samba - Aug 2005 - wbinfo can not convert User names and Group name to S ID

Yep. We are dealing with once perfectly fine working 3.0.9 servers to
erratic and weird behaved ones. We believe this is due to changes made my MS
in http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx but thus
far have not been able to confirm.

Commands like: 	net rpc join -S PDC -U <Admin> 

now return "no suitable server found" even though that is the same
command
used when we setup the darn thing and it worked then.

Bottom line is our samba member machines didn't change but "security
updates" to our PDC, master browser, etc. were done last week and that is
when the problems started.

Use of wbinfo is very erratic, most of the time the users and groups list
won't pull down. The -m option doesn't report the primary domain we
belong
to, etc. After a service restart or a machine reboot nobody can access the
shares then after some magical period of time (an hour) you check and then
you can access them but sometimes you can't. Usually I restart winbind and
wait then I can sometimes get into the shares after the second attempt.

-----Original Message-----
From: Todor Genov [mailto:tgenov@gmail.com]
Sent: Wednesday, August 24, 2005 11:21 AM
To: samba@lists.samba.org
Subject: [Samba] wbinfo can not convert User names and Group name to SID


Hi there,

 I've been fighting with winbind for over 4 hours now and read every
related article I found on google to no avail. A server of mine
rebooted due to power outage today and a perfectly running winbind +
AD setup, wbinfo can now no longer convert user names or group names
to SID or vica versa. The weird part is that the built-in groups work
just fine.

[root@ncmfw samba]# wbinfo -n "BUILTIN/System Operators"
S-1-5-32-549 Well-known Group (5)

[root@ncmfw samba]# wbinfo -n Engineers
Could not lookup name Engineers

[root@ncmfw samba]# getent group |grep Engineers
Engineers:x:10018:

[root@ncmfw samba]# wbinfo -G 10018
S-1-5-21-3139104342-3182081393-1008461833-2114

[root@ncmfw samba]# wbinfo -s S-1-5-21-3139104342-3182081393-1008461833-2114
Could not lookup sid S-1-5-21-3139104342-3182081393-1008461833-2114


 After I upgraded samba to 3.0.10 everything seemed to work for a
while, however after I restarted winbind - the problems started again.
 Now user-to-SID and vica versa works fine, but group-to-SID still
does not.

 Has anybody experience a similar problem ?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Wilson wrote:
> Yep. We are dealing with once perfectly fine working 3.0.9 
> servers to erratic and weird behaved ones. We believe this
> is due to changes made my MS
> in http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx 
> but thus far have not been able to confirm.
> 
> Commands like: 	net rpc join -S PDC -U <Admin> 
> 
> now return "no suitable server found" even though that is 
> the same command used when we setup the darn thing and it
> worked then.
You you test 3.0.20 just for kicks?  There have been several
hotfix compatibility issues we've had to work around already.
I'm downloading these hotfixes now and will try to test
things out tomorrow.






cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDDcgsIR7qMdg1EfYRAl+zAKCPdJtnDatrtIszgohDy32nqeOdBACgqtBH
JhJlb3WftN5VuFYMlDNKv6g=MmXy
-----END PGP SIGNATURE-----

Nah, we haven't updated our samba installations because they are production
servers and we have no confirmation that the latest and greatest will fix
the problem. 

In a nutshell we get the following:

a power down or service restart doesn't automatically reacquire the domain
membership.

you cannot use the join syntax using PDC I outlined before, you must specify
the DC to use.

wbinfo -u & -g will immediately following joining the domain.

getent passwd & group usually works if the above does but I have a working
server with lists that were updated when the getent commands didn't pull the
lists properly...go figure?

wbinfo -m doesn't report the primary domain even though you just joined it.

wbinfo -t fails intermittently.

initially you can't access the shares then sometimes (after a 1/2 hour or
so) you can but not always.



-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Thursday, August 25, 2005 8:31 AM
To: Kevin Wilson
Cc: samba@lists.samba.org
Subject: Re: [Samba] wbinfo can not convert User names and Group name to
S ID


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Wilson wrote:
> Yep. We are dealing with once perfectly fine working 3.0.9 
> servers to erratic and weird behaved ones. We believe this
> is due to changes made my MS
> in http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx 
> but thus far have not been able to confirm.
> 
> Commands like: 	net rpc join -S PDC -U <Admin> 
> 
> now return "no suitable server found" even though that is 
> the same command used when we setup the darn thing and it
> worked then.
You you test 3.0.20 just for kicks?  There have been several
hotfix compatibility issues we've had to work around already.
I'm downloading these hotfixes now and will try to test
things out tomorrow.






cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDDcgsIR7qMdg1EfYRAl+zAKCPdJtnDatrtIszgohDy32nqeOdBACgqtBH
JhJlb3WftN5VuFYMlDNKv6g=MmXy
-----END PGP SIGNATURE-----