winbind uses a pipe for unprivileged processes (/tmp/.winbindd/pipe). When binding samba to an interface using the available parameters in smb.conf to run multiple instances of samba for different interfaces that connect to multiple domains or ADs, winbind does not work properly. The problem is that only one instance of winbindd has the pipe in /tmp/.winbindd/pipe, so authentication is only possible against one DC (the last started winbind; all connects from every samba instance get information only from one winbindd). To use different DCs for every interface I need multiple instances of winbindd (one for every interface) with an exclusive pipe for the smbd and nmbd processes of that instance. I made a patch to fix this problem by adding a new parameter for smb.conf and using it for the unprivileged pipe. With this patch I can configure a path for the unprivileged winbindd pipe and so I have a fully functional samba with an exclusive winbindd for every interface. So authentication against different DCs for every interface works properly. Please send me an email so I can send the patch or more information about the problem.
Please attach your patch to this bug report.
Created attachment 969: patch to solve the runtime location conflict with winbind pipe

This patch was tested with versions 3.0.9 and 3.0.10. It works fine, but sometimes we lose the join to the Active Directories after reboot -> the system needs a new 'net ads join ...' to work properly. Maybe there are some more changes to do ... regards Oliver
Just a feeling: I'm pretty sure I don't like the idea of multiple winbinds in the same nss space. We already have to deal with different semantics between windows and unix, but this really departs way too much for my taste. Have you considered using a chroot environment for winbind? Volker
In my opinion, with this patch we have only one winbind in each nss space. Every interface is connected to one network segment with one ADS (-> one nss space? please correct me if I'm wrong) and every instance is bound to one interface and joined to one domain (net ads join ....). So we need instances of smbd, nmbd AND winbind for each interface. With the normal configuration (using the interface bind options etc.) we have the following daemons running for each interface:

fsf:/etc/samba # psg smb
root   953  0.0  1.2  7712 3040 ?  S  Feb01  0:30  winbindd -s /etc/samba/smb_eth2.conf
root   954  0.0  0.2  6276  532 ?  S  Feb01  0:00  winbindd -s /etc/samba/smb_eth2.conf
root   960  0.0  1.2  7988 3020 ?  S  Feb01  0:06  winbindd -s /etc/samba/smb_eth3.conf
root   961  0.0  0.2  7308  600 ?  S  Feb01  0:00  winbindd -s /etc/samba/smb_eth3.conf
root   967  0.0  1.1  7708 2792 ?  S  Feb01  0:06  winbindd -s /etc/samba/smb_eth4.conf
root   968  0.0  0.2  6272  532 ?  S  Feb01  0:00  winbindd -s /etc/samba/smb_eth4.conf
root  1953  0.2  1.2  8120 3176 ?  S  12:14  0:00  smbd -s /etc/samba/smb_eth2.conf -D
root  1958  0.2  0.7  5612 1968 ?  S  12:14  0:00  nmbd -s /etc/samba/smb_eth2.conf -D
root  1965  0.4  1.2  8120 3176 ?  S  12:14  0:00  smbd -s /etc/samba/smb_eth3.conf -D
root  1970  0.0  1.2  8120 3176 ?  S  12:14  0:00  smbd -s /etc/samba/smb_eth2.conf -D
root  1971  0.0  0.7  5616 1964 ?  S  12:14  0:00  nmbd -s /etc/samba/smb_eth3.conf -D
root  1978  0.0  1.2  8120 3176 ?  S  12:14  0:00  smbd -s /etc/samba/smb_eth3.conf -D
root  1979  0.3  1.2  8116 3172 ?  S  12:14  0:00  smbd -s /etc/samba/smb_eth4.conf -D
root  1984  0.0  0.7  5608 1944 ?  S  12:14  0:00  nmbd -s /etc/samba/smb_eth4.conf -D
root  1990  0.0  1.2  8116 3172 ?  S  12:14  0:00  smbd -s /etc/samba/smb_eth4.conf -D

Without the patch we now have authentication problems. Every smbd/nmbd instance gets the user and group information from only one winbindd (via the pipe in .winbindd/pipe). That means only users from one domain can be authenticated -> no connects from other domains are allowed -> binding on interfaces is useless.
We use the following smb.confs:

smb_eth2.conf:

[global]
winbind socket dir = /tmp/samba_eth2/
pid directory = /var/run/samba_eth2/
lock directory = /var/run/samba_eth2/
private dir = /var/run/samba_eth2/
bind interfaces only = yes
interfaces = eth2 10.60.14.100/24
unix charset = ISO8859-15
server string = Samba 3.0.9
log level = 2
syslog = 0
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups
netbios name = SWP-VW-FSF
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = SWP-PASSAU
realm = SWP-PASSAU.DE
# all information in one file
log file = /var/log/samba/smb_eth2.log
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
;security = user
security = ADS
# Use password server option only with security = server
password server = 10.60.8.109

smb_eth3.conf:

# -----------------------------------------------------------------------------
# Global Settings
# -----------------------------------------------------------------------------
[global]
winbind socket dir = /tmp/samba_eth3/
pid directory = /var/run/samba_eth3/
lock directory = /var/run/samba_eth3/
private dir = /var/run/samba_eth3/
bind interfaces only = yes
interfaces = eth3 10.60.14.103/24
unix charset = ISO8859-15
server string = Samba 3.0.9
log level = 2
syslog = 0
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 20001-30000
idmap gid = 20001-30000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups
netbios name = SWP-WEB-FSF
#host msdfs = no
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = SWP-DMZ
realm = SWP-DMZ.LOCAL
# Security mode. Most people will want user level security. See
# security_level.txt for details.
;security = user
security = ADS
# Use password server option only with security = server
password server = 10.60.13.100
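The per-interface setup above only works if every instance owns its runtime locations exclusively and the idmap ranges of the domains do not overlap: a shared winbind socket dir is exactly the one-pipe problem from the report, and overlapping idmap ranges would map users of two different domains onto the same unix uid. The following is an added example, not the reporter's patch and not Samba code: a small lint that parses several smb.conf files and reports such collisions. It assumes /tmp/.winbindd as the default winbind socket dir (the pipe path named in the report) and uses constructed copies of the two configs above plus a constructed broken set with a copy-and-paste error.

```python
"""Lint per-interface smb.conf files for collisions that make winbindd serve the wrong domain.
Added example; not Samba code. The default socket dir below is an assumption taken from
the pipe path /tmp/.winbindd/pipe quoted in the bug report."""
import re

# Locations every instance must own exclusively: shared values mean two daemons fight
# over one pipe, one set of lock files or one secrets.tdb.
EXCLUSIVE_PARAMS = ("winbind socket dir", "pid directory", "lock directory", "private dir")
DEFAULTS = {"winbind socket dir": "/tmp/.winbindd"}  # assumed default, see module docstring


def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {param: value}}.
    Parameter names are lowercased with whitespace collapsed (smbd ignores both),
    '#' and ';' lines are comments, and a repeated parameter keeps its last value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line or section is None:
            continue
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


def idmap_range(conf, param):
    """Turn 'idmap uid = 10000-20000' into (10000, 20000); None when unset."""
    val = conf.get("global", {}).get(param)
    if not val:
        return None
    lo, hi = (int(x) for x in val.replace(" ", "").split("-", 1))
    return (lo, hi)


def lint_instances(instances):
    """instances: list of (name, smb_conf_text). Returns a list of human-readable findings."""
    findings = []
    parsed = [(name, parse_smb_conf(text)) for name, text in instances]
    for i, (name_a, a) in enumerate(parsed):
        ga = a.get("global", {})
        for name_b, b in parsed[i + 1:]:
            gb = b.get("global", {})
            for param in EXCLUSIVE_PARAMS:  # trailing slashes are not significant for paths
                va = ga.get(param, DEFAULTS.get(param, "")).rstrip("/")
                vb = gb.get(param, DEFAULTS.get(param, "")).rstrip("/")
                if va and va == vb:
                    findings.append(f"{name_a} and {name_b} share '{param}' = {va}")
            for param in ("idmap uid", "idmap gid"):
                ra, rb = idmap_range(a, param), idmap_range(b, param)
                if ra and rb and ra[0] <= rb[1] and rb[0] <= ra[1]:
                    findings.append(f"{name_a} and {name_b} overlap on '{param}': {ra} vs {rb}")
    for name, c in parsed:
        g = c.get("global", {})
        if g.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
            findings.append(f"{name}: 'bind interfaces only' is not set; instance answers on every interface")
        if "winbind socket dir" not in g:
            findings.append(f"{name}: no 'winbind socket dir'; winbindd falls back to {DEFAULTS['winbind socket dir']}")
    return findings


# Constructed sample configs: trimmed copies of the two configs posted above.
GOOD_ETH2 = """[global]
winbind socket dir = /tmp/samba_eth2/
pid directory = /var/run/samba_eth2/
lock directory = /var/run/samba_eth2/
private dir = /var/run/samba_eth2/
bind interfaces only = yes
interfaces = eth2 10.60.14.100/24
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = SWP-PASSAU
realm = SWP-PASSAU.DE
;security = user
security = ADS
password server = 10.60.8.109
"""
GOOD_ETH3 = GOOD_ETH2.replace("eth2", "eth3").replace("10.60.14.100", "10.60.14.103") \
    .replace("10000-20000", "20001-30000").replace("SWP-PASSAU.DE", "SWP-DMZ.LOCAL") \
    .replace("SWP-PASSAU", "SWP-DMZ").replace("10.60.8.109", "10.60.13.100")
# Constructed broken variant: socket dir and lock dir copied from eth2, idmap uid overlapping.
BAD_ETH3 = GOOD_ETH3.replace("winbind socket dir = /tmp/samba_eth3/", "winbind socket dir = /tmp/samba_eth2/") \
    .replace("lock directory = /var/run/samba_eth3/", "lock directory = /var/run/samba_eth2/") \
    .replace("idmap uid = 20001-30000", "idmap uid = 15000-25000")
# Constructed fourth instance with no socket dir and no interface binding at all.
BAD_ETH4 = GOOD_ETH2.replace("eth2", "eth4").replace("10.60.14.100", "10.60.14.104") \
    .replace("10000-20000", "30001-40000").replace("winbind socket dir = /tmp/samba_eth4/\n", "") \
    .replace("bind interfaces only = yes\n", "")


def lint_page_configs():
    return lint_instances([("smb_eth2.conf", GOOD_ETH2), ("smb_eth3.conf", GOOD_ETH3)])


def lint_broken_configs():
    return lint_instances([("smb_eth2.conf", GOOD_ETH2), ("smb_eth3.conf", BAD_ETH3), ("smb_eth4.conf", BAD_ETH4)])


if __name__ == "__main__":
    print("page configs:", lint_page_configs() or "no collisions")
    for f in lint_broken_configs():
        print("broken set:", f)
```

Run it against the real files by replacing the constructed strings with the contents of each smb_*.conf; any finding on a "share" line means two instances would contend for the same pipe or lock files, and an idmap overlap means a user of one domain can receive the uid of a user in another.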
The proper way to solve your problem is to have one primary domain that you connect to and make that domain trust all the other domains. You can either install this trust in the windows world or install a Samba PDC running winbind and establish trusts to the other domains. Volker