Help!

[Samba] Winbind authentication and wbinfo -i user no longe..

 
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> Samba RSS
Next:  [gentoo-user] switching production server from my..  
Author Message
Dale Schroeder
External


Since: May 26, 2006
Posts: 89



PostPosted: Wed Dec 21, 2011 9:10 pm    Post subject: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: linux>samba (more info?)

Originally filed by Robert LeBlanc as Debian Bug # 652679 -
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>

<Quote>

Package: winbind
Version: 2:3.6.1-3
Severity: important

Dear Maintainer,

After upgrading to 3.6.1 I am no longer able to login to Debian using my Active Directory account.
'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but 'winbind -i user' returns
'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user user'. Changing
the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306 (fork_domain_child) fork_domain_child
called without domain.'. The previous wbint_Sid2Uid struct printout shows that dom_name is NULL,
but has the correct domain SID. I believe the problem may exist around there. I did upgrade the
'idmap backend = hash' to the new format 'idmap config * : backend = hash' as specifed in the man
page without any luck. Name to SID and SID to name works along with user-domgroups, but user-groups
does not work. 'wbinifo --group-info=group' fails with a similar error as 'wbinfo -i user'. I'm
going to try to get back to 3.5.11.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-Cool
Shell: /bin/sh linked to /bin/dash

Versions of packages winbind depends on:
ii adduser 3.113
ii libc6 2.13-21
ii libcap2 1:2.22-1
ii libcomerr2 1.42-1
ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
ii libk5crypto3 1.10+dfsg~alpha1-6
ii libkrb5-3 1.10+dfsg~alpha1-6
ii libldap-2.4-2 2.4.25-4+b1
ii libpam0g 1.1.3-6
ii libpopt0 1.16-1
ii libtalloc2 2.0.7-3
ii libtdb1 1.2.9-4+b1
ii libwbclient0 2:3.6.1-3
ii lsb-base 3.2-28
ii samba-common 2:3.6.1-3
ii zlib1g 1:1.2.3.4.dfsg-3

Versions of packages winbind recommends:
ii libpam-winbind 2:3.6.1-3

winbind suggests no packages.

-- no debconf information

</Quote>

I also have this error, and reported as follows:

Robert,

Same problem here, and I have not seen anyone mention this on the Samba
list. Systems are fully updated and testparm does not return any
errors. idmap backend is rid notated in the new format. All deprecated
parameters have been removed.

On my systems, I have found that full functionality returns after a
reboot; however, if samba/winbind processes are restarted for any
reason, AD authentication again no longer works. As with you, wbinfo
-u/-g continues to work, as does getent passwd. getent group only
returns linux groups. Another reboot will return winbind once again to
full functionality.

Even at log level 10, error messages have been hard to find among the
many winbind logs. At the time of failure, the one I consistently find
is in syslog:
winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.

--------------------------------------------------------------

This morning, I recreated the error by restarting Samba/winbind at 07:47.
The only suspicious level 10 log entries found from that timeframe are:

<syslog>
Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed with: Time limit exceeded

<smbd>
[2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
[2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
Could not remove pid 3491 from serverid.tdb
[2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
Could not find child 3491 -- ignoring

[2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
[2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
Could not remove pid 3499 from serverid.tdb
[2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
Could not find child 3499 -- ignoring

"net ads testjoin" indicates that the join is good.

[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = %h server
security = ADS
map untrusted to domain = Yes
allow trusted domains = No
map to guest = Bad User
obey pam restrictions = Yes
password server = *
passdb backend = tdbsam
username map = /etc/samba/users.map
lanman auth = No
log level = 10
log file =/var/log/samba/%m
name resolve order = wins hosts bcast
deadtime = 15
printcap name = cups
preferred master = No
wins server = 192.168.1.xyz
panic action = /usr/share/samba/panic-action %d
ldap ssl = No
#
idmap config * : backend = tdb
idmap config * : range = 1000000 - 20000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 99999
template homedir =/home/domain/%U
template shell = /bin/bash
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = Yes
#
printing = cups
print command =
lpq command = %p
lprm command =
veto oplock files = /*.doc/*.xls/*.mdb/
map archive = No
map readonly = no
store dos attributes = Yes
ea support = Yes
admin users = root, "@domain admins"


I have seen numerous 3.6.x winbind problems reported, but do not recall
seeing this one.
Does this look like a Samba bug or is it Debian-specific? winbind
fixing itself after a reboot is particularly puzzling.
Any and all suggestions appreciated.

Dale

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
David Roid
External


Since: Sep 07, 2010
Posts: 8



PostPosted: Thu Dec 22, 2011 1:10 am    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

Been there, you can try to add either "idmap config DOMAIN : default =
yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
gid = ..." to replace "idmap config * : ...", I don't know which one
actually fixed it.

