We seem to have discovered a situation that looks like a bug.

The setup is a PDC with an LDAP server running locally which is accessed directly and through nsswitch/PAM. A member server is providing shares to clients.

When looking up domain users (wbinfo -u) from a member server (Solaris 8, OpenLDAP 2.1.25) there are no problems. When looking up users on the PDC and on the BDC, it fails (Error looking up domain users). The log.winbindd states problems with socket read errors. When running "wbinfo -m" we only get "BUILTIN". When running "wbinfo -g" we get:

BUILTIN+System Operators
BUILTIN+Replicators
BUILTIN+Guests
BUILTIN+Power Users
BUILTIN+Print Operators
BUILTIN+Administrators
BUILTIN+Account Operators
BUILTIN+Backup Operators
BUILTIN+Users

The PDC is running Mandrake 9 (2.4.19-16mdk, OpenLDAP 2.0.25) and the BDC is running RedHat 7.3 (2.4.18-3, OpenLDAP 2.0.27) and works without problems in other regards. Have tried a similar PDC/BDC configuration on Mandrake 10 as well with same results.

The problem was first discovered in Samba 3.0.2 (currently 3.0.4) and searching the mailing lists does not reveal anything that equals our situation.

Samba config options are:
./configure --with-acl-support --with-libiconv

Things checked:
There are no firewall rules.
Different socket options tried.
Custom compiled and vendor compiled binaries tried.
LDAP entries commented out with no effect.

Guess on cause:
The LDAP lookup is messing up a socket used for local host communication.

Failing lookup

[2004/05/24 12:53:25, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 16
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn INTERFACE_VERSION
[2004/05/24 12:53:25, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [ 7076]: request interface version
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2004/05/24 12:53:25, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [ 7076]: request location of privileged pipe
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 47 extra data bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 47 bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response written.
[2004/05/24 12:53:25, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 17
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/05/24 12:53:25, 5] nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 16, pid 7076: EOF
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn LIST_USERS
[2004/05/24 12:53:25, 3] nsswitch/winbindd_user.c:winbindd_list_users(592)
  [ 7076]: list users
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/05/24 12:53:25, 5] nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 17, pid 7076: EOF

Working lookup

[2004/05/24 13:19:05, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 19
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn INTERFACE_VERSION
[2004/05/24 13:19:05, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27482]: request interface version
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2004/05/24 13:19:05, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27482]: request location of privileged pipe
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 47 extra data bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 47 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response written.
[2004/05/24 13:19:05, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 20
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/05/24 13:19:05, 5] nsswitch/winbindd.c:winbind_client_read(463)
  read failed on sock 19, pid 27482: EOF
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn LIST_USERS
[2004/05/24 13:19:05, 3] nsswitch/winbindd_user.c:winbindd_list_users(592)
  [27482]: list users
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(355)
  refresh_sequence_number: SMB-TST time ok
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(379)
  refresh_sequence_number: SMB-TST seq number is now 1085397520
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:centry_expired(403)
  centry_expired: Key UL/SMB-TST for domain SMB-TST is good.
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:wcache_fetch(482)
  wcache_fetch: returning entry UL/SMB-TST for domain SMB-TST
[2004/05/24 13:19:05, 10] nsswitch/winbindd_cache.c:query_user_list(694)
  query_user_list: [Cached] - cached list for domain SMB-TST status Success
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 4800 extra data bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 4800 bytes.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response written.
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/05/24 13:19:05, 5] nsswitch/winbindd.c:winbind_client_read(463)
  read failed on sock 20, pid 27482: EOF

# Maersk Oil SAMBA 3.0 PDC
[global]
passdb backend = ldapsam:ldap://infra05/
ldap suffix = dc=cph,dc=maerskoil,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = "cn=Manager,dc=cph,dc=maerskoil,dc=com"
#
# ldap passwd file = /usr/local/etc2/samba_3/private/ldappasswd
# the ldap admin dn password is stored in secrets.tdb
# and is set using "smbpasswd -w passphrase". It is no
# longer stored in the smb.conf file.
#
# start tls by default
ldap ssl = start tls
# smbpasswd -x delete the entire dn-entry
ldap delete dn = no
# synchronize unix and samba passwords
ldap passwd sync = yes
admin users = @"Domain_Admins"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d /dev/null -c 'Machine Account' -s /bin/false %u
add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
delete user script = /usr/local/sbin/smbldap-userdel.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl %g && /usr/local/sbin/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'
delete group script = /usr/local/sbin/smbldap-groupdel.pl %g
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g %g %u
# password quality
min passwd length = 8
#use cracklib = Yes
# charsets
display charset = LOCALE
dos charset = CP850
unix charset = ISO-8859-1
# winbind must be running to have inter-domain trust
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
#username map = /usr/local/samba/lib/smbusers
#idmap backend = ldap://infra05/
#ldap idmap suffix = ou=Idmap,dc=cph,dc=maerskoil,dc=com
#idmap uid = 40000-50000
#idmap gid = 40000-50000
#winbind use default domain = yes
#socket options = IPTOS_LOWDELAY TCP_NODELAY
#socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
# pushing rids out of way of existing groups
algorithmic rid base = 6000
workgroup = SMB-TST
netbios name = flipper
comment = Mandrake 9.0 Samba Server
security = user
null passwords = Yes
encrypt passwords = yes
# We don't want roaming profiles
logon path =
logon home =
domain master = yes
domain logons = yes
preferred master = yes
os level = 20
wins server = 89.16.6.4
log level = 10
log file = /usr/local/samba/var/log.%m
public = No
browseable = No
writable = No

# Maersk Oil SAMBA 3.0 Member server
[global]
# charsets
display charset = LOCALE
dos charset = CP850
unix charset = ISO-8859-1
# winbind must be running to have inter-domain trust
winbind uid = 10000-20000
winbind gid = 10000-20000
# winbind use default domain = yes
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
socket options = IPTOS_LOWDELAY TCP_NODELAY
workgroup = SMB-TST
#workgroup = TST3
netbios name = Miami
comment = SunOS 5.8 Samba Server
security = DOMAIN
#null passwords = Yes
encrypt passwords = yes
password server = flipper, deralte
#password server = dc3
# We don't want roaming profiles
#logon path =
#logon home =
domain master = auto
domain logons = no
preferred master = auto
os level = 20
wins support = no
wins proxy = no
wins server = 89.16.6.4
#log level = 2
log level = 0
log file = /usr/local/samba/var/log.%m
public = No
browseable = No
writable = No
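
Added example (not part of the report and not Samba code): a small Python helper that pairs each winbindd request in a log level 10 trace with the extra-data bytes written back for it. That number is the visible difference between the two traces in the report: LIST_USERS gets no extra data in the failing trace and 4800 bytes in the working one. The function names and the shortened sample traces are this example's own; the message strings it matches are the ones shown in the report.

```python
import re

# Two message types from the winbindd trace: the request name logged by
# process_request, and the extra-data size logged by client_write.
EVENT = re.compile(
    r"process_request: request fn (\w+)"
    r"|need to write (\d+) extra data bytes"
)

def summarize(log_text):
    """Return [(request_fn, extra_data_bytes)] in the order requests were logged.

    Extra data is attributed to the most recent request, which is valid for a
    trace with one client at a time, as in the report. Works on both the
    two-line log layout and text that has lost its line breaks.
    """
    replies = []
    for m in EVENT.finditer(log_text):
        if m.group(1):
            replies.append([m.group(1), 0])
        elif replies:
            replies[-1][1] += int(m.group(2))
    return [tuple(r) for r in replies]

def empty_replies(log_text, fns=("LIST_USERS",)):
    """Names of enumeration requests that were answered without any extra data."""
    return [fn for fn, extra in summarize(log_text) if fn in fns and extra == 0]

# Shortened excerpts of the two traces in the report (entries omitted).
FAILING = """\
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 47 extra data bytes.
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn LIST_USERS
[2004/05/24 12:53:25, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
"""
WORKING = FAILING.replace("12:53:25", "13:19:05") + """\
[2004/05/24 13:19:05, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 4800 extra data bytes.
"""

if __name__ == "__main__":
    for name, trace in (("failing", FAILING), ("working", WORKING)):
        print(name, summarize(trace), "empty:", empty_replies(trace))
```

An empty reply only shows that winbindd returned no list; the trace alone does not say whether that is an error or intended behaviour.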
Thanks for opening the bug report. I've found a couple of regressions in the winbindd code. I'll work on a patch and should have something in a few days. (still exists in 3.0.5pre2-SVN-build-974)
I've tracked this down. What you are seeing is currently by design. What problem is the lack of local users in wbinfo -u output causing you? The assumption is that the domain users for the Samba DC's domain are returned via other NSS means.
I have the same problem on a Samba PDC. For me the rationale to run Samba PDC and winbindd on the same machine is to use squid with NTLM authentication on the PDC.
NTLM authentication doesn't really affect wbinfo -u (and vice versa). Closing bug report.