Help!

[Samba] Winbind authentication and wbinfo -i user no longe..

 
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> Samba RSS
Next:  [gentoo-user] switching production server from my..  
Author Message
Dale Schroeder
External


Since: May 26, 2006
Posts: 89



PostPosted: Wed Dec 21, 2011 9:10 pm    Post subject: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: linux>samba (more info?)

Originally filed by Robert LeBlanc as Debian Bug # 652679 -
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>

<Quote>

Package: winbind
Version: 2:3.6.1-3
Severity: important

Dear Maintainer,

After upgrading to 3.6.1 I am no longer able to login to Debian using my Active Directory account.
'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but 'winbind -i user' returns
'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user user'. Changing
the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306 (fork_domain_child) fork_domain_child
called without domain.'. The previous wbint_Sid2Uid struct printout shows that dom_name is NULL,
but has the correct domain SID. I believe the problem may exist around there. I did upgrade the
'idmap backend = hash' to the new format 'idmap config * : backend = hash' as specifed in the man
page without any luck. Name to SID and SID to name works along with user-domgroups, but user-groups
does not work. 'wbinifo --group-info=group' fails with a similar error as 'wbinfo -i user'. I'm
going to try to get back to 3.5.11.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-Cool
Shell: /bin/sh linked to /bin/dash

Versions of packages winbind depends on:
ii adduser 3.113
ii libc6 2.13-21
ii libcap2 1:2.22-1
ii libcomerr2 1.42-1
ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
ii libk5crypto3 1.10+dfsg~alpha1-6
ii libkrb5-3 1.10+dfsg~alpha1-6
ii libldap-2.4-2 2.4.25-4+b1
ii libpam0g 1.1.3-6
ii libpopt0 1.16-1
ii libtalloc2 2.0.7-3
ii libtdb1 1.2.9-4+b1
ii libwbclient0 2:3.6.1-3
ii lsb-base 3.2-28
ii samba-common 2:3.6.1-3
ii zlib1g 1:1.2.3.4.dfsg-3

Versions of packages winbind recommends:
ii libpam-winbind 2:3.6.1-3

winbind suggests no packages.

-- no debconf information

</Quote>

I also have this error, and reported as follows:

Robert,

Same problem here, and I have not seen anyone mention this on the Samba
list. Systems are fully updated and testparm does not return any
errors. idmap backend is rid notated in the new format. All deprecated
parameters have been removed.

On my systems, I have found that full functionality returns after a
reboot; however, if samba/winbind processes are restarted for any
reason, AD authentication again no longer works. As with you, wbinfo
-u/-g continues to work, as does getent passwd. getent group only
returns linux groups. Another reboot will return winbind once again to
full functionality.

Even at log level 10, error messages have been hard to find among the
many winbind logs. At the time of failure, the one I consistently find
is in syslog:
winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.

--------------------------------------------------------------

This morning, I recreated the error by restarting Samba/winbind at 07:47.
The only suspicious level 10 log entries found from that timeframe are:

<syslog>
Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed with: Time limit exceeded

<smbd>
[2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
[2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
Could not remove pid 3491 from serverid.tdb
[2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
Could not find child 3491 -- ignoring

[2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
[2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
Could not remove pid 3499 from serverid.tdb
[2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
Could not find child 3499 -- ignoring

"net ads testjoin" indicates that the join is good.

[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = %h server
security = ADS
map untrusted to domain = Yes
allow trusted domains = No
map to guest = Bad User
obey pam restrictions = Yes
password server = *
passdb backend = tdbsam
username map = /etc/samba/users.map
lanman auth = No
log level = 10
log file =/var/log/samba/%m
name resolve order = wins hosts bcast
deadtime = 15
printcap name = cups
preferred master = No
wins server = 192.168.1.xyz
panic action = /usr/share/samba/panic-action %d
ldap ssl = No
#
idmap config * : backend = tdb
idmap config * : range = 1000000 - 20000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 99999
template homedir =/home/domain/%U
template shell = /bin/bash
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = Yes
#
printing = cups
print command =
lpq command = %p
lprm command =
veto oplock files = /*.doc/*.xls/*.mdb/
map archive = No
map readonly = no
store dos attributes = Yes
ea support = Yes
admin users = root, "@domain admins"


I have seen numerous 3.6.x winbind problems reported, but do not recall
seeing this one.
Does this look like a Samba bug or is it Debian-specific? winbind
fixing itself after a reboot is particularly puzzling.
Any and all suggestions appreciated.

Dale

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
Advertisement
David Roid
External


Since: Sep 07, 2010
Posts: 8



PostPosted: Thu Dec 22, 2011 1:10 am    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: per prev. post (more info?)

Been there, you can try to add either "idmap config DOMAIN : default =
yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
gid = ..." to replace "idmap config * : ...", I don't know which one
actually fixed it.

