On 2016-06-08 at 16:00 -0400, Dennis Xu wrote:
> Hi, I am checking again if there are any other suggestions.
>
> The Samba server is joined to AD successfully. I can
> authenticate a user using "wbinfo -a" but "wbinfo -u" and
> "wbinfo -g" commands give no output.
>
> Any ideas?

So you say the machine is cloned from another one. Did you just copy the config or really clone it all? Did you join this separately? If you cloned, did you change the local sid? ...

So I hope you just copied the config. :-)

But for our purposes, the caches that you might have copied also make a difference.

Please check whether /var/cache/samba/winbindd_cache.tdb exists (or /var/lib/samba/winbindd_cache.tdb), and if it does, stop winbind and remove this file and start winbind again. At least this could affect you if you are using 'winbind offline logons = yes'.

If you had not mentioned the other identical servers without problems, I would have suspected that you have a very large domain (several 100,000 objects) which may cause wbinfo -u / -g to time out. But that does not seem to be the issue then...

If clearing the caches above does not help, we'd need to see your smb.conf and the logs of winbind at level 10 right from starting winbind to completion of wbinfo -u right as the first command.

Cheers - Michael
Hi Michael,

Thank you for your suggestion.

I did clone the server. After the clone, the server was not joined to the domain automatically, then I joined the server to the domain separately. I did not change the local sid. Should I change that?

Actually I followed this process to clone the first server and that server did not have the wbinfo -u issue. Then I tried to clone other servers, and then I started to see this issue. I also recently did a fresh install for a server and I have the same issue for that server as well.

I have attached the smb.conf and winbind logs (in debug level 10 and after "wbinfo -u" was issued).

I use Samba for FreeRADIUS integration to authenticate PEAP MS-CHAP2 wireless authentications against AD. The server still seems able to authenticate users. I am not sure if this "wbinfo -u" issue will cause any authentication issues.

Dennis

-------------- next part --------------
Name: log.winbindd-dc-connect.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20160609/1a81039f/log.winbindd-dc-connect.txt>
-------------- next part --------------
Name: log.winbindd.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20160609/1a81039f/log.winbindd.txt>
On 2016-06-09 at 10:17 -0400, Dennis Xu wrote:
> Hi Michael,
>
> Thank you for your suggestion.
>
> I did clone the server. After the clone, the server was not
> joined to the domain automatically, then I joined the server to the
> domain separately. I did not change the local sid. Should I
> change that?

Not necessarily: It is rather cosmetic and probably not the cause for your issue.

> Actually I followed this process to clone the first server and
> that server did not have the wbinfo -u issue. Then I tried to
> clone other servers, and then I started to see this issue. I also
> recently did a fresh install for a server and I have the same
> issue for that server as well.
>
> I have attached the smb.conf

Note: the line 'idmap config ad' is not a correct samba option. But also this would not cause your issue.

> and winbind logs (in debug level 10 and after "wbinfo -u" was issued).

I'd also need to see log.wb-* (corresponding). But I can already see that the attempts to get the user list time out. See below:

> I use Samba for FreeRADIUS integration to authenticate PEAP
> MS-CHAP2 wireless authentications against AD. The server still
> seems able to authenticate users. I am not sure if this "wbinfo -u"
> issue will cause any authentication issues.

Likely not.
Here the important part from log.winbindd:

> [2016/06/09 10:04:31.071983, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:725(process_request)
>   process_request: Handling async request 11852:LIST_USERS
> [2016/06/09 10:04:31.072016, 3, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
>   list_users CFS

Main winbind is asking the CFS child to list the CFS domain users.

> [2016/06/09 10:04:31.072059, 1, pid=11846, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
>      wbint_QueryUserList: struct wbint_QueryUserList
>         in: struct wbint_QueryUserList
> [2016/06/09 10:04:32.047364, 10, pid=11846, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:252(messaging_recv_cb)
>   messaging_recv_cb: Received message 0x40c len 4 (num_fds:0) from 11847
> [2016/06/09 10:04:32.047421, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:364(winbind_msg_domain_offline)
>   Domain CFS is marked as offline now.

Here I need to see the log.wb-CFS file, to see what the domain child is up to.
But I suspect that the domain child can't contact any DCs and marks itself offline.

> [2016/06/09 10:04:32.048320, 1, pid=11846, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
>      wbint_QueryUserList: struct wbint_QueryUserList
>         out: struct wbint_QueryUserList
>             users                    : *
>                 users: struct wbint_userinfos
>                     num_userinfos            : 0x00000000 (0)
>                     userinfos: ARRAY(0)
>             result                   : NT_STATUS_IO_TIMEOUT

The list users request to the CFS domain times out.

> [2016/06/09 10:04:32.048409, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:128(winbindd_list_users_done)
>   Domain CFS returned 0 users
> [2016/06/09 10:04:32.048434, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:134(winbindd_list_users_done)
>   List_users for domain CFS failed
> [2016/06/09 10:04:32.048458, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
>   wb_request_done[11852:LIST_USERS]: NT_STATUS_OK

So my guess is that there is some issue with finding and/or contacting domain controllers.

More after we get the other log.

Cheers - Michael
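The log reading walked through in the message above can be scripted. The following is an added example, not part of the original thread and not Samba's own tooling: it groups level-10 log.winbindd records and extracts the signals pointed out there (a domain marked offline, a failed List_users, and the status codes involved). The sample text is constructed from the lines quoted in the thread, and the names `parse_records` and `triage` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample, abbreviated from the log.winbindd lines quoted in the thread.
SAMPLE_LOG = """\
[2016/06/09 10:04:31.071983, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:725(process_request)
  process_request: Handling async request 11852:LIST_USERS
[2016/06/09 10:04:32.047421, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:364(winbind_msg_domain_offline)
  Domain CFS is marked as offline now.
[2016/06/09 10:04:32.048320, 1, pid=11846, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_QueryUserList: struct wbint_QueryUserList
          out: struct wbint_QueryUserList
              result                   : NT_STATUS_IO_TIMEOUT
[2016/06/09 10:04:32.048434, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:134(winbindd_list_users_done)
  List_users for domain CFS failed
[2016/06/09 10:04:32.048458, 10, pid=11846, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
  wb_request_done[11852:LIST_USERS]: NT_STATUS_OK
"""

# Header of one debug record: [timestamp, level, pid=..., ...] source-file:line(function)
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+, pid=\d+[^\]]*\]\s+\S+\((\w+)\)\s*$")

def parse_records(text):
    """Attach the indented message lines to the header line that precedes them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            records.append({"time": when, "func": m.group(2), "body": []})
        elif records:
            records[-1]["body"].append(line.strip())
    return records

def triage(text):
    """Pull out offline domains, failed enumerations and the status codes involved."""
    report = {"offline": [], "failed_lists": [], "rpc_errors": [], "client_status": {}}
    for rec in parse_records(text):
        body = " ".join(rec["body"])
        if m := re.search(r"Domain (\S+) is marked as offline", body):
            report["offline"].append((m.group(1), rec["time"]))
        if m := re.search(r"List_users for domain (\S+) failed", body):
            report["failed_lists"].append(m.group(1))
        if (m := re.search(r"result\s*:\s*(NT_STATUS_\w+)", body)) and m.group(1) != "NT_STATUS_OK":
            report["rpc_errors"].append(m.group(1))
        if m := re.search(r"wb_request_done\[\d+:(\w+)\]: (NT_STATUS_\w+)", body):
            report["client_status"][m.group(1)] = m.group(2)
    return report
```

Run over the sample, `triage(SAMPLE_LOG)` reports domain CFS as offline and failed, NT_STATUS_IO_TIMEOUT from the wbint_QueryUserList result, and NT_STATUS_OK as the status returned for LIST_USERS.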