Hello,

I was using samba 3.6.1 to authenticate users on a squid proxy for two years and it was working perfectly. Samba and winbind were launched as a "squid" account and not root due to very specific rules from the team that hosts the service on their own servers.

Recently I worked to switch to samba 4.2, using exactly the same processes/configuration as the previous version, and it does not work anymore. I can generate krb tickets and join the domain, but wbinfo -p says that it can't ping winbind. So obviously any attempt to authenticate fails.

- If I run winbind manually as root, it's working OK.
- If I run winbind as squid, and try to ping winbind as root, it is not working.
- If I run winbind as root, and try to ping as squid, it works, but wbinfo -a fails at the second step, for the challenge/response.

I'm pretty sure rights are OK, otherwise winbind complains at launch. The only difference I'm seeing, whether it's working or not, has been found with a strace on the wbinfo -p.
You may find below the main difference in the traces, starting at the lstat("/proxy-ng/product/samba-4.2.0/var/run/winbindd :

Working as root :

lstat("/proxy-ng/product/samba-4.2.0/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/proxy-ng/product/samba-4.2.0/var/run/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl(3, F_GETFD) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
connect(3, {sa_family=AF_FILE, path="/proxy-ng/product/samba-4.2.0/var/run/winbindd/pipe"}, 110) = 0
poll([{fd=3, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "0\10\0\0\0\0\0\0\0\0\0\0\7a\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\250\r\0\0\2\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
poll([{fd=3, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "0\10\0\0/\0\0\0\0\0\0\0\7a\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\344\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "/proxy-ng/product/samba-4.2.0/va"..., 60) = 60
lstat("/proxy-ng/product/samba-4.2.0/var/locks/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/proxy-ng/product/samba-4.2.0/var/locks/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_FILE, path="/proxy-ng/product/samba-4.2.0/var/locks/winbindd_privileged/pipe"}, 110) = 0
close(3) = 0
poll([{fd=4, events=POLLIN|POLLOUT|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
write(4, "0\10\0\0#\0\0\0\0\0\0\0\7a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "\250\r\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3496) = 3496
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb61ccd9000
write(1, "Ping to winbindd succeeded\n", 27) = 27
close(4) = 0
exit_group(0) = ?

Not working :

lstat("/proxy-ng/product/samba-4.2.0/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb130d26000
write(1, "Ping to winbindd failed\n", 24) = 24
write(2, "could not ping winbindd!\n", 25) = 25
exit_group(1) = ?

The squid users have rights on the /var/run/winbindd, so I don't understand why it does not connect to the IPC socket.

Best Regards,
TAU

Hello,

Samba 4.1.19 is working perfectly, with the same installation options and configuration as 4.2.0, which is not working, with the same behavior described below...

Hope it may help,

Regards,
TAU