,
> sometimes a day) the winbind process will lose the ability to
> resolve UID/GIDs to SIDS and authentication to the proxy will fail:
>
> [2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
> string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
>
>
> If we try doing a winbind -p we get a sucessful return
> however trying to lookup a SID from UID/GID fails.
>
> We're on Debian 6.0.4 and Samba 2.3.5.6.
>
>
> Has anyone else seen this issue? Any possible workarounds or patches?
>
>
>
>
> Here's an the debugging output for a particular user:
>
> [2012/04/27 11:04:52.217018, 3] smbd/process.c:1294(switch_message)
> switch message SMBtconX (pid 15651) conn 0x0
> [2012/04/27 11:04:52.217041, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.217062, 5]
> auth/token_util.c:525(debug_nt_user_token)
> NT user token: (NULL)
> [2012/04/27 11:04:52.217085, 5]
> auth/token_util.c:551(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2012/04/27 11:04:52.217132, 5] smbd/uid.c:369(change_to_root_user)
> change_to_root_user: now uid=(0,0) gid=(0,0)
> [2012/04/27 11:04:52.217169, 4] smbd/reply.c:786(reply_tcon_and_X)
> Client requested device type [?????] for share [FTP]
> [2012/04/27 11:04:52.217209, 5] smbd/service.c:1227(make_connection)
> making a connection to 'normal' service ftp
> [2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
> string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
> [2012/04/27 11:04:52.217268, 5] smbd/password.c:423(user_in_netgroup)
> Unable to get default yp domain, let's try without specifying it
> [2012/04/27 11:04:52.217289, 5] smbd/password.c:430(user_in_netgroup)
> looking for user CBJ_NT+kevin_miller of domain (ANY) in
> netgroup CBJ_NT+domain users
> [2012/04/27 11:04:52.217316, 5] smbd/password.c:453(user_in_netgroup)
> looking for user cbj_nt+kevin_miller of domain (ANY) in
> netgroup CBJ_NT+domain users
> [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
> lookup_name: CBJ_NT\domain users => CBJ_NT (domain), domain
> users (name)
> [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
> lookup_name: flags = 0x077
> [2012/04/27 11:04:52.217841, 10]
> passdb/util_wellknown.c:152(lookup_wellknown_name)
> map_name_to_wellknown_sid: looking up domain users
> [2012/04/27 11:04:52.217890, 3] smbd/sec_ctx.c:210(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2012/04/27 11:04:52.217921, 3] smbd/uid.c:429(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.217945, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2012/04/27 11:04:52.217966, 5]
> auth/token_util.c:525(debug_nt_user_token)
> NT user token: (NULL)
> [2012/04/27 11:04:52.217987, 5]
> auth/token_util.c:551(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2012/04/27 11:04:52.218079, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.219317, 5]
> smbd/share_access.c:117(token_contains_name)
> lookup_name CBJ_NT+domain users failed
> [2012/04/27 11:04:52.219365, 10]
> smbd/share_access.c:216(user_ok_token)
> User CBJ_NT+kevin_miller not in 'valid users'
> [2012/04/27 11:04:52.219394, 2]
> smbd/service.c:598(create_connection_server_info)
> user 'CBJ_NT+kevin_miller' (from session setup) not
> permitted to access this share (ftp)
> [2012/04/27 11:04:52.219420, 1]
> smbd/service.c:678(make_connection_snum)
> create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> [2012/04/27 11:04:52.219452, 3] smbd/error.c:80(error_packet_set)
> error packet at smbd/reply.c(795) cmd=117 (SMBtconX)
> NT_STATUS_ACCESS_DENIED
>
>
> Here's the debugging output from the winbindd-idmap.old log:
>
> 2012/04/27 10:58:37.616201, 10]
> winbindd/idmap_util.c:115(idmap_gid_to_sid)
> idmap_gid_to_sid: gid = [1004], domain = ''
> [2012/04/27 10:58:37.616243, 10]
> lib/gencache.c:334(gencache_get_data_blob)
> Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
> [2012/04/27 10:58:37.616265, 10]
> winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
> idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
> [2012/04/27 10:58:37.616331, 10]
> winbindd/idmap.c:475(idmap_find_domain)
> idmap_find_domain called for domain ''
> [2012/04/27 10:58:37.616352, 5]
> winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
> Requested id (1004) out of range (10000 - 79999). Filtered!
