[Samba] winbind stop working

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri May 4 14:15:52 MDT 2012


I had a problem with Samba 3.0.x on Solaris 10 some time back.  The
Samba servers were DCs for the domain; they were not in an ADS
domain.  However, I did have domain trusts set up, so winbind was
required.  Winbind would allocate UIDs and GIDs.  There is a cache
time value for either winbind or idmap (testparm -v will tell you).
When the cache time expired the cached info was, obviously, invalid,
BUT samba/winbind would not refresh the cache.  Thus users from the
trusted domain would lose access.  The cache files are local TDB
files, even though (in my case) the idmap and other account info was in LDAP.


The cache issue was resolved when I upgraded to Samba 3.4.x.  However,
it seems that winbind now can't even create new idmap entries.  Since
there is practically no personnel change in the trusted ADS domain this
isn't really an issue; I can always add the idmap entries in LDAP.

Check your cache values.  Back up and delete the idmap cache TDB files
(maybe the winbind cache files as well).  Restarting winbind and typing
"getent passwd" and "getent group" should repopulate them.  The tdbdump
command is useful for looking at the contents of a file if you aren't sure
what the file is for.

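The cache-reset procedure above, written out as a script. This is an added example, not code from the original post or from the Samba project. Everything about file names and paths is an assumption to check on your own build: Samba 3.x is assumed to keep the winbind user/group cache in winbindd_cache.tdb and the idmap cache (the IDMAP/UID2SID and IDMAP/GID2SID keys that appear in Kevin's quoted winbindd-idmap log) in gencache.tdb under /var/lib/samba, and the init script is assumed to answer to `service winbind`; `smbd -b` prints the LOCKDIR/CACHEDIR your package was built with. One caveat the post's own setup hides: Gaiseric keeps idmap in LDAP, so deleting idmap TDBs costs him nothing, but with the default tdb backend (Daniele's smb.conf sets no idmap backend) winbindd_idmap.tdb is the allocation store, not a cache, so the script refuses to touch it.

```shell
#!/bin/sh
# Added example; not code from the original thread or from Samba.
# Assumed locations and service name (verify with `smbd -b` and your init scripts).
set -eu

CACHE_DIR="${CACHE_DIR:-/var/lib/samba}"
# Cache files only. winbindd_idmap.tdb is deliberately NOT listed: with the
# tdb idmap backend it holds the SID<->uid/gid allocations, and deleting it
# re-allocates ids and silently changes the ownership of existing files.
CACHE_TDBS="winbindd_cache.tdb gencache.tdb"

# Step 1: show the effective cache-lifetime and idmap-range settings.
# testparm -v prints defaults too, so a value applies even when smb.conf
# never mentions it.
show_cache_params() {
    testparm -sv 2>/dev/null | grep -Ei 'cache time|idmap (uid|gid)|idmap config'
}

# Step 2: copy the named TDB files from SRC to DST before touching them.
# Prints how many files were actually copied, so a caller can refuse to go
# on when a file it expected to save was missing.
backup_tdb_files() {   # usage: backup_tdb_files SRC DST NAME...
    src=$1; dst=$2; shift 2
    mkdir -p "$dst"
    n=0
    for f in "$@"; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dst/$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Step 3: stop winbind, drop the caches, start it again, and walk the NSS
# databases so winbind re-asks the DC for every user and group.
reset_winbind_cache() {
    stamp=$(date +%Y%m%d-%H%M%S)
    saved=$(backup_tdb_files "$CACHE_DIR" "$CACHE_DIR/backup-$stamp" $CACHE_TDBS)
    echo "backed up $saved cache file(s) to $CACHE_DIR/backup-$stamp"
    service winbind stop
    for f in $CACHE_TDBS; do rm -f "$CACHE_DIR/$f"; done
    service winbind start
    getent passwd >/dev/null
    getent group  >/dev/null
    # To inspect a file before deciding whether it is a cache:
    #   tdbdump "$CACHE_DIR/gencache.tdb" | grep 'IDMAP/'
}

# The destructive part only runs when explicitly requested.
if [ "${RUN_RESET:-0}" = 1 ]; then
    show_cache_params || true
    reset_winbind_cache
fi
```

Run it as `RUN_RESET=1 sh reset-winbind-cache.sh` on the proxy; without the variable it only defines the functions, which is what makes the backup helper testable on a scratch directory.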


On 05/04/12 16:02, Kevin Elliott wrote:
> No one else has seen this issue? 
>
> Should I move this to samba-technical? Or submit a bug report?
>
>
> Is there any other information that would be helpful in troubleshooting this? 
>
>
>> -----Original Message-----
>> From: Kevin Elliott 
>> Sent: Monday, April 30, 2012 9:51 AM
>> To: samba at lists.samba.org
>> Subject: RE: [Samba] winbind stop working
>>
>> We're also seeing similar symptoms with our Squid proxy's
>> winbindd as well.
>>
>> After an indeterminate amount of time (sometimes an hour,
>> sometimes a day) the winbind process will lose the ability to
>> resolve UIDs/GIDs to SIDs and authentication to the proxy will fail:
>>
>> [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
>>   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
>>
>>
>> If we try doing a winbind -p we get a successful return;
>> however, trying to look up a SID from a UID/GID fails.
>>
>> We're on Debian 6.0.4 and Samba 2.3.5.6.
>>
>>
>> Has anyone else seen this issue? Any possible workarounds or patches?
>>
>>
>>
>>
>> Here's the debugging output for a particular user:
>>
>> [2012/04/27 11:04:52.217018,  3] smbd/process.c:1294(switch_message)
>>   switch message SMBtconX (pid 15651) conn 0x0
>> [2012/04/27 11:04:52.217041,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2012/04/27 11:04:52.217062,  5] 
>> auth/token_util.c:525(debug_nt_user_token)
>>   NT user token: (NULL)
>> [2012/04/27 11:04:52.217085,  5] 
>> auth/token_util.c:551(debug_unix_user_token)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2012/04/27 11:04:52.217132,  5] smbd/uid.c:369(change_to_root_user)
>>   change_to_root_user: now uid=(0,0) gid=(0,0)
>> [2012/04/27 11:04:52.217169,  4] smbd/reply.c:786(reply_tcon_and_X)
>>   Client requested device type [?????] for share [FTP]
>> [2012/04/27 11:04:52.217209,  5] smbd/service.c:1227(make_connection)
>>   making a connection to 'normal' service ftp
>> [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
>>   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
>> [2012/04/27 11:04:52.217268,  5] smbd/password.c:423(user_in_netgroup)
>>   Unable to get default yp domain, let's try without specifying it
>> [2012/04/27 11:04:52.217289,  5] smbd/password.c:430(user_in_netgroup)
>>   looking for user CBJ_NT+kevin_miller of domain (ANY) in 
>> netgroup CBJ_NT+domain users
>> [2012/04/27 11:04:52.217316,  5] smbd/password.c:453(user_in_netgroup)
>>   looking for user cbj_nt+kevin_miller of domain (ANY) in 
>> netgroup CBJ_NT+domain users
>> [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
>>   lookup_name: CBJ_NT\domain users => CBJ_NT (domain), domain 
>> users (name)
>> [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
>>   lookup_name: flags = 0x077
>> [2012/04/27 11:04:52.217841, 10] 
>> passdb/util_wellknown.c:152(lookup_wellknown_name)
>>   map_name_to_wellknown_sid: looking up domain users
>> [2012/04/27 11:04:52.217890,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2012/04/27 11:04:52.217921,  3] smbd/uid.c:429(push_conn_ctx)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2012/04/27 11:04:52.217945,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2012/04/27 11:04:52.217966,  5] 
>> auth/token_util.c:525(debug_nt_user_token)
>>   NT user token: (NULL)
>> [2012/04/27 11:04:52.217987,  5] 
>> auth/token_util.c:551(debug_unix_user_token)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2012/04/27 11:04:52.218079,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2012/04/27 11:04:52.219317,  5] 
>> smbd/share_access.c:117(token_contains_name)
>>   lookup_name CBJ_NT+domain users failed
>> [2012/04/27 11:04:52.219365, 10] 
>> smbd/share_access.c:216(user_ok_token)
>>   User CBJ_NT+kevin_miller not in 'valid users'
>> [2012/04/27 11:04:52.219394,  2] 
>> smbd/service.c:598(create_connection_server_info)
>>   user 'CBJ_NT+kevin_miller' (from session setup) not 
>> permitted to access this share (ftp)
>> [2012/04/27 11:04:52.219420,  1] 
>> smbd/service.c:678(make_connection_snum)
>>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>> [2012/04/27 11:04:52.219452,  3] smbd/error.c:80(error_packet_set)
>>   error packet at smbd/reply.c(795) cmd=117 (SMBtconX) 
>> NT_STATUS_ACCESS_DENIED
>>
>>
>> Here's the debugging output from the winbindd-idmap.old log:
>>
>> [2012/04/27 10:58:37.616201, 10]
>> winbindd/idmap_util.c:115(idmap_gid_to_sid)
>>   idmap_gid_to_sid: gid = [1004], domain = ''
>> [2012/04/27 10:58:37.616243, 10] 
>> lib/gencache.c:334(gencache_get_data_blob)
>>   Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
>> [2012/04/27 10:58:37.616265, 10] 
>> winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
>>   idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
>> [2012/04/27 10:58:37.616331, 10] 
>> winbindd/idmap.c:475(idmap_find_domain)
>>   idmap_find_domain called for domain ''
>> [2012/04/27 10:58:37.616352,  5] 
>> winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
>>   Requested id (1004) out of range (10000 - 79999). Filtered!
>> [2012/04/27 10:58:37.616380, 10] 
>> lib/gencache.c:180(gencache_set_data_blob)
>>   Adding cache entry with key = IDMAP/UID2SID/1004 and 
>> timeout = Fri Apr 27 11:00:37 2012
>>    (120 seconds ahead)
>> [2012/04/27 10:58:37.616436, 10] 
>> winbindd/idmap_util.c:151(idmap_gid_to_sid)
>>   gid [1004] not mapped
>> [2012/04/27 10:58:37.616456,  1] 
>> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>>        wbint_Gid2Sid: struct wbint_Gid2Sid
>>           out: struct wbint_Gid2Sid
>>               sid                      : *
>>                   sid                      : S-0-0
>>               result                   : NT_STATUS_NONE_MAPPED
>>
>>
>> --
>> Kevin Elliott
>>  
>> Network Specialist
>> City and Borough of Juneau, MIS
>> (907) 586 - 0905
>>  
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Daniele
>>> Sent: Sunday, April 29, 2012 11:50 PM
>>> To: samba at lists.samba.org
>>> Subject: [Samba] winbind stop working
>>>
>>> Hi, I am trying to use the Squid proxy with validation against a Windows
>>> 2003 Active Directory to filter internet navigation, and for it I
>>> installed an Ubuntu 10.04 server 64-bit with Samba.
>>> My installation looks OK: the server is joined to the AD, ntlm is able
>>> to validate users, wbinfo reports correct information and Squid works
>>> well.
>>> The problem arises after some hours: winbind becomes unable to resolve
>>> info for users and to retrieve info for groups, so Squid becomes unable
>>> to know if a user belongs to a group allowed to navigate and refuses
>>> the connection.
>>> Restarting winbind solves the problem for some hours.
>>> wbinfo reports no particular problem; it just gives back messages like
>>> "could not get info for user xx", and setting the debug level to
>>> various numbers reports (to me) no significant clues.
>>> I made a workaround by scheduling a restart of the winbind service
>>> every half hour, and it works, but it is not so elegant ...
>>> Do you have any suggestion to solve this problem?
>>> Thank you
>>> Daniele
>>>
>>> samba/winbind version is 3.4.7
>>> squid is 2.7.STABLE7
>>> os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux
>>>
>>> smb.conf:
>>> [global]
>>>      workgroup = CED
>>>      realm = CED.AOS
>>>      server string = Samba Server Version %v
>>>      security = ADS
>>>      password server = 172.18.10.24 172.18.10.23
>>>      name resolve order = lmhosts host bcast
>>>      ldap ssl = no
>>>      idmap uid = 15000-25000
>>>      idmap gid = 15000-25000
>>>      winbind separator = +
>>>      winbind enum users = Yes
>>>      winbind enum groups = Yes
>>>      winbind use default domain = Yes
>>>      cups options = raw
>>> [homes]
>>>      comment = Home Directories
>>>      read only = No
>>>      browseable = No
>>>      browsable = No
>>>
>>> [printers]
>>>      comment = All Printers
>>>      path = /var/spool/samba
>>>      printable = Yes
>>>      browseable = No
>>>      browsable = No
>>>
>>>
>>> ----
>>> This e-mail message and any files transmitted with it contain
>>> confidential information intended only for the person(s) to
>>> whom it is addressed. If you are not the intended recipient, you are hereby
>>> notified that any use or distribution of this e-mail is strictly
>>> prohibited: please notify the sender and delete the
>>> original message.
>>> Thank you.
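A triage script for the two logs Kevin quoted, as an added example that is not part of any message in this thread and not Samba's own tooling. It pulls the configured idmap range out of an smb.conf, classifies every id that winbind reported as "out of range ... Filtered!", and lists the negative-cache entries that explain why the same lookup keeps returning NT_STATUS_NONE_MAPPED for the next 120 seconds without winbind going back to the domain controller. The smb.conf fragment is constructed (Kevin's was not posted) using the 10000-79999 range his winbindd log prints; the log lines are the gencache and idmap_tdb lines from his excerpt, joined onto single lines as winbindd writes them, plus one invented line for an id above the range so that both verdicts show up. Only the Samba 3.0-3.5 `idmap uid = A-B` form is parsed, not the 3.6 `idmap config DOM : range` form.

```shell
#!/bin/sh
# Added example; not code from the original thread or from Samba.
set -eu

# Constructed smb.conf fragment (Kevin's real config was not posted); the
# range is the one his winbindd-idmap log reports.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
[global]
    workgroup = CBJ_NT
    security = ADS
    idmap uid = 10000-79999
    idmap gid = 10000-79999
    winbind separator = +
EOF

# Constructed log: Kevin's quoted winbindd-idmap lines (one line per entry,
# as winbindd writes them) plus one invented line for an id above the range.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid)
  idmap_gid_to_sid: gid = [1004], domain = ''
[2012/04/27 10:58:37.616243, 10] lib/gencache.c:334(gencache_get_data_blob)
  Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
[2012/04/27 10:58:37.616352,  5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
  Requested id (1004) out of range (10000 - 79999). Filtered!
[2012/04/27 10:58:37.616380, 10] lib/gencache.c:180(gencache_set_data_blob)
  Adding cache entry with key = IDMAP/UID2SID/1004 and timeout = Fri Apr 27 11:00:37 2012 (120 seconds ahead)
[2012/04/27 10:58:37.616436, 10] winbindd/idmap_util.c:151(idmap_gid_to_sid)
  gid [1004] not mapped
[2012/04/27 10:58:40.000000,  5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
  Requested id (90000) out of range (10000 - 79999). Filtered!
EOF
trap 'rm -f "$CONF" "$LOG"' EXIT

# Print "LO HI" from the first "idmap uid = LO-HI" line of an smb.conf.
idmap_range() {   # usage: idmap_range SMBCONF
    awk -F= '/^[[:space:]]*idmap uid[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit }' "$1"
}

# For every id winbind refused ("out of range ... Filtered!"), say why:
#   LOCAL   below the range: a local /etc/passwd or /etc/group id that
#           winbind will never map; NSS "files" should have answered it;
#   ABOVE   past the top of the range: range exhausted or misconfigured;
#   INRANGE inside the configured range yet still refused: the running
#           winbindd is not using the range you think it is (other smb.conf,
#           per-domain "idmap config" override, or a different backend).
classify_unmapped() {   # usage: classify_unmapped LOGFILE LO HI
    lo=$2; hi=$3
    grep -o 'Requested id ([0-9]*) out of range' "$1" | sed 's/[^0-9]//g' | sort -un |
    while read -r id; do
        if   [ "$id" -lt "$lo" ]; then echo "$id LOCAL"
        elif [ "$id" -gt "$hi" ]; then echo "$id ABOVE"
        else                            echo "$id INRANGE"
        fi
    done
}

# Negative cache entries as "KEY SECONDS". Until SECONDS elapse the same
# lookup is answered NONE_MAPPED straight from gencache, so retrying sooner
# (or restarting winbind to "fix" it) tells you nothing about the DC.
negative_cache() {   # usage: negative_cache LOGFILE
    awk '/Adding cache entry with key = IDMAP\// {
             key = $0; sub(/.*key = /, "", key); sub(/ and.*/, "", key) }
         /\([0-9]+ seconds ahead\)/ {
             s = $0; sub(/.*\(/, "", s); sub(/ seconds.*/, "", s); print key, s }' "$1"
}

range=$(idmap_range "$CONF")
lo=${range% *}; hi=${range#* }
echo "configured idmap range: $lo-$hi"
classify_unmapped "$LOG" "$lo" "$hi"
negative_cache "$LOG"
```

Point the two heredocs at your real smb.conf and log.winbindd-idmap (run at `winbind:10`) and the verdicts tell you whether to fix NSS ordering, widen the range, or look elsewhere; the 120-second figure is the negative-cache lifetime winbind itself logged, which is why Daniele's half-hourly restart "works" only by discarding that cache.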
