Bug 4501 - winbind: ERROR: Could not get methods for backend ad
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.25
Hardware: Sparc Solaris
Importance: P1 regression
Target Milestone: 3.0.26
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Reported: 2007-04-10 11:01 UTC by mchugh19@yahoo.com
Modified: 2007-08-29 06:39 UTC

Attachments
debug 10 logs (80.94 KB, application/x-tgz), 2007-04-10 11:07 UTC, mchugh19@yahoo.com
smb.conf (981 bytes, text/plain), 2007-04-10 11:08 UTC, mchugh19@yahoo.com
dumps core with this smb.conf (983 bytes, text/plain), 2007-04-10 11:10 UTC, mchugh19@yahoo.com
logs from core dump (48.40 KB, application/x-tgz), 2007-04-10 11:10 UTC, mchugh19@yahoo.com
add schema_mode option (1.27 KB, patch), 2007-04-10 14:54 UTC, Gerald (Jerry) Carter (dead mail address)
new patch which also fixes the idmap_init() failure when no alloc backend has been specified (2.77 KB, patch), 2007-04-10 17:56 UTC, Gerald (Jerry) Carter (dead mail address)
more debug 10 logs (90.00 KB, application/x-tgz), 2007-04-10 19:30 UTC, mchugh19@yahoo.com
3rd revision of patch to fix allocate_gid crashes (7.37 KB, patch), 2007-04-11 07:23 UTC, Gerald (Jerry) Carter (dead mail address)
debug 10 logs of samba dumping core (47.45 KB, application/x-tgz), 2007-04-11 11:23 UTC, mchugh19@yahoo.com
smb.conf with tdb (1006 bytes, text/plain), 2007-04-11 11:24 UTC, mchugh19@yahoo.com
smb.conf now used (998 bytes, text/plain), 2007-04-11 13:01 UTC, mchugh19@yahoo.com
yet more debug 10 logs (609.75 KB, application/x-tgz), 2007-04-11 13:03 UTC, mchugh19@yahoo.com
samba logs (423.48 KB, application/x-tbz), 2007-04-23 11:02 UTC, mchugh19@yahoo.com
logs from debug 10 (224.39 KB, application/x-tbz), 2007-04-25 13:49 UTC, mchugh19@yahoo.com
smb.conf with two domains (1.16 KB, application/octet-stream), 2007-04-25 13:52 UTC, mchugh19@yahoo.com
debug 10 logs (65.35 KB, application/x-gzip), 2007-04-29 18:40 UTC, mchugh19@yahoo.com
smb.conf used (1.14 KB, text/plain), 2007-04-29 18:43 UTC, mchugh19@yahoo.com
log files of debug 10 trying to look up a user from another domain (81.31 KB, application/gzip), 2007-05-14 13:30 UTC, mchugh19@yahoo.com
more winbind logs (172.69 KB, application/gzip), 2007-06-27 13:58 UTC, mchugh19@yahoo.com
winbind log (21.68 KB, application/gzip), 2007-06-27 14:33 UTC, mchugh19@yahoo.com
all the logs! (86.82 KB, application/gzip), 2007-06-27 14:45 UTC, mchugh19@yahoo.com
SPAM (106 bytes, application/foo), 2007-06-28 15:39 UTC, SPAMMER
log files and smb.conf (78.27 KB, application/gzip), 2007-06-29 12:29 UTC, mchugh19@yahoo.com

Description mchugh19@yahoo.com 2007-04-10 11:01:22 UTC
winbind's idmap_ad appears to not want to enumerate users on solaris 10. 

With variations in the smb.conf winbind either core dumps outright or simply does not function. This is against a win2k3 domain with rfc2307 unix attributes.
Comment 1 mchugh19@yahoo.com 2007-04-10 11:07:36 UTC
Created attachment 2364 [details]
debug 10 logs
Comment 2 mchugh19@yahoo.com 2007-04-10 11:08:00 UTC
Created attachment 2365 [details]
smb.conf
Comment 3 mchugh19@yahoo.com 2007-04-10 11:10:11 UTC
Created attachment 2366 [details]
dumps core with this smb.conf
Comment 4 mchugh19@yahoo.com 2007-04-10 11:10:36 UTC
Created attachment 2367 [details]
logs from core dump
Comment 5 Gerald (Jerry) Carter (dead mail address) 2007-04-10 14:38:33 UTC
I've found the segv.  Either setting "winbind nss info = sfu" 
or "winbind nss info = rfc2307" should fix that if I'm correct.
I'll have to fix this dependency, but could you verify that 
it does prevent the crash?  Thanks.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2007-04-10 14:54:54 UTC
Created attachment 2368 [details]
add schema_mode option

Please try this patch which should fix the segv with the original
smb.conf.  Adds new idmap_ad config option.
  
   "idmap config DOMAIN:schema_mode = {sfu,rfc2307}"
Comment 7 mchugh19@yahoo.com 2007-04-10 15:41:22 UTC
Seems to have fixed some of the issues, but I'm still getting:

[2007/04/10 13:33:27, 2] lib/module.c:do_smb_load_module(64)
  Module '/usr/local/samba/lib/idmap/ad.so' loaded
[2007/04/10 13:33:27, 0] nsswitch/idmap.c:idmap_init(403)
  ERROR: Could not get methods for backend ad
[2007/04/10 13:33:27, 0] nsswitch/idmap.c:idmap_init(615)
  Aborting IDMAP Initialization ...


Samba was compiled with ./configure --prefix=/usr/local/samba --with-shared-modules=idmap_ad --with-pam --with-ads
using kerberos and openldap from blastwave (/opt/csw)
Comment 8 Gerald (Jerry) Carter (dead mail address) 2007-04-10 17:56:33 UTC
Created attachment 2372 [details]
new patch which also fixes the idmap_init() failure when no alloc backend has been specified

I have idmap_ad working with this patch against 3.0.25rc1.  This includes the
previous schema_mode patch.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2007-04-10 17:57:06 UTC
Christian, this should be fixed now.  Please reopen if the second
patch doesn't get things working for you.
Comment 10 mchugh19@yahoo.com 2007-04-10 19:30:23 UTC
Created attachment 2373 [details]
more debug 10 logs

Unfortunately after the patch, it now immediately dumps core
Comment 11 mchugh19@yahoo.com 2007-04-10 19:31:12 UTC
dumps core at startup
Comment 12 Gerald (Jerry) Carter (dead mail address) 2007-04-11 07:23:05 UTC
Created attachment 2375 [details]
3rd revision of patch to fix allocate_gid crashes

This is v3 of the patch which adds a fix for the allocate_gid() crashes.
I can successfully login using both Krb5 and NTLMSSP and the idmap_ad.
Comment 13 Gerald (Jerry) Carter (dead mail address) 2007-04-11 07:24:07 UTC
Christian, Hopefully fixed.  Again, reopen if you still get failures.  
Thanks for spending the efforts testing these patches.
Comment 14 mchugh19@yahoo.com 2007-04-11 11:22:09 UTC
winbind runs but still does not return domain users. If tdb is added as described from http://us1.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html samba dumps core.
Comment 15 mchugh19@yahoo.com 2007-04-11 11:23:28 UTC
Created attachment 2377 [details]
debug 10 logs of samba dumping core
Comment 16 mchugh19@yahoo.com 2007-04-11 11:24:29 UTC
Created attachment 2378 [details]
smb.conf with tdb
Comment 17 Gerald (Jerry) Carter (dead mail address) 2007-04-11 12:22:02 UTC
I cannot reproduce any crashes on x86.  Are you on sparc?  What 
command are you running when you say that winbindd "does not 
return domain users"?
Comment 18 Gerald (Jerry) Carter (dead mail address) 2007-04-11 12:24:25 UTC
The signal 10 indicates a Bus error.  Did you install the updated
idmap_ad plugin?
Comment 19 mchugh19@yahoo.com 2007-04-11 12:51:52 UTC
Yep. On sparc. As for returning domain users running "getent passwd mcm75" (a domain user) returns nothing. Even after setting winbind enum users and groups to yes, getent passwd pauses but still does not return any domain users. When you say updated idmap_ad plugin, what do you mean? I compiled 3.0.25rc1 plus your patch from below. Should I grab the post bugday rc1 patch as mentioned in the wiki?

Thanks again!
Comment 20 mchugh19@yahoo.com 2007-04-11 13:00:41 UTC
Alright, slightly more info. Looks like the crash comes from having BUILTIN in the idmap domains def. Take it out and it seems to run fine. Thought I saw that in some documentation or on the list some place. 

I'll attach another round of log files.
Comment 21 mchugh19@yahoo.com 2007-04-11 13:01:17 UTC
Created attachment 2379 [details]
smb.conf now used

logs to follow
Comment 22 mchugh19@yahoo.com 2007-04-11 13:03:35 UTC
Created attachment 2380 [details]
yet more debug 10 logs

This shows winbind running and trying to list out domain users. Oddly it seemed to kind of work for a single user, mmchugh. It returned mmchugh:*:62107:10003:Christian McHugh:/home/NAU-STUDENTS/mmchugh:/bin/false which has the correct uid, and gecos, but nothing else. 

On another unix host running centrify it returns: mmchugh:x:62107:10000:Christian McHugh:/home/mcm75:/bin/bash

Also running getent passwd mcm75 returned nothing, nor did running getent passwd.
Comment 23 Gerald (Jerry) Carter (dead mail address) 2007-04-17 16:53:58 UTC
Christian, I'm going to release 3.0.25rc2 tomorrow.  Let's resync
with that release and see where things stand.
Comment 24 Gerald (Jerry) Carter (dead mail address) 2007-04-22 17:46:54 UTC
please reopen if still reproducible against 3.0.25rc2.
Comment 25 mchugh19@yahoo.com 2007-04-23 10:58:17 UTC
I'm still having issues with winbind doing much of anything. If I just start samba (winbind and all) it appears to not be connected. wbinfo does not seem to function, or return anything. If I then try joining the domain again, everything appears connected. wbinfo -g -t -m all work, but by the time I got around to trying wbinfo -u it would not function any more. It appears to die and lose the domain connection after about 20 seconds.
Comment 26 mchugh19@yahoo.com 2007-04-23 11:02:45 UTC
Created attachment 2399 [details]
samba logs
Comment 27 mchugh19@yahoo.com 2007-04-23 11:03:33 UTC
winbind still non functional
Comment 28 Gerald (Jerry) Carter (dead mail address) 2007-04-23 14:58:17 UTC
we borked winbindd in rc2.  Sorry.  RC3 coming in a few days.
Comment 29 mchugh19@yahoo.com 2007-04-25 13:47:47 UTC
Winbind appears to sorta work now. Once again it returns the same from comment #22 for user mmchugh, and can't find user mcm75. Also if I add our other domain it looks like idmap_ad fails to start. Attaching log files and smb.conf next.
Comment 30 mchugh19@yahoo.com 2007-04-25 13:49:19 UTC
Created attachment 2413 [details]
logs from debug 10
Comment 31 mchugh19@yahoo.com 2007-04-25 13:52:43 UTC
Created attachment 2414 [details]
smb.conf with two domains

smb.conf showing the addition of the nau domain. Uses the same uid mappings for users that exist in both domains. From our point of view nau\username is the same as nau-students\username so we keep the same uid in both domains. Hope this does not present a problem. What is even stranger is that mcm75 exists in both domains. mmchugh also shares the same uid. As mentioned in the bug comments mcm75 was not found while mmchugh was, and mmchugh was returned improperly.
Comment 32 Gerald (Jerry) Carter (dead mail address) 2007-04-28 21:45:53 UTC
You have two different idmap domains defined as default.
This is an invalid configuration.  I'll see what I can do 
to give better feedback on misconfiguration. 

Thanks for the help in testing earlier patches, but I think this
is fixed (as soon as smb.conf is corrected).  Closing.
Comment 33 mchugh19@yahoo.com 2007-04-28 23:55:46 UTC
Thanks for all the help Jerry, but I think there is still a problem. I tried to explain in comment #29 that I am still seeing the same behavior as shown in comment #22. Doing a getent passwd mmchugh does not return all the fields as entered into active directory, but instead uses the winbind template fields. Furthermore, running getent passwd mcm75 returns absolutely nothing, which is also wrong. I realize you would like to get 3.0.25 out the door, but from what I can tell about its current form it seems to be unusable for ad rfc 2307 users. Let me know if there is any information I can send you to clarify the situation or help out in any way.
Comment 34 Gerald (Jerry) Carter (dead mail address) 2007-04-29 06:42:16 UTC
Please read the smb.conf(5) entry for "winbind nss info" to deal 
with the home directory and login shell.  If "mcm75" is the loginName
attribute, we ignore that.  I could patch for it possibly for 3.0.26
but the current behavior would be expected in that case.

btw...I've done a good bit of testing of idmap_ad with rfc2307 
as a result of this bug and things work as expected.  So I 
would disagree with your use of the word unusable.  
Comment 35 mchugh19@yahoo.com 2007-04-29 13:29:14 UTC
About the inability to lookup user mcm75 problem, it looks like the valid lines from log.winbind are:

[2007/04/29 11:20:04, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(539)
  winbindd_sid2gid_async: Resolving S-1-5-21-2129867641-1992771036-1243820751-513 to a gid
[2007/04/29 11:20:04, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2282)
  Retrieving response for pid 22910
[2007/04/29 11:20:04, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(521)
  sid2gid returned an error
[2007/04/29 11:20:04, 5] nsswitch/winbindd_user.c:getpwsid_sid2gid_recv(293)
  Could not query gid for user NAU-STUDENTS\mcm75

Looks like that prevents winbind from returning mcm75 as a valid user. I've seen reference in the past that winbind would lookup a user's primary gid by looking up their primary group in ad and trying to find a gid for that group. Meaning it would not just read the gid attribute out of the rfc2307 ad attribute. If this is the case, that would be the problem, as "Domain Users" does not have a unix gid associated with it. All users just have gid 10000 set rfc2307 style.

Also even with winbind nss info set to sfu, doing a getent for user mmchugh still returns the template answers. Is there something special that should be done for rfc2307 attributes?

Thanks for all the help Jerry. This bug was marked as release critical. Since it works for you I can fill out new reports about my winbind issues and let you guys get on with the release, if you want. 
Comment 36 Gerald (Jerry) Carter (dead mail address) 2007-04-29 17:11:10 UTC
Make sure you remove winbindd_cache.tdb to clear out any 
previously cached homedir and login shell attribute.
The primary group defined in AD should be returned 
(it is for me here).  Are you using winbindd nss info = sfu ?
Or rfc2307 ?  Do the sfu.so and rfc2307.so files in 
/usr/local/samba/lib/nss_info/ point back to idmap/ad.so ?

Comment 37 mchugh19@yahoo.com 2007-04-29 18:40:27 UTC
Created attachment 2565 [details]
debug 10 logs

Logs showing:
  rm -r /usr/local/samba/var/*
  starting samba
  getent passwd mcm75
  getent passwd mmchugh
  stopping samba
Comment 38 mchugh19@yahoo.com 2007-04-29 18:43:41 UTC
Created attachment 2566 [details]
smb.conf used

Make sure you remove winbindd_cache.tdb to clear out any 
previously cached homedir and login shell attribute.
 - Done. As mentioned in previous attachment.


The primary group defined in AD should be returned 
(it is for me here).  Are you using winbindd nss info = sfu ?
Or rfc2307 ?  
 - From the config: winbind nss info = sfu rfc2307
   That is proper, correct? Not winbindd?
   I've also tried just winbind nss info = sfu to the same effect.

Do the sfu.so and rfc2307.so files in 
/usr/local/samba/lib/nss_info/ point back to idmap/ad.so ?
 - Yep. Symlinks in place.
Comment 39 mchugh19@yahoo.com 2007-05-14 13:24:15 UTC
So it looks like my nss info param was wrong and it should just be rfc2307. That should probably be fixed in the smb.conf man page as it only mentions sfu and template.

Anyway I've tried a few combinations of params in smb.conf and I'm only able to look up users in the default domain. I think the actual sid lookup is functioning, but it looks like it can't map to uid.

Doing a 
#getent passwd 'NAU\car3'

I get this in the log
sid [S-1-5-21-20713206-1263413069-421607344-5886] not mapped to an uid [2,1,0]

I'll attach the debug logs.

Also is there any way, or are there any plans to implement cycling through domains? Such as looking up a user in the current domain and then trying the rest that have trusts? Otherwise depending on what domain the server is joined to a user's username will change, which can be very confusing.
Comment 40 mchugh19@yahoo.com 2007-05-14 13:30:19 UTC
Created attachment 2691 [details]
log files of debug 10 trying to look up a user from another domain

It also appears that winbind hangs when doing a wbinfo -u and never comes back. After that any wbinfo commands only return error:
root@ackbar:/usr/local/samba/lib$ ../bin/wbinfo -u
Error looking up domain users
root@ackbar:/usr/local/samba/lib$ ../bin/wbinfo -p
Ping to winbindd failed on fd -1
could not ping winbindd!
Comment 41 Gerald (Jerry) Carter (dead mail address) 2007-05-14 13:41:10 UTC
wbinfo -u is a synchronous operation done in the parent and should be
used carefully.  It is not a good test for determining a working system.
I'll fix the omission on the man page you mention as well as looking at 
the logs later this week.
Comment 42 mchugh19@yahoo.com 2007-06-27 13:58:03 UTC
Created attachment 2788 [details]
more winbind logs

Still not able to lookup a user from another domain with 3.0.25b. Looks similar to comment #36 only now seeing entries like:
[2007/06/27 11:54:18, 5] nsswitch/winbindd_dual.c:async_reply_recv(263)
  Could not receive async reply from child pid 14163
[2007/06/27 11:54:18, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(341)
  Could not trigger sid2uid
[2007/06/27 11:54:18, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
  Could not query uid for user NAU\car3
Comment 43 Gerald (Jerry) Carter (dead mail address) 2007-06-27 14:01:54 UTC
idmap_init: Unable to get methods for alloc backend ad

The AD backend is read-only.  You cannot set it for allocation uids/gids.
What are you trying to do here ?
Comment 44 mchugh19@yahoo.com 2007-06-27 14:33:55 UTC
Created attachment 2789 [details]
winbind log

Sorry for that. Fixed a typo in my smb.conf. Anyway still seeing the same problem. Seems to contact the NAU domain (while joined to nau-students) but still can't lookup a user with "getent passwd 'nau\car3'"
Comment 45 mchugh19@yahoo.com 2007-06-27 14:45:56 UTC
Created attachment 2790 [details]
all the logs!

Attaching all the logs after noticing:
INTERNAL ERROR: Signal 10 in pid 14231 (3.0.25b)
 
in log.winbind-idmap. Also a note about dumping core. Let me know if you want the core file.
Comment 46 Gerald (Jerry) Carter (dead mail address) 2007-06-28 15:46:06 UTC
Comment on attachment 2793 [details]
SPAM
Comment 47 mchugh19@yahoo.com 2007-06-29 12:29:46 UTC
Created attachment 2795 [details]
log files and smb.conf

After double checking the smb.conf, clearing the winbind cache, and deleting out old log files, I'm still unable to get "getent passwd 'nau\car3'" to return any information. The attached tar.gz contains just the logs of samba starting, running getent passwd 'nau\car3' and getent passwd mcm75 then stopping. Nothing really stands out to me except winbind keeps claiming that it can't map the nau\car3 sid to a uid, which I believe is not true.
Comment 48 mchugh19@yahoo.com 2007-07-16 13:31:48 UTC
to add to my confusion...

root@ackbar:/usr/local/samba/bin$ ./wbinfo --domain=NAU -u | grep car3
NAU\car3

root@ackbar:/usr/local/samba/bin$ getent passwd 'NAU\car3' 
root@ackbar:/usr/local/samba/bin$

wbinfo seems capable of finding the user, while getent can't. The logs that are already attached to this bug report show this same activity.
Comment 49 mchugh19@yahoo.com 2007-07-23 10:28:50 UTC
Just for additional feedback, I see the same samba response with a checkout of 3.2.0
Comment 50 Gerald (Jerry) Carter (dead mail address) 2007-08-29 06:39:45 UTC
Looks like there is no uid assigned to that user or else you still have conf problems.

  [15789]: sid to uid S-1-5-21-20713206-1263413069-421607344-5886  
     idmap_sid_to_uid: sid = [S-1-5-21-20713206-1263413069-421607344-5886]
  Query backends to map sids->ids
  SID S-1-5-21-20713206-1263413069-421607344-5886 is being handled by 
     nau-students
  Query ids from domain nau-students
  Current tickets expire in 35984 seconds (at 1183173621, time is now 
     1183137637)
  Filter: [(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)
    (sAMAccountType=805306370)(sAMAccountType=268435456)
    (sAMAccountType=536870912))
    (|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E
       \4B\B0\37\21\19\FE\16\00\00)))]
  Search for ... in <dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU> gave 0 replies
  No IDs found
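
Added example (not part of the bug report and not Samba code): a small Python helper that converts between the S-1-... string form of a SID and the escaped binary objectSid value that appears in the LDAP filter in comment 50, so the filter in a debug 10 log can be checked against the SID being mapped. It also splits a SID into domain part and RID; the constants are copied from the logs in comments 35 and 50, and reading the comment 35 prefix as the domain SID of NAU-STUDENTS is an assumption.

```python
import re
import struct

# Values copied from the log excerpts in comments 35 and 50 of this bug.
CAR3_SID = "S-1-5-21-20713206-1263413069-421607344-5886"
MCM75_GROUP_SID = "S-1-5-21-2129867641-1992771036-1243820751-513"
LOGGED_OBJECTSID = (r"\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E"
                    r"\4B\B0\37\21\19\FE\16\00\00")


def sid_to_bytes(sid):
    """Encode 'S-R-A-s1-s2-...' into the binary layout of AD's objectSid."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("too many sub-authorities")
    # 1 byte revision, 1 byte count, 6 bytes big-endian authority,
    # then each sub-authority as a 4-byte little-endian integer.
    return (bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


def bytes_to_sid(raw):
    """Decode binary objectSid bytes back to the S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subauths])


def ldap_escape(raw):
    """Escape every byte as \\XX, the form winbindd logged in the search filter."""
    return "".join("\\%02X" % b for b in raw)


def ldap_unescape(text):
    """Collect \\XX escapes, ignoring whitespace from wrapped log lines."""
    return bytes(int(h, 16) for h in re.findall(r"\\([0-9A-Fa-f]{2})", text))


def split_sid(sid):
    """Return (domain part of the SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


if __name__ == "__main__":
    print("filter value for car3:", ldap_escape(sid_to_bytes(CAR3_SID)))
    print("decoded from the log :", bytes_to_sid(ldap_unescape(LOGGED_OBJECTSID)))
    print("car3 domain prefix   :", split_sid(CAR3_SID)[0])
    print("group domain prefix  :", split_sid(MCM75_GROUP_SID)[0])
```

The encoded value matches the logged filter byte for byte, and the two domain prefixes differ, which is worth comparing against the idmap domain that the log reports as handling the SID.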