[Samba] AD client can't connect to share after winbind cache expires [Samba 3.4.12 on Gentoo]
M Z
magez.magez at gmail.com
Sun Apr 28 12:47:19 MDT 2013
Hello,
we're using Samba 3.4.12 on an older installation of Gentoo
(2.6.34-gentoo-r12) to serve files to AD users and after Samba restart,
users can't connect to shared folders - error on client side: session setup
failed: NT_STATUS_LOGON_FAILURE; errors on server side -
Get_Pwnam_internals didn't find user [user]!, check_ntlm_password: winbind
authentication for user [user] FAILED with error NT_STATUS_NO_SUCH_USER
wbinfo -i user returns "Could not get info for user"
BUT
wbinfo -u, wbinfo -g work (list all >30K AD users,groups) also getent
passwd, group work (list all local and AD users/groups)
and after issuing wbinfo -u, the user is able to log in and access shared
files - and at the same time the wbinfo -i user works as expected returning
line from /etc/passwd with AD account
after 5 minutes (default winbind cache is 5 minutes) it's in the original
state again - user can't log in and wbinfo -i doesn't work again.
So quick summary - I have to issue wbinfo -u to populate winbind cache to
be able to log in with AD account. After the cache expires, the AD accounts
can't log in anymore.
smb.conf:
[global]
netbios name = MSVMSVFMGT01
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap alloc backend = tdb
idmap uid = 10000-100000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = DC
os level = 20
winbind enum groups = yes
socket address = 10.1.73.250
password server = *
preferred master = no
winbind separator = +
max log size = 500
log level = 10
log file = /var/log/samba/log.%m
encrypt passwords = yes
dns proxy = no
realm = DC.REALM.SK
security = ADS
# wins server = ip of your wins server
wins proxy = no
/etc/nsswitch.conf:
passwd: compat winbind
shadow: compat winbind
group: compat winbind
...
log.winbindd (when wbinfo -i issued and fails)
[2013/04/28 20:39:45, 6] winbindd/winbindd.c:827(new_connection)
  accepted socket 22
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn INTERFACE_VERSION
[2013/04/28 20:39:45, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [16641]: request interface version
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2013/04/28 20:39:45, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [16641]: request location of privileged pipe
[2013/04/28 20:39:45, 6] winbindd/winbindd.c:827(new_connection)
  accepted socket 25
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn GETPWNAM
[2013/04/28 20:39:45, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [16641]: getpwnam DC+matej.zary
[2013/04/28 20:39:45, 10] winbindd/winbindd_dual.c:125(async_request)
  Sending request to child pid 16287 (domain=DC)
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Added timed event "async_request_timeout_handler": 0x7f337ab2fc60
[2013/04/28 20:39:45, 10] lib/events.c:156(get_timed_events_timeout)
  timed_events_timeout: 299/999972
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Destroying timer event 0x7f337ab2fc60 "async_request_timeout_handler"
[2013/04/28 20:39:45, 10] winbindd/winbindd_cache.c:2667(cache_retrieve_response)
  Retrieving response for pid 16287
[2013/04/28 20:39:45, 10] winbindd/winbindd_dual.c:125(async_request)
  Sending request to child pid 16287 (domain=DC)
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Added timed event "async_request_timeout_handler": 0x7f337aab2030
[2013/04/28 20:39:45, 10] lib/events.c:156(get_timed_events_timeout)
  timed_events_timeout: 299/999977
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Destroying timer event 0x7f337aab2030 "async_request_timeout_handler"
[2013/04/28 20:39:45, 10] winbindd/winbindd_cache.c:2667(cache_retrieve_response)
  Retrieving response for pid 16287
[2013/04/28 20:39:45, 5] winbindd/winbindd_async.c:296(lookupname_recv2)
  lookup_name returned an error
[2013/04/28 20:39:45, 5] winbindd/winbindd_user.c:497(getpwnam_name2sid_recv)
  Could not lookup name for user DC+matej.zary
Any ideas where to look further? Many thanks...
Best Regards
Matej Zary
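
For tracking how often this symptom recurs, the log records shown in the post can be correlated per user. The Python below is an added example, not part of the original post and not Samba code: it parses winbindd debug records (including headers whose source location was wrapped onto the next line by a mail client) and reports, per user, how many getpwnam requests were seen and how many ended in "Could not lookup name". The names parse_records, failed_lookups and SAMPLE_LOG are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter

# Record header as seen in the post: "[date time, level] file.c:line(function)".
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
# Source location, either on the header line or wrapped onto the next line.
LOCATION = re.compile(r"^\S+\.c:\d+\((\w+)\)$")

# Constructed sample (hypothetical users); the second record has a wrapped header.
SAMPLE_LOG = """\
[2013/04/28 20:39:45, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [16641]: getpwnam EXAMPLE+alice
[2013/04/28 20:39:45, 5]
winbindd/winbindd_user.c:497(getpwnam_name2sid_recv)
  Could not lookup name for user EXAMPLE+alice
[2013/04/28 20:40:10, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [16650]: getpwnam EXAMPLE+bob
"""

def parse_records(text):
    """Return (timestamp, level, function, message) for each debug record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            loc = LOCATION.match(head.group(3))
            current = [head.group(1), int(head.group(2)), loc.group(1) if loc else None, []]
            records.append(current)
        elif current and not current[2] and LOCATION.match(line):
            current[2] = LOCATION.match(line).group(1)  # wrapped source location
        elif current and line:
            current[3].append(line)  # message body line
    return [(ts, lvl, fn, " ".join(msg)) for ts, lvl, fn, msg in records]

def failed_lookups(text):
    """Map user -> (getpwnam requests seen, failed name lookups seen)."""
    requested, failed = Counter(), Counter()
    for _ts, _lvl, fn, msg in parse_records(text):
        if fn == "winbindd_getpwnam":
            m = re.search(r"getpwnam (\S+)", msg)
            if m:
                requested[m.group(1)] += 1
        elif fn == "getpwnam_name2sid_recv":
            m = re.search(r"Could not lookup name for user (\S+)", msg)
            if m:
                failed[m.group(1)] += 1
    return {u: (requested[u], failed[u]) for u in sorted(set(requested) | set(failed))}
```

Run over log.winbindd at intervals, a user whose failure count rises only after the cache lifetime has passed matches the behaviour described in the post.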