[Samba] winbind stop working

Kevin Elliott kevin_elliott at ci.juneau.ak.us
Mon Apr 30 12:31:38 MDT 2012


Correction. I was reading the Debian versioning numbers.

We are on Samba/Winbind: 3.5.6 (Debian package:  2:3.5.6~dfsg-3squeeze6).

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 


> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Kevin Elliott
> Sent: Monday, April 30, 2012 9:51 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind stop working
> 
> We're also seeing similar symptoms with our Squid proxy's 
> winbindd as well.
> 
> After an indeterminate amount of time (sometimes an hour, 
> sometimes a day) the winbind process will lose the ability to 
> resolve UID/GIDs to SIDs and authentication to the proxy will fail:
> 
> [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
>   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
> 
> 
> If we try doing a winbind -p we get a successful return 
> however trying to look up a SID from UID/GID fails.
> 
> We're on Debian 6.0.4 and Samba 2.3.5.6.
> 
> 
> Has anyone else seen this issue? Any possible workarounds or patches?
> 
> 
> 
> 
> Here's the debugging output for a particular user:
> 
> [2012/04/27 11:04:52.217018,  3] smbd/process.c:1294(switch_message)
>   switch message SMBtconX (pid 15651) conn 0x0
> [2012/04/27 11:04:52.217041,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.217062,  5] 
> auth/token_util.c:525(debug_nt_user_token)
>   NT user token: (NULL)
> [2012/04/27 11:04:52.217085,  5] 
> auth/token_util.c:551(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2012/04/27 11:04:52.217132,  5] smbd/uid.c:369(change_to_root_user)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2012/04/27 11:04:52.217169,  4] smbd/reply.c:786(reply_tcon_and_X)
>   Client requested device type [?????] for share [FTP]
> [2012/04/27 11:04:52.217209,  5] smbd/service.c:1227(make_connection)
>   making a connection to 'normal' service ftp
> [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
>   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
> [2012/04/27 11:04:52.217268,  5] smbd/password.c:423(user_in_netgroup)
>   Unable to get default yp domain, let's try without specifying it
> [2012/04/27 11:04:52.217289,  5] smbd/password.c:430(user_in_netgroup)
>   looking for user CBJ_NT+kevin_miller of domain (ANY) in 
> netgroup CBJ_NT+domain users
> [2012/04/27 11:04:52.217316,  5] smbd/password.c:453(user_in_netgroup)
>   looking for user cbj_nt+kevin_miller of domain (ANY) in 
> netgroup CBJ_NT+domain users
> [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
>   lookup_name: CBJ_NT\domain users => CBJ_NT (domain), domain 
> users (name)
> [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
>   lookup_name: flags = 0x077
> [2012/04/27 11:04:52.217841, 10] 
> passdb/util_wellknown.c:152(lookup_wellknown_name)
>   map_name_to_wellknown_sid: looking up domain users
> [2012/04/27 11:04:52.217890,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2012/04/27 11:04:52.217921,  3] smbd/uid.c:429(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.217945,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2012/04/27 11:04:52.217966,  5] 
> auth/token_util.c:525(debug_nt_user_token)
>   NT user token: (NULL)
> [2012/04/27 11:04:52.217987,  5] 
> auth/token_util.c:551(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2012/04/27 11:04:52.218079,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.219317,  5] 
> smbd/share_access.c:117(token_contains_name)
>   lookup_name CBJ_NT+domain users failed
> [2012/04/27 11:04:52.219365, 10] 
> smbd/share_access.c:216(user_ok_token)
>   User CBJ_NT+kevin_miller not in 'valid users'
> [2012/04/27 11:04:52.219394,  2] 
> smbd/service.c:598(create_connection_server_info)
>   user 'CBJ_NT+kevin_miller' (from session setup) not 
> permitted to access this share (ftp)
> [2012/04/27 11:04:52.219420,  1] 
> smbd/service.c:678(make_connection_snum)
>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> [2012/04/27 11:04:52.219452,  3] smbd/error.c:80(error_packet_set)
>   error packet at smbd/reply.c(795) cmd=117 (SMBtconX) 
> NT_STATUS_ACCESS_DENIED
> 
> 
> Here's the debugging output from the winbindd-idmap.old log:
> 
> 2012/04/27 10:58:37.616201, 10] 
> winbindd/idmap_util.c:115(idmap_gid_to_sid)
>   idmap_gid_to_sid: gid = [1004], domain = ''
> [2012/04/27 10:58:37.616243, 10] 
> lib/gencache.c:334(gencache_get_data_blob)
>   Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
> [2012/04/27 10:58:37.616265, 10] 
> winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
>   idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
> [2012/04/27 10:58:37.616331, 10] 
> winbindd/idmap.c:475(idmap_find_domain)
>   idmap_find_domain called for domain ''
> [2012/04/27 10:58:37.616352,  5] 
> winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
>   Requested id (1004) out of range (10000 - 79999). Filtered!
> [2012/04/27 10:58:37.616380, 10] 
> lib/gencache.c:180(gencache_set_data_blob)
>   Adding cache entry with key = IDMAP/UID2SID/1004 and 
> timeout = Fri Apr 27 11:00:37 2012
>    (120 seconds ahead)
> [2012/04/27 10:58:37.616436, 10] 
> winbindd/idmap_util.c:151(idmap_gid_to_sid)
>   gid [1004] not mapped
> [2012/04/27 10:58:37.616456,  1] 
> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>        wbint_Gid2Sid: struct wbint_Gid2Sid
>           out: struct wbint_Gid2Sid
>               sid                      : *
>                   sid                      : S-0-0
>               result                   : NT_STATUS_NONE_MAPPED
> 
> 
> --
> Kevin Elliott
>  
> Network Specialist
> City and Borough of Juneau, MIS
> (907) 586 - 0905
>  
> 
> 
> 
> 
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org
> > [mailto:samba-bounces at lists.samba.org] On Behalf Of Daniele
> > Sent: Sunday, April 29, 2012 11:50 PM
> > To: samba at lists.samba.org
> > Subject: [Samba] winbind stop working
> > 
> > Hi, I am trying to use squid proxy with validation on win
> > 2003 active directory to filter internet navigation and for it I 
> > installed an ubuntu
> > 10.04 server 64 bit with samba.
> > My installation looks ok, the server is joined to the AD, ntlm is able 
> > to validate user, wbinfo reports correct information and squid works 
> > good.
> > The problem arises after some hours: winbind becomes unable to resolve 
> > info for users and to retrieve info for groups, so squid becomes 
> > unable to know if a user belongs to a group allowed to navigate and 
> > refuses connection.
> > Restarting winbind solves the problem for some hours.
> > wbinfo reports no particular problem; it just gives back messages like 
> > "could not get info for user xx" and also setting debuglevel to 
> > various numbers reports (to me) no significant clues.
> > I made a workaround scheduling a restart of winbind service every 
> > half hour and it works, but is not so elegant ...
> > Do you have any suggestion to solve this problem?
> > Thank you
> > Daniele
> > 
> > samba/winbind version is 3.4.7
> > squid is 2.7.STABLE7
> > os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux
> > 
> > smb.conf:
> > [global]
> >      workgroup = CED
> >      realm = CED.AOS
> >      server string = Samba Server Version %v
> >      security = ADS
> >      password server = 172.18.10.24 172.18.10.23
> >      name resolve order = lmhosts host bcast
> >      ldap ssl = no
> >      idmap uid = 15000-25000
> >      idmap gid = 15000-25000
> >      winbind separator = +
> >      winbind enum users = Yes
> >      winbind enum groups = Yes
> >      winbind use default domain = Yes
> >      cups options = raw
> > [homes]
> >      comment = Home Directories
> >      read only = No
> >      browseable = No
> >      browsable = No
> > 
> > [printers]
> >      comment = All Printers
> >      path = /var/spool/samba
> >      printable = Yes
> >      browseable = No
> >      browsable = No
> > 
> > 
> 
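
Added example, not part of the original messages and not Samba code: a Python parser for the debug-log format quoted in this thread, which lists the ids that the idmap layer filtered as out of range or left unmapped. The function names and the sample are constructed for illustration; the sample lines are copied from the winbindd-idmap excerpt above.

```python
import re

# Entry header: "[date time, level] file.c:line(function)"; \s* after "]" also
# accepts the line break that mail wrapping put between the two halves.
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(\S+):(\d+)\((\w+)\)")
OUT_OF_RANGE = re.compile(r"Requested id \((\d+)\) out of range \((\d+) - (\d+)\)")
NOT_MAPPED = re.compile(r"([ug]id) \[(\d+)\] not mapped")

# Constructed sample: two entries copied from the winbindd-idmap excerpt in the
# thread, one still carrying its mail quoting and wrapped header.
SAMPLE = """\
> [2012/04/27 10:58:37.616352,  5]
> winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
>   Requested id (1004) out of range (10000 - 79999). Filtered!
[2012/04/27 10:58:37.616436, 10] winbindd/idmap_util.c:151(idmap_gid_to_sid)
  gid [1004] not mapped
"""


def parse_entries(text):
    """Split a Samba debug log into entries, ignoring '>' quote prefixes."""
    text = "\n".join(re.sub(r"^(>\s?)+", "", ln) for ln in text.splitlines())
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"time": m.group(1), "level": int(m.group(2)),
                        "source": f"{m.group(3)}:{m.group(4)}",
                        "func": m.group(5),
                        "msg": " ".join(text[m.end():end].split())})
    return entries


def idmap_failures(entries):
    """Map each id the idmap layer rejected to what the log says about it."""
    found = {}
    for e in entries:
        m = OUT_OF_RANGE.search(e["msg"])
        if m:
            xid, low, high = map(int, m.groups())
            found.setdefault(xid, {})["range"] = (low, high)
        m = NOT_MAPPED.search(e["msg"])
        if m:
            found.setdefault(int(m.group(2)), {})["kind"] = m.group(1)
    return found


if __name__ == "__main__":
    for xid, info in idmap_failures(parse_entries(SAMPLE)).items():
        print(xid, info)
```
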
