Alexander List
2003-Sep-08 12:52 UTC
[Samba] winbindd instability, inconsistent handling of Domain name
Hello world,

I'm currently experimenting with a new Samba server that is to be integrated in an existing ADS domain.

System is Debian Woody, plus samba 3.0.0beta2+3.0.0rc2-1 and necessary dependencies. Kernel is 2.4.21 + Debian patches + XFS

    ii libc6 2.3.2-5 GNU C Library: Shared libraries and
    Linux bigberta 2.4.21-4-686-xfs #1 Mon Aug 25 15:44:37 CEST 2003 i686

smbd, nmbd and winbindd are working fine, I could join the AD Domain in native mode, created partitions using XFS (with ACL support), and wbinfo -u and wbinfo -g list the domain users and groups correctly.

My first problem:

After a while, wbinfo [-u|-g] returns

    server:/var/log/samba# wbinfo -g
    Error looking up domain groups

After restarting winbindd, it works again for a while. What's the proper way to produce useful debugging information for the developers?

My second problem:

I created a directory /mnt/admin with this ACL:

    # file: .
    # owner: root
    # group: root
    user::rwx
    user:DOMAIN+username:rwx
    group::r-x
    mask::rwx
    other::r-x

When I create the ACL with setfacl -m u:INTERNAL.DOMAIN.COM:username:rwx, only DOMAIN+username (the short NETBIOS name of the domain) is listed in the ACL.

I created the following Samba share:

    [admin]
    browsable = no
    path = /mnt/admin
    public = no
    write list = DOMAIN+username

This won't work. Windows domain user "username" gets "Access denied" when trying to create a file on the share.

However, this works:

    write list = INTERNAL.DOMAIN.COM+username

Is this a bug or a configuration problem on my side?

Another thing I found in the winbindd log file:

    [2003/09/07 16:36:26, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(147)
    user 'MACHINE$' does not exist

MACHINE$ is the Windows client I'm using to access the share.

Thanks for any hints!

Alex

--
"UNLESS someone like you cares a whole awful lot, nothing is going to get better. It's not." --Dr. Seuss, from The Lorax
Gerald (Jerry) Carter
2003-Sep-08 18:31 UTC
[Samba] winbindd instability, inconsistent handling of Domain name
On Mon, 8 Sep 2003, Alexander List wrote:

> After a while, wbinfo [-u|-g] returns
>
> server:/var/log/samba# wbinfo -g
> Error looking up domain groups

Should be fixed in RC3 due out later today/tonight.

> My second problem:
>
> I created a directory /mnt/admin with this ACL:
>
> # file: .
> # owner: root
> # group: root
> user::rwx
> user:DOMAIN+username:rwx
> group::r-x
> mask::rwx
> other::r-x
>
> When I create the ACL with setfacl -m u:INTERNAL.DOMAIN.COM:username:rwx,
> only DOMAIN+username (the short NETBIOS name of the domain) is listed in
> the ACL.

This is because the INTERNAL.DOMAIN.COM:username and DOMAIN+username map to the same SID (assuming that INTERNAL.DOMAIN.COM is the realm and DOMAIN is the short domain name). Therefore winbind always uses the short form of the domain name for specifying users. So the uid -> SID -> name lookup ends up with DOMAIN+username.

> I created the following Samba share:
>
> [admin]
> browsable = no
> path = /mnt/admin
> public = no
> write list = DOMAIN+username
>
> This won't work. Windows domain user "username" gets "Access denied" when
> trying to create a file on the share.

...

> However, this works:
>
> write list = INTERNAL.DOMAIN.COM+username

Can you send me a level 10 debug log? Thanks.

cheers, jerry
Alexander List
2003-Sep-10 19:11 UTC
[Samba] RESOLVED: winbindd instability, inconsistent handling of Domain name
On Mon, 8 Sep 2003, Alexander List wrote:

> After a while, wbinfo [-u|-g] returns
>
> server:/var/log/samba# wbinfo -g
> Error looking up domain groups

winbindd issue solved in 3.0.0rc3.

The problem with smbd persists, will try to debug a little more and post a bug to bugzilla.

Alex

--
"Life is what happens to you while you're busy making other plans." --John Lennon
Gerald (Jerry) Carter
2003-Sep-20 15:37 UTC
[Samba] winbindd instability, inconsistent handling of Domain name
Alexander List wrote:

| Hello world,
|
| I'm currently experimenting with a new Samba server that is to be
| integrated in an existing ADS domain.
|
| System is Debian Woody, plus samba 3.0.0beta2+3.0.0rc2-1 and necessary
| dependencies. Kernel is 2.4.21 + Debian patches + XFS
|
| ii libc6 2.3.2-5 GNU C Library: Shared libraries and
| Linux bigberta 2.4.21-4-686-xfs #1 Mon Aug 25 15:44:37 CEST 2003 i686
|
| smbd, nmbd and winbindd are working fine, I could join the AD Domain in
| native mode, created partitions using XFS (with ACL support), and
| wbinfo -u and wbinfo -g list the domain users and groups correctly.
|
| My first problem:
|
| After a while, wbinfo [-u|-g] returns
|
| server:/var/log/samba# wbinfo -g
| Error looking up domain groups
|
| After restarting winbindd, it works again for a while. What's the proper
| way to produce useful debugging information for the developers?

I think this has already been fixed in our CVS tree. The Debian packaging script should be fine for RC4 so you might just want to build your own package from that tree and see if things work better for you.

| I created a directory /mnt/admin with this ACL:
|
| # file: .
| # owner: root
| # group: root
| user::rwx
| user:DOMAIN+username:rwx
| group::r-x
| mask::rwx
| other::r-x
|
| When I create the ACL with setfacl -m u:INTERNAL.DOMAIN.COM:username:rwx,
| only DOMAIN+username (the short NETBIOS name of the domain) is listed in
| the ACL.

Haven't we already talked about this one? I'm having serious deja vu here. winbindd mostly operates on the short name of the domain.

| [admin]
| browsable = no
| path = /mnt/admin
| public = no
| write list = DOMAIN+username
|
| This won't work. Windows domain user "username" gets "Access denied" when
| trying to create a file on the share.
|
| However, this works:
|
| write list = INTERNAL.DOMAIN.COM+username
|
| Is this a bug or a configuration problem on my side?

Did you define the workgroup and realm in smb.conf?

cheers, jerry

----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)