We're also seeing similar symptoms with our Squid proxy's winbindd as
well.
After an indeterminate amount of time (sometimes an hour, sometimes a day) the
winbind process will lose the ability to resolve UID/GIDs to SIDS and
authentication to the proxy will fail:
[2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
If we try doing a winbind -p we get a successful return; however, trying to look up
a SID from UID/GID fails.
We're on Debian 6.0.4 and Samba 2.3.5.6.
Has anyone else seen this issue? Any possible workarounds or patches?
Here's the debugging output for a particular user:
[2012/04/27 11:04:52.217018, 3] smbd/process.c:1294(switch_message)
switch message SMBtconX (pid 15651) conn 0x0
[2012/04/27 11:04:52.217041, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/04/27 11:04:52.217062, 5] auth/token_util.c:525(debug_nt_user_token)
NT user token: (NULL)
[2012/04/27 11:04:52.217085, 5] auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2012/04/27 11:04:52.217132, 5] smbd/uid.c:369(change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/04/27 11:04:52.217169, 4] smbd/reply.c:786(reply_tcon_and_X)
Client requested device type [?????] for share [FTP]
[2012/04/27 11:04:52.217209, 5] smbd/service.c:1227(make_connection)
making a connection to 'normal' service ftp
[2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
[2012/04/27 11:04:52.217268, 5] smbd/password.c:423(user_in_netgroup)
Unable to get default yp domain, let's try without specifying it
[2012/04/27 11:04:52.217289, 5] smbd/password.c:430(user_in_netgroup)
looking for user CBJ_NT+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain
users
[2012/04/27 11:04:52.217316, 5] smbd/password.c:453(user_in_netgroup)
looking for user cbj_nt+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain
users
[2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
lookup_name: CBJ_NT\domain users => CBJ_NT (domain), domain users (name)
[2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
lookup_name: flags = 0x077
[2012/04/27 11:04:52.217841, 10]
passdb/util_wellknown.c:152(lookup_wellknown_name)
map_name_to_wellknown_sid: looking up domain users
[2012/04/27 11:04:52.217890, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/04/27 11:04:52.217921, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/04/27 11:04:52.217945, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/04/27 11:04:52.217966, 5] auth/token_util.c:525(debug_nt_user_token)
NT user token: (NULL)
[2012/04/27 11:04:52.217987, 5] auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2012/04/27 11:04:52.218079, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/04/27 11:04:52.219317, 5] smbd/share_access.c:117(token_contains_name)
lookup_name CBJ_NT+domain users failed
[2012/04/27 11:04:52.219365, 10] smbd/share_access.c:216(user_ok_token)
User CBJ_NT+kevin_miller not in 'valid users'
[2012/04/27 11:04:52.219394, 2]
smbd/service.c:598(create_connection_server_info)
user 'CBJ_NT+kevin_miller' (from session setup) not permitted to
access this share (ftp)
[2012/04/27 11:04:52.219420, 1] smbd/service.c:678(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/04/27 11:04:52.219452, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
Here's the debugging output from the winbindd-idmap.old log:
[2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid)
idmap_gid_to_sid: gid = [1004], domain = ''
[2012/04/27 10:58:37.616243, 10] lib/gencache.c:334(gencache_get_data_blob)
Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
[2012/04/27 10:58:37.616265, 10]
winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
[2012/04/27 10:58:37.616331, 10] winbindd/idmap.c:475(idmap_find_domain)
idmap_find_domain called for domain ''
[2012/04/27 10:58:37.616352, 5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
Requested id (1004) out of range (10000 - 79999). Filtered!
[2012/04/27 10:58:37.616380, 10] lib/gencache.c:180(gencache_set_data_blob)
Adding cache entry with key = IDMAP/UID2SID/1004 and timeout = Fri Apr 27
11:00:37 2012
(120 seconds ahead)
[2012/04/27 10:58:37.616436, 10] winbindd/idmap_util.c:151(idmap_gid_to_sid)
gid [1004] not mapped
[2012/04/27 10:58:37.616456, 1]
../librpc/ndr/ndr.c:251(ndr_print_function_debug)
wbint_Gid2Sid: struct wbint_Gid2Sid
out: struct wbint_Gid2Sid
sid : *
sid : S-0-0
result : NT_STATUS_NONE_MAPPED
--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
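As an added example (not code from either poster, and not Samba's own), here is a small Python parser for winbindd log entries in the format quoted above; it pulls out the id that was requested, the "out of range ... Filtered!" message from idmap_tdb and the resulting NT_STATUS_NONE_MAPPED, so you can check whether failing lookups are for ids that fall outside the configured idmap range, as the log above shows for gid 1004. The sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the winbindd-idmap log lines quoted in the thread above.
SAMPLE_LOG = """\
[2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid)
idmap_gid_to_sid: gid = [1004], domain = ''
[2012/04/27 10:58:37.616352, 5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
Requested id (1004) out of range (10000 - 79999). Filtered!
[2012/04/27 10:58:37.616436, 10] winbindd/idmap_util.c:151(idmap_gid_to_sid)
gid [1004] not mapped
[2012/04/27 10:58:37.616456, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
    result : NT_STATUS_NONE_MAPPED
"""

# Header of a Samba debug entry: "[date time, level] file:line(function)"; message lines follow it.
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+), (?P<level>\d+)\]\s*(?P<src>\S+)?$")
REQUEST_RE = re.compile(r"idmap_(uid|gid)_to_sid: (?:uid|gid) = \[(\d+)\]")
FILTERED_RE = re.compile(r"Requested id \((\d+)\) out of range \((\d+) - (\d+)\)")
UNMAPPED_RE = re.compile(r"\b(uid|gid) \[(\d+)\] not mapped")


def parse_entries(text):
    """Group log lines into entries: each header plus the message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]), "src": m["src"] or "", "msgs": []})
        elif entries:
            entries[-1]["msgs"].append(line.strip())
    return entries


def diagnose_idmap(text):
    """Collect the evidence for a failed unixid->SID mapping: id requested, range filtering, result."""
    report = {"requested": [], "filtered": {}, "unmapped": [], "none_mapped": 0, "notes": []}
    for entry in parse_entries(text):
        for msg in entry["msgs"]:
            if m := REQUEST_RE.search(msg):
                report["requested"].append((m[1], int(m[2])))
            if m := FILTERED_RE.search(msg):
                xid, lo, hi = (int(g) for g in m.groups())
                report["filtered"][xid] = (lo, hi)
                report["notes"].append(f"id {xid} rejected: outside idmap range {lo}-{hi}")
            if m := UNMAPPED_RE.search(msg):
                report["unmapped"].append((m[1], int(m[2])))
            if "NT_STATUS_NONE_MAPPED" in msg:
                report["none_mapped"] += 1
    return report
```

Run `diagnose_idmap(open("winbindd-idmap.log").read())["notes"]` against a real log to list every id the backend filtered and the range it was checked against.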
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Daniele
> Sent: Sunday, April 29, 2012 11:50 PM
> To: samba at lists.samba.org
> Subject: [Samba] winbind stop working
>
> Hi, I am trying to use a squid proxy with validation on a Win
> 2003 Active Directory to filter internet navigation, and for
> it I installed an Ubuntu
> 10.04 server 64 bit with samba.
> My installation looks ok, the server is joined to the AD,
> ntlm is able to validate users, wbinfo reports correct
> information and squid works well.
> The problem arises after some hours: winbind becomes unable
> to resolve info for users and to retrieve info for groups, so
> squid becomes unable to know if a user belongs to a group
> allowed to navigate and refuses the connection.
> Restarting winbind solves the problem for some hours.
> wbinfo reports no particular problem; it just gives back messages
> like "could not get info for user xx", and also setting the
> debug level to various numbers reports (to me) no significant clues.
> I made a workaround by scheduling a restart of the winbind service
> every half hour, and it works, but it is not so elegant ...
> Do you have any suggestion to solve this problem?
> Thank you
> Daniele
>
> samba/winbind version is 3.4.7
> squid is 2.7.STABLE7
> os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux
>
> smb.conf:
> [global]
> workgroup = CED
> realm = CED.AOS
> server string = Samba Server Version %v
> security = ADS
> password server = 172.18.10.24 172.18.10.23
> name resolve order = lmhosts host bcast
> ldap ssl = no
> idmap uid = 15000-25000
> idmap gid = 15000-25000
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> cups options = raw
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
> browsable = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
> browsable = No
>
>
> ----
> This e-mail message and any files transmitted with it contain
> confidential information intended only for the person(s) to
> whom it is addressed. If you are not the intended recipient,
> you are hereby notified that any use or distribution of this
> e-mail is strictly prohibited: please notify the sender and
> delete the original message.
> Thank you.