Anthony Boccia
2012-Jun-20 18:19 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
Hello All,

I am currently having an issue with my Samba PDC. I have recently updated to 3.6.5 Samba, and have made what I believe to be the correct changes in my config to account for the changes to the idmap system.

My setup is as follows: Samba PDC on RHEL 6.2, which authenticates passwords through Kerberos and deals with user profiles via LDAP. I had about 25 Windows clients which were able to connect, receive their profiles and have full access to their personal and group shares.

Recently I have had complaints that no users are able to access their group shares. Upon troubleshooting I noticed the winbind daemon had failed. It will not restart, and I do not see any configuration issues that would be causing problems. I had thoroughly tested for about a month in a lab environment, and this issue never arose.

I began using winbind to allow for direct accessing of posix account values in LDAP from Samba, without the need for the smbldap-tools scripts. I am able to join machines to the domain, add users, remove users and machines etc. I am not sure what could be causing the issue which does not allow users to access group shares, but even more importantly I cannot figure out what is wrong with winbind.

Attached to this email I have the winbind stack trace, the winbind daemon stdout which is shown on the terminal, and my Samba config. I feel it is also important to note that this PDC replaces a much older 3.5.3 PDC, which utilized the 3rd party smbldap-tools scripts and did not need winbind. This is new territory for me. I am sure there is something that I am missing, though I am not sure what.

If anyone could please take a look and if possible shed a bit of light on what it might be, I would greatly appreciate it. If any more information is needed, please let me know and I shall provide it.
Thank You

--
Anthony Boccia
Afilias Canada Corp
Systems Administrator
Production Control - Infrastructure

-------------- next part --------------
==============================================================
INTERNAL ERROR: Signal 11 in pid 1493 (3.6.5-1.el6)
Please read the Trouble-Shooting section of the Samba3-HOWTO

From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
==============================================================
PANIC (pid 1493): internal error
BACKTRACE: 13 stack frames:
#0 winbindd(log_stack_trace+0x1a) [0x7f6fc31b120a]
#1 winbindd(smb_panic+0x2b) [0x7f6fc31b12db]
#2 winbindd(+0x1940a4) [0x7f6fc31a20a4]
#3 /lib64/libc.so.6(+0x31fbc32900) [0x7f6fc0402900]
#4 winbindd(dom_sid_compare+0x28) [0x7f6fc31dd7c8]
#5 winbindd(add_sid_to_array_unique+0x43) [0x7f6fc31df7a3]
#6 winbindd(create_token_from_username+0x563) [0x7f6fc3134a83]
#7 winbindd(create_local_token+0x55) [0x7f6fc3132285]
#8 winbindd(make_serverinfo_from_username+0x80) [0x7f6fc3132700]
#9 winbindd(init_system_info+0x5e) [0x7f6fc31330de]
#10 winbindd(main+0x5ab) [0x7f6fc30dd48b]
#11 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f6fc03eecdd]
#12 winbindd(+0xccf19) [0x7f6fc30daf19]
dumping core in /var/log/samba/cores/winbindd
Aborted (core dumped)

-------------- next part --------------
pm_process() returned Yes
adding IPC service
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::250:56ff:fe9a:d14%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.10.32.88 bcast=10.10.39.255 netmask=255.255.248.0
Netbios name list:-
my_netbios_names[0]="SAMBA"
added interface eth0 ip=fe80::250:56ff:fe9a:d14%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.10.32.88 bcast=10.10.39.255 netmask=255.255.248.0
TimeInit: Serverzone is 0
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Overriding messaging pointer for type 1 - private_data=(nil)
Added domain BUILTIN S-1-5-32
Added domain domain S-1-5-21-408791004-3275982270-559079837
Finding user sambaadmin
Trying _Get_Pwnam(), username as lowercase is sambaadmin
Get_Pwnam_internals did find user [sambaadmin]!
Finding user sambaadmin
Trying _Get_Pwnam(), username as lowercase is sambaadmin
Get_Pwnam_internals did find user [sambaadmin]!
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
gid_to_sid: winbind failed to find a sid for gid 0
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to find a passdb backend to match ldapsam:"ldap://kerberos-ldap-server ldap://ldapserver1 ldap://ldapserver2 " (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=domain))]
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(objectClass=sambaDomain)(sambaDomainName=domain))], scope => [2]
Substituting charset 'UTF-8' for LOCALE
The connection to the LDAP server was closed
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
pdb backend ldapsam:"ldap://kerberos-ldap-server ldap://ldapserver1 ldap://ldapserver2 " has a valid init
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(gidNumber=0)(objectClass=sambaGroupMapping))], scope => [2]
ERROR: Got 0 entries for gid 0, expected one
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(gidNumber=0)(objectClass=sambaGroupMapping))], scope => [2]
ERROR: Got 0 entries for gid 0, expected one
Forcing Primary Group to 'Domain Users' for sambaadmin
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(objectClass=posixGroup)(|(memberUid=sambaadmin)(gidNumber=0)))], scope => [2]
primary group of [sambaadmin] not found
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(uid=sambaadmin)(objectclass=sambaSamAccount))], scope => [2]
init_sam_from_ldap: Entry found for user: sambaadmin
smbldap_search_ext: base => [sambaDomainName=domain,dc=domain,dc=info], filter => [(objectClass=sambaDomain)], scope => [0]
gid_to_sid: winbind failed to find a sid for gid 0
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(gidNumber=0)(objectClass=sambaGroupMapping))], scope => [2]
ERROR: Got 0 entries for gid 0, expected one
gid_to_sid: winbind failed to find a sid for gid 0
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(gidNumber=0)(objectClass=sambaGroupMapping))], scope => [2]
ERROR: Got 0 entries for gid 0, expected one
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(gidNumber=0)(objectClass=sambaGroupMapping))], scope => [2]
ERROR: Got 0 entries for gid 0, expected one
Forcing Primary Group to 'Domain Users' for sambaadmin
Opening cache file at /var/lib/samba/login_cache.tdb
smbldap_search_ext: base => [sambaDomainName=domain,dc=domain,dc=info], filter => [(objectClass=sambaDomain)], scope => [0]
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(sambaSID=S-1-5-21-408791004-3275982270-559079837-500)(objectclass=sambaSamAccount))], scope => [2]
init_sam_from_ldap: Entry found for user: sambaadmin
gid_to_sid: winbind failed to find a sid for gid 0
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(gidNumber=0)(objectClass=sambaGroupMapping))], scope => [2]
ERROR: Got 0 entries for gid 0, expected one
gid_to_sid: winbind failed to find a sid for gid 0
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(gidNumber=0)(objectClass=sambaGroupMapping))], scope => [2]
ERROR: Got 0 entries for gid 0, expected one
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(gidNumber=0)(objectClass=sambaGroupMapping))], scope => [2]
ERROR: Got 0 entries for gid 0, expected one
Forcing Primary Group to 'Domain Users' for sambaadmin
smbldap_search_ext: base => [dc=domain,dc=info], filter => [(&(objectClass=posixGroup)(|(memberUid=sambaadmin)(gidNumber=0)))], scope => [2]
primary group of [sambaadmin] not found
===============================================================
Volker Lendecke
2012-Jun-21 10:30 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
On Wed, Jun 20, 2012 at 02:19:46PM -0400, Anthony Boccia wrote:
> ==============================================================
> INTERNAL ERROR: Signal 11 in pid 1493 (3.6.5-1.el6)
> Please read the Trouble-Shooting section of the Samba3-HOWTO
>
> From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> ==============================================================
> PANIC (pid 1493): internal error
> BACKTRACE: 13 stack frames:
> #0 winbindd(log_stack_trace+0x1a) [0x7f6fc31b120a]
> #1 winbindd(smb_panic+0x2b) [0x7f6fc31b12db]
> #2 winbindd(+0x1940a4) [0x7f6fc31a20a4]
> #3 /lib64/libc.so.6(+0x31fbc32900) [0x7f6fc0402900]
> #4 winbindd(dom_sid_compare+0x28) [0x7f6fc31dd7c8]

This very much looks like
https://bugzilla.samba.org/show_bug.cgi?id=8567. The patch that fixes the crash will be included in 3.6.6, due Monday, June 25.

3.6.6 will however still require you to add an entry to your LDAP tree, please read the bug report for details.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Anthony Boccia
2012-Jun-21 14:31 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
Ah, that is great news. As for the entry, are you referring to sambaGroupMapping to the posix group?

Thank You

On Thu, Jun 21, 2012 at 6:30 AM, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
> On Wed, Jun 20, 2012 at 02:19:46PM -0400, Anthony Boccia wrote:
> > ==============================================================
> > INTERNAL ERROR: Signal 11 in pid 1493 (3.6.5-1.el6)
> > Please read the Trouble-Shooting section of the Samba3-HOWTO
> >
> > From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> > ==============================================================
> > PANIC (pid 1493): internal error
> > BACKTRACE: 13 stack frames:
> > #0 winbindd(log_stack_trace+0x1a) [0x7f6fc31b120a]
> > #1 winbindd(smb_panic+0x2b) [0x7f6fc31b12db]
> > #2 winbindd(+0x1940a4) [0x7f6fc31a20a4]
> > #3 /lib64/libc.so.6(+0x31fbc32900) [0x7f6fc0402900]
> > #4 winbindd(dom_sid_compare+0x28) [0x7f6fc31dd7c8]
>
> This very much looks like
> https://bugzilla.samba.org/show_bug.cgi?id=8567. The patch
> that fixes the crash will be included in 3.6.6, due Monday,
> June 25.
>
> 3.6.6 will however still require you to add an entry to your
> LDAP tree, please read the bug report for details.
>
> With best regards,
>
> Volker Lendecke
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>

--
Anthony Boccia
Afilias Canada Corp
Systems Administrator
Production Control - Infrastructure
Volker Lendecke
2012-Jun-21 15:00 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
On Thu, Jun 21, 2012 at 10:31:43AM -0400, Anthony Boccia wrote:
> Ah, that is great news. As for the entry, are you referring to
> sambaGroupMapping to the posix group?

Yes.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Anthony Boccia
2012-Jun-21 15:07 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
So in this case, I would apply it to my domain admin group, and change the gid to 0? Or is there a separate group I should be looking at?
Volker Lendecke
2012-Jun-21 15:09 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
On Thu, Jun 21, 2012 at 11:07:12AM -0400, Anthony Boccia wrote:
> So in this case, I would apply it to my domain admin group, and change the
> gid to 0? Or is there a separate group I should be looking at?

What you need is a sambaGroupMappingEntry for the primary group of root, which presumably is 0. What you call it does not really matter, but changing the mapping for domain admins sounds reasonable to me without having taken a close enough look to be sure.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
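An added example, not part of the original thread: a small Python check that scans winbindd debug output like the log posted above for the symptoms discussed here (gids with no sambaGroupMapping entry, users whose primary group is not found, and the faulting stack frame) and emits the same LDAP filter Samba logged, so the missing entry can be confirmed with ldapsearch. The sample log is constructed from lines in this thread; the function and key names are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the winbindd output quoted in this thread.
SAMPLE_LOG = """\
gid_to_sid: winbind failed to find a sid for gid 0
ERROR: Got 0 entries for gid 0, expected one
ERROR: Got 0 entries for gid 0, expected one
Forcing Primary Group to 'Domain Users' for sambaadmin
primary group of [sambaadmin] not found
INTERNAL ERROR: Signal 11 in pid 1493 (3.6.5-1.el6)
#0 winbindd(log_stack_trace+0x1a) [0x7f6fc31b120a]
#1 winbindd(smb_panic+0x2b) [0x7f6fc31b12db]
#2 winbindd(+0x1940a4) [0x7f6fc31a20a4]
#4 winbindd(dom_sid_compare+0x28) [0x7f6fc31dd7c8]
"""

NO_MAPPING = re.compile(r"ERROR: Got 0 entries for gid (\d+), expected one")
NO_PRIMARY = re.compile(r"primary group of \[([^\]]+)\] not found")
CRASH = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+)")
FRAME = re.compile(r"#\d+ [^\s(]+\((\w+)\+0x[0-9a-f]+\)")
PANIC_HELPERS = {"log_stack_trace", "smb_panic"}  # reporting frames, not the fault


def analyze(log_text):
    """Summarise missing group mappings and any crash in winbindd debug output."""
    gids = Counter(int(g) for g in NO_MAPPING.findall(log_text))
    users = sorted(set(NO_PRIMARY.findall(log_text)))
    crash = CRASH.search(log_text)
    frames = [f for f in FRAME.findall(log_text) if f not in PANIC_HELPERS]
    return {
        "unmapped_gids": dict(gids),
        "users_without_primary_group": users,
        "signal": int(crash.group(1)) if crash else None,
        "faulting_symbol": frames[0] if crash and frames else None,
        # Same filter Samba logs via smbldap_search_ext; run it with ldapsearch
        # to confirm whether a sambaGroupMapping entry exists for each gid.
        "ldap_filters": [
            f"(&(gidNumber={g})(objectClass=sambaGroupMapping))" for g in sorted(gids)
        ],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
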
Anthony Boccia
2012-Jun-21 15:12 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
Ah, thank you very much for clearing that up. I appreciate the help.
Anthony Boccia
2012-Jun-21 15:37 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
As per the second issue I am having, has there been a change to the syntax for group shares? None of my users can access shares that are to groups they belong to. I believe I attached my config in the original message. Does it look okay? Or is there a change I need to make to my shares in my configuration?

Thank You
Anthony Boccia
2012-Jun-29 20:58 UTC
[Samba] Winbind Daemon fails to start, group shares no longer functioning
On Thu, Jun 21, 2012 at 11:37 AM, Anthony Boccia <aboccia at afilias.info> wrote:
> As per the second issue I am having, has there been a change to the syntax
> for group shares? None of my users can access shares that are to groups
> they belong to. I believe I attached my config in the original message.
> Does it look okay? Or is there a change I need to make to my shares in my
> configuration?
>
> Thank You
>

Hello Again,

To follow up on this issue, I am still having a problem accessing group shares. It seems as though users are able to gain access to shares to which their unix user has access but not to shares to which their unix group has access.

If anyone has any thoughts on this, I would appreciate them.

Thank You