2011/12/22 Dale Schroeder

> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
> http://bugs.debian.org/cgi-**bin/bugreport.cgi?bug=652679<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
> >
>
> <Quote>
>
> Package: winbind
> Version: 2:3.6.1-3
> Severity: important
>
> Dear Maintainer,
>
> After upgrading to 3.6.1 I am no longer able to login to Debian using my
> Active Directory account.
> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
> 'winbind -i user' returns
> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
> for user user'. Changing
> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
> (fork_domain_child) fork_domain_child
> called without domain.'. The previous wbint_Sid2Uid struct printout shows
> that dom_name is NULL,
> but has the correct domain SID. I believe the problem may exist around
> there. I did upgrade the
> 'idmap backend = hash' to the new format 'idmap config * : backend = hash'
> as specifed in the man
> page without any luck. Name to SID and SID to name works along with
> user-domgroups, but user-groups
> does not work. 'wbinifo --group-info=group' fails with a similar error as
> 'wbinfo -i user'. I'm
> going to try to get back to 3.5.11.
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-Cool
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages winbind depends on:
> ii adduser 3.113
> ii libc6 2.13-21
> ii libcap2 1:2.22-1
> ii libcomerr2 1.42-1
> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
> ii libk5crypto3 1.10+dfsg~alpha1-6
> ii libkrb5-3 1.10+dfsg~alpha1-6
> ii libldap-2.4-2 2.4.25-4+b1
> ii libpam0g 1.1.3-6
> ii libpopt0 1.16-1
> ii libtalloc2 2.0.7-3
> ii libtdb1 1.2.9-4+b1
> ii libwbclient0 2:3.6.1-3
> ii lsb-base 3.2-28
> ii samba-common 2:3.6.1-3
> ii zlib1g 1:1.2.3.4.dfsg-3
>
> Versions of packages winbind recommends:
> ii libpam-winbind 2:3.6.1-3
>
> winbind suggests no packages.
>
> -- no debconf information
>
> </Quote>
>
> I also have this error, and reported as follows:
>
> Robert,
>
> Same problem here, and I have not seen anyone mention this on the Samba
> list. Systems are fully updated and testparm does not return any
> errors. idmap backend is rid notated in the new format. All deprecated
> parameters have been removed.
>
> On my systems, I have found that full functionality returns after a
> reboot; however, if samba/winbind processes are restarted for any
> reason, AD authentication again no longer works. As with you, wbinfo
> -u/-g continues to work, as does getent passwd. getent group only
> returns linux groups. Another reboot will return winbind once again to
> full functionality.
>
> Even at log level 10, error messages have been hard to find among the
> many winbind logs. At the time of failure, the one I consistently find
> is in syslog:
> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>
> ------------------------------**------------------------------**--
>
> This morning, I recreated the error by restarting Samba/winbind at 07:47.
> The only suspicious level 10 log entries found from that timeframe are:
>
> <syslog>
> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
> 0] winbindd/winbindd_ads.c:1068(**lookup_groupmem)
> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed
> with: Time limit exceeded
>
> <smbd>
> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_**deregister)
> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_**child_pid)
> Could not remove pid 3491 from serverid.tdb
> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_**child_pid)
> Could not find child 3491 -- ignoring
>
> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_**deregister)
> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_**child_pid)
> Could not remove pid 3499 from serverid.tdb
> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_**child_pid)
> Could not find child 3499 -- ignoring
>
> "net ads testjoin" indicates that the join is good.
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> server string = %h server
> security = ADS
> map untrusted to domain = Yes
> allow trusted domains = No
> map to guest = Bad User
> obey pam restrictions = Yes
> password server = *
> passdb backend = tdbsam
> username map = /etc/samba/users.map
> lanman auth = No
> log level = 10
> log file =/var/log/samba/%m
> name resolve order = wins hosts bcast
> deadtime = 15
> printcap name = cups
> preferred master = No
> wins server = 192.168.1.xyz
> panic action = /usr/share/samba/panic-action %d
> ldap ssl = No
> #
> idmap config * : backend = tdb
> idmap config * : range = 1000000 - 20000000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 1000 - 99999
> template homedir =/home/domain/%U
> template shell = /bin/bash
> winbind cache time = 10
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind offline logon = Yes
> #
> printing = cups
> print command =
> lpq command = %p
> lprm command =
> veto oplock files = /*.doc/*.xls/*.mdb/
> map archive = No
> map readonly = no
> store dos attributes = Yes
> ea support = Yes
> admin users = root, "@domain admins"
>
>
> I have seen numerous 3.6.x winbind problems reported, but do not recall
> seeing this one.
> Does this look like a Samba bug or is it Debian-specific? winbind fixing
> itself after a reboot is particularly puzzling.
> Any and all suggestions appreciated.
>
> Dale
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
Dale Schroeder
External


Since: May 26, 2006
Posts: 89



PostPosted: Thu Dec 22, 2011 3:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

David, thanks for the help, but I'm afraid that workaround does not work
for me either.
Robert, thanks for furnishing all that useful info to bugzilla.
Jeremy, thanks for for the update on
https://bugzilla.samba.org/show_bug.cgi?id=8384.

I feel like I'm at the Academy Awards.
Merry Christmas to all. <[];o{P>

Dale


On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
> I tried to add "idmap config DOMAIN : default = yes" and it does not
> help. I'm using hash. I've found some interesting things that I've
