Bug 2173 - Creating a local user with winbind running hangs
Summary: Creating a local user with winbind running hangs
Status: RESOLVED LATER
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.20a
Hardware: All Linux
: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-19 08:32 UTC by samba331
Modified: 2005-10-14 08:37 UTC (History)
1 user (show)

See Also:


Attachments
strace output when running useradd (no user or group enums) (31.89 KB, text/plain)
2005-10-13 10:42 UTC, samba331
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description samba331 2004-12-19 08:32:25 UTC
We are running samba and winbind on a Redhat Enterprise Linux 3 platform (but
samba is compiled by hand). We are authenticating against a large Active
Directory (many thousand users and lots of groups). 

When trying to create a "local user" on our server using the "useradd -u ###"
command, the useradd command just hangs. 

We have specified a range of UID's for winbind to use and I carefully avoid that
range when using the "useradd -u ###" command, so I do not think it is a UID
conflict. 

It works when the winbind service is stopped, but that hardly seems a
satisfactory solution (especially as we need to keep the samba/winbind service
up as much as possible).
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-02-17 08:42:34 UTC
replease retest against 3.0.11 and repoen if the problem 
still exists.  You may need to applthe winbind_find_dc 
patch at http://samba.org/~jerry/patches/post-3.0.11/
as well.  Thanks.
Comment 2 samba331 2005-04-26 08:38:59 UTC
We have upgraded to Samba 3.0.15pre2 but the problem still persists. The problem
also manifests itself when trying to add a local group. Any other information or
things I can try would be appreciated. 
Comment 3 samba331 2005-04-26 18:37:37 UTC
Here is some additional information. 

We tried to add a local group after turning off the winbind service. 

It seems that the the tdb files got corrupted somehow after the local user/group
was added. winbind was having problems resolving SID to gid. We deleted all the
cache files, did a clean installation (we were using 3.0.13 when the problem
started) but the problem persisted. Then I downloaded the 3.15pre version and
that seemed to resolve the issue. However, the error messages were not
consistent during this process. Right after restarting smbd and winbindd, these
errors showed up:

*could not lookup sid* (log.winbindd)
* standard input is not a socket, assuming -D option * (log.smbd)
* getpeername failed. Error was Transport endpoint is not connected* (log.smbd)
(this error is still in the 3.0.15 version)

wbinfo -t returns success.
getent groups|grep 'groupname' returns a group with username. However, 'groups
username' returns user doesn't exists. One time I got these error instead of the
above:
*id: cannot find name for group ID xxxxxx* 
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-09-29 09:06:54 UTC
please retest against 3.0.20a (the current SAMBA_3_0_RELEASE branch) which will
publically be availebl next week.
Comment 5 samba331 2005-10-13 02:41:52 UTC
I compiled the source for 3.20a on a RedHat Enterprise Linux 3 platform and the
problem persists. After starting the samba and winbind services I type "useradd
-u 1234 test1234" and the command never comes back (see my original description
in https://bugzilla.samba.org/show_bug.cgi?id=2173#c0). 

Any suggestions of things I can try to provide more information are welcome. 
Comment 6 samba331 2005-10-13 02:42:48 UTC
In https://bugzilla.samba.org/show_bug.cgi?id=2173#c5 I meant "version 3.0.20a". 
Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-10-13 09:04:56 UTC
Can you try setting 'winbind enum users = no' and 
'winbind enum groups = no'.  Then run strace on the useradd 
command to see where the hang is.  Might give some clues.
Comment 8 samba331 2005-10-13 10:42:10 UTC
Created attachment 1506 [details]
strace output when running useradd (no user or group enums)

This is the strace output from the command: "strace -ostrace.out
/usr/sbin/useradd -u 603 test333" with samba and winbind (version 3.0.20a)
running and with the settings "winbind enum users = no" and "winbind enum
groups = no" in the smb.conf file. This is running on Linux RHEL 3.
Comment 9 samba331 2005-10-13 10:44:33 UTC
Running useradd with 'winbind enum users = no' and 'winbind enum groups = no'
_does_ work around the problem. Unfortunately, we need to be able to see the
user and group names when doing things like "ls -l". Also, it is not feasible
for us to shutdown the samba server to add new local users. 

Anyway, I have created an strace output as requested and uploaded it as an
attachment (https://bugzilla.samba.org/attachment.cgi?id=1506&action=view). I
hope it will help shed some light on the problem. 
Comment 10 Gerald (Jerry) Carter (dead mail address) 2005-10-13 11:22:33 UTC
Actually setting 'winbind enum {users,group] = no' should not
effect ls -l.  It simple disable the get{pw,gr}ent(), not 
get{pw,gr}name(), et. al.   This might break things like id 
or finger.  But ls, chown, etc...should be fine unless they
are really badly written to begin with.

You can test this with "getent passwd 'domain\user'". That should still work
even though 'getent passwd' does not retun domain users.

So if turning off enumerating solves the problem, that is an 
acceptable work around I think.
Comment 11 samba331 2005-10-14 05:26:44 UTC
(In reply to comment #10)
> Actually setting 'winbind enum {users,group] = no' should not
> effect ls -l.  It simple disable the get{pw,gr}ent(), not 
> get{pw,gr}name(), et. al.   This might break things like id 
> or finger.  But ls, chown, etc...should be fine unless they
> are really badly written to begin with.
> 
> You can test this with "getent passwd 'domain\user'". That should still work
> even though 'getent passwd' does not retun domain users.
> 
> So if turning off enumerating solves the problem, that is an 
> acceptable work around I think.

I guess I will use this as a work-around. However, as the one of the goals of
sambs is to be "... an Open Source/Free Software suite that provides seamless
file and print services to SMB/CIFS clients." this issue needs to be addressed
at some point. After all, my Windows 2000 client has no problem dealing with the
AD, even one as large the one we have.
Comment 12 Gerald (Jerry) Carter (dead mail address) 2005-10-14 05:53:19 UTC
Your sarcasm is not appreciated.

Windows user a group enumeration is basically broken
via rpc in the newer MS hotfixes anyways.  By default,
Windows does attempt to enumerate users or groups.  Note 
the search box changes in Windows 2000 when dealing 
with AD.

However, we are working on upcoming changes.

What you don't describe is what turning off enumeration breaks.  
You are basically whining without giving me any helpful
information.  If we make 'winbindd enum users = no' the default
and things just work, is that seamless enough for you?




Comment 13 samba331 2005-10-14 08:07:00 UTC
(In reply to comment #12)
> Your sarcasm is not appreciated.
> 
> Windows user a group enumeration is basically broken
> via rpc in the newer MS hotfixes anyways.  By default,
> Windows does attempt to enumerate users or groups.  Note 
> the search box changes in Windows 2000 when dealing 
> with AD.
> 
> However, we are working on upcoming changes.
> 
> What you don't describe is what turning off enumeration breaks.  
> You are basically whining without giving me any helpful
> information.  If we make 'winbindd enum users = no' the default
> and things just work, is that seamless enough for you?
> 
> 
> 
> 
> 

I was not being sarcastic. I just wanted to be sure that a shortcoming of an
excellent project will not go unaddressed. But I guess you are a mind reader
(THAT is sarcasm). 
Comment 14 Gerald (Jerry) Carter (dead mail address) 2005-10-14 08:37:44 UTC
hahah :-)  Touche. :-)  OK.  So I let my cynical side show.
Point well taken.

You still didn't answer the question abotu what breaks
when disabling enumeration.  The reason I ask is that
we are considering disabling enumeration via get{pw,gr}ent() in
a future release.