Bug 4579 - Winbind in 3.0.25rc3 broken wbinfo -t when winbindd running on the PDC
Summary: Winbind in 3.0.25rc3 broken wbinfo -t when winbindd running on the PDC
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.25
Hardware: x86 Linux
: P3 normal
Target Milestone: 3.0.25
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
: 4740 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-04-29 14:30 UTC by Szombathelyi György
Modified: 2019-01-14 00:08 UTC (History)
4 users (show)

See Also:


Attachments
Winbidd logs with 3.0.25a (3.75 KB, application/x-tgz)
2007-05-26 18:34 UTC, Szombathelyi György
no flags Details
don't mark the SAM domain on a DC as internal (566 bytes, patch)
2007-06-25 19:51 UTC, Gerald (Jerry) Carter (dead mail address)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Szombathelyi György 2007-04-29 14:30:08 UTC
In 3.0.25rc wbinfo -t always returns 
checking the trust secret via RPC calls failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)

checking squid logins via ntlm_auth fails.

But downgrading to 3.0.24 solves the problem.

I've got one Samba server on the network, as a PDC, and running winbindd on the same machine.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2007-05-18 11:40:48 UTC
There was an old bug here.  Apparently something regressed.
Please attach a gzipped tarball of level 10 logs (i.e. log.{winbindd*,wb-*}) 
from winbindd.
Comment 2 Szombathelyi György 2007-05-26 18:34:42 UTC
Created attachment 2730 [details]
Winbidd logs with 3.0.25a

What I see from this that a "could not open handle to NETLOGON pipe" message.
I used log level=10 winbind:15 in smb.conf
The version string is from the Suse 10.2 spec file, but I compiled (made an rpm) Samba 3.0.25a without any patches, just the released tarball.
Comment 3 Dmitry Vagin 2007-06-23 03:43:37 UTC
The same problem for me.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2007-06-25 09:43:29 UTC
*** Bug 4740 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter (dead mail address) 2007-06-25 18:51:19 UTC
not enough information in the log files.  Need at least a level 10.
I'll try to reproduce this locally.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2007-06-25 19:51:51 UTC
Created attachment 2782 [details]
don't mark the SAM domain on a DC as internal
Comment 7 Andreas Pflug 2007-06-26 04:51:26 UTC
I'm not sure the patch as described in the attachment above is really good. I applied and tested it, and found that winbindd takes about 35 seconds startup time until the wbinfo call is serviced. In contrast, the preliminary patch I proposed in bug 4740 (forcing the domain to external in cm_connect_netlogon() only) makes winbindd start servicing immediately.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2007-06-26 08:35:52 UTC
(In reply to comment #7)
> I'm not sure the patch as described in the attachment above is really good. I
> applied and tested it, and found that winbindd takes about 35 seconds startup
> time until the wbinfo call is serviced. In contrast, the preliminary patch I
> proposed in bug 4740 (forcing the domain to external in cm_connect_netlogon()
> only) makes winbindd start servicing immediately.


I'll look into the delay but your proposed patch is changing the 
internal flag in the wrong place.  Some domain should always be 
considered internal as they are handled by the winbindd_passdb.c 
methods.


Comment 9 Szombathelyi György 2007-07-02 17:35:42 UTC
Thanks, the patch makes winbindd working. There's a slight delay with the  wbinfo -t command. The smbd logs when the delay occurs (about 10 secs, but somteimes 35 secs):

[2007/07/03 00:06:51, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/07/03 00:06:51, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/07/03 00:06:51, 10] lib/util_pw.c:getpwnam_alloc(76)
  Got serv1$ from pwnam_cache
[2007/07/03 00:06:51, 10] lib/util_pw.c:getpwnam_alloc(76)
  Got serv1$ from pwnam_cache
[2007/07/03 00:06:51, 10] lib/system_smbd.c:sys_getgrouplist(125)
  sys_getgrouplist: user [serv1$]
[2007/07/03 00:07:01, 5] passdb/lookup_sid.c:gid_to_sid(1354)
  gid_to_sid: winbind failed to find a sid for gid 515
[2007/07/03 00:07:01, 5] auth/auth_util.c:make_server_info_sam(623)
  make_server_info_sam: made server info for user serv1$ -> serv1$


But I have group 515 mapped, net groupmap list shows the mapping.
Comment 10 Szombathelyi György 2007-07-02 17:56:41 UTC
I did more testing, and the delay occurs in (altough not every time) every winbind request (wbinfo -u, -g, ntlm_auth).
Comment 11 Szombathelyi György 2007-07-03 05:18:49 UTC
Some more testing (by the users of a live system :) revealed that not just the winbindd authentication requests are delayed, but every request does (so browsing the server in Windows is a pain).
Comment 12 Björn Jacke 2014-07-28 09:33:56 UTC
can you confirm that this issue is fixed in current samba versions for you also?