ray klassen
2016-May-19 19:05 UTC
[Samba] Repeat Question with more Info about strange winbind behaviour
<original unanswered message>
OS: Debian Jessie
Samba version: 2:4.2.10+dfsg-0+deb8u2

strange behaviours

before I set "winbind use rpc only = yes"
1) "wbinfo -u" would pause and return nothing
2) "getent passwd" would display only the user info in the local files
3) "wbinfo -g" would return list of domain groups
4) "wbinfo -i user" would display the user information of one user
5) "getent passwd user" would display the user information in passwd format

after I set "winbind use rpc only = yes" everything seems to work normally, i.e. 1 and 2 return a full list.

this would seem to indicate to me that winbind was getting incomplete info from ldap on the PDC. I have no idea how this could happen. Other machines on my network do not have this issue. Even one almost identical. It's a mirror on the other end of a VPN. It doesn't seem to need "winbind use rpc only = yes"

OpenLDAP had a size limit on lookups. Is there such a thing in the SAMBA 4 ldap backend?

Is needing "winbind use rpc only = yes" indicative of something wrong?
</original unanswered message>

tcpdump/wireshark revealed a strange behaviour. It appears that winbindd is constantly asking the pdc to authenticate as root, to which the pdc replies (from Wireshark packet decoding):

eRR-C-PRINCIPAL-UNKNOWN ... KerberosString: root

this request is ongoing, twice a second, in fact.
Jeremy Allison
2016-May-21 00:03 UTC
[Samba] Repeat Question with more Info about strange winbind behaviour
On Thu, May 19, 2016 at 07:05:56PM +0000, ray klassen wrote:
> <original unanswered message>
> OS: Debian Jessie
> Samba version: 2:4.2.10+dfsg-0+deb8u2
>
> strange behaviours
>
> before I set "winbind use rpc only = yes"
> 1) "wbinfo -u" would pause and return nothing
> 2) "getent passwd" would display only the user info in the local files
> 3) "wbinfo -g" would return list of domain groups
> 4) "wbinfo -i user" would display the user information of one user
> 5) "getent passwd user" would display the user information in passwd format
>
> after I set "winbind use rpc only = yes" everything seems to work normally, i.e. 1 and 2 return a full list.
>
> this would seem to indicate to me that winbind was getting incomplete info from ldap on the PDC. I have no idea how this could happen. Other machines on my network do not have this issue. Even one almost identical. It's a mirror on the other end of a VPN. It doesn't seem to need "winbind use rpc only = yes"
>
> OpenLDAP had a size limit on lookups. Is there such a thing in the SAMBA 4 ldap backend?
>
> Is needing "winbind use rpc only = yes" indicative of something wrong?

Yes. It forces winbindd to only use the DCE-RPC calls to the AD-DC instead of the LDAP calls.

You should not need this.
Rowland penny
2016-May-21 07:07 UTC
[Samba] Repeat Question with more Info about strange winbind behaviour
On 21/05/16 01:03, Jeremy Allison wrote:
> On Thu, May 19, 2016 at 07:05:56PM +0000, ray klassen wrote:
>> <original unanswered message>
>> OS: Debian Jessie
>> Samba version: 2:4.2.10+dfsg-0+deb8u2
>>
>> strange behaviours
>>
>> before I set "winbind use rpc only = yes"
>> 1) "wbinfo -u" would pause and return nothing
>> 2) "getent passwd" would display only the user info in the local files
>> 3) "wbinfo -g" would return list of domain groups
>> 4) "wbinfo -i user" would display the user information of one user
>> 5) "getent passwd user" would display the user information in passwd format
>>
>> after I set "winbind use rpc only = yes" everything seems to work normally, i.e. 1 and 2 return a full list.
>>
>> this would seem to indicate to me that winbind was getting incomplete info from ldap on the PDC. I have no idea how this could happen. Other machines on my network do not have this issue. Even one almost identical. It's a mirror on the other end of a VPN. It doesn't seem to need "winbind use rpc only = yes"
>>
>> OpenLDAP had a size limit on lookups. Is there such a thing in the SAMBA 4 ldap backend?
>>
>> Is needing "winbind use rpc only = yes" indicative of something wrong?
>
> Yes. It forces winbindd to only use the DCE-RPC
> calls to the AD-DC instead of the LDAP calls.
>
> You should not need this.
>

OK, you are using Debian Samba 4.2.10, which is really Samba 4.2.11 (don't ask why), but 4.2.11 has been replaced by Samba 4.2.12 because of regressions caused by the security fixes. This could be your problem, see here for the release notes:

https://www.samba.org/samba/history/samba-4.2.12.html

Your options to test if this is the case:

Wait until Debian releases a 4.2.12 package.
Use SerNet's 4.2.12 package.
Compile Samba yourself.

Rowland
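The two things the replies point at are a workaround setting that masks an LDAP-path problem ("winbind use rpc only = yes") and a package version that predates the 4.2.12 regression fixes. Below is an added example, not code from the thread or from the Samba project, of a small POSIX shell check a domain-member admin could run to flag both. It assumes the Debian-style package version string quoted in the thread ("2:4.2.10+dfsg-0+deb8u2", epoch and packaging suffix around the upstream version) and a conventional smb.conf layout; the smb.conf contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag two conditions discussed above.
#  1. "winbind use rpc only = yes" present in smb.conf (workaround, not a fix)
#  2. installed Samba older than 4.2.12 (the release Rowland points at)

# Reduce a Debian package version such as "2:4.2.10+dfsg-0+deb8u2" to the
# upstream version "4.2.10": drop the leading epoch and anything after the
# first '+', '~' or '-'.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[+~-].*$//'
}

# Return 0 (true) when dotted version $1 is strictly older than $2,
# comparing each numeric component in turn (missing components count as 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Return 0 when the smb.conf text on stdin enables "winbind use rpc only".
# Samba ignores case in parameter names and accepts yes/true/1 as true;
# commented lines (';' or '#') never match because of the leading anchor.
rpc_only_enabled() {
    grep -iE '^[[:space:]]*winbind[[:space:]]+use[[:space:]]+rpc[[:space:]]+only[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' >/dev/null
}

# Run both checks. $1 = package version string, $2 = path to smb.conf.
# Prints one line per finding; returns 0 only when nothing was flagged.
assess() {
    status=0
    v=$(upstream_version "$1")
    if version_lt "$v" 4.2.12; then
        echo "Samba $v is older than 4.2.12: update before debugging winbind further"
        status=1
    fi
    if rpc_only_enabled <"$2"; then
        echo "'winbind use rpc only = yes' is set: LDAP lookups are bypassed (workaround, not a fix)"
        status=1
    fi
    return $status
}

# Constructed sample smb.conf mirroring the situation in the thread.
sample=$(mktemp)
cat >"$sample" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ADS
   winbind use rpc only = yes
EOF
if ! assess "2:4.2.10+dfsg-0+deb8u2" "$sample"; then
    echo "findings above need attention"
fi
rm -f "$sample"
```

On a live member server the same functions would be fed `dpkg-query -W -f='${Version}' samba` (or the output of `smbd -V`) and `/etc/samba/smb.conf`; the version comparison is done in awk rather than `sort -V` so it also works on minimal images without GNU coreutils.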