Bug 11391 - Winbind not working with a non root account
Winbind not working with a non root account
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.2.0
x64 Linux
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-08 08:40 UTC by thibaud.aubert
Modified: 2015-07-17 12:37 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description thibaud.aubert 2015-07-08 08:40:30 UTC
Hello,

I was using samba 3.6.1 to authenticate users on a squid proxy since two years and it where working perfectly. Samba and winbind were launched as a "squid" account and not root due to very specific rules from the team that host the service on their own servers.

Recently I worked to switch to samba 4.2, using exacly the same processes/configuration as the previous version and it do not work anymore.

I can generate krb tickets, join the domain, but the wbinfo -p said that it can't ping winbind. So obviously any attempt to authenticate fails. 

- If I run winbind manually as root, it's working OK.
- If I run winbind as squid, and try to ping the winbdind as root, it is not working
- If I run winbind as root, and try to ping as squid it's work, but the wbinfo -a fails at the second step, for the challenge/response.

I'm pretty sure rights are ok, otherwise winbind complains at launch.

The only difference I'm seeing, whatever it's working or not has been found with a strace on the wbinfo -p. You may find bellow the main difference on traces, starting at the lstat("/proxy-ng/product/samba-4.2.0/var/run/winbindd : 

Working as root : 

lstat("/proxy-ng/product/samba-4.2.0/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/proxy-ng/product/samba-4.2.0/var/run/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
fcntl(3, F_GETFD)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
connect(3, {sa_family=AF_FILE, path="/proxy-ng/product/samba-4.2.0/var/run/winbindd/pipe"}, 110) = 0
poll([{fd=3, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "0\10\0\0\0\0\0\0\0\0\0\0\7a\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\250\r\0\0\2\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
poll([{fd=3, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "0\10\0\0/\0\0\0\0\0\0\0\7a\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\344\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "/proxy-ng/product/samba-4.2.0/va"..., 60) = 60
lstat("/proxy-ng/product/samba-4.2.0/var/locks/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/proxy-ng/product/samba-4.2.0/var/locks/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
fcntl(4, F_GETFD)                       = 0
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
connect(4, {sa_family=AF_FILE, path="/proxy-ng/product/samba-4.2.0/var/locks/winbindd_privileged/pipe"}, 110) = 0
close(3)                                = 0
poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
write(4, "0\10\0\0#\0\0\0\0\0\0\0\7a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "\250\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb61ccd9000
write(1, "Ping to winbindd succeeded\n", 27) = 27
close(4)                                = 0
exit_group(0)                           = ?

Not working :

lstat("/proxy-ng/product/samba-4.2.0/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb130d26000
write(1, "Ping to winbindd failed\n", 24) = 24
write(2, "could not ping winbindd!\n", 25) = 25
exit_group(1)                           = ?

the squid users have rights on the /var/run/winbindd, so I don't understand why it do not connect to the IPC socket.

Best Regards,

TAU
Comment 1 thibaud.aubert 2015-07-17 12:37:27 UTC
Hello,

Samba 4.1.19 is working perfectly, with same installation option and configuration than 4.2.0, which is not working with same behavior described bellow...

Hope it may help,

Regards,

TAU