> included in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
>
> Robert
>
> On Wed, Dec 21, 2011 at 5:33 PM, David Roid <
> > wrote:
>
> Been there, you can try to add either "idmap config DOMAIN :
> default = yes", or use old-fashion "idmap backend = ..." + "idmap
> uid = ..." + "idmap gid = ..." to replace "idmap config * : ...",
> I don't know which one actually fixed it.
>
> 2011/12/22 Dale Schroeder <dale@briannassaladdressing.com
> >
>
> Originally filed by Robert LeBlanc as Debian Bug # 652679 -
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>
> <Quote>
>
> Package: winbind
> Version: 2:3.6.1-3
> Severity: important
>
> Dear Maintainer,
>
> After upgrading to 3.6.1 I am no longer able to login to
> Debian using my Active Directory account.
> 'winbind -u', 'winbind -g', 'winbind -t' and many others work
> fine, but 'winbind -i user' returns
> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could
> not get info for user user'. Changing
> the verbosity of the logs, I find
> 'winbindd/winbindd_dual.c:1306 (fork_domain_child)
> fork_domain_child
> called without domain.'. The previous wbint_Sid2Uid struct
> printout shows that dom_name is NULL,
> but has the correct domain SID. I believe the problem may
> exist around there. I did upgrade the
> 'idmap backend = hash' to the new format 'idmap config * :
> backend = hash' as specifed in the man
> page without any luck. Name to SID and SID to name works along
> with user-domgroups, but user-groups
> does not work. 'wbinifo --group-info=group' fails with a
> similar error as 'wbinfo -i user'. I'm
> going to try to get back to 3.5.11.
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-Cool
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages winbind depends on:
> ii adduser 3.113
> ii libc6 2.13-21
> ii libcap2 1:2.22-1
> ii libcomerr2 1.42-1
> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
> ii libk5crypto3 1.10+dfsg~alpha1-6
> ii libkrb5-3 1.10+dfsg~alpha1-6
> ii libldap-2.4-2 2.4.25-4+b1
> ii libpam0g 1.1.3-6
> ii libpopt0 1.16-1
> ii libtalloc2 2.0.7-3
> ii libtdb1 1.2.9-4+b1
> ii libwbclient0 2:3.6.1-3
> ii lsb-base 3.2-28
> ii samba-common 2:3.6.1-3
> ii zlib1g 1:1.2.3.4.dfsg-3
>
> Versions of packages winbind recommends:
> ii libpam-winbind 2:3.6.1-3
>
> winbind suggests no packages.
>
> -- no debconf information
>
> </Quote>
>
> I also have this error, and reported as follows:
>
> Robert,
>
> Same problem here, and I have not seen anyone mention this on
> the Samba
> list. Systems are fully updated and testparm does not return any
> errors. idmap backend is rid notated in the new format. All
> deprecated
> parameters have been removed.
>
> On my systems, I have found that full functionality returns
> after a
> reboot; however, if samba/winbind processes are restarted for any
> reason, AD authentication again no longer works. As with you,
> wbinfo
> -u/-g continues to work, as does getent passwd. getent group only
> returns linux groups. Another reboot will return winbind once
> again to
> full functionality.
>
> Even at log level 10, error messages have been hard to find
> among the
> many winbind logs. At the time of failure, the one I
> consistently find
> is in syslog:
> winbindd[4186]: ads_ranged_search failed with: Time limit
> exceeded.
>
> --------------------------------------------------------------
>
> This morning, I recreated the error by restarting
> Samba/winbind at 07:47.
> The only suspicious level 10 log entries found from that
> timeframe are:
>
> <syslog>
> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21
> 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
> Dec 21 07:47:25 debinsp3200 winbindd[3489]:
> ads_ranged_search failed with: Time limit exceeded
>
> <smbd>
> [2011/12/21 07:47:10.102879, 1]
> lib/serverid.c:197(serverid_deregister)
> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:47:10.103603, 1]
> smbd/server.c:303(remove_child_pid)
> Could not remove pid 3491 from serverid.tdb
> [2011/12/21 07:47:10.104114, 1]
> smbd/server.c:317(remove_child_pid)
> Could not find child 3491 -- ignoring
>
> [2011/12/21 07:48:10.174369, 1]
> lib/serverid.c:197(serverid_deregister)
> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:48:10.175075, 1]
> smbd/server.c:303(remove_child_pid)
> Could not remove pid 3499 from serverid.tdb
> [2011/12/21 07:48:10.490994, 1]
> smbd/server.c:317(remove_child_pid)
> Could not find child 3499 -- ignoring
>
> "net ads testjoin" indicates that the join is good.
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM <http://DOMAIN.COM>
> server string = %h server
> security = ADS
> map untrusted to domain = Yes
> allow trusted domains = No
> map to guest = Bad User
> obey pam restrictions = Yes
> password server = *
> passdb backend = tdbsam
> username map = /etc/samba/users.map
> lanman auth = No
> log level = 10
> log file =/var/log/samba/%m
> name resolve order = wins hosts bcast
> deadtime = 15
> printcap name = cups
> preferred master = No
> wins server = 192.168.1.xyz
> panic action = /usr/share/samba/panic-action %d
> ldap ssl = No
> #
> idmap config * : backend = tdb
> idmap config * : range = 1000000 -
> 20000000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 1000 - 99999
> template homedir =/home/domain/%U
> template shell = /bin/bash
> winbind cache time = 10
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind offline logon = Yes
> #
> printing = cups
> print command =
> lpq command = %p
> lprm command =
> veto oplock files = /*.doc/*.xls/*.mdb/
> map archive = No
> map readonly = no
> store dos attributes = Yes
> ea support = Yes
> admin users = root, "@domain admins"
>
>
> I have seen numerous 3.6.x winbind problems reported, but do
> not recall seeing this one.
> Does this look like a Samba bug or is it Debian-specific?
> winbind fixing itself after a reboot is particularly puzzling.
> Any and all suggestions appreciated.
>
>
> Dale
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
David Roid
External


