winbind stop working


winbind stop working

Daniele
Hi, I am trying to use a squid proxy with validation against a Windows 2003 Active
Directory to filter internet navigation, and for it I installed an Ubuntu
10.04 server 64 bit with samba.
My installation looks ok: the server is joined to the AD, ntlm is able
to validate users, wbinfo reports correct information and squid works well.
The problem arises after some hours: winbind becomes unable to resolve
info for users and to retrieve info for groups, so squid is no longer able
to know if a user belongs to a group allowed to navigate and refuses the
connection.
Restarting winbind solves the problem for some hours.
wbinfo reports no particular problem; it just gives back messages like "could
not get info for user xx", and setting the debuglevel to various numbers
reports (to me) no significant clues.
I made a workaround by scheduling a restart of the winbind service every
half hour, and it works, but it is not so elegant ...
Do you have any suggestion to solve this problem?
Thank you
Daniele

samba/winbind version is 3.4.7
squid is 2.7.STABLE7
os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux

smb.conf:
[global]
     workgroup = CED
     realm = CED.AOS
     server string = Samba Server Version %v
     security = ADS
     password server = 172.18.10.24 172.18.10.23
     name resolve order = lmhosts host bcast
     ldap ssl = no
     idmap uid = 15000-25000
     idmap gid = 15000-25000
     winbind separator = +
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     cups options = raw
[homes]
     comment = Home Directories
     read only = No
     browseable = No
     browsable = No

[printers]
     comment = All Printers
     path = /var/spool/samba
     printable = Yes
     browseable = No
     browsable = No


----
The information contained in this communication and any attached documents is confidential and intended solely for the use of the addressee. If you have received this communication in error, please be advised that its dissemination and reproduction are contrary to law; we therefore ask you to notify us promptly and to delete what you have received.
Thank you.

This e-mail message and any files transmitted with it contain confidential information intended only for the person(s) to whom it is addressed. If you are not the intended recipient, you are hereby notified that any use or distribution of this e-mail is strictly prohibited: please notify the sender and delete the original message.
Thank you.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: winbind stop working

Kevin Elliott
We're also seeing similar symptoms with our Squid proxy's winbindd.

After an indeterminate amount of time (sometimes an hour, sometimes a day) the winbind process will lose the ability to resolve UIDs/GIDs to SIDs and authentication to the proxy will fail:

[2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.


If we try doing a winbind -p we get a successful return; however, trying to look up a SID from a UID/GID fails.

We're on Debian 6.0.4 and Samba 2.3.5.6.


Has anyone else seen this issue? Any possible workarounds or patches?


Here's the debugging output for a particular user:

[2012/04/27 11:04:52.217018,  3] smbd/process.c:1294(switch_message)
  switch message SMBtconX (pid 15651) conn 0x0
[2012/04/27 11:04:52.217041,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/04/27 11:04:52.217062,  5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2012/04/27 11:04:52.217085,  5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/04/27 11:04:52.217132,  5] smbd/uid.c:369(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/04/27 11:04:52.217169,  4] smbd/reply.c:786(reply_tcon_and_X)
  Client requested device type [?????] for share [FTP]
[2012/04/27 11:04:52.217209,  5] smbd/service.c:1227(make_connection)
  making a connection to 'normal' service ftp
[2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
[2012/04/27 11:04:52.217268,  5] smbd/password.c:423(user_in_netgroup)
  Unable to get default yp domain, let's try without specifying it
[2012/04/27 11:04:52.217289,  5] smbd/password.c:430(user_in_netgroup)
  looking for user CBJ_NT+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
[2012/04/27 11:04:52.217316,  5] smbd/password.c:453(user_in_netgroup)
  looking for user cbj_nt+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
[2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: CBJ_NT\domain users => CBJ_NT (domain), domain users (name)
[2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
  lookup_name: flags = 0x077
[2012/04/27 11:04:52.217841, 10] passdb/util_wellknown.c:152(lookup_wellknown_name)
  map_name_to_wellknown_sid: looking up domain users
[2012/04/27 11:04:52.217890,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/04/27 11:04:52.217921,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/04/27 11:04:52.217945,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/04/27 11:04:52.217966,  5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2012/04/27 11:04:52.217987,  5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/04/27 11:04:52.218079,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/04/27 11:04:52.219317,  5] smbd/share_access.c:117(token_contains_name)
  lookup_name CBJ_NT+domain users failed
[2012/04/27 11:04:52.219365, 10] smbd/share_access.c:216(user_ok_token)
  User CBJ_NT+kevin_miller not in 'valid users'
[2012/04/27 11:04:52.219394,  2] smbd/service.c:598(create_connection_server_info)
  user 'CBJ_NT+kevin_miller' (from session setup) not permitted to access this share (ftp)
[2012/04/27 11:04:52.219420,  1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/04/27 11:04:52.219452,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


Here's the debugging output from the winbindd-idmap.old log:

[2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid)
  idmap_gid_to_sid: gid = [1004], domain = ''
[2012/04/27 10:58:37.616243, 10] lib/gencache.c:334(gencache_get_data_blob)
  Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
[2012/04/27 10:58:37.616265, 10] winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
  idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
[2012/04/27 10:58:37.616331, 10] winbindd/idmap.c:475(idmap_find_domain)
  idmap_find_domain called for domain ''
[2012/04/27 10:58:37.616352,  5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
  Requested id (1004) out of range (10000 - 79999). Filtered!
[2012/04/27 10:58:37.616380, 10] lib/gencache.c:180(gencache_set_data_blob)
  Adding cache entry with key = IDMAP/UID2SID/1004 and timeout = Fri Apr 27 11:00:37 2012
   (120 seconds ahead)
[2012/04/27 10:58:37.616436, 10] winbindd/idmap_util.c:151(idmap_gid_to_sid)
  gid [1004] not mapped
[2012/04/27 10:58:37.616456,  1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
       wbint_Gid2Sid: struct wbint_Gid2Sid
          out: struct wbint_Gid2Sid
              sid                      : *
                  sid                      : S-0-0
              result                   : NT_STATUS_NONE_MAPPED


--
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 




> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Daniele
> Sent: Sunday, April 29, 2012 11:50 PM
> To: [hidden email]
> Subject: [Samba] winbind stop working
>
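As an added example (not code from the thread or from Samba), here is a small POSIX shell triage script for the two failure patterns reported so far: Daniele's "could not get info for user xx" and Kevin's idmap lines ("Requested id (1004) out of range ... Filtered!", "gid [1004] not mapped", NT_STATUS_NONE_MAPPED). It reads the idmap uid/gid ranges from an smb.conf, counts the failure signatures in a winbindd idmap log, and tells an id that lies inside the configured range but still came back unmapped (the cache/backend failure the thread is about) apart from a local Unix id that winbind is never expected to map. The directory name, the smb.conf excerpt and the log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: triage winbindd idmap debug output
# against the idmap range configured in smb.conf.  All file names and the
# sample inputs below are constructed for the demonstration.

SAMPLE_DIR=${TMPDIR:-/tmp}/winbind-triage-example

# Write the constructed samples: an smb.conf excerpt with Daniele's ranges and
# idmap log lines modelled on the ones Kevin quoted, plus one in-range uid.
make_samples() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
     workgroup = CED
     idmap uid = 15000-25000
     idmap gid = 15000-25000
EOF
    cat > "$SAMPLE_DIR/log.winbindd-idmap" <<'EOF'
[2012/04/27 10:58:37.616352,  5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
  Requested id (1004) out of range (15000 - 25000). Filtered!
[2012/04/27 10:58:37.616436, 10] winbindd/idmap_util.c:151(idmap_gid_to_sid)
  gid [1004] not mapped
              result                   : NT_STATUS_NONE_MAPPED
[2012/04/27 11:20:00.000000, 10] winbindd/idmap_util.c:151(idmap_uid_to_sid)
  uid [20000] not mapped
              result                   : NT_STATUS_NONE_MAPPED
EOF
    echo "$SAMPLE_DIR"
}

# Print "LOW HIGH" for the "idmap uid" or "idmap gid" ($2) line of smb.conf ($1).
idmap_range() {
    sed -n "s/^[[:space:]]*idmap $2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" "$1" | head -n 1
}

# Number of log lines ($1) carrying one of the failure signatures from the thread.
count_failures() {
    grep -c -E 'out of range .*Filtered!|NT_STATUS_NONE_MAPPED|could not get info for user' "$1" || true
}

# For every "uid [N] not mapped" / "gid [N] not mapped" line in the log ($1),
# print "KIND N VERDICT": outside-range means a local Unix id winbind is not
# expected to map; in-range-unmapped means an id winbind owns but could not
# resolve, which is the cache/backend problem discussed in the thread.
classify_unmapped() {
    log=$1; conf=$2
    uid_range=$(idmap_range "$conf" uid)
    gid_range=$(idmap_range "$conf" gid)
    sed -n 's/^[[:space:]]*\([ug]id\) \[\([0-9][0-9]*\)\] not mapped.*/\1 \2/p' "$log" |
    while read -r kind id; do
        if [ "$kind" = uid ]; then range=$uid_range; else range=$gid_range; fi
        if [ -z "$range" ]; then echo "$kind $id no-range-configured"; continue; fi
        set -- $range                      # split into LOW HIGH
        if [ "$id" -ge "$1" ] && [ "$id" -le "$2" ]; then
            echo "$kind $id in-range-unmapped"
        else
            echo "$kind $id outside-range"
        fi
    done
}

# Stand-alone run: build the constructed samples and print the triage.
samples=$(make_samples)
echo "failure signatures: $(count_failures "$samples/log.winbindd-idmap")"
classify_unmapped "$samples/log.winbindd-idmap" "$samples/smb.conf"
```

On a real host point the two functions at log.winbindd-idmap from the Samba log directory and the live smb.conf; an in-range-unmapped verdict while `wbinfo -p` still succeeds is the state both posters describe, whereas an outside-range verdict (such as gid 1004 against a 15000-25000 range) is winbind correctly refusing to map a local group and is not a winbind fault.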

Re: winbind stop working

Kevin Elliott
Correction. I was reading the Debian versioning numbers.

We are on Samba/Winbind: 3.5.6 (Debian package:  2:3.5.6~dfsg-3squeeze6).

--
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 


> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Kevin Elliott
> Sent: Monday, April 30, 2012 9:51 AM
> To: [hidden email]
> Subject: Re: [Samba] winbind stop working
>

Re: winbind stop working

Kevin Elliott
No one else has seen this issue?

Should I move this to samba-technical? Or submit a bug report?


Is there any other information that would be helpful in troubleshooting this?


> -----Original Message-----
> From: Kevin Elliott
> Sent: Monday, April 30, 2012 9:51 AM
> To: [hidden email]
> Subject: RE: [Samba] winbind stop working
>

Re: winbind stop working

Gaiseric Vandal
I had a problem with Samba 3.0.x on Solaris 10 some time back. The
samba servers were DCs for the domain; they were not in an ADS
domain. However, I did have domain trusts set up, so winbind was
required. Winbind would allocate UIDs and GIDs. There is a cache
time value for either winbind or idmap (testparm -v will tell you).
When the cache time expired the cached info was, obviously, invalid,
BUT samba/winbind would not refresh the cache. Thus users from the
trusted domain would lose access. The cache files are local TDB
files, even though (in this case) the idmap and other account info was in ldap.


The cache issue was resolved when I upgraded to samba 3.4.x. However,
it seems that winbind now can't even create new idmap entries. Since
there is practically no personnel change in the trusted ADS domain this
isn't really an issue; I can always add the idmap entries in ldap.

Check your cache values. Back up and delete the idmap cache TDB files
(maybe the winbind cache files as well). Restarting winbind and typing
"getent passwd" and "getent group" should repopulate them. The tdbdump command
is useful for looking at the contents of a file if you aren't sure
what the file is for.



On 05/04/12 16:02, Kevin Elliott wrote:

> No one else has seen this issue?
>
> Should I move this to samba-technical? Or submit a bug report?
>
>
> Is there any other information that would be helpful in troubleshooting this?
>
>
>> -----Original Message-----
>> From: Kevin Elliott
>> Sent: Monday, April 30, 2012 9:51 AM
>> To: [hidden email]
>> Subject: RE: [Samba] winbind stop working
>>
>> We're also seeing similar symptoms with our Squid proxy's
>> winbindd as well.
>>
>> After an indeterminate amount of time (sometimes an hour,
>> sometimes a day) the winbind process will lose the ability to
>> resolve UID/GIDs to SIDS and authentication to the proxy will fail:
>>
>> [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
>>   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
>>
>>
>> If we try doing a winbind -p we get a successful return,
>> however trying to look up a SID from a UID/GID fails.
>>
>> We're on Debian 6.0.4 and Samba 2.3.5.6.
>>
>>
>> Has anyone else seen this issue? Any possible workarounds or patches?
>>
>>
>>
>>
>> Here's the debugging output for a particular user:
>>
>> [2012/04/27 11:04:52.217018,  3] smbd/process.c:1294(switch_message)
>>   switch message SMBtconX (pid 15651) conn 0x0
>> [2012/04/27 11:04:52.217041,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2012/04/27 11:04:52.217062,  5]
>> auth/token_util.c:525(debug_nt_user_token)
>>   NT user token: (NULL)
>> [2012/04/27 11:04:52.217085,  5]
>> auth/token_util.c:551(debug_unix_user_token)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2012/04/27 11:04:52.217132,  5] smbd/uid.c:369(change_to_root_user)
>>   change_to_root_user: now uid=(0,0) gid=(0,0)
>> [2012/04/27 11:04:52.217169,  4] smbd/reply.c:786(reply_tcon_and_X)
>>   Client requested device type [?????] for share [FTP]
>> [2012/04/27 11:04:52.217209,  5] smbd/service.c:1227(make_connection)
>>   making a connection to 'normal' service ftp
>> [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
>>   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
>> [2012/04/27 11:04:52.217268,  5] smbd/password.c:423(user_in_netgroup)
>>   Unable to get default yp domain, let's try without specifying it
>> [2012/04/27 11:04:52.217289,  5] smbd/password.c:430(user_in_netgroup)
>>   looking for user CBJ_NT+kevin_miller of domain (ANY) in
>> netgroup CBJ_NT+domain users
>> [2012/04/27 11:04:52.217316,  5] smbd/password.c:453(user_in_netgroup)
>>   looking for user cbj_nt+kevin_miller of domain (ANY) in
>> netgroup CBJ_NT+domain users
>> [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
>>   lookup_name: CBJ_NT\domain users => CBJ_NT (domain), domain
>> users (name)
>> [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
>>   lookup_name: flags = 0x077
>> [2012/04/27 11:04:52.217841, 10]
>> passdb/util_wellknown.c:152(lookup_wellknown_name)
>>   map_name_to_wellknown_sid: looking up domain users
>> [2012/04/27 11:04:52.217890,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2012/04/27 11:04:52.217921,  3] smbd/uid.c:429(push_conn_ctx)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2012/04/27 11:04:52.217945,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2012/04/27 11:04:52.217966,  5]
>> auth/token_util.c:525(debug_nt_user_token)
>>   NT user token: (NULL)
>> [2012/04/27 11:04:52.217987,  5]
>> auth/token_util.c:551(debug_unix_user_token)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2012/04/27 11:04:52.218079,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2012/04/27 11:04:52.219317,  5]
>> smbd/share_access.c:117(token_contains_name)
>>   lookup_name CBJ_NT+domain users failed
>> [2012/04/27 11:04:52.219365, 10]
>> smbd/share_access.c:216(user_ok_token)
>>   User CBJ_NT+kevin_miller not in 'valid users'
>> [2012/04/27 11:04:52.219394,  2]
>> smbd/service.c:598(create_connection_server_info)
>>   user 'CBJ_NT+kevin_miller' (from session setup) not
>> permitted to access this share (ftp)
>> [2012/04/27 11:04:52.219420,  1]
>> smbd/service.c:678(make_connection_snum)
>>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>> [2012/04/27 11:04:52.219452,  3] smbd/error.c:80(error_packet_set)
>>   error packet at smbd/reply.c(795) cmd=117 (SMBtconX)
>> NT_STATUS_ACCESS_DENIED
>>
>>
>> Here's the debugging output from the winbindd-idmap.old log:
>>
>> 2012/04/27 10:58:37.616201, 10]
>> winbindd/idmap_util.c:115(idmap_gid_to_sid)
>>   idmap_gid_to_sid: gid = [1004], domain = ''
>> [2012/04/27 10:58:37.616243, 10]
>> lib/gencache.c:334(gencache_get_data_blob)
>>   Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
>> [2012/04/27 10:58:37.616265, 10]
>> winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
>>   idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
>> [2012/04/27 10:58:37.616331, 10]
>> winbindd/idmap.c:475(idmap_find_domain)
>>   idmap_find_domain called for domain ''
>> [2012/04/27 10:58:37.616352,  5]
>> winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
>>   Requested id (1004) out of range (10000 - 79999). Filtered!
>> [2012/04/27 10:58:37.616380, 10]
>> lib/gencache.c:180(gencache_set_data_blob)
>>   Adding cache entry with key = IDMAP/UID2SID/1004 and
>> timeout = Fri Apr 27 11:00:37 2012
>>    (120 seconds ahead)
>> [2012/04/27 10:58:37.616436, 10]
>> winbindd/idmap_util.c:151(idmap_gid_to_sid)
>>   gid [1004] not mapped
>> [2012/04/27 10:58:37.616456,  1]
>> ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>>        wbint_Gid2Sid: struct wbint_Gid2Sid
>>           out: struct wbint_Gid2Sid
>>               sid                      : *
>>                   sid                      : S-0-0
>>               result                   : NT_STATUS_NONE_MAPPED
>>
>>
>> --
>> Kevin Elliott
>>  
>> Network Specialist
>> City and Borough of Juneau, MIS
>> (907) 586 - 0905
>>  
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of Daniele
>>> Sent: Sunday, April 29, 2012 11:50 PM
>>> To: [hidden email]
>>> Subject: [Samba] winbind stop working
>>>
>>> Hi, I am trying to use a squid proxy with validation on a Windows
>>> 2003 Active Directory to filter internet navigation, and for it I
>>> installed an Ubuntu 10.04 server 64 bit with samba.
>>> My installation looks ok, the server is joined to the AD, ntlm is
>>> able to validate users, wbinfo reports correct information and squid
>>> works well.
>>> The problem arises after some hours: winbind becomes unable to
>>> resolve info for users and to retrieve info for groups, so squid
>>> becomes unable to know if a user belongs to a group allowed to
>>> navigate and refuses the connection.
>>> Restarting winbind solves the problem for some hours.
>>> wbinfo reports no particular problem; it just gives back messages
>>> like "could not get info for user xx", and setting debuglevel to
>>> various numbers reports (to me) no significant clues.
>>> I made a workaround scheduling a restart of the winbind service
>>> every half hour, and it works, but it is not so elegant ...
>>> Do you have any suggestion to solve this problem?
>>> Thank you
>>> Daniele
>>>
>>> samba/winbind version is 3.4.7
>>> squid is 2.7.STABLE7
>>> os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux
>>>
>>> smb.conf:
>>> [global]
>>>      workgroup = CED
>>>      realm = CED.AOS
>>>      server string = Samba Server Version %v
>>>      security = ADS
>>>      password server = 172.18.10.24 172.18.10.23
>>>      name resolve order = lmhosts host bcast
>>>      ldap ssl = no
>>>      idmap uid = 15000-25000
>>>      idmap gid = 15000-25000
>>>      winbind separator = +
>>>      winbind enum users = Yes
>>>      winbind enum groups = Yes
>>>      winbind use default domain = Yes
>>>      cups options = raw
>>> [homes]
>>>      comment = Home Directories
>>>      read only = No
>>>      browseable = No
>>>      browsable = No
>>>
>>> [printers]
>>>      comment = All Printers
>>>      path = /var/spool/samba
>>>      printable = Yes
>>>      browseable = No
>>>      browsable = No
>>>
>>>


Re: winbind stop working

Kevin Elliott
 
So what's happening is that the idmap cache is expiring but winbind is unable to create new entries until it's restarted?


Here are my idmap cache values:

        idmap backend = tdb
        idmap alloc backend =
        idmap cache time = 604800
        idmap negative cache time = 120
        idmap uid = 10000-79999
        idmap gid = 10000-79999
        winbind separator = +
        winbind cache time = 300
        winbind reconnect delay = 30
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind trusted domains only = No
        winbind nested groups = Yes
        winbind expand groups = 1
        winbind nss info = template
        winbind refresh tickets = No
        winbind offline logon = No
        winbind normalize names = No

--
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 



> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Gaiseric Vandal
> Sent: Friday, May 04, 2012 12:16 PM
> To: [hidden email]
> Subject: Re: [Samba] winbind stop working
>
> I had a problem with Samba 3.0.x on Solaris 10 some time back.  The
> Samba servers were DCs for the domain; they were not in an ADS domain.
> However, I did have domain trusts set up, so winbind was required.
> Winbind would allocate uids and gids.  There is a cache time value for
> either winbind or idmap (testparm -v will tell you).  When the cache
> time expired the cached info was, obviously, invalid, BUT samba/winbind
> would not refresh the cache.  Thus users from the trusted domain would
> lose access.  The cache files are local TDB files, even though (in my
> case) the idmap and other account info was in LDAP.
>
>
> The cache issue was resolved when I upgraded to samba 3.4.x.  However,
> it seems that winbind now can't even create new idmap entries.  Since
> there is practically no personnel change in the trusted ADS domain this
> isn't really an issue; I can always add the idmap entries in LDAP.
>
> Check your cache values.  Back up and delete the idmap cache TDB files
> (maybe the winbind cache files as well).  Restarting winbind and typing
> "getent passwd" and "getent group" should repopulate them.  The tdbdump
> command is useful for looking at the contents of a file if you aren't
> sure what the file is for.

Re: winbind stop working

Daniele
On 04/05/2012 23:47, Kevin Elliott wrote:

>
> So what's happening is that the idmap cache is expiring but winbind is unable to create new entries until it's restarted?
>
>
> Here are my idmap cache values:
>
>          idmap backend = tdb
>          idmap alloc backend =
>          idmap cache time = 604800
>          idmap negative cache time = 120
>          idmap uid = 10000-79999
>          idmap gid = 10000-79999
>          winbind separator = +
>          winbind cache time = 300
>          winbind reconnect delay = 30
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind trusted domains only = No
>          winbind nested groups = Yes
>          winbind expand groups = 1
>          winbind nss info = template
>          winbind refresh tickets = No
>          winbind offline logon = No
>          winbind normalize names = No
>

After playing with parameters I found that lowering idmap cache time has
some effect.
Now, with a value of 300, it looks good.
I have to do other tests to understand what is happening, but it seems a
good starting point.

Daniele

Re: winbind stop working

Kevin Elliott
Interesting.

I'll try this and see what happens.

Any idea why setting such an aggressive cache refresh time for the idmap issue could resolve this?

--
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 


> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of daniele
> Sent: Sunday, May 06, 2012 11:13 PM
> To: [hidden email]
> Subject: Re: [Samba] winbind stop working
>
> On 04/05/2012 23:47, Kevin Elliott wrote:
> >
> > So what's happening is that the idmap cache is expiring but
> winbind is unable to create new entries until it's restarted?
> >
> >
> > Here are my idmap cache values:
> >
> >          idmap backend = tdb
> >          idmap alloc backend =
> >          idmap cache time = 604800
> >          idmap negative cache time = 120
> >          idmap uid = 10000-79999
> >          idmap gid = 10000-79999
> >          winbind separator = +
> >          winbind cache time = 300
> >          winbind reconnect delay = 30
> >          winbind enum users = Yes
> >          winbind enum groups = Yes
> >          winbind use default domain = Yes
> >          winbind trusted domains only = No
> >          winbind nested groups = Yes
> >          winbind expand groups = 1
> >          winbind nss info = template
> >          winbind refresh tickets = No
> >          winbind offline logon = No
> >          winbind normalize names = No
> >
>
> After playing with parameters I found that lowering idmap
> cache time has some effect.
> Now, with a value of 300, it looks good.
> I have to do other tests to understand what is happening, but
> it seems a good starting point.
>
> Daniele

Re: winbind stop working

Daniele
On 08/05/2012 21:37, Kevin Elliott wrote:
> Interesting.
>
> I'll try this and see what happens.
>
> Any idea why setting such an aggressive cache refresh time for the idmap issue could resolve this?
>

My server is still in test, so I don't know what will happen when
hundreds of users start to connect. As a reference, in the current
working server with samba Version 3.0.33-3.29.el5_7.4 the parameter
idmap cache time is set to the default (900).
I wondered about such a difference (900 vs 604800), and I used 900
instead of 300. Now it looks good (after 1 day), but I'll keep it in
test for a while.
I also had bad mapping problems: winbind reported an incorrect number of
groups and the wrong group for some users.
I guess this is also related to the cache, because since yesterday it is
working correctly and I don't know why (maybe: net cache flush or some
smb.conf parameter or ...).
I also verified that setting idmap uid and idmap gid to a value like
10000-20000 does not work (I have no unix user or group in the range
1000-65000, so I supposed the range 10000-20000 was equivalent to
15000-25000 ...)

My actual settings are:
[global]
        workgroup = CED
        realm = CED.AOS
        server string = Samba Server Version %v
        security = ADS
        password server = 172.18.10.24 172.18.10.23
        name resolve order = lmhosts host bcast
        passdb backend = tdbsam
        ldap ssl = no
        idmap uid = 100000-200000
        idmap gid = 100000-200000
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        cups options = raw
        winbind cache time = 300
        idmap cache time = 900
        encrypt passwords = yes


Regards
Daniele Bernazzi

Re: winbind stop working

sigunas
We have a similar problem too with a samba file server, serving about 800 users. After a server restart samba/winbind works as intended. After some time (it may be a couple of weeks, or it may be 1 day) the server does not authenticate new connections. Old connections work.
For example: I don't turn off my computer, and the next day I can access samba shares, read/create/delete files and directories as usual. Users who just started their computers and try to access shares are rejected with unknown user/password. After a winbind restart (no need to restart samba) everything works as intended again for a day or sometimes for a couple of weeks.

Server configuration:
security=ADS
realm=our.domain.com
client schanel=no
wins support=no
domain logons=no
domain master=auto
password server=dc.our.domain.com
server string=failai
local master=yes
idmap uid=10000-20000
idmap gid=10000-20000
winbind enum users=yes
winbind enum groups=yes
encrypt password=true
keepalive=600
socket options=TCP_NODELAY
dns proxy=no
log level=1
large readwrite=yes

When users can't connect I see in log file:
[2012/05/10] 00:59:59.024569, 1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/05/10] 00:59:59.025649, 1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
.......

What's interesting, some users (I would guess 1 in 10) can connect even at this time, as I see in the log:
[2012/05/10] 07:48:07.777869, 1] smbd/service.c:678(make_connection_snum)
  __ffff_10.23.15.20 (::ffff:10.23.14.20) connect to service apps initially as user CENTRAS\nijovizb (uid=10717, guid=10004) (pid 6861)
.......

Then after restarting winbind all users can connect.


Re: winbind stop working

Daniele
On 05/10/2012 11:21 AM, sigunas wrote:

> We have a similar problem too with a samba file server, serving about 800
> users. After a server restart samba/winbind works as intended. After some
> time (it may be a couple of weeks, or it may be 1 day) the server does not
> authenticate new connections. Old connections work.
> For example: I don't turn off my computer, and the next day I can access
> samba shares, read/create/delete files and directories as usual. Users who
> just started their computers and try to access shares are rejected with
> unknown user/password. After a winbind restart (no need to restart samba)
> everything works as intended again for a day or sometimes for a couple of
> weeks.
>
> Server configuration:
> security=ADS
> realm=our.domain.com
> client schanel=no
> wins support=no
> domain logons=no
> domain master=auto
> password server=dc.our.domain.com
> server string=failai
> local master=yes
> idmap uid=10000-20000
> idmap gid=10000-20000
> winbind enum users=yes
> winbind enum groups=yes
> encrypt password=true
> keepalive=600
> socket options=TCP_NODELAY
> dns proxy=no
> log level=1
> large readwrite=yes
>

From my experience reducing idmap cache time seems to solve the problem.
I also experienced problems with idmap uid and idmap gid at such values
(10000-20000); try to raise them above 65536 (100000-200000).
I made some tests on another server acting as a file server with
validation on AD (no user and group mappings) in which winbind is
usually off. Starting winbind and playing with parameters brought samba
to deny the service after about 1 day; after stopping winbind and
restarting nmbd and smbd it works well ...




Re: winbind stop working

sigunas
Thanks,
I lowered the idmap cache value yesterday from the default 604800 to 900. If it helps, I will post after a couple of weeks, or I will try raising uid/gid and will post the results.

Re: winbind stop working

sigunas
Lowering idmap cache time from the default 604800 to 900 did not help... Something different here.