Bug 2145 - [patch] run time location for /tmp/.winbindd/pipe
Status: RESOLVED WONTFIX
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.9
Hardware: x86 Linux
Importance: P3 major
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact

Reported: 2004-12-10 10:17 UTC by Oliver Nyderle
Modified: 2005-02-18 05:18 UTC

Attachments
patch to solve the runtime location conflict with winbind pipe (5.39 KB, patch)
2005-02-17 10:22 UTC, Oliver Nyderle

Description Oliver Nyderle 2004-12-10 10:17:06 UTC
winbind uses a pipe for unprivileged processes (/tmp/.winbindd/pipe).

When binding Samba to an interface using the available parameters in
smb.conf to use multiple instances of Samba for different interfaces to connect
to multiple domains or ADs, winbind does not work properly.

The problem is that only one instance of winbindd has the pipe in
/tmp/.winbindd/pipe, so authentication is only possible against one DC (the last
started winbind; all connects from every Samba instance get information only
from one winbindd).

To use different DCs for every interface I need multiple instances of winbindd
(one for every interface), each with an exclusive pipe for the smbd and nmbd
processes of this instance.

I made a patch to fix this problem by generating a new parameter for smb.conf
and using this for the unprivileged pipe.

With this patch I can configure a path for the unprivileged winbindd pipe, and so
I have a fully functional Samba with an exclusive winbindd for every interface. So
authentication against different DCs for every interface works properly.

Please send me an email so I can send the patch or more information about the
problem.
Comment 1 Gerald (Jerry) Carter 2005-02-17 08:46:07 UTC
Please attach your patch to this bug report.
Comment 2 Oliver Nyderle 2005-02-17 10:22:48 UTC
Created attachment 969
patch to solve the runtime location conflict with winbind pipe

This patch was tested with versions 3.0.9 and 3.0.10.
It works fine, but sometimes we leave the join to the Active Directories after
reboot -> system needs new 'net ads join ...' to work properly.
Maybe there are some more changes to do ...

regards

Oliver
Comment 3 Volker Lendecke 2005-02-18 03:03:13 UTC
Just a feeling: I'm pretty sure I don't like the idea of multiple winbinds in
the same nss space. We already have to deal with different semantics between
windows and unix, but this really departs way too much for my taste. Have you
considered using a chroot environment for winbind?

Volker
Comment 4 Oliver Nyderle 2005-02-18 04:42:55 UTC
In my opinion, with this patch we have only one winbind in each nss space. Every
interface is connected to one network segment with one ADS (-> one nss space?
please correct me if I'm wrong) and every instance is bound to one interface and
joined to one domain (net ads join ....).

So we need instances of smbd, nmbd AND winbind for each interface. With the
normal configuration (using the interface bind options etc.) we have running
daemons for each interface:
fsf:/etc/samba # psg smb
root       953  0.0  1.2  7712 3040 ?        S    Feb01   0:30 winbindd -s /etc/samba/smb_eth2.conf
root       954  0.0  0.2  6276  532 ?        S    Feb01   0:00 winbindd -s /etc/samba/smb_eth2.conf
root       960  0.0  1.2  7988 3020 ?        S    Feb01   0:06 winbindd -s /etc/samba/smb_eth3.conf
root       961  0.0  0.2  7308  600 ?        S    Feb01   0:00 winbindd -s /etc/samba/smb_eth3.conf
root       967  0.0  1.1  7708 2792 ?        S    Feb01   0:06 winbindd -s /etc/samba/smb_eth4.conf
root       968  0.0  0.2  6272  532 ?        S    Feb01   0:00 winbindd -s /etc/samba/smb_eth4.conf
root      1953  0.2  1.2  8120 3176 ?        S    12:14   0:00 smbd -s /etc/samba/smb_eth2.conf -D
root      1958  0.2  0.7  5612 1968 ?        S    12:14   0:00 nmbd -s /etc/samba/smb_eth2.conf -D
root      1965  0.4  1.2  8120 3176 ?        S    12:14   0:00 smbd -s /etc/samba/smb_eth3.conf -D
root      1970  0.0  1.2  8120 3176 ?        S    12:14   0:00 smbd -s /etc/samba/smb_eth2.conf -D
root      1971  0.0  0.7  5616 1964 ?        S    12:14   0:00 nmbd -s /etc/samba/smb_eth3.conf -D
root      1978  0.0  1.2  8120 3176 ?        S    12:14   0:00 smbd -s /etc/samba/smb_eth3.conf -D
root      1979  0.3  1.2  8116 3172 ?        S    12:14   0:00 smbd -s /etc/samba/smb_eth4.conf -D
root      1984  0.0  0.7  5608 1944 ?        S    12:14   0:00 nmbd -s /etc/samba/smb_eth4.conf -D
root      1990  0.0  1.2  8116 3172 ?        S    12:14   0:00 smbd -s /etc/samba/smb_eth4.conf -D

Without the patch we now have authentication problems. Every smbd/nmbd instance
gets only the user and group information from one winbindd (via pipe in
.winbindd/pipe). That means only users from one domain can be authenticated -> no
connects from other domains are allowed -> binding on interfaces is needless.

We use the following smb-confs:
smb_eth2.conf:

[global]
winbind socket dir = /tmp/samba_eth2/
pid directory = /var/run/samba_eth2/
lock directory = /var/run/samba_eth2/
private dir = /var/run/samba_eth2/
bind interfaces only = yes
interfaces = eth2 10.60.14.100/24
unix charset = ISO8859-15
server string = Samba 3.0.9
log level = 2
syslog = 0
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups

netbios name = SWP-VW-FSF

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = SWP-PASSAU
realm = SWP-PASSAU.DE

# all information in one file
log file = /var/log/samba/smb_eth2.log

# Put a capping on the size of the log files (in Kb).
max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
;security = user
security = ADS
# Use password server option only with security = server
password server = 10.60.8.109


smb_eth3.conf:
# -----------------------------------------------------------------------------
# Global Settings
# -----------------------------------------------------------------------------
[global]
winbind socket dir = /tmp/samba_eth3/
pid directory = /var/run/samba_eth3/
lock directory = /var/run/samba_eth3/
private dir = /var/run/samba_eth3/
bind interfaces only = yes
interfaces = eth3 10.60.14.103/24
unix charset = ISO8859-15
server string = Samba 3.0.9
log level = 2
syslog = 0
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 20001-30000
idmap gid = 20001-30000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups

netbios name = SWP-WEB-FSF
#host msdfs = no

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = SWP-DMZ
realm = SWP-DMZ.LOCAL

# Security mode. Most people will want user level security. See
# security_level.txt for details.
;security = user
security = ADS
# Use password server option only with security = server
password server = 10.60.13.100
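
A pre-start check for the per-interface layout shown in the two configs above, as an added example that is not part of the bug report, the attached patch or Samba itself: it parses each instance's [global] section and reports paths shared between instances and overlapping idmap ranges. `winbind socket dir` is the parameter the reporter's patch introduces; the function names, the invented eth4 sample and the assumption that /tmp and /var/run do not survive a reboot (relevant because `private dir` holds secrets.tdb) are this example's own.

```python
# Parameters that must differ per instance (names as used in the configs above).
PATH_KEYS = ("winbind socket dir", "pid directory", "lock directory", "private dir")
VOLATILE = ("/tmp/", "/var/run/")  # assumption: cleared at boot on many systems

def parse_global(text):
    """Return the [global] parameters of smb.conf-style text as a dict."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def overlap(r1, r2):  # True if two 'low-high' id ranges share at least one id
    (a, b), (c, d) = ([int(x) for x in r.split("-")] for r in (r1, r2))
    return a <= d and c <= b

def audit(instances):
    """instances maps an instance name to its config text; returns findings."""
    cfg = {name: parse_global(text) for name, text in instances.items()}
    names, out = sorted(cfg), []
    for i, a in enumerate(names):
        priv = cfg[a].get("private dir", "")
        if priv.startswith(VOLATILE):  # secrets.tdb (machine account) lives here
            out.append(f"{a}: private dir {priv} is in a volatile location")
        for b in names[i + 1:]:
            for key in PATH_KEYS:
                pa, pb = (cfg[n].get(key, "").rstrip("/") for n in (a, b))
                if pa == pb:  # both unset means both use the same default
                    out.append(f"{a}/{b}: shared '{key}' ({pa or 'default'})")
            for key in ("idmap uid", "idmap gid"):
                if key in cfg[a] and key in cfg[b] and overlap(cfg[a][key], cfg[b][key]):
                    out.append(f"{a}/{b}: overlapping '{key}' range")
    return out

# Constructed samples: eth2/eth3 follow the posted configs; eth4 is an invented
# copy-paste mistake that reuses eth3's paths with an overlapping idmap range.
TMPL = ("[global]\nwinbind socket dir = /tmp/samba_{0}/\n"
        "pid directory = /var/run/samba_{0}/\nlock directory = /var/run/samba_{0}/\n"
        "private dir = /var/run/samba_{0}/\nidmap uid = {1}\nidmap gid = {1}\n")
SAMPLES = {"eth2": TMPL.format("eth2", "10000-20000"),
           "eth3": TMPL.format("eth3", "20001-30000"),
           "eth4": TMPL.format("eth3", "25000-35000")}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLES)))
```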


Comment 5 Volker Lendecke 2005-02-18 05:18:12 UTC
The proper way to solve your problem is to have one primary domain that you
connect to and make that domain trust all the other domains. You can either
install this trust in the windows world or install a Samba PDC running winbind
and establish trusts to the other domains.

Volker