Bug 5973 - 3.3 idmap_adex fails to connect to domain
Summary: 3.3 idmap_adex fails to connect to domain
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.3.0
Hardware: Sparc Solaris
: P3 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL:
Keywords:
: 6074 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-12-15 13:01 UTC by mchugh19@yahoo.com
Modified: 2012-02-07 18:04 UTC (History)
4 users (show)

See Also:


Attachments
debug 10 logs (155.25 KB, application/x-gzip)
2009-01-05 10:54 UTC, mchugh19@yahoo.com
no flags Details
level 10 logs for samba 3.3.0 (960.00 KB, application/x-tar)
2009-01-27 10:04 UTC, Christina Jagodics (550 #5.1.0 Address rejected)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description mchugh19@yahoo.com 2008-12-15 13:01:32 UTC
I testing samba 3.3rc2 on solaris 10 sparc and after joining the domain I see messages about not being able to connect to the domain.

log.wb-NAU-STUDENTS:
[2008/12/15 11:50:56,  1] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(346)
  LWI: Failled to connect to cell "dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU" (NT_STATUS_NO_LOGON_SERVERS)

log.winbindd-dc-connect:
[2008/12/15 11:22:31,  3] winbindd/winbindd_cm.c:connection_ok(1601)
  connection_ok: Connection to acaddcn.students.froot.nau.edu for domain NAU-STUDENTS has died or was never started (fd == -1)


This seems strange since a pre 3.3rc2 build on a different machine can talk to my domain just fine and wbinfo seems to think everything is ok.

root@rieekan:/usr/local/samba/var$ ../bin/wbinfo --online-status
BUILTIN : online
RIEEKAN : online
NAU-STUDENTS : online
ADROOT : offline
FROOT : online
NAU : online
BUS : offline

root@rieekan:/usr/local/samba/var$ ../bin/wbinfo -n 'NAU-STUDENTS\mmchugh'
S-1-5-21-2129867641-1992771036-1243820751-147039 User (1)
root@rieekan:/usr/local/samba/var$ ../bin/wbinfo -s S-1-5-21-2129867641-1992771036-1243820751-147039
NAU-STUDENTS\mmchugh 1

root@rieekan:/usr/local/samba/var$ ../bin/wbinfo -n 'NAU\car3'  
S-1-5-21-20713206-1263413069-421607344-5886 User (1)
root@rieekan:/usr/local/samba/var$ ../bin/wbinfo -s S-1-5-21-20713206-1263413069-421607344-5886
NAU\car3 1

but wbinfo -i still fails
root@rieekan:/usr/local/samba/var$ ../bin/wbinfo -i 'NAU\car3'
