I have just upgraded two of our samba boxes to 2.2.8 and ended up with partially broken winbind after the upgrade. The machines are slightly different, and so are the symptoms, so here goes:

System 1: Was at 2.2.3 compiled from source Feb4/02, using options: "./configure --with-winbind --with-acl-support --with-quotas". Running on RedHat 7.2, installed from SGI's XFS installer to enable ACLs and quotas with samba on XFS filesystems. System running fine in production for ~500 NT domain users for the past 8 months. All users are on NT domain, using winbind from user lookups.

After upgrade to 2.2.8, I see the following:

getent passwd shows only local users, no domain users
wbinfo -u and -g report domain users & groups normally
users connecting to smb shares appear as "root" in smbstatus (!)
a nobody share appears browsing the system from an NT box.

As this is a production system, I've had to revert to 2.2.3 so further testing may be difficult at this time.

System #2 is a fresh install of RedHat 8 using the SGI XFS installer v1.2, and had the stock samba 2.2.5 rpm installed, over which I compiled and installed 2.2.8. Config is essentially the same as system #1 otherwise. (smb.conf shown at end of message)

This time, wbinfo -t, -u, -g all work as expected.
getent passwd shows local users, then a list of domain user IDs in the format: (where 106xx is the id)

::0:10646:'::
::0:10647:'::
::0:10648:'::

getent group shows a corrupted group listing as follows, "webalizer" is the last entry in /etc/group, and the correct domain name is "SHAWNIGAN" - notice it is mangled in various places:

webalizer:x:67:
hHAWNIGAN+AP French:aminx:1280532334:??
::1852728681:WNIGAN+abehennah,SHAWNIGAN+adeane,SHAWNIGAN+
dew,SHAWNIGAN+gperry,SH
AWNIGAN+jrc,SHAWNIGAN+rfilgate,SHAWNIGAN+jcs

===========
Here is what the above should look like (and does on the other box running 2.2.3):

SHAWNIGAN+AP French:x:10023:
SHAWNIGAN+Dept-
English:x:10024:SHAWNIGAN+abehennah,SHAWNIGAN+adeane,SHAWN
IGAN+dew,SH
AWNIGAN+gperry,SHAWNIGAN+jrc,SHAWNIGAN+rfilgate,SHAWNIGAN+j
cs

Any ideas? Below is a copy of the smb.conf, essentially the same on both boxes:

smb.conf:
======
[global]
   winbind separator = +
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/student/%U
   template shell = /bin/false
   create mask = 0700
   directory mask = 0700
   #force group = 10000
   inherit permissions = yes
   domain admin group = @root
   workgroup = SHAWNIGAN
   server string = Student Home Server
   hosts allow = 10. 139.142.66. 127.
   security = domain
   password server =admin2
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   write raw = yes
   read raw = yes
   oplocks = yes
   max xmit = 65535
   dead time = 15
   getwd cache = yes
   dns proxy = no
   unix password sync = no
   encrypt passwords = yes
   map to guest = never
   password level = 0
   null passwords = no
   allow hosts = 139.142.66. 10.
   # deny hosts
   os level = 0
   preferred master = no
   domain master = no
   wins support = no
   wins server = 139.142.66.2
   dead time = 0
   debug level = 0
   log level = 1

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   available = yes
   public = no
   # only user = yes
   nt acl support = no
   force group = 10000
   # force security mode = 0777
   # path=/home/student/%U

[home]
   comment = Student Homes
   browseable = yes
   writable = yes
   available = yes
   public = no
   only user = no
   path=/home

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, Systems Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca

Ok, stupid me. Somehow I missed updating /lib/libnss_winbind.so on both these machines. Presumably this would have also caused corruption of the winbind idmap?

Since winbind is now installed with a "make install", would it not be a good idea to also install libnss_winbind.so? Or at least provide some version checking in winbind so that it will fail to start and report an error if it encounters the wrong version of libnss_winbind.so?

It seems that the idmap file is a very weak link in samba right now, so every effort should be made to prevent corruption during upgrades, etc. In our case, I was able to re-apply acls for 400 users, but quota information for a large shared file volume was lost, as I could not re-map the ids, and had to reset file ownerships to avoid users having incorrect quota assignments.

On 25 Mar 2003 at 10:32, samba@lists.samba.org wrote:

> I have just upgraded two of our samba boxes to 2.2.8 and ended up with
> partially broken winbind after the upgrade. The machines are slightly
> different, and so are the symptoms, so here goes:
>
> System 1: Was at 2.2.3 compiled from source Feb4/02, using options:
> "./configure --with-winbind --with-acl-support --with-quotas". Running on
> RedHat 7.2, installed from SGI's XFS installer to enable ACLs and quotas
> with samba on XFS filesystems. System running fine in production for ~500
> NT domain users for the past 8 months. All users are on NT domain, using
> winbind from user lookups.
> After upgrade to 2.2.8, I see the following:
>
> getent passwd shows only local users, no domain users
> wbinfo -u and -g report domain users & groups normally
> users connecting to smb shares appear as "root" in smbstatus (!)
> a nobody share appears browsing the system from an NT box.
> As this is a production system, I've had to revert to 2.2.3 so further testing
> may be difficult at this time.
>
> System #2 is a fresh install of RedHat 8 using the SGI XFS installer v1.2,
> and had the stock samba 2.2.5 rpm installed, over which I compiled and
> installed 2.2.8. Config is essentially the same as system #1 otherwise.
> (smb.conf shown at end of message)
>
> This time, wbinfo -t, -u, -g all work as expected.
> getent passwd shows local users, then a list of domain user IDs in the
> format: (where 106xx is the id)
>
> ::0:10646:'::
> ::0:10647:'::
> ::0:10648:'::
>
> getent group shows a corrupted group listing as follows, "webalizer" is the
> last entry in /etc/group, and the correct domain name is "SHAWNIGAN -
> notice it is mangled in various places:
>
> webalizer:x:67:
> hHAWNIGAN+AP French:aminx:1280532334:??
> ::1852728681:WNIGAN+abehennah,SHAWNIGAN+adeane,SHAWNIGAN+
> dew,SHAWNIGAN+gperry,SH
> AWNIGAN+jrc,SHAWNIGAN+rfilgate,SHAWNIGAN+jcs
>
> ===========
> Here is what the above should look like (and does on the other box running
> 2.2.3):
>
> SHAWNIGAN+AP French:x:10023:
> SHAWNIGAN+Dept-
> English:x:10024:SHAWNIGAN+abehennah,SHAWNIGAN+adeane,SHAWN
> IGAN+dew,SH
> AWNIGAN+gperry,SHAWNIGAN+jrc,SHAWNIGAN+rfilgate,SHAWNIGAN+j
> cs
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, Systems Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
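
An added example, not part of the original thread and not Samba's own code: a post-upgrade check that compares the installed libnss_winbind.so against the freshly built one and flags malformed getent entries like those quoted above, before any ACL or quota work trusts the IDs. The function names are hypothetical, the build-tree path in the usage comment is an assumption, and the separator and ID range are taken from the posted smb.conf.

```shell
#!/bin/sh
# Post-upgrade checks for winbind's NSS module and the entries it returns.

# nss_module_stale BUILT INSTALLED
# Exit 0 if INSTALLED is missing or differs from BUILT, 1 if identical,
# 2 if BUILT itself cannot be found.
nss_module_stale() {
    [ -f "$1" ] || { echo "built module not found: $1" >&2; return 2; }
    [ -f "$2" ] || return 0
    if cmp -s "$1" "$2"; then return 1; fi
    return 0
}

# bad_nss_entries KIND SEP LOW HIGH   (getent output on stdin)
# KIND is passwd or group; field 3 holds the uid or gid in both formats.
# Prints each malformed entry with a reason; exits 1 if any were found.
bad_nss_entries() {
    awk -F: -v kind="$1" -v sep="$2" -v lo="$3" -v hi="$4" '
    BEGIN { want = (kind == "passwd") ? 7 : 4 }
    {
        why = ""; domain = (index($1, sep) > 0)
        if (NF != want)             why = "expected " want " fields, got " NF
        else if ($1 == "")          why = "empty name"
        else if ($3 !~ /^[0-9]+$/)  why = "non-numeric id"
        else if (domain && ($3 + 0 < lo || $3 + 0 > hi))
            why = "domain id outside winbind range"
        if (why != "") { print why ": " $0; bad++ }
    }
    END { exit (bad > 0) }'
}

# Constructed sample: group lines taken from the post, with the mail
# line-wrapping removed and the member list shortened.
sample_getent_group() {
    cat <<'EOF'
webalizer:x:67:
hHAWNIGAN+AP French:aminx:1280532334:??
::1852728681:WNIGAN+abehennah,SHAWNIGAN+adeane
SHAWNIGAN+AP French:x:10023:
EOF
}

# Usage on a live box (the build-tree path is an assumption; adjust it):
#   nss_module_stale source/nsswitch/libnss_winbind.so /lib/libnss_winbind.so \
#       && echo "installed NSS module does not match this build"
#   getent group | bad_nss_entries group + 10000 20000
```

Running both checks before restarting smbd, with winbindd's ID mapping file backed up first, catches the mismatch while the old mappings can still be restored.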