Dale Schroeder
2011-Dec-21 19:50 UTC
[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
Originally filed by Robert LeBlanc as Debian Bug # 652679 -
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>

<Quote>

Package: winbind
Version: 2:3.6.1-3
Severity: important

Dear Maintainer,

After upgrading to 3.6.1 I am no longer able to login to Debian using my Active Directory account. 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but 'winbind -i user' returns 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user user'. Changing the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306 (fork_domain_child) fork_domain_child called without domain.'. The previous wbint_Sid2Uid struct printout shows that dom_name is NULL, but has the correct domain SID. I believe the problem may exist around there. I did upgrade the 'idmap backend = hash' to the new format 'idmap config * : backend = hash' as specified in the man page without any luck. Name to SID and SID to name works along with user-domgroups, but user-groups does not work. 'wbinfo --group-info=group' fails with a similar error as 'wbinfo -i user'. I'm going to try to get back to 3.5.11.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages winbind depends on:
ii adduser 3.113
ii libc6 2.13-21
ii libcap2 1:2.22-1
ii libcomerr2 1.42-1
ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
ii libk5crypto3 1.10+dfsg~alpha1-6
ii libkrb5-3 1.10+dfsg~alpha1-6
ii libldap-2.4-2 2.4.25-4+b1
ii libpam0g 1.1.3-6
ii libpopt0 1.16-1
ii libtalloc2 2.0.7-3
ii libtdb1 1.2.9-4+b1
ii libwbclient0 2:3.6.1-3
ii lsb-base 3.2-28
ii samba-common 2:3.6.1-3
ii zlib1g 1:1.2.3.4.dfsg-3

Versions of packages winbind recommends:
ii libpam-winbind 2:3.6.1-3

winbind suggests no packages.

-- no debconf information

</Quote>

I also have this error, and reported as follows:

Robert,

Same problem here, and I have not seen anyone mention this on the Samba list. Systems are fully updated and testparm does not return any errors. idmap backend is rid notated in the new format. All deprecated parameters have been removed.

On my systems, I have found that full functionality returns after a reboot; however, if samba/winbind processes are restarted for any reason, AD authentication again no longer works. As with you, wbinfo -u/-g continues to work, as does getent passwd. getent group only returns linux groups. Another reboot will return winbind once again to full functionality.

Even at log level 10, error messages have been hard to find among the many winbind logs. At the time of failure, the one I consistently find is in syslog:
winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.

--------------------------------------------------------------

This morning, I recreated the error by restarting Samba/winbind at 07:47.
The only suspicious level 10 log entries found from that timeframe are:

<syslog>
Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed with: Time limit exceeded

<smbd>
[2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
[2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
  Could not remove pid 3491 from serverid.tdb
[2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
  Could not find child 3491 -- ignoring

[2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
  Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
[2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
  Could not remove pid 3499 from serverid.tdb
[2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
  Could not find child 3499 -- ignoring

"net ads testjoin" indicates that the join is good.

[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = %h server
security = ADS
map untrusted to domain = Yes
allow trusted domains = No
map to guest = Bad User
obey pam restrictions = Yes
password server = *
passdb backend = tdbsam
username map = /etc/samba/users.map
lanman auth = No
log level = 10
log file =/var/log/samba/%m
name resolve order = wins hosts bcast
deadtime = 15
printcap name = cups
preferred master = No
wins server = 192.168.1.xyz
panic action = /usr/share/samba/panic-action %d
ldap ssl = No
#
idmap config * : backend = tdb
idmap config * : range = 1000000 - 20000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 99999
template homedir =/home/domain/%U
template shell = /bin/bash
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = Yes
#
printing = cups
print command
lpq command = %p
lprm command
veto oplock files = /*.doc/*.xls/*.mdb/
map archive = No
map readonly = no
store dos attributes = Yes
ea support = Yes
admin users = root, "@domain admins"

I have seen numerous 3.6.x winbind problems reported, but do not recall seeing this one.
Does this look like a Samba bug or is it Debian-specific? winbind fixing itself after a reboot is particularly puzzling.
Any and all suggestions appreciated.

Dale
David Roid
2011-Dec-22 00:33 UTC
[Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
Been there, you can try to add either "idmap config DOMAIN : default yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap gid = ..." to replace "idmap config * : ...", I don't know which one actually fixed it.
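
Added example, not part of either message in this thread: a small Python audit of the idmap lines in an smb.conf, useful when moving between the old "idmap backend / idmap uid / idmap gid" style and the "idmap config DOMAIN : ..." style discussed above. The function names and the four checks (mixed styles, missing "*" default, missing backend or range, overlapping ranges) are assumptions chosen for illustration; they are general consistency checks, not a diagnosis of the failure reported here, and the sample text is constructed from the idmap lines of the posted configuration.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines of the smb.conf posted in the thread.
SAMPLE_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 1000000 - 20000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 99999
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\S[^=]*?)\s*=\s*(.*)$", re.I)
LEGACY = ("idmap backend", "idmap uid", "idmap gid")

def parse_idmap(conf_text):
    """Return ({domain: {option: value}}, [legacy parameter names found])."""
    domains, legacy = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        key = " ".join(line.split("=", 1)[0].lower().split())
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3).strip()
        elif key in LEGACY:
            legacy.append(key)
    return domains, legacy

def audit(conf_text):
    """Return a list of findings; an empty list means no inconsistency was found."""
    domains, legacy = parse_idmap(conf_text)
    findings, ranges = [], {}
    if legacy and domains:
        findings.append("mixes legacy %s with 'idmap config' lines" % sorted(set(legacy)))
    if domains and "*" not in domains:
        findings.append("no default 'idmap config * :' section")
    for dom, opts in domains.items():
        if "backend" not in opts:
            findings.append("%s: no backend set" % dom)
        m = re.match(r"^(\d+)\s*-\s*(\d+)$", opts.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append("%s: missing or malformed range" % dom)
        else:
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
    # Two ID ranges overlap when each one starts before the other ends.
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append("ranges of %s and %s overlap" % (a, b))
    return findings
```

Calling audit() on the text of a real smb.conf returns the same kind of list; the sample above produces no findings.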