2011/12/22 Dale Schroeder

> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
> http://bugs.debian.org/cgi-**bin/bugreport.cgi?bug=652679<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
> >
>
> <Quote>
>
> Package: winbind
> Version: 2:3.6.1-3
> Severity: important
>
> Dear Maintainer,
>
> After upgrading to 3.6.1 I am no longer able to login to Debian using my
> Active Directory account.
> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
> 'winbind -i user' returns
> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
> for user user'. Changing
> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
> (fork_domain_child) fork_domain_child
> called without domain.'. The previous wbint_Sid2Uid struct printout shows
> that dom_name is NULL,
> but has the correct domain SID. I believe the problem may exist around
> there. I did upgrade the
> 'idmap backend = hash' to the new format 'idmap config * : backend = hash'
> as specifed in the man
> page without any luck. Name to SID and SID to name works along with
> user-domgroups, but user-groups
> does not work. 'wbinifo --group-info=group' fails with a similar error as
> 'wbinfo -i user'. I'm
> going to try to get back to 3.5.11.
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-Cool
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages winbind depends on:
> ii adduser 3.113
> ii libc6 2.13-21
> ii libcap2 1:2.22-1
> ii libcomerr2 1.42-1
> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
> ii libk5crypto3 1.10+dfsg~alpha1-6
> ii libkrb5-3 1.10+dfsg~alpha1-6
> ii libldap-2.4-2 2.4.25-4+b1
> ii libpam0g 1.1.3-6
> ii libpopt0 1.16-1
> ii libtalloc2 2.0.7-3
> ii libtdb1 1.2.9-4+b1
> ii libwbclient0 2:3.6.1-3
> ii lsb-base 3.2-28
> ii samba-common 2:3.6.1-3
> ii zlib1g 1:1.2.3.4.dfsg-3
>
> Versions of packages winbind recommends:
> ii libpam-winbind 2:3.6.1-3
>
> winbind suggests no packages.
>
> -- no debconf information
>
> </Quote>
>
> I also have this error, and reported as follows:
>
> Robert,
>
> Same problem here, and I have not seen anyone mention this on the Samba
> list. Systems are fully updated and testparm does not return any
> errors. idmap backend is rid notated in the new format. All deprecated
> parameters have been removed.
>
> On my systems, I have found that full functionality returns after a
> reboot; however, if samba/winbind processes are restarted for any
> reason, AD authentication again no longer works. As with you, wbinfo
> -u/-g continues to work, as does getent passwd. getent group only
> returns linux groups. Another reboot will return winbind once again to
> full functionality.
>
> Even at log level 10, error messages have been hard to find among the
> many winbind logs. At the time of failure, the one I consistently find
> is in syslog:
> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>
> ------------------------------**------------------------------**--
>
> This morning, I recreated the error by restarting Samba/winbind at 07:47.
> The only suspicious level 10 log entries found from that timeframe are:
>
> <syslog>
> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
> 0] winbindd/winbindd_ads.c:1068(**lookup_groupmem)
> Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed
> with: Time limit exceeded
>
> <smbd>
> [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_**deregister)
> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_**child_pid)
> Could not remove pid 3491 from serverid.tdb
> [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_**child_pid)
> Could not find child 3491 -- ignoring
>
> [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_**deregister)
> Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
> [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_**child_pid)
> Could not remove pid 3499 from serverid.tdb
> [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_**child_pid)
> Could not find child 3499 -- ignoring
>
> "net ads testjoin" indicates that the join is good.
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> server string = %h server
> security = ADS
> map untrusted to domain = Yes
> allow trusted domains = No
> map to guest = Bad User
> obey pam restrictions = Yes
> password server = *
> passdb backend = tdbsam
> username map = /etc/samba/users.map
> lanman auth = No
> log level = 10
> log file =/var/log/samba/%m
> name resolve order = wins hosts bcast
> deadtime = 15
> printcap name = cups
> preferred master = No
> wins server = 192.168.1.xyz
> panic action = /usr/share/samba/panic-action %d
> ldap ssl = No
> #
> idmap config * : backend = tdb
> idmap config * : range = 1000000 - 20000000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 1000 - 99999
> template homedir =/home/domain/%U
> template shell = /bin/bash
> winbind cache time = 10
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind offline logon = Yes
> #
> printing = cups
> print command =
> lpq command = %p
> lprm command =
> veto oplock files = /*.doc/*.xls/*.mdb/
> map archive = No
> map readonly = no
> store dos attributes = Yes
> ea support = Yes
> admin users = root, "@domain admins"
>
>
> I have seen numerous 3.6.x winbind problems reported, but do not recall
> seeing this one.
> Does this look like a Samba bug or is it Debian-specific? winbind fixing
> itself after a reboot is particularly puzzling.
> Any and all suggestions appreciated.
>
> Dale
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Back to top
Dale Schroeder
External


Since: May 26, 2006
Posts: 89



PostPosted: Thu Dec 22, 2011 3:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: per prev. post (more info?)

Back to top
David Roid
External


Since: Sep 07, 2010
Posts: 8



PostPosted: Thu Dec 22, 2011 4:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: per prev. post (more info?)

Back to top
Dale Schroeder
External


Since: May 26, 2006
Posts: 89



PostPosted: Thu Dec 22, 2011 5:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: per prev. post (more info?)

Back to top
Dale Schroeder
External


Since: May 26, 2006
Posts: 89



PostPosted: Thu Dec 22, 2011 6:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: per prev. post (more info?)

Back to top
Robert LeBlanc
External


Since: May 21, 2009
Posts: 19



PostPosted: Wed Dec 28, 2011 10:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: per prev. post (more info?)

Back to top
Robert LeBlanc
External


Since: May 21, 2009
Posts: 19



PostPosted: Wed Dec 28, 2011 10:10 pm    Post subject: Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
Archived from groups: per prev. post (more info?)

Back to top
Advertisement
Display posts from previous:   
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> Samba
Page 1 of 1

 
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum