samba - Dec 2013 - [Samba 3, Debian wheezy] All of a sudden, resolving ADS user fails completely

Hello everybody.

since this morning I've got a massive problem.

My fileserver (Debian wheezy, Samba 3, everything up-to-date) is an ADS 
member server and was running flawlessly for two weeks. Since a few days 
I began to move users to this server from an old one, and since this 
morning nothing works anymore.

The symptoms are: User get "wrong password" when trying to mount
shares.
On the server itself users are not being resolved, too:

root at fileserver3:/home/remroot# ls -l /srv1
drwx------ 15 10039 root  4096 Jan 17  2013 user1
drwx------ 12 10030 root  4096 Nov  5 10:45 user2
drwx------ 11 10056 root  4096 Jun 27  2012 user3

Normally this should be like that (and like it was):

root at fileserver3:/home/remroot# ls -l /srv1
drwx------ 15 user1 root  4096 Jan 17  2013 user1
drwx------ 12 user2 root  4096 Nov  5 10:45 user2
drwx------ 11 user3 root  4096 Jun 27  2012 user3

Same thing when trying to chown (my winbind seperator is "#"):

root at fileserver3:/# chown -vR ad#user1 /srv1/user1
chown: ung?ltiger Benutzer: "ad#user1"

As said before, this worked yesterday, too.

/What/ works are the usual diagnosis things like wbinfo, wbinfo -g, 
wbinfo -a username%password, net ads testjoin... Rejoining the ADS 
didn't solve the problem either.

One more time: Since yesterday everything worked fine. Even more: The 
same config is still working fine on three other servers.

Does anyone have any idea where I could look after? At the moment, I'm 
at my wit's end.

Thanks in advance and kind regards, Patrick

On Tue, 2013-12-10 at 13:39 +0100, Patrick G. Stoesser wrote:
> 
> Does anyone have any idea where I could look after?
nss is failing. What do you have in:
/etc/nsswitch.conf
and is the service for passwd running (could be winbind, sss,
ldap. . .) 

What does /smb.conf look like?

IOW, not enough info 2 b able 2 help further. . .

Steve

On 18:48:34 wrote Patrick G. Stoesser:
> Hello everybody.
> 
> since this morning I've got a massive problem.
> 
> My fileserver (Debian wheezy, Samba 3, everything up-to-date) is an
> ADS member server and was running flawlessly for two weeks. Since a
> few days I began to move users to this server from an old one, and
> since this morning nothing works anymore.
> 
> The symptoms are: User get "wrong password" when trying to mount
> shares. On the server itself users are not being resolved, too:
> 
> root at fileserver3:/home/remroot# ls -l /srv1
> drwx------ 15 10039 root  4096 Jan 17  2013 user1
> drwx------ 12 10030 root  4096 Nov  5 10:45 user2
> drwx------ 11 10056 root  4096 Jun 27  2012 user3
> 
> Normally this should be like that (and like it was):
> 
> root at fileserver3:/home/remroot# ls -l /srv1
> drwx------ 15 user1 root  4096 Jan 17  2013 user1
> drwx------ 12 user2 root  4096 Nov  5 10:45 user2
> drwx------ 11 user3 root  4096 Jun 27  2012 user3
> 
> Same thing when trying to chown (my winbind seperator is "#"):
> 
> root at fileserver3:/# chown -vR ad#user1 /srv1/user1
> chown: ung?ltiger Benutzer: "ad#user1"
> 
> As said before, this worked yesterday, too.
> 
> /What/ works are the usual diagnosis things like wbinfo, wbinfo -g,
> wbinfo -a username%password, net ads testjoin... Rejoining the ADS
> didn't solve the problem either.
> 
> One more time: Since yesterday everything worked fine. Even more: The
> same config is still working fine on three other servers.
> 
> Does anyone have any idea where I could look after? At the moment,
> I'm at my wit's end.
I have had a similiarly problem with one machine which has done an auto 
update yesterday evening. Update was from samba_3.6.6-6+deb7u1 to 
samba_3.6.6-6+deb7u2. Package server is ftp.de.debian.org

The package.list files in /var/lib/dpkg/info/ did _not_ list any 
binaries :-( . And yes, no smbd, nmbd or winbindd was in /usr/sbin/

So I downgraded to samba_3.6.6-6+deb7u1 which doesn't help, but sets the 
apt database to the last known good version. Then I have downloaded all 
packages manually via wget and installed them via dpkg -i package.deb

The required packages for this installation are:
samba-tools_3.6.6-6+deb7u1_i386.deb
libsmbclient_3.6.6-6+deb7u1_i386.deb
samba_3.6.6-6+deb7u1_i386.deb
smbclient_3.6.6-6+deb7u1_i386.deb
libwbclient0_3.6.6-6+deb7u1_i386.deb
samba-common-bin_3.6.6-6+deb7u1_i386.deb
winbind_3.6.6-6+deb7u1_i386.deb

Today at 23:00 cet the next update is scheduled. I hope that this does 
not happen again. Otherwise I will force apt to stay on samba version 
3.6.6-6+deb7u1.
> 
> Thanks in advance and kind regards, Patrick

-- 

regards
	Harry Jede

Hello everybody,

thanks a lot everybody helping me to find the error.

My idmap uid and gid were set to 10000-20000. After years of running, 
ist is no more reproducible why they were set to that.

The defaults now are 10000-95000. And as Michael said, "If you have user 
or primary group with a uid/gid outside configured range, it will 
silently break and not resolve a user."

And that was it! After setting uid and gid idmap to 10000-95000, 
everything worked fine again - and that with "my" config. And also
with
the new updated samba components.

So I guess, the small uid and gid range was somehow tolerated in 
*deb7u1, but no more in *deb7u2.

Nevertheless, I will ASAP switch to the new notation (idmap config 
DOMAINNAME:schema_mode = rfc2307 etc.).

One again, thanks very much for helping me out.

Kind regards, Patrick