Hello,

I have Samba 4.6 as an AD domain member and sometimes users fail to log in; the issue disappears after some minutes.
I have enabled log level 10 and I can see the following errors:

2019/03/12 09:20:32.280799, 5, pid=15466, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user BITINTRA\U002489
[2019/03/12 09:20:32.281111, 5, pid=15466, effective(0, 0), real(0, 0)] ../source3/lib/username.c:128(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is BITINTRA\U002489
[2019/03/12 09:20:32.281222, 5, pid=15466, effective(0, 0), real(0, 0)] ../source3/lib/username.c:153(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [BITINTRA\U002489]!
[2019/03/12 09:20:32.282015, 3, pid=15466, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username BITINTRA\U002489 is invalid on this system
[2019/03/12 09:20:32.282043, 3, pid=15466, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2019/03/12 09:20:32.282196, 3, pid=15466, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134

My understanding of the code is that getpwnam fails, which is supposed to query winbindd.
In the log file log.wb-BITINTRA I can see the following error:

[2019/03/12 09:20:24.540456, 10, pid=15439, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1014(cm_prepare_connection)
  cm_prepare_connection: connecting to DC WG101SC0002.BITIntra.de for domain BITINTRA
[2019/03/12 09:21:04.540067, 5, pid=15439, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/opt/samba/var/lock/mutex.tdb): tdb_brlock failed (fd=22) at offset 592 rw_type=2 flags=1 len=1
[2019/03/12 09:21:04.540189, 1, pid=15439, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/opt/samba/var/lock/mutex.tdb): tdb_lock failed on list 106 ltype=2 (Interrupted system call)
[2019/03/12 09:21:04.540219, 0, pid=15439, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
  tdb_chainlock_with_timeout_internal: alarm (40) timed out for key WG101SC0002.BITIntra.de in tdb /opt/samba/var/lock/mutex.tdb
[2019/03/12 09:21:04.540384, 1, pid=15439, effective(0, 0), real(0, 0)] ../source3/lib/server_mutex.c:97(grab_named_mutex)
  Could not get the lock for WG101SC0002.BITIntra.de
[2019/03/12 09:21:04.540508, 0, pid=15439, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
  cm_prepare_connection: mutex grab failed for WG101SC0002.BITIntra.de
[2019/03/12 09:21:04.540667, 1, pid=15439, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1320(cm_prepare_connection)
  Failed to prepare SMB connection to WG101SC0002.BITIntra.de: NT_STATUS_POSSIBLE_DEADLOCK

My understanding is that it was hanging while locking an offset in the file /opt/samba/var/lock/mutex.tdb, so when the timeout elapsed the process was interrupted (I guess the offset was that of the mutex for WG101SC0002.BITIntra.de).
Could it be a corrupted mutex.tdb file? A slow responding DC?
Any other suggestion?

Thanks
Andrea

On Tue, 12 Mar 2019 11:32:46 +0100 Andrea Cucciarre' via samba <samba at lists.samba.org> wrote:
> Could it be a corrupted mutex.tdb file? A slow responding DC?
> Any other suggestion?

Can you please post your smb.conf.
What OS ?
What is your AD DC ?

Rowland

The OS is OmniOS, the DC is Windows Server (not sure about the release), and below is the smb.conf.
I have also noted that they have more trusted domains, but since they configured ad idmap only for one domain, all the other domains use tdb idmap.

[global]
    client ldap sasl wrapping = plain
    dedicated keytab file = /etc/krb5.keytab
    disable spoolss = yes
    host msdfs = no
    idmap config * : backend = tdb
    idmap config * : range = 30000-40000
    idmap config * : schema_mode = rfc2307
    idmap config BITINTRA : backend = ad
    idmap config BITINTRA : range = 10000-3001000
    idmap config BITINTRA : schema_mode = rfc2307
    kerberos method = secrets and keytab
    load printers = no
    local master = no
    log file = /opt/samba/log/%m.log
    log level = 10
    map acl inherit = Yes
    map to guest = bad user
    os level = 3
    preferred master = no
    realm = bitintra.de
    security = ads
    server string = Data %h
    store dos attributes = Yes
    vfs objects = zfsacl
    winbind enum groups = yes
    winbind enum users = yes
    winbind expand groups = 4
    winbind normalize names = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind use default domain = no
    workgroup = BITINTRA

Thanks
Andrea

On 3/12/2019 11:48 AM, Rowland Penny via samba wrote:
> Can you please post your smb.conf.
> What OS ?
> What is your AD DC ?
>
> Rowland

First few I noticed.

> map to guest = bad user
> idmap config * : range = 30000-40000
> idmap config BITINTRA : range = 10000-3001000

* and BITINTRA may not overlap with its ranges.
Map to guest = bad user in a server setup? Remove that.

> realm = bitintra.de

Should be realm = BITINTRA.DE

> winbind enum groups = yes
> winbind enum users = yes

Set to no, these only slow down your server.
And then use: getent passwd username

I suggest you start with these, and you might want to read:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Andrea Cucciarre' via samba
> Sent: Tuesday 12 March 2019 12:01
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] sometimes users fails to login