Bug 1383 - wbinfo -u fails on PDC and BDC
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.4
Hardware: All Linux
Importance: P1 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Reported: 2004-05-25 06:41 UTC by Hans Randgaard (550 5.1.1 User unknown)
Modified: 2004-09-29 04:44 UTC

Description Hans Randgaard (550 5.1.1 User unknown) 2004-05-25 06:41:43 UTC
We seem to have discovered a situation that looks like a bug.

The setup is a PDC with an LDAP server running locally which is accessed 
directly and through nsswitch/PAM. A member server is providing shares to 
clients.

When looking up domain users (wbinfo -u) from a member server (Solaris 8, 
OpenLDAP 2.1.25) there are no problems. When looking up users on the PDC and on 
the BDC, it fails (Error looking up domain users). The log.winbindd states 
problems with socket read errors. When running “wbinfo -m” we only 
get “BUILTIN”. When running “wbinfo -g” we get:

BUILTIN+System Operators
BUILTIN+Replicators
BUILTIN+Guests
BUILTIN+Power Users
BUILTIN+Print Operators
BUILTIN+Administrators
BUILTIN+Account Operators
BUILTIN+Backup Operators
BUILTIN+Users

The PDC is running Mandrake 9 (2.4.19-16mdk, OpenLDAP 2.0.25) and the BDC is 
running RedHat 7.3 (2.4.18-3, OpenLDAP 2.0.27) and works without problems in 
other regards.

Have tried a similar PDC/BDC configuration on Mandrake 10 as well with the same 
results.

The problem was first discovered in Samba 3.0.2 (currently 3.0.4) and searching 
the mailing lists does not reveal anything that equals our situation.

Samba config options are: ./configure --with-acl-support --with-libiconv

Things checked: There are no firewall rules. Different socket options tried. 
Custom compiled and vendor compiled binaries tried. LDAP entries commented out 
with no effect.

Guess on cause: The LDAP lookup is messing up a socket used for local host 
communication. 


Failing lookup

[2004/05/24 12:53:25, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 16
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn INTERFACE_VERSION
[2004/05/24 12:53:25, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [ 7076]: request interface version
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2004/05/24 12:53:25, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [ 7076]: request location of privileged pipe
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 47 extra data bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 47 bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response written.
[2004/05/24 12:53:25, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 17
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/05/24 12:53:25, 5] nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 16, pid 7076: EOF
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn LIST_USERS
[2004/05/24 12:53:25, 3] nsswitch/winbindd_user.c:winbindd_list_users(592)
  [ 7076]: list users
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/05/24 12:53:25, 5] nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 17, pid 7076: EOF


Working lookup

[2004/05/24 13:19:05, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 19
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn INTERFACE_VERSION
[2004/05/24 13:19:05, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27482]: request interface version
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2004/05/24 13:19:05, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27482]: request location of privileged pipe
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 47 extra data bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 47 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response written.
[2004/05/24 13:19:05, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 20
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/05/24 13:19:05, 5] nsswitch/winbindd.c:winbind_client_read(463)
  read failed on sock 19, pid 27482: EOF
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn LIST_USERS
[2004/05/24 13:19:05, 3] nsswitch/winbindd_user.c:winbindd_list_users(592)
  [27482]: list users
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(355)
  refresh_sequence_number: SMB-TST time ok
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(379)
  refresh_sequence_number: SMB-TST seq number is now 1085397520
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:centry_expired(403)
  centry_expired: Key UL/SMB-TST for domain SMB-TST is good.
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:wcache_fetch(482)
  wcache_fetch: returning entry UL/SMB-TST for domain SMB-TST
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:query_user_list(694)
  query_user_list: [Cached] - cached list for domain SMB-TST status Success
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 4800 extra data bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 4800 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response written.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/05/24 13:19:05, 5] nsswitch/winbindd.c:winbind_client_read(463)
  read failed on sock 20, pid 27482: EOF

# Maersk Oil SAMBA 3.0 PDC
[global]
passdb backend = ldapsam:ldap://infra05/
ldap suffix = dc=cph,dc=maerskoil,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = "cn=Manager,dc=cph,dc=maerskoil,dc=com"

#
#       ldap passwd file = /usr/local/etc2/samba_3/private/ldappasswd
#       the ldap admin dn password is stored in secrets.tdb
#       and is set using "smbpasswd -w passphrase".  It is no
#       longer stored in the smb.conf file.
#
#       start tls by default
ldap ssl = start tls

# smbpasswd -x delete the entire dn-entry
ldap delete dn = no

# synchronize unix and samba passwords
ldap passwd sync = yes


admin users = @"Domain_Admins"

add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d /dev/null -c 'Machine Account' -s /bin/false %u
add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
delete user script = /usr/local/sbin/smbldap-userdel.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl %g && /usr/local/sbin/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'
delete group script = /usr/local/sbin/smbldap-groupdel.pl %g
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g %g %u

# password quality
min passwd length = 8
#use cracklib = Yes

# charsets
display charset = LOCALE
dos charset = CP850
unix charset = ISO-8859-1


# winbind must be running to have inter-domain trust
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes

winbind separator = +
#username map = /usr/local/samba/lib/smbusers
#idmap backend = ldap://infra05/
#ldap idmap suffix = ou=Idmap,dc=cph,dc=maerskoil,dc=com
#idmap uid = 40000-50000
#idmap gid = 40000-50000 
#winbind use default domain = yes



#socket options = IPTOS_LOWDELAY TCP_NODELAY
#socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY

# pushing rids out of way of existing groups
algorithmic rid base = 6000

workgroup = SMB-TST
netbios name = flipper  
comment = Mandrake 9.0  Samba Server
security = user
null passwords = Yes
encrypt passwords = yes

# We don't want roaming profiles
logon path =
logon home =


domain master = yes
domain logons = yes
preferred master = yes
os level = 20

wins server = 89.16.6.4

log level = 10
log file = /usr/local/samba/var/log.%m
public = No
browseable = No
writable = No


# Maersk Oil SAMBA 3.0 Member server
[global]

# charsets
display charset = LOCALE
dos charset = CP850
unix charset = ISO-8859-1


# winbind must be running to have inter-domain trust
winbind uid = 10000-20000
winbind gid = 10000-20000
# winbind use default domain = yes
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes

winbind separator = +


socket options = IPTOS_LOWDELAY TCP_NODELAY


workgroup = SMB-TST
#workgroup = TST3
netbios name = Miami
comment = SunOS 5.8 Samba Server
security = DOMAIN
#null passwords = Yes
encrypt passwords = yes
password server = flipper, deralte
#password server = dc3

# We don't want roaming profiles
#logon path = 
#logon home = 


domain master = auto
domain logons = no
preferred master = auto
os level = 20

wins support = no
wins proxy = no
wins server = 89.16.6.4

#log level = 2
log level = 0
log file = /usr/local/samba/var/log.%m
public = No
browseable = No
writable = No
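
Added example, not part of the original report and not Samba code: a small parser for level-10 log.winbindd output that pairs each request with the extra data written back, which is where the two traces above differ (LIST_USERS gets 4800 extra bytes in the working lookup and none in the failing one). The function names summarize and empty_enumerations are assumptions; the samples are message lines abridged from the traces above.

```python
import re

REQ = re.compile(r"process_request: request fn (\w+)")
EXTRA = re.compile(r"client_write: need to write (\d+) extra data bytes")
PID = re.compile(r"^\s+\[\s*(\d+)\]: ")   # indented "[ 7076]: ..." message lines

def summarize(log_text):
    """Return [(request_fn, client_pid, extra_data_bytes)] in log order."""
    results, cur = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:                              # a new request closes the previous one
            if cur:
                results.append(tuple(cur))
            cur = [m.group(1), None, 0]
            continue
        if cur is None:
            continue
        m = PID.match(line)
        if m and cur[1] is None:
            cur[1] = int(m.group(1))
        m = EXTRA.search(line)
        if m:
            cur[2] += int(m.group(1))
    if cur:
        results.append(tuple(cur))
    return results

def empty_enumerations(log_text, fns=("LIST_USERS",)):
    """Enumeration requests that were answered with no extra data payload."""
    return [r for r in summarize(log_text) if r[0] in fns and r[2] == 0]

# Abridged from the "Failing lookup" and "Working lookup" traces in this report.
FAILING = """\
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
  [ 7076]: request location of privileged pipe
  client_write: need to write 47 extra data bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn LIST_USERS
  [ 7076]: list users
  client_write: wrote 1300 bytes.
"""
WORKING = """\
  process_request: request fn LIST_USERS
  [27482]: list users
  client_write: need to write 4800 extra data bytes.
"""
```

Requests are attributed in log order rather than per socket, because the client_write lines in these traces do not name the socket they belong to.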
Comment 1 Gerald (Jerry) Carter (dead mail address) 2004-06-02 14:16:28 UTC
Thanks for opening the bug report.  I've found a couple of 
regressions in the winbindd code.  I'll work on a patch
and should have something in a few days.

(still exists in 3.0.5pre2-SVN-build-974)
Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-06-03 10:51:15 UTC
I've tracked this down.  What you are seeing is currently
by design.  What problem is the lack of local users in 
wbinfo -u output causing you?  The assumption is that the domain
users for the Samba DC's domain are returned via other NSS
means.
Comment 3 Szombathelyi György 2004-09-29 03:43:39 UTC
I have the same problem on a Samba PDC. For me the rationale to run Samba PDC
and winbindd on the same machine is to use squid with NTLM authentication on the
PDC.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2004-09-29 04:44:37 UTC
NTLM authentication doesn't really affect wbinfo -u (and
vice versa).  Closing bug report.