> [2012/04/27 10:58:37.616380, 10]
> lib/gencache.c:180(gencache_set_data_blob)
> Adding cache entry with key = IDMAP/UID2SID/1004 and
> timeout = Fri Apr 27 11:00:37 2012
> (120 seconds ahead)
> [2012/04/27 10:58:37.616436, 10]
> winbindd/idmap_util.c:151(idmap_gid_to_sid)
> gid [1004] not mapped
> [2012/04/27 10:58:37.616456, 1]
> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
> wbint_Gid2Sid: struct wbint_Gid2Sid
> out: struct wbint_Gid2Sid
> sid : *
> sid : S-0-0
> result : NT_STATUS_NONE_MAPPED
>
>
> --
> Kevin Elliott
>
> Network Specialist
> City and Borough of Juneau, MIS
> (907) 586 - 0905
>
>
>
>
>
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org
> > [mailto:samba-bounces at lists.samba.org] On Behalf Of Daniele
> > Sent: Sunday, April 29, 2012 11:50 PM
> > To: samba at lists.samba.org
> > Subject: [Samba] winbind stop working
> >
> > Hi, I am trying to use squid proxy with validation on win
> > 2003 active directory to filter internet navigation and for it I
> > installed an ubuntu
> > 10.04 server 64 bit with samba.
> > My installation looks ok, the server is joined to the AD,
> ntlm is able
> > to validate user, wbinfo report corret information and squid works
> > good.
> > The problem arise after some hours: winbind become not able
> to resolv
> > info for users and to retrieve info for groups, so squid become not
> > able to know id a user belong to a group allowed to navigate and
> > refuse connection.
> > Restarting winbind solve the problem for some hours.
> > wbinfo report no particular problem; just give back messages like
> > "could not get info for user xx" and also setting debuglevel to
> > various numbers reports (to me) no significant clues.
> > I made a workaround scheduling a restart of winbind service
> at every
> > half hour and it works, but is not so elegant ...
> > Do you have any suggestion to solve this problem?
> > Thank you
> > Daniele
> >
> > samba/winbind version is 3.4.7
> > squid is 2.7.STABLE7
> > os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux
> >
> > smb.conf:
> > [global]
> > workgroup = CED
> > realm = CED.AOS
> > server string = Samba Server Version %v
> > security = ADS
> > password server = 172.18.10.24 172.18.10.23
> > name resolve order = lmhosts host bcast
> > ldap ssl = no
> > idmap uid = 15000-25000
> > idmap gid = 15000-25000
> > winbind separator = +
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > cups options = raw
> > [homes]
> > comment = Home Directories
> > read only = No
> > browseable = No
> > browsable = No
> >
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > printable = Yes
> > browseable = No
> > browsable = No
> >
> >
> > ----
> > Le informazioni contenute in questa comunicazione e gli eventuali
> > documenti allegati hanno carattere confidenziale e sono ad uso
> > esclusivo del destinatario. Nel caso in cui questa comunicazione Vi
> > sia pervenuta per errore, Vi informiamo che la sua diffusione e
> > riproduzione e' contraria alla legge, pertanto Vi preghiamo
> di darci
> > prontamente avviso e di cancellare quanto ricevuto.
> > Grazie.
> >
> > This e-mail message and any files transmitted with it contain
> > confidential information intended only for the person(s) to
> whom it is
> > addressed. If you are not the intended recipient, you are hereby
> > notified that any use or distribution of this e-mail is strictly
> > prohibited: please notify the sender and delete the
> original message.
> > Thank you.
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list