Since: Sep 07, 2010
Posts: 8



PostPosted: Thu Dec 22, 2011 4:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1 using
following idmap settings:

idmap config * : range = ...
idmap config * : backend = ...
idmap config DOM : range = ...
idmap config DOM : default = yes
idmap config DOM : backend = ...

then join the domain, no problem at all.

2011/12/22 Dale Schroeder

> David, thanks for the help, but I'm afraid that workaround does not work
> for me either.
> Robert, thanks for furnishing all that useful info to bugzilla.
> Jeremy, thanks for for the update on
> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>
> I feel like I'm at the Academy Awards.
> Merry Christmas to all. <[];o{P>
>
> Dale
>
>
>
> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>
> I tried to add "idmap config DOMAIN : default = yes" and it does not help.
> I'm using hash. I've found some interesting things that I've included in
> bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
>
> Robert
>
> On Wed, Dec 21, 2011 at 5:33 PM, David Roid wrote:
>
>> Been there, you can try to add either "idmap config DOMAIN : default =
>> yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
>> gid = ..." to replace "idmap config * : ...", I don't know which one
>> actually fixed it.
>>
>> 2011/12/22 Dale Schroeder
>>
>>> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>
>>> <Quote>
>>>
>>> Package: winbind
>>> Version: 2:3.6.1-3
>>> Severity: important
>>>
>>> Dear Maintainer,
>>>
>>> After upgrading to 3.6.1 I am no longer able to login to Debian using my
>>> Active Directory account.
>>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>>> 'winbind -i user' returns
>>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
>>> for user user'. Changing
>>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>>> (fork_domain_child) fork_domain_child
>>> called without domain.'. The previous wbint_Sid2Uid struct printout
>>> shows that dom_name is NULL,
>>> but has the correct domain SID. I believe the problem may exist around
>>> there. I did upgrade the
>>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>>> hash' as specifed in the man
>>> page without any luck. Name to SID and SID to name works along with
>>> user-domgroups, but user-groups
>>> does not work. 'wbinifo --group-info=group' fails with a similar error
>>> as 'wbinfo -i user'. I'm
>>> going to try to get back to 3.5.11.
>>>
>>> -- System Information:
>>> Debian Release: wheezy/sid
>>> APT prefers testing
>>> APT policy: (500, 'testing')
>>> Architecture: amd64 (x86_64)
>>>
>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-Cool
>>> Shell: /bin/sh linked to /bin/dash
>>>
>>> Versions of packages winbind depends on:
>>> ii adduser 3.113
>>> ii libc6 2.13-21
>>> ii libcap2 1:2.22-1
>>> ii libcomerr2 1.42-1
>>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>>> ii libk5crypto3 1.10+dfsg~alpha1-6
>>> ii libkrb5-3 1.10+dfsg~alpha1-6
>>> ii libldap-2.4-2 2.4.25-4+b1
>>> ii libpam0g 1.1.3-6
>>> ii libpopt0 1.16-1
>>> ii libtalloc2 2.0.7-3
>>> ii libtdb1 1.2.9-4+b1
>>> ii libwbclient0 2:3.6.1-3
>>> ii lsb-base 3.2-28
>>> ii samba-common 2:3.6.1-3
>>> ii zlib1g 1:1.2.3.4.dfsg-3
>>>
>>> Versions of packages winbind recommends:
>>> ii libpam-winbind 2:3.6.1-3
>>>
>>> winbind suggests no packages.
>>>
>>> -- no debconf information
>>>
>>> </Quote>
>>>
>>> I also have this error, and reported as follows:
>>>
>>> Robert,
>>>
>>> Same problem here, and I have not seen anyone mention this on the Samba
>>> list. Systems are fully updated and testparm does not return any
>>> errors. idmap backend is rid notated in the new format. All deprecated
>>> parameters have been removed.
>>>
>>> On my systems, I have found that full functionality returns after a
>>> reboot; however, if samba/winbind processes are restarted for any
>>> reason, AD authentication again no longer works. As with you, wbinfo
>>> -u/-g continues to work, as does getent passwd. getent group only
>>> returns linux groups. Another reboot will return winbind once again to
>>> full functionality.
>>>
>>> Even at log level 10, error messages have been hard to find among the
>>> many winbind logs. At the time of failure, the one I consistently find
>>> is in syslog:
>>> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>>>
>>> --------------------------------------------------------------
>>>
>>> This morning, I recreated the error by restarting Samba/winbind at 07:47.
>>> The only suspicious level 10 log entries found from that timeframe are:
>>>
>>> <syslog>
>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
>>> 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed
>>> with: Time limit exceeded
>>>
>>> <smbd>
>>> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
>>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
>>> Could not remove pid 3491 from serverid.tdb
>>> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
>>> Could not find child 3491 -- ignoring
>>>
>>> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
>>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
>>> Could not remove pid 3499 from serverid.tdb
>>> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
>>> Could not find child 3499 -- ignoring
>>>
>>> "net ads testjoin" indicates that the join is good.
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.COM
>>> server string = %h server
>>> security = ADS
>>> map untrusted to domain = Yes
>>> allow trusted domains = No
>>> map to guest = Bad User
>>> obey pam restrictions = Yes
>>> password server = *
>>> passdb backend = tdbsam
>>> username map = /etc/samba/users.map
>>> lanman auth = No
>>> log level = 10
>>> log file =/var/log/samba/%m
>>> name resolve order = wins hosts bcast
>>> deadtime = 15
>>> printcap name = cups
>>> preferred master = No
>>> wins server = 192.168.1.xyz
>>> panic action = /usr/share/samba/panic-action %d
>>> ldap ssl = No
>>> #
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000 - 20000000
>>> idmap config DOMAIN : backend = rid
>>> idmap config DOMAIN : range = 1000 - 99999
>>> template homedir =/home/domain/%U
>>> template shell = /bin/bash
>>> winbind cache time = 10
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> winbind offline logon = Yes
>>> #
>>> printing = cups
>>> print command =
>>> lpq command = %p
>>> lprm command =
>>> veto oplock files = /*.doc/*.xls/*.mdb/
>>> map archive = No
>>> map readonly = no
>>> store dos attributes = Yes
>>> ea support = Yes
>>> admin users = root, "@domain admins"
>>>
>>>
>>> I have seen numerous 3.6.x winbind problems reported, but do not recall
>>> seeing this one.
>>> Does this look like a Samba bug or is it Debian-specific? winbind
>>> fixing itself after a reboot is particularly puzzling.
>>> Any and all suggestions appreciated.
>>>
>>>
>>> Dale
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
Dale Schroeder
External


