[Samba] FreeBSD 9.1 + Samba 3.6.12 : Winbind sid lookup issue
Mike Carlson
m87carlson at gmail.com
Thu Feb 28 17:56:58 MST 2013
Hey Samba list.

We recently had to switch from 3.5.x to 3.6, due to the ports tree dropping 3.5.

Since then, I've had issues with looking up users consistently. It may work for 30 minutes, and then stop.

I finally started to run winbindd -i -d and here are some of my findings:
Environment:
OS: FreeBSD 9.1-RELEASE
uname -a: FreeBSD pkg-server 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
Samba:
pkg info -f samba36
Name : samba36
Version : 3.6.12
Origin : net/samba36
Prefix : /usr/local
Categories : net
Licenses : GPLv3
Maintainer : timur at FreeBSD.org
WWW : http://www.samba.org/
Comment : A free SMB and CIFS client and server for UNIX
Options :
LDAP: on
ADS: on
CUPS: off
WINBIND: on
SWAT: off
ACL_SUPPORT: on
AIO_SUPPORT: on
FAM_SUPPORT: off
SYSLOG: off
QUOTAS: off
UTMP: off
PAM_SMBPASS: off
DNSUPDATE: on
AVAHI: off
PTHREADPOOL: on
EXP_MODULES: on
POPT: on
IPV6: on
MAX_DEBUG: off
SMBTORTURE: off
smb.conf:
[global]
workgroup = DISCDRIVE
server string = Samba Server
security = ads
hosts allow = 192.168. 10.250. 10.5.68. 10.29. 10.26. 10.7.1. 127.
log file = /var/log/samba/log.%m
max log size = 50
realm = DISCDRIVE.BAYPHOTO.COM
wins server = dc-3.discdrive.bayphoto.com
dns proxy = no
kerberos method = system keytab
idmap config DISCDRIVE : backend = rid
idmap config DISCDRIVE : range = 20001-30000
idmap config DISCDRIVE : base_rid = 0
idmap config BAYPHOTO : backend = rid
idmap config BAYPHOTO : range = 10000-20000
idmap config BAYPHOTO : base_rid = 0
idmap config DISCDRIVE : default = yes
allow trusted domains = Yes
winbind use default domain = yes
winbind enum users = Yes
winbind enum groups = Yes
template shell = /bin/zsh
template homedir = /home/%D/%U
winbind use default domain=Yes
winbind nss info = sfu
winbind offline logon = Yes
winbind refresh tickets = True
winbind nested groups = Yes
winbind cache time = 3600
winbind reconnect delay = 30
winbind expand groups = 10
winbind max domain connections = 10
max protocol = SMB2
I can look up some of our users, but I cannot see ALL of them, or I'll see one and after a while it will no longer show up again.

I've removed /var/db/samba/*, ran net cache flush, restarted samba, but the following scenario happens every time.
samba 3.6.12
freebsd 9.1-RELEASE
# id jenkins-ci
id: jenkins-ci: no such user
# pw usershow jenkins-ci
pw: no such user `jenkins-ci'
# pw usershow mikec
mikec:*:21208:20514::0:0:Mike Carlson:/home/DISCDRIVE/mikec:/bin/zsh
root at pkg-server:/root # getent passwd| grep jenkins
jenkins-ci:*:21608:20514:jenkins:/home/DISCDRIVE/jenkins-ci:/bin/zsh
# id 21608
id: 21608: no such user
# wbinfo -i mikec
mikec:*:21208:20514:Mike Carlson:/home/DISCDRIVE/mikec:/bin/zsh
# wbinfo -i jenkins-ci
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user jenkins-ci
# wbinfo -u|grep jenkins-ci
jenkins-ci
All the while, this is what winbindd reports:
Winbindd -i -d9
getpwnam jenkins-ci
offline logons active, restricting max domain connections to 1
offline logons active, restricting max domain connections to 1
Could not convert sid S-1-5-21-1193775395-2634469651-4076480956-1607: NT_STATUS_OBJECT_NAME_NOT_FOUND
closing socket 25, client exited
I've tried samba4 as well, and I experience the same problems. This has been tried on a few different systems as well and I'm at my wits' end with it.
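
An added example, not part of the original post: a check of the rid backend's ID arithmetic against the values quoted above, using the formula from the idmap_rid(8) manual (ID = RID - BASE_RID + LOW_RANGE_ID). It shows that the SID winbindd could not convert maps to uid 21608, the uid getent reports for jenkins-ci, and that the two configured ranges do not overlap. The function names are hypothetical; the config lines and the SID are copied from the post.

```python
import re
# idmap lines copied from the smb.conf in the post.
SMB_CONF = """\
idmap config DISCDRIVE : backend = rid
idmap config DISCDRIVE : range = 20001-30000
idmap config DISCDRIVE : base_rid = 0
idmap config BAYPHOTO : backend = rid
idmap config BAYPHOTO : range = 10000-20000
idmap config BAYPHOTO : base_rid = 0
"""
IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend", "low", "high", "base_rid"}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {"base_rid": 0})
        if key == "range":
            entry["low"], entry["high"] = (int(x) for x in val.split("-"))
        elif key == "base_rid":
            entry["base_rid"] = int(val)
        elif key == "backend":
            entry["backend"] = val
    return domains

def sid_to_unix_id(sid, cfg):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - cfg["base_rid"] + cfg["low"]
    return unix_id if cfg["low"] <= unix_id <= cfg["high"] else None

def unix_id_to_rid(unix_id, cfg):
    """idmap_rid(8): RID = ID + BASE_RID - LOW_RANGE_ID."""
    return unix_id + cfg["base_rid"] - cfg["low"]

def overlapping(domains):
    """Pairs of domains whose ID ranges overlap (mappings would be ambiguous)."""
    names = sorted(domains)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if domains[a]["low"] <= domains[b]["high"] and domains[b]["low"] <= domains[a]["high"]]

if __name__ == "__main__":
    d = parse_idmap(SMB_CONF)
    sid = "S-1-5-21-1193775395-2634469651-4076480956-1607"  # from the winbindd log
    print(sid_to_unix_id(sid, d["DISCDRIVE"]), unix_id_to_rid(21208, d["DISCDRIVE"]), overlapping(d))
```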