[Samba] winbind errors and panics

Mart van de Wege mvdwege at gmail.com
Thu Jan 26 05:48:56 MST 2012


Hi,

I'm setting up a Samba AD member server on CentOS 6. Everything seems to
work, except that Windows users don't get automatically created in the
idmap backend (which is an LDAP tree, btw).

I do get the following errors in the winbind logging:

[2012/01/26 13:04:20.634990,  1] winbindd/idmap_ldap.c:193(verify_idpool)
  Unable to verify the idpool, cannot continue initialization!
[2012/01/26 13:04:20.635125,  0] winbindd/idmap.c:599(idmap_alloc_init)
  ERROR: Initialization failed for alloc backend, deferred!

and a panic by winbind:

[2012/01/26 13:06:50.726749,  0] lib/fault.c:46(fault_report)
  ===============================================================
[2012/01/26 13:06:50.726893,  0] lib/fault.c:47(fault_report)
  INTERNAL ERROR: Signal 11 in pid 2730 (3.5.10-114.el6)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2012/01/26 13:06:50.726931,  0] lib/fault.c:49(fault_report)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2012/01/26 13:06:50.726967,  0] lib/fault.c:50(fault_report)
  ===============================================================
[2012/01/26 13:06:50.727005,  0] lib/util.c:1490(smb_panic)
  PANIC (pid 2730): internal error
[2012/01/26 13:06:50.730324,  0] lib/util.c:1594(log_stack_trace)
  BACKTRACE: 19 stack frames:
   #0 winbindd(log_stack_trace+0x2e) [0x95a88e]
   #1 winbindd(smb_panic+0x2e) [0x95a9ae]
   #2 winbindd(+0x170f9f) [0x947f9f]
   #3 [0x110400]
   #4 /lib/libldap-2.4.so.2(ldap_unbind_ext+0x25) [0x186855]
   #5 /lib/libldap-2.4.so.2(ldap_unbind+0x70) [0x1869a0]
   #6 winbindd(+0x52d07f) [0xd0407f]
   #7 winbindd(+0x52d325) [0xd04325]
   #8 winbindd(run_events+0x110) [0x96c800]
   #9 winbindd(+0xbffd8) [0x896fd8]
   #10 winbindd(+0xc0f1d) [0x897f1d]
   #11 winbindd(+0x198d08) [0x96fd08]
   #12 winbindd(tevent_common_loop_immediate+0xe6) [0x96e4f6]
   #13 winbindd(run_events+0x3e) [0x96c72e]
   #14 winbindd(+0x195bc1) [0x96cbc1]
   #15 winbindd(_tevent_loop_once+0x98) [0x96d2c8]
   #16 winbindd(main+0xa9a) [0x86804a]
   #17 /lib/libc.so.6(__libc_start_main+0xe6) [0xf9ace6]
   #18 winbindd(+0x8e531) [0x865531]
[2012/01/26 13:06:50.731949,  0] lib/fault.c:326(dump_core)
  dumping core in /var/log/samba/cores/winbindd

Here's my testparm output with <domain> replacing our internal
domain name:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Profiles]"
Processing section "[<domain>]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
	workgroup = <domain>
	realm = <domain>.LOCAL
	server string = Samba Server Version %v
	security = ADS
	passdb backend = ldapsam:ldap://limara.mgt.<domain>.local
	log file = /var/log/samba/log.%m
	max log size = 50
	ldap admin dn = cn=Manager,dc=<domain>,dc=local
	ldap group suffix = ou=Group,dc=office
	ldap idmap suffix = ou=People,ou=Domain Users,dc=office
	ldap machine suffix = ou=Computers,dc=office
	ldap suffix = dc=<domain>,dc=local
	ldap ssl = no
	idmap backend = ldap:ldap://limara.mgt.<domain>.local
	idmap alloc backend = ldap
	idmap uid = 10000-19999
	idmap gid = 10000-19999
	idmap alloc config : ldap_base_dn = dc=office,dc=<domain>,dc=local
	idmap alloc config : ldap_url = ldap://limara.mgt.<domain>.local
	ldapsam:editposix = yes
	ldapsam:trusted = yes
	cups options = raw

[homes]
	comment = Home Directories
	path = /srv/windows/users/%S
	valid users = <domain>\%S
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

[Profiles]
	path = /srv/windows/profiles/
	read only = No
	guest ok = Yes
	browseable = No

[<Domain>]
	path = /srv/windows/shared/
	read only = No

Searching for the errors on Google gives me only parts of the source
code, questions, and no answers.

As a side note: if I do create the user objects manually, the idmappings
get created without problems. I could run production with the server as
it is now, but I'd prefer to have the account creation/idmapping happen
automatically, as that saves me a lot of admin work.




