winbind uses a pipe for unprivileged processes (/tmp/.winbindd/pipe). When binding Samba to an interface using the available parameters in smb.conf, in order to run multiple instances of Samba on different interfaces connecting to multiple domains or ADs, winbind does not work properly. The problem is that only one instance of winbindd has the pipe in /tmp/.winbindd/pipe, so authentication is only possible against one DC (the last started winbind; all connections from every Samba instance get information from only one winbindd). To use different DCs for every interface I need multiple instances of winbindd (one for every interface), each with an exclusive pipe for the smbd and nmbd processes of that instance. I made a patch to fix this problem by adding a new parameter to smb.conf and using it for the unprivileged pipe. With this patch I can configure a path for the unprivileged winbindd pipe, and so I have a fully functional Samba with an exclusive winbindd for every interface. So authentication against different DCs for every interface works properly. Please send me an email so I can send the patch or more information about the problem.
please attach your patch to this bug report.
Created attachment 969: patch to solve the runtime location conflict with winbind pipe

This patch was tested with versions 3.0.9 and 3.0.10. It works fine, but sometimes we lose the join to the Active Directories after reboot -> the system needs a new 'net ads join ...' to work properly. Maybe there are some more changes to do ...

regards Oliver
Just a feeling: I'm pretty sure I don't like the idea of multiple winbinds in the same nss space. We already have to deal with different semantics between Windows and Unix, but this really departs way too much for my taste. Have you considered using a chroot environment for winbind? Volker
In my opinion, with this patch we have only one winbind in each nss space. Every interface is connected to one network segment with one ADS (-> one nss space? please correct me if I'm wrong) and every instance is bound to one interface and joined to one domain (net ads join ....). So we need instances of smbd, nmbd AND winbind for each interface. With the normal configuration (using the interface bind options etc.) we have the following daemons running for each interface:

fsf:/etc/samba # psg smb
root       953  0.0  1.2  7712 3040 ?  S  Feb01  0:30 winbindd -s /etc/samba/smb_eth2.conf
root       954  0.0  0.2  6276  532 ?  S  Feb01  0:00 winbindd -s /etc/samba/smb_eth2.conf
root       960  0.0  1.2  7988 3020 ?  S  Feb01  0:06 winbindd -s /etc/samba/smb_eth3.conf
root       961  0.0  0.2  7308  600 ?  S  Feb01  0:00 winbindd -s /etc/samba/smb_eth3.conf
root       967  0.0  1.1  7708 2792 ?  S  Feb01  0:06 winbindd -s /etc/samba/smb_eth4.conf
root       968  0.0  0.2  6272  532 ?  S  Feb01  0:00 winbindd -s /etc/samba/smb_eth4.conf
root      1953  0.2  1.2  8120 3176 ?  S  12:14  0:00 smbd -s /etc/samba/smb_eth2.conf -D
root      1958  0.2  0.7  5612 1968 ?  S  12:14  0:00 nmbd -s /etc/samba/smb_eth2.conf -D
root      1965  0.4  1.2  8120 3176 ?  S  12:14  0:00 smbd -s /etc/samba/smb_eth3.conf -D
root      1970  0.0  1.2  8120 3176 ?  S  12:14  0:00 smbd -s /etc/samba/smb_eth2.conf -D
root      1971  0.0  0.7  5616 1964 ?  S  12:14  0:00 nmbd -s /etc/samba/smb_eth3.conf -D
root      1978  0.0  1.2  8120 3176 ?  S  12:14  0:00 smbd -s /etc/samba/smb_eth3.conf -D
root      1979  0.3  1.2  8116 3172 ?  S  12:14  0:00 smbd -s /etc/samba/smb_eth4.conf -D
root      1984  0.0  0.7  5608 1944 ?  S  12:14  0:00 nmbd -s /etc/samba/smb_eth4.conf -D
root      1990  0.0  1.2  8116 3172 ?  S  12:14  0:00 smbd -s /etc/samba/smb_eth4.conf -D

Without the patch we now have authentication problems. Every smbd/nmbd instance gets the user and group information from only one winbindd (via the pipe in .winbindd/pipe). That means only users from one domain can be authenticated -> no connections from other domains are allowed -> binding to interfaces is pointless.
We use the following smb.conf files:

smb_eth2.conf:

[global]
winbind socket dir = /tmp/samba_eth2/
pid directory = /var/run/samba_eth2/
lock directory = /var/run/samba_eth2/
private dir = /var/run/samba_eth2/
bind interfaces only = yes
interfaces = eth2 10.60.14.100/24
unix charset = ISO8859-15
server string = Samba 3.0.9
log level = 2
syslog = 0
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups
netbios name = SWP-VW-FSF
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = SWP-PASSAU
realm = SWP-PASSAU.DE
# all information in one file
log file = /var/log/samba/smb_eth2.log
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
;security = user
security = ADS
# Use password server option only with security = server
password server = 10.60.8.109

smb_eth3.conf:

# -----------------------------------------------------------------------------
# Global Settings
# -----------------------------------------------------------------------------
[global]
winbind socket dir = /tmp/samba_eth3/
pid directory = /var/run/samba_eth3/
lock directory = /var/run/samba_eth3/
private dir = /var/run/samba_eth3/
bind interfaces only = yes
interfaces = eth3 10.60.14.103/24
unix charset = ISO8859-15
server string = Samba 3.0.9
log level = 2
syslog = 0
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 20001-30000
idmap gid = 20001-30000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups
netbios name = SWP-WEB-FSF
#host msdfs = no
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = SWP-DMZ
realm = SWP-DMZ.LOCAL
# Security mode. Most people will want user level security. See
# security_level.txt for details.
;security = user
security = ADS
# Use password server option only with security = server
password server = 10.60.13.100
The proper way to solve your problem is to have one primary domain that you connect to and make that domain trust all the other domains. You can either install this trust in the windows world or install a Samba PDC running winbind and establish trusts to the other domains. Volker
commit e512491552d9ed0dc1005a23ffc8f77ba237f863
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Fri Oct 11 13:34:13 2013 +1300

    s3-winbindd: Remove undocumented winbindd:socket dir parameter

    This uses the documented "winbindd socket directory" parameter instead.

    This came about due to the merge of the two smb.conf tables in s3 and s4
    for the Samba 4.0 release. The s4 code used a real parameter, which
    caused this to be documented, whereas no automatic procedure existed to
    notice the parametric option and the need to document that.

    The fact that this was not used consistently in both codebases is one of
    the many areas of technical debt we still need to pay off here.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>

commit 0805a4bc715f055fd68c5e27bd46eadfb101e1b9
Author: Stefan Metzmacher <metze@samba.org>
Date:   Wed Sep 19 17:19:57 2007 +0000

    r25236: make it possible to alter WINBINDD_SOCKET_DIR via
    "winbindd:socket dir=/path/to/dir" for usage in make test

    metze
    (This used to be commit 5566cf01e827edf60c0235a661d95dd376210108)

So part of this has actually been fixed in some way since Samba 3.4, because we needed to make this work, much as asked for here, for our 'make test'. For security and other reasons, however, the client library will always use a fixed path.
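A small check for the failure mode this thread describes: several per-interface smb.conf files whose winbindd processes end up sharing one socket directory (and therefore one pipe), so every smbd talks to the same winbindd. This is an added example, not code from Samba or from the patch in this report; it parses the [global] section of each config, recognises the three parameter spellings that appear in the thread ("winbind socket dir", "winbindd socket directory", "winbindd:socket dir"), falls back to the /tmp/.winbindd default the report names, and reports directories used by more than one instance. The sample configs are constructed (trimmed to the relevant keys; smb_eth4.conf and smb_eth5.conf are hypothetical), and it only covers the daemon side, not the fixed client-library path the last comment mentions.

```python
import re
from collections import defaultdict

# Constructed sample input: the two configs from the thread trimmed to the
# relevant keys, plus a hypothetical third instance that forgot to set the
# socket dir and a fourth that uses the later documented parameter name.
CONFS = {
    "smb_eth2.conf": "[global]\nwinbind socket dir = /tmp/samba_eth2/\ninterfaces = eth2\n",
    "smb_eth3.conf": "[global]\nwinbind socket dir = /tmp/samba_eth3/\ninterfaces = eth3\n",
    "smb_eth4.conf": "[global]\n; socket dir left at the default\ninterfaces = eth4\n",
    "smb_eth5.conf": "[global]\nwinbindd socket directory = /tmp/samba_eth2\n",
}

DEFAULT_DIR = "/tmp/.winbindd"  # compiled-in default named in the bug report
# Parameter spellings seen in the thread: the 3.0-era patch, the documented
# name from the 2013 commit, and the parametric form from the 2007 commit.
KEYS = {"winbind socket dir", "winbindd socket directory", "winbindd:socket dir"}

def socket_dir(conf_text):
    """Return the winbindd socket directory a config selects, or the default."""
    chosen, section = DEFAULT_DIR, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip comments and blanks
            continue
        if line.startswith("["):                 # section header
            section = line.strip("[]").strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = re.sub(r"\s+", " ", key.lower())   # parameter names are case-insensitive
        if key in KEYS:
            # this script treats "/a/" and "/a" as the same directory
            chosen = value.rstrip("/") or "/"
    return chosen

def find_collisions(confs):
    """Return {socket_dir: [conf names]} for every dir used by more than one instance."""
    users = defaultdict(list)
    for name, text in confs.items():
        users[socket_dir(text)].append(name)
    return {d: names for d, names in users.items() if len(names) > 1}

def on_default(confs):
    """Instances that never override the default dir; any two of these share one pipe."""
    return [n for n, t in confs.items() if socket_dir(t) == DEFAULT_DIR]
```

Run `find_collisions(CONFS)` and `on_default(CONFS)` against the real config files (read with `open(path).read()`) to see which instances would compete for the same pipe before starting the daemons.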