Since: May 26, 2006
Posts: 89



PostPosted: Thu Dec 22, 2011 5:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

That is correct - it did not fix the problem - old or new idmap syntax.
Any time I restart the processes, such as after a config change, winbind
auth fails.
"getent group" yields the syslog error shown in the original post.
"wbinfo -i user" fails even though "user" appears in "getent passwd".
Reboot the system and everything is functioning again until the next
time nmbd/smbd/winbind are restarted, after which winbind is
nonfunctioning once again.

Dale


On 12/22/2011 9:02 AM, David Roid wrote:
> Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1
> using following idmap settings:
>
> idmap config * : range = ...
> idmap config * : backend = ...
> idmap config DOM : range = ...
> idmap config DOM : default = yes
> idmap config DOM : backend = ...
>
> then join the domain, no problem at all.
>
> 2011/12/22 Dale Schroeder <dale@briannassaladdressing.com
> >
>
> David, thanks for the help, but I'm afraid that workaround does
> not work for me either.
> Robert, thanks for furnishing all that useful info to bugzilla.
> Jeremy, thanks for for the update on
> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>
> I feel like I'm at the Academy Awards.
> Merry Christmas to all. <[];o{P>
>
> Dale
>
>
>
> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>> I tried to add "idmap config DOMAIN : default = yes" and it does
>> not help. I'm using hash. I've found some interesting things that
>> I've included in bug 8676
>> https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>
>> Robert
>>
>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid <
>> > wrote:
>>
>> Been there, you can try to add either "idmap config DOMAIN :
>> default = yes", or use old-fashion "idmap backend = ..." +
>> "idmap uid = ..." + "idmap gid = ..." to replace "idmap
>> config * : ...", I don't know which one actually fixed it.
>>
>> 2011/12/22 Dale Schroeder <dale@briannassaladdressing.com
>> >
>>
>> Originally filed by Robert LeBlanc as Debian Bug # 652679
>> - <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>
>> <Quote>
>>
>> Package: winbind
>> Version: 2:3.6.1-3
>> Severity: important
>>
>> Dear Maintainer,
>>
>> After upgrading to 3.6.1 I am no longer able to login to
>> Debian using my Active Directory account.
>> 'winbind -u', 'winbind -g', 'winbind -t' and many others
>> work fine, but 'winbind -i user' returns
>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user user'. Changing
>> the verbosity of the logs, I find
>> 'winbindd/winbindd_dual.c:1306 (fork_domain_child)
>> fork_domain_child
>> called without domain.'. The previous wbint_Sid2Uid
>> struct printout shows that dom_name is NULL,
>> but has the correct domain SID. I believe the problem may
>> exist around there. I did upgrade the
>> 'idmap backend = hash' to the new format 'idmap config *
>> : backend = hash' as specifed in the man
>> page without any luck. Name to SID and SID to name works
>> along with user-domgroups, but user-groups
>> does not work. 'wbinifo --group-info=group' fails with a
>> similar error as 'wbinfo -i user'. I'm
>> going to try to get back to 3.5.11.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers testing
>> APT policy: (500, 'testing')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
>> (charmap=UTF-Cool
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages winbind depends on:
>> ii adduser 3.113
>> ii libc6 2.13-21
>> ii libcap2 1:2.22-1
>> ii libcomerr2 1.42-1
>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>> ii libk5crypto3 1.10+dfsg~alpha1-6
>> ii libkrb5-3 1.10+dfsg~alpha1-6
>> ii libldap-2.4-2 2.4.25-4+b1
>> ii libpam0g 1.1.3-6
>> ii libpopt0 1.16-1
>> ii libtalloc2 2.0.7-3
>> ii libtdb1 1.2.9-4+b1
>> ii libwbclient0 2:3.6.1-3
>> ii lsb-base 3.2-28
>> ii samba-common 2:3.6.1-3
>> ii zlib1g 1:1.2.3.4.dfsg-3
>>
>> Versions of packages winbind recommends:
>> ii libpam-winbind 2:3.6.1-3
>>
>> winbind suggests no packages.
>>
>> -- no debconf information
>>
>> </Quote>
>>
>> I also have this error, and reported as follows:
>>
>> Robert,
>>
>> Same problem here, and I have not seen anyone mention
>> this on the Samba
>> list. Systems are fully updated and testparm does not
>> return any
>> errors. idmap backend is rid notated in the new format.
>> All deprecated
>> parameters have been removed.
>>
>> On my systems, I have found that full functionality
>> returns after a
>> reboot; however, if samba/winbind processes are restarted
>> for any
>> reason, AD authentication again no longer works. As with
>> you, wbinfo
>> -u/-g continues to work, as does getent passwd. getent
>> group only
>> returns linux groups. Another reboot will return winbind
>> once again to
>> full functionality.
>>
>> Even at log level 10, error messages have been hard to
>> find among the
>> many winbind logs. At the time of failure, the one I
>> consistently find
>> is in syslog:
>> winbindd[4186]: ads_ranged_search failed with: Time
>> limit exceeded.
>>
>> --------------------------------------------------------------
>>
>> This morning, I recreated the error by restarting
>> Samba/winbind at 07:47.
>> The only suspicious level 10 log entries found from that
>> timeframe are:
>>
>> <syslog>
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21
>> 07:47:25.660769, 0]
>> winbindd/winbindd_ads.c:1068(lookup_groupmem)
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]:
>> ads_ranged_search failed with: Time limit exceeded
>>
>> <smbd>
>> [2011/12/21 07:47:10.102879, 1]
>> lib/serverid.c:197(serverid_deregister)
>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:47:10.103603, 1]
>> smbd/server.c:303(remove_child_pid)
>> Could not remove pid 3491 from serverid.tdb
>> [2011/12/21 07:47:10.104114, 1]
>> smbd/server.c:317(remove_child_pid)
>> Could not find child 3491 -- ignoring
>>
>> [2011/12/21 07:48:10.174369, 1]
>> lib/serverid.c:197(serverid_deregister)
>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:48:10.175075, 1]
>> smbd/server.c:303(remove_child_pid)
>> Could not remove pid 3499 from serverid.tdb
>> [2011/12/21 07:48:10.490994, 1]
>> smbd/server.c:317(remove_child_pid)
>> Could not find child 3499 -- ignoring
>>
>> "net ads testjoin" indicates that the join is good.
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.COM <http://DOMAIN.COM>
>> server string = %h server
>> security = ADS
>> map untrusted to domain = Yes
>> allow trusted domains = No
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> password server = *
>> passdb backend = tdbsam
>> username map = /etc/samba/users.map
>> lanman auth = No
>> log level = 10
>> log file =/var/log/samba/%m
>> name resolve order = wins hosts bcast
>> deadtime = 15
>> printcap name = cups
>> preferred master = No
>> wins server = 192.168.1.xyz
>> panic action = /usr/share/samba/panic-action %d
>> ldap ssl = No
>> #
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000
>> - 20000000
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 1000 - 99999
>> template homedir =/home/domain/%U
>> template shell = /bin/bash
>> winbind cache time = 10
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind offline logon = Yes
>> #
>> printing = cups
>> print command =
>> lpq command = %p
>> lprm command =
>> veto oplock files = /*.doc/*.xls/*.mdb/
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> ea support = Yes
>> admin users = root, "@domain admins"
>>
>>
>> I have seen numerous 3.6.x winbind problems reported, but
>> do not recall seeing this one.
>> Does this look like a Samba bug or is it Debian-specific?
>> winbind fixing itself after a reboot is particularly
>> puzzling.
>> Any and all suggestions appreciated.
>>
>>
>> Dale
>>
>> --
>> To unsubscribe from this list go to the following URL and
>> read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
Dale Schroeder
External


