Bug 12720 - Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.
Summary: Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.6.1
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-26 12:00 UTC by Rowland Penny
Modified: 2017-07-25 09:22 UTC
CC: 6 users

See Also:


Attachments
log10 of when working (22.82 KB, text/plain), 2017-03-26 12:00 UTC, Rowland Penny
log10 of when not working (22.82 KB, text/plain), 2017-03-26 12:02 UTC, Rowland Penny
smb.conf (1.04 KB, text/plain), 2017-03-26 12:02 UTC, Rowland Penny
The real one where it is not working (21.46 KB, text/plain), 2017-03-27 07:02 UTC, Rowland Penny
log.winbindd from an nss info failure case (16.80 KB, text/plain), 2017-06-27 14:29 UTC, Dustin L. Howett
log.winbindd-idmap from an nss info failure case (4.10 KB, text/plain), 2017-06-27 14:30 UTC, Dustin L. Howett
Patch for 4.6 and 4.7 cherry-picked from master (1.82 KB, patch), 2017-07-14 13:12 UTC, Ralph Böhme, flags: abartlet: review+

Description Rowland Penny 2017-03-26 12:00:08 UTC
Created attachment 13104 [details]
log10 of when working

A Linux Domain member set up as per the release notes will show the correct Unix home dir & login shell for a user:

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Wait a short while and then run the command again:

getent passwd rowland
rowland:*:10000:10000::/home/SAMDOM/rowland:/bin/false

You then need to restart winbindd to make it work again; 'net cache flush' doesn't seem to work.
Comment 1 Rowland Penny 2017-03-26 12:02:06 UTC
Created attachment 13105 [details]
log10 of when not working
Comment 2 Rowland Penny 2017-03-26 12:02:42 UTC
Created attachment 13106 [details]
smb.conf
Comment 3 Volker Lendecke 2017-03-27 06:13:42 UTC
I don't see a difference, both log files have the same md5sum of 5c8c118b5b030a002b12aacb56ca6c75. What is your perceived difference in both files?
Comment 4 Rowland Penny 2017-03-27 07:02:53 UTC
Created attachment 13108 [details]
The real one where it is not working

Oops, sorry, a bit ham-fisted there, sent the same file twice.
Comment 5 Dustin L. Howett 2017-06-27 14:29:45 UTC
Created attachment 13313 [details]
log.winbindd from an nss info failure case
Comment 6 Dustin L. Howett 2017-06-27 14:30:12 UTC
Created attachment 13314 [details]
log.winbindd-idmap from an nss info failure case

I'm hitting this as well. It looks like Rowland and I are both getting NTSTATUS 0xF2000051 from GETNSSINFO. In both cases it's falling back to the templated info.

Curiously, I can't find any known LDAP (facility 0xF2) errors that match code 0x51 in 4.6.5.
Comment 7 Dustin L. Howett 2017-06-27 22:30:17 UTC
I'm not seeing any traffic on the DC (also Samba, also 4.6.x) for this user info request, so it may be hitting the cache. However, netsamlogon_cache doesn't contain the NSS/rfc2307 information. Should it? Are we erroneously falling back to incomplete cached information?
Comment 8 David Rodriguez 2017-07-11 09:57:08 UTC
I am hitting this bug on my home environment too. I upgraded from 4.5.10 to 4.6.5, and after the upgrade wbinfo is also ignoring the loginShell and unixHomeDirectory on my domain member. With this version, restarting winbindd, flushing the cache or even manually removing cache files in /var/lib/samba had no effect.

Downgrading samba, smbclient and libwbclient back to 4.5.10 solved the issue, with wbinfo -i once again reporting the correct data.
Comment 9 Dustin L. Howett 2017-07-11 18:13:38 UTC
David,
If you're not getting any NSS info from the DC, even after restarting winbindd,
that sounds like a different issue than 12720. Did you switch to the new
"idmap config DOMAIN: unix_*" config keys? If not, please refer to the 4.5->4.6
transition notes.
Comment 10 David Rodriguez 2017-07-11 19:26:13 UTC
Sorry, I explained myself terribly. I do get NSS info; it is just the unixHomeDir and the loginShell that are now not being overridden with the AD attributes.

I created a sample user, I hope this explains the issue. This is with Samba 4.5.10:

getent passwd sambatestuser
sambatestuser:*:11118:10513:sambaTestUser:/tmp/sambaTestUser:/sbin/nologin

And this is with Samba 4.6.5:

getent passwd sambatestuser
sambatestuser:*:11118:10513::/home/sambatestuser:/bin/bash

My samba config file sets bash as the template default shell:
        template shell = /bin/bash
        template homedir = /home/%U

Everything else keeps working. I only realized this issue because for my user the default shell is zsh, not bash. Only when troubleshooting that did I find that for some of the users I configured with /sbin/nologin as the loginShell I was now seeing bash. The list of users and groups, and especially the idmap values, are still ok.

However, contrary to Rowland, restarting winbind and flushing the cache have no effect; at no point using Samba 4.6.5 have I seen the AD values being displayed for loginShell and unixHomeDir, only the template ones.
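Both failing entries quoted in this report (Rowland's in the description, David's in the comment above) share one signature: an empty GECOS field, a home directory equal to the expanded "template homedir", and a shell equal to "template shell". A member server can watch for that signature directly in getent output, which is a cheaper check than diffing winbindd debug logs. The script below is an added example, not code from the Samba project or from anyone in this thread; its function names are hypothetical, and the domain name SAMDOM and the template patterns used in the calls are assumptions taken from the values quoted on the page and from Samba's defaults (template homedir = /home/%D/%U, template shell = /bin/false). On the NTSTATUS Dustin saw: 0xF2000051 is Samba's NT_STATUS_LDAP() wrapper around LDAP result 0x51 (81, LDAP_SERVER_DOWN, a client-side code rather than a protocol result code), which fits the transient loss of the DC connection he describes later.

```shell
#!/bin/sh
# Added example; not code from the Samba project or from the people in this
# report. It flags passwd entries that carry winbind's "template homedir" /
# "template shell" fallback instead of the AD unixHomeDirectory / loginShell
# values. The domain name and template patterns are passed in by the caller;
# the values used below (SAMDOM, /home/%D/%U, /bin/false) are assumptions taken
# from the entries quoted in the bug report and from Samba's defaults.

# expand_template PATTERN DOMAIN USER
# Applies the %D and %U substitutions winbind performs on "template homedir".
expand_template() {
    printf '%s' "$1" | sed -e "s|%D|$2|g" -e "s|%U|$3|g"
}

# is_template_fallback PASSWD_LINE DOMAIN HOMEDIR_PATTERN SHELL
# Exit status 0 when the entry looks like the fallback described in the report:
# empty GECOS, home equal to the expanded template and shell equal to the
# template shell; exit status 1 otherwise. read(1) with IFS=: splits the line
# without word splitting, so the "*" password field is never glob-expanded.
is_template_fallback() {
    _line=$1 _dom=$2 _pat=$3 _tshell=$4
    IFS=: read -r _user _pw _uid _gid _gecos _home _shell <<EOF
$_line
EOF
    _expected=$(expand_template "$_pat" "$_dom" "$_user")
    [ -z "$_gecos" ] && [ "$_home" = "$_expected" ] && [ "$_shell" = "$_tshell" ]
}

# scan_passwd DOMAIN HOMEDIR_PATTERN SHELL < passwd-lines
# Prints the name of every flagged user, one per line. Exit status 0 if at
# least one entry was flagged, 1 if none was.
scan_passwd() {
    _found=1
    while IFS= read -r _entry; do
        [ -n "$_entry" ] || continue
        if is_template_fallback "$_entry" "$1" "$2" "$3"; then
            printf '%s\n' "${_entry%%:*}"
            _found=0
        fi
    done
    return $_found
}

# Constructed sample input: the working and the broken entry for the same user,
# as posted in the description of this bug.
sample_passwd='rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland:*:10000:10000::/home/SAMDOM/rowland:/bin/false'

# On a live member server, restrict the scan to the winbind idmap range, e.g.
#   getent passwd | awk -F: '$3 >= 10000' | scan_passwd SAMDOM '/home/%D/%U' /bin/false
# Run this file with --demo to scan the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$sample_passwd" | scan_passwd SAMDOM '/home/%D/%U' /bin/false
fi
```

A hit from scan_passwd is only a suspicion, not proof: a user whose AD attributes genuinely equal the template values and who has no displayName will match too. Seed the check with a user known to carry distinct unixHomeDirectory and loginShell values (David's /sbin/nologin account is a good pattern), and treat a hit on that user as the trigger for the winbindd restart described in the report.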
Comment 11 Ralph Böhme 2017-07-14 13:12:21 UTC
Created attachment 13384 [details]
Patch for 4.6 and 4.7 cherry-picked from master
Comment 12 Volker Lendecke 2017-07-17 07:03:08 UTC
(In reply to Ralph Böhme from comment #11)
> Created attachment 13384 [details]
> Patch for 4.6 and 4.7 cherry-picked from master

Ralph, is that really for the right bug for this patch?
Comment 13 Ralph Böhme 2017-07-17 08:15:26 UTC
(In reply to Volker Lendecke from comment #12)
-v please. :) Adding the retry logic to query-user looked reasonable. However, I haven't analyzed the traces attached to this bugreport.
Comment 14 Dustin L. Howett 2017-07-17 17:05:36 UTC
(In reply to Volker Lendecke from comment #12)

Volker,

These logs point to a transient loss of connection to the DC. This connection loss is exacerbated by the NSS info missing from the winbind cache. I posit that these connection failures have existed for a while and in 4.5 and below the cache was covering until the connection was reestablished.

I think this patch is the right one to pull in for the 4.6 release series since it addresses the immediate issue. I'm not sure a more broadly-scoped change to user caching would be as safe.
Comment 15 Karolin Seeger 2017-07-23 19:58:20 UTC
Pushed to autobuild-v4-{6,7}-test.
Comment 16 Karolin Seeger 2017-07-25 09:22:35 UTC
(In reply to Karolin Seeger from comment #15)
Pushed to both branches.
Closing out bug report.

Thanks!