Since: May 26, 2006
Posts: 89



PostPosted: Thu Dec 22, 2011 6:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

RID

On 12/22/2011 10:38 AM, Robert LeBlanc wrote:
> What backend are you using? I can't get a single authentication to
> work whether I reboot or not.
>
> The new or old syntax for hash does not work for me. I get a segfault
> in the hash module when compiled as shared modules. I've mentioned all
> that in the bug report.
>
> Robert
>
> On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder
> <dale@briannassaladdressing.com
> > wrote:
>
> That is correct - it did not fix the problem - old or new idmap
> syntax. Any time I restart the processes, such as after a config
> change, winbind auth fails.
> "getent group" yields the syslog error shown in the original
> post. "wbinfo -i user" fails even though "user" appears in
> "getent passwd".
> Reboot the system and everything is functioning again until the
> next time nmbd/smbd/winbind are restarted, after which winbind is
> nonfunctioning once again.
>
> Dale
>
>
>
> On 12/22/2011 9:02 AM, David Roid wrote:
>> Didn't work? I just installed another opensuse 12.1, with Samba
>> 3.6.1 using following idmap settings:
>>
>> idmap config * : range = ...
>> idmap config * : backend = ...
>> idmap config DOM : range = ...
>> idmap config DOM : default = yes
>> idmap config DOM : backend = ...
>>
>> then join the domain, no problem at all.
>>
>> 2011/12/22 Dale Schroeder <dale@briannassaladdressing.com
>> >
>>
>> David, thanks for the help, but I'm afraid that workaround
>> does not work for me either.
>> Robert, thanks for furnishing all that useful info to bugzilla.
>> Jeremy, thanks for for the update on
>> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>>
>> I feel like I'm at the Academy Awards.
>> Merry Christmas to all. <[];o{P>
>>
>> Dale
>>
>>
>>
>> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>> I tried to add "idmap config DOMAIN : default = yes" and it
>>> does not help. I'm using hash. I've found some interesting
>>> things that I've included in bug 8676
>>> https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>>
>>> Robert
>>>
>>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid
>>> > wrote:
>>>
>>> Been there, you can try to add either "idmap config
>>> DOMAIN : default = yes", or use old-fashion "idmap
>>> backend = ..." + "idmap uid = ..." + "idmap gid = ..."
>>> to replace "idmap config * : ...", I don't know which
>>> one actually fixed it.
>>>
>>> 2011/12/22 Dale Schroeder
>>> <dale@briannassaladdressing.com
>>> >
>>>
>>> Originally filed by Robert LeBlanc as Debian Bug #
>>> 652679 -
>>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>
>>> <Quote>
>>>
>>> Package: winbind
>>> Version: 2:3.6.1-3
>>> Severity: important
>>>
>>> Dear Maintainer,
>>>
>>> After upgrading to 3.6.1 I am no longer able to
>>> login to Debian using my Active Directory account.
>>> 'winbind -u', 'winbind -g', 'winbind -t' and many
>>> others work fine, but 'winbind -i user' returns
>>> 'failed to call wbcGetpwnam:
>>> WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
>>> user'. Changing
>>> the verbosity of the logs, I find
>>> 'winbindd/winbindd_dual.c:1306 (fork_domain_child)
>>> fork_domain_child
>>> called without domain.'. The previous wbint_Sid2Uid
>>> struct printout shows that dom_name is NULL,
>>> but has the correct domain SID. I believe the
>>> problem may exist around there. I did upgrade the
>>> 'idmap backend = hash' to the new format 'idmap
>>> config * : backend = hash' as specifed in the man
>>> page without any luck. Name to SID and SID to name
>>> works along with user-domgroups, but user-groups
>>> does not work. 'wbinifo --group-info=group' fails
>>> with a similar error as 'wbinfo -i user'. I'm
>>> going to try to get back to 3.5.11.
>>>
>>> -- System Information:
>>> Debian Release: wheezy/sid
>>> APT prefers testing
>>> APT policy: (500, 'testing')
>>> Architecture: amd64 (x86_64)
>>>
>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
>>> (charmap=UTF-Cool
>>> Shell: /bin/sh linked to /bin/dash
>>>
>>> Versions of packages winbind depends on:
>>> ii adduser 3.113
>>> ii libc6 2.13-21
>>> ii libcap2 1:2.22-1
>>> ii libcomerr2 1.42-1
>>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>>> ii libk5crypto3 1.10+dfsg~alpha1-6
>>> ii libkrb5-3 1.10+dfsg~alpha1-6
>>> ii libldap-2.4-2 2.4.25-4+b1
>>> ii libpam0g 1.1.3-6
>>> ii libpopt0 1.16-1
>>> ii libtalloc2 2.0.7-3
>>> ii libtdb1 1.2.9-4+b1
>>> ii libwbclient0 2:3.6.1-3
>>> ii lsb-base 3.2-28
>>> ii samba-common 2:3.6.1-3
>>> ii zlib1g 1:1.2.3.4.dfsg-3
>>>
>>> Versions of packages winbind recommends:
>>> ii libpam-winbind 2:3.6.1-3
>>>
>>> winbind suggests no packages.
>>>
>>> -- no debconf information
>>>
>>> </Quote>
>>>
>>> I also have this error, and reported as follows:
>>>
>>> Robert,
>>>
>>> Same problem here, and I have not seen anyone
>>> mention this on the Samba
>>> list. Systems are fully updated and testparm does
>>> not return any
>>> errors. idmap backend is rid notated in the new
>>> format. All deprecated
>>> parameters have been removed.
>>>
>>> On my systems, I have found that full functionality
>>> returns after a
>>> reboot; however, if samba/winbind processes are
>>> restarted for any
>>> reason, AD authentication again no longer works. As
>>> with you, wbinfo
>>> -u/-g continues to work, as does getent passwd.
>>> getent group only
>>> returns linux groups. Another reboot will return
>>> winbind once again to
>>> full functionality.
>>>
>>> Even at log level 10, error messages have been hard
>>> to find among the
>>> many winbind logs. At the time of failure, the one
>>> I consistently find
>>> is in syslog:
>>> winbindd[4186]: ads_ranged_search failed with:
>>> Time limit exceeded.
>>>
>>> --------------------------------------------------------------
>>>
>>> This morning, I recreated the error by restarting
>>> Samba/winbind at 07:47.
>>> The only suspicious level 10 log entries found from
>>> that timeframe are:
>>>
>>> <syslog>
>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]:
>>> [2011/12/21 07:47:25.660769, 0]
>>> winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]:
>>> ads_ranged_search failed with: Time limit exceeded
>>>
>>> <smbd>
>>> [2011/12/21 07:47:10.102879, 1]
>>> lib/serverid.c:197(serverid_deregister)
>>> Deleting serverid.tdb record failed:
>>> NT_STATUS_NOT_FOUND
>>> [2011/12/21 07:47:10.103603, 1]
>>> smbd/server.c:303(remove_child_pid)
>>> Could not remove pid 3491 from serverid.tdb
>>> [2011/12/21 07:47:10.104114, 1]
>>> smbd/server.c:317(remove_child_pid)
>>> Could not find child 3491 -- ignoring
>>>
>>> [2011/12/21 07:48:10.174369, 1]
>>> lib/serverid.c:197(serverid_deregister)
>>> Deleting serverid.tdb record failed:
>>> NT_STATUS_NOT_FOUND
>>> [2011/12/21 07:48:10.175075, 1]
>>> smbd/server.c:303(remove_child_pid)
>>> Could not remove pid 3499 from serverid.tdb
>>> [2011/12/21 07:48:10.490994, 1]
>>> smbd/server.c:317(remove_child_pid)
>>> Could not find child 3499 -- ignoring
>>>
>>> "net ads testjoin" indicates that the join is good.
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.COM <http://DOMAIN.COM>
>>> server string = %h server
>>> security = ADS
>>> map untrusted to domain = Yes
>>> allow trusted domains = No
>>> map to guest = Bad User
>>> obey pam restrictions = Yes
>>> password server = *
>>> passdb backend = tdbsam
>>> username map = /etc/samba/users.map
>>> lanman auth = No
>>> log level = 10
>>> log file =/var/log/samba/%m
>>> name resolve order = wins hosts bcast
>>> deadtime = 15
>>> printcap name = cups
>>> preferred master = No
>>> wins server = 192.168.1.xyz
>>> panic action = /usr/share/samba/panic-action %d
>>> ldap ssl = No
>>> #
>>> idmap config * : backend = tdb
>>> idmap config * : range =
>>> 1000000 - 20000000
>>> idmap config DOMAIN : backend = rid
>>> idmap config DOMAIN : range =
>>> 1000 - 99999
>>> template homedir =/home/domain/%U
>>> template shell = /bin/bash
>>> winbind cache time = 10
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> winbind offline logon = Yes
>>> #
>>> printing = cups
>>> print command =
>>> lpq command = %p
>>> lprm command =
>>> veto oplock files = /*.doc/*.xls/*.mdb/
>>> map archive = No
>>> map readonly = no
>>> store dos attributes = Yes
>>> ea support = Yes
>>> admin users = root, "@domain admins"
>>>
>>>
>>> I have seen numerous 3.6.x winbind problems
>>> reported, but do not recall seeing this one.
>>> Does this look like a Samba bug or is it
>>> Debian-specific? winbind fixing itself after a
>>> reboot is particularly puzzling.
>>> Any and all suggestions appreciated.
>>>
>>>
>>> Dale
>>>
>>> --
>>> To unsubscribe from this list go to the following
>>> URL and read the
>>> instructions:
>>> https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
Robert LeBlanc
External


Since: May 21, 2009
Posts: 19



PostPosted: Wed Dec 28, 2011 10:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

I tried to add "idmap config DOMAIN : default = yes" and it does not help.
I'm using hash. I've found some interesting things that I've included in
bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.

Robert

On Wed, Dec 21, 2011 at 5:33 PM, David Roid wrote:

> Been there, you can try to add either "idmap config DOMAIN : default =
> yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
> gid = ..." to replace "idmap config * : ...", I don't know which one
> actually fixed it.
>
> 2011/12/22 Dale Schroeder
>
>> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
>> http://bugs.debian.org/cgi-**bin/bugreport.cgi?bug=652679<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>> >
>>
>> <Quote>
>>
>> Package: winbind
>> Version: 2:3.6.1-3
>> Severity: important
>>
>> Dear Maintainer,
>>
>> After upgrading to 3.6.1 I am no longer able to login to Debian using my
>> Active Directory account.
>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>> 'winbind -i user' returns
>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
>> for user user'. Changing
>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>> (fork_domain_child) fork_domain_child
>> called without domain.'. The previous wbint_Sid2Uid struct printout shows
>> that dom_name is NULL,
>> but has the correct domain SID. I believe the problem may exist around
>> there. I did upgrade the
>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>> hash' as specifed in the man
>> page without any luck. Name to SID and SID to name works along with
>> user-domgroups, but user-groups
>> does not work. 'wbinifo --group-info=group' fails with a similar error as
>> 'wbinfo -i user'. I'm
>> going to try to get back to 3.5.11.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers testing
>> APT policy: (500, 'testing')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-Cool
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages winbind depends on:
>> ii adduser 3.113
>> ii libc6 2.13-21
>> ii libcap2 1:2.22-1
>> ii libcomerr2 1.42-1
>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>> ii libk5crypto3 1.10+dfsg~alpha1-6
>> ii libkrb5-3 1.10+dfsg~alpha1-6
>> ii libldap-2.4-2 2.4.25-4+b1
>> ii libpam0g 1.1.3-6
>> ii libpopt0 1.16-1
>> ii libtalloc2 2.0.7-3
>> ii libtdb1 1.2.9-4+b1
>> ii libwbclient0 2:3.6.1-3
>> ii lsb-base 3.2-28
>> ii samba-common 2:3.6.1-3
>> ii zlib1g 1:1.2.3.4.dfsg-3
>>
>> Versions of packages winbind recommends:
>> ii libpam-winbind 2:3.6.1-3
>>
>> winbind suggests no packages.
>>
>> -- no debconf information
>>
>> </Quote>
>>
>> I also have this error, and reported as follows:
>>
>> Robert,
>>
>> Same problem here, and I have not seen anyone mention this on the Samba
>> list. Systems are fully updated and testparm does not return any
>> errors. idmap backend is rid notated in the new format. All deprecated
>> parameters have been removed.
>>
>> On my systems, I have found that full functionality returns after a
>> reboot; however, if samba/winbind processes are restarted for any
>> reason, AD authentication again no longer works. As with you, wbinfo
>> -u/-g continues to work, as does getent passwd. getent group only
>> returns linux groups. Another reboot will return winbind once again to
>> full functionality.
>>
>> Even at log level 10, error messages have been hard to find among the
>> many winbind logs. At the time of failure, the one I consistently find
>> is in syslog:
>> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>>
>> ------------------------------**------------------------------**--
>>
>> This morning, I recreated the error by restarting Samba/winbind at 07:47.
>> The only suspicious level 10 log entries found from that timeframe are:
>>
>> <syslog>
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
>> 0] winbindd/winbindd_ads.c:1068(**lookup_groupmem)
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed
>> with: Time limit exceeded
>>
>> <smbd>
>> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_**
>> deregister)
>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_**child_pid)
>> Could not remove pid 3491 from serverid.tdb
>> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_**child_pid)
>> Could not find child 3491 -- ignoring
>>
>> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_**
>> deregister)
>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_**child_pid)
>> Could not remove pid 3499 from serverid.tdb
>> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_**child_pid)
>> Could not find child 3499 -- ignoring
>>
>> "net ads testjoin" indicates that the join is good.
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> server string = %h server
>> security = ADS
>> map untrusted to domain = Yes
>> allow trusted domains = No
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> password server = *
>> passdb backend = tdbsam
>> username map = /etc/samba/users.map
>> lanman auth = No
>> log level = 10
>> log file =/var/log/samba/%m
>> name resolve order = wins hosts bcast
>> deadtime = 15
>> printcap name = cups
>> preferred master = No
>> wins server = 192.168.1.xyz
>> panic action = /usr/share/samba/panic-action %d
>> ldap ssl = No
>> #
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000 - 20000000
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 1000 - 99999
>> template homedir =/home/domain/%U
>> template shell = /bin/bash
>> winbind cache time = 10
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind offline logon = Yes
>> #
>> printing = cups
>> print command =
>> lpq command = %p
>> lprm command =
>> veto oplock files = /*.doc/*.xls/*.mdb/
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> ea support = Yes
>> admin users = root, "@domain admins"
>>
>>
>> I have seen numerous 3.6.x winbind problems reported, but do not recall
>> seeing this one.
>> Does this look like a Samba bug or is it Debian-specific? winbind fixing
>> itself after a reboot is particularly puzzling.
>> Any and all suggestions appreciated.
>>
>>
>> Dale
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
>>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
Robert LeBlanc
External


Since: May 21, 2009
Posts: 19



PostPosted: Wed Dec 28, 2011 10:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1 [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

What backend are you using? I can't get a single authentication to work
whether I reboot or not.

The new or old syntax for hash does not work for me. I get a segfault in
the hash module when compiled as shared modules. I've mentioned all that in
the bug report.

Robert

On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder <
dale@briannassaladdressing.com> wrote:

> That is correct - it did not fix the problem - old or new idmap syntax.
> Any time I restart the processes, such as after a config change, winbind
> auth fails.
> "getent group" yields the syslog error shown in the original post.
> "wbinfo -i user" fails even though "user" appears in "getent passwd".
> Reboot the system and everything is functioning again until the next time
> nmbd/smbd/winbind are restarted, after which winbind is nonfunctioning once
> again.
>
> Dale
>
>
>
> On 12/22/2011 9:02 AM, David Roid wrote:
>
> Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1
> using following idmap settings:
>
> idmap config * : range = ...
> idmap config * : backend = ...
> idmap config DOM : range = ...
> idmap config DOM : default = yes
> idmap config DOM : backend = ...
>
> then join the domain, no problem at all.
>
> 2011/12/22 Dale Schroeder
>
>> David, thanks for the help, but I'm afraid that workaround does not work
>> for me either.
>> Robert, thanks for furnishing all that useful info to bugzilla.
>> Jeremy, thanks for for the update on
>> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>>
>> I feel like I'm at the Academy Awards.
>> Merry Christmas to all. <[];o{P>
>>
>> Dale
>>
>>
>>
>> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>
>> I tried to add "idmap config DOMAIN : default = yes" and it does not
>> help. I'm using hash. I've found some interesting things that I've included
>> in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>
>> Robert
>>
>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid wrote:
>>
>>> Been there, you can try to add either "idmap config DOMAIN : default =
>>> yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
>>> gid = ..." to replace "idmap config * : ...", I don't know which one
>>> actually fixed it.
>>>
>>> 2011/12/22 Dale Schroeder
>>>
>>>> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
>>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>>
>>>> <Quote>
>>>>
>>>> Package: winbind
>>>> Version: 2:3.6.1-3
>>>> Severity: important
>>>>
>>>> Dear Maintainer,
>>>>
>>>> After upgrading to 3.6.1 I am no longer able to login to Debian using
>>>> my Active Directory account.
>>>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>>>> 'winbind -i user' returns
>>>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get
>>>> info for user user'. Changing
>>>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>>>> (fork_domain_child) fork_domain_child
>>>> called without domain.'. The previous wbint_Sid2Uid struct printout
>>>> shows that dom_name is NULL,
>>>> but has the correct domain SID. I believe the problem may exist around
>>>> there. I did upgrade the
>>>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>>>> hash' as specifed in the man
>>>> page without any luck. Name to SID and SID to name works along with
>>>> user-domgroups, but user-groups
>>>> does not work. 'wbinifo --group-info=group' fails with a similar error
>>>> as 'wbinfo -i user'. I'm
>>>> going to try to get back to 3.5.11.
>>>>
>>>> -- System Information:
>>>> Debian Release: wheezy/sid
>>>> APT prefers testing
>>>> APT policy: (500, 'testing')
>>>> Architecture: amd64 (x86_64)
>>>>
>>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-Cool
>>>> Shell: /bin/sh linked to /bin/dash
>>>>
>>>> Versions of packages winbind depends on:
>>>> ii adduser 3.113
>>>> ii libc6 2.13-21
>>>> ii libcap2 1:2.22-1
>>>> ii libcomerr2 1.42-1
>>>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>>>> ii libk5crypto3 1.10+dfsg~alpha1-6
>>>> ii libkrb5-3 1.10+dfsg~alpha1-6
>>>> ii libldap-2.4-2 2.4.25-4+b1
>>>> ii libpam0g 1.1.3-6
>>>> ii libpopt0 1.16-1
>>>> ii libtalloc2 2.0.7-3
>>>> ii libtdb1 1.2.9-4+b1
>>>> ii libwbclient0 2:3.6.1-3
>>>> ii lsb-base 3.2-28
>>>> ii samba-common 2:3.6.1-3
>>>> ii zlib1g 1:1.2.3.4.dfsg-3
>>>>
>>>> Versions of packages winbind recommends:
>>>> ii libpam-winbind 2:3.6.1-3
>>>>
>>>> winbind suggests no packages.
>>>>
>>>> -- no debconf information
>>>>
>>>> </Quote>
>>>>
>>>> I also have this error, and reported as follows:
>>>>
>>>> Robert,
>>>>
>>>> Same problem here, and I have not seen anyone mention this on the Samba
>>>> list. Systems are fully updated and testparm does not return any
>>>> errors. idmap backend is rid notated in the new format. All deprecated
>>>> parameters have been removed.
>>>>
>>>> On my systems, I have found that full functionality returns after a
>>>> reboot; however, if samba/winbind processes are restarted for any
>>>> reason, AD authentication again no longer works. As with you, wbinfo
>>>> -u/-g continues to work, as does getent passwd. getent group only
>>>> returns linux groups. Another reboot will return winbind once again to
>>>> full functionality.
>>>>
>>>> Even at log level 10, error messages have been hard to find among the
>>>> many winbind logs. At the time of failure, the one I consistently find
>>>> is in syslog:
>>>> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>>>>
>>>> --------------------------------------------------------------
>>>>
>>>> This morning, I recreated the error by restarting Samba/winbind at
>>>> 07:47.
>>>> The only suspicious level 10 log entries found from that timeframe are:
>>>>
>>>> <syslog>
>>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21
>>>> 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
>>>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed
>>>> with: Time limit exceeded
>>>>
>>>> <smbd>
>>>> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
>>>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>>> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
>>>> Could not remove pid 3491 from serverid.tdb
>>>> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
>>>> Could not find child 3491 -- ignoring
>>>>
>>>> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
>>>> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
>>>> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
>>>> Could not remove pid 3499 from serverid.tdb
>>>> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
>>>> Could not find child 3499 -- ignoring
>>>>
>>>> "net ads testjoin" indicates that the join is good.
>>>>
>>>> [global]
>>>> workgroup = DOMAIN
>>>> realm = DOMAIN.COM
>>>> server string = %h server
>>>> security = ADS
>>>> map untrusted to domain = Yes
>>>> allow trusted domains = No
>>>> map to guest = Bad User
>>>> obey pam restrictions = Yes
>>>> password server = *
>>>> passdb backend = tdbsam
>>>> username map = /etc/samba/users.map
>>>> lanman auth = No
>>>> log level = 10
>>>> log file =/var/log/samba/%m
>>>> name resolve order = wins hosts bcast
>>>> deadtime = 15
>>>> printcap name = cups
>>>> preferred master = No
>>>> wins server = 192.168.1.xyz
>>>> panic action = /usr/share/samba/panic-action %d
>>>> ldap ssl = No
>>>> #
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 1000000 - 20000000
>>>> idmap config DOMAIN : backend = rid
>>>> idmap config DOMAIN : range = 1000 - 99999
>>>> template homedir =/home/domain/%U
>>>> template shell = /bin/bash
>>>> winbind cache time = 10
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind use default domain = Yes
>>>> winbind offline logon = Yes
>>>> #
>>>> printing = cups
>>>> print command =
>>>> lpq command = %p
>>>> lprm command =
>>>> veto oplock files = /*.doc/*.xls/*.mdb/
>>>> map archive = No
>>>> map readonly = no
>>>> store dos attributes = Yes
>>>> ea support = Yes
>>>> admin users = root, "@domain admins"
>>>>
>>>>
>>>> I have seen numerous 3.6.x winbind problems reported, but do not recall
>>>> seeing this one.
>>>> Does this look like a Samba bug or is it Debian-specific? winbind
>>>> fixing itself after a reboot is particularly puzzling.
>>>> Any and all suggestions appreciated.
>>>>
>>>>
>>>> Dale
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>>
>>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
Display posts from previous:   
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> Samba All times are: Eastern Time (US & Canada)
Page 1 of 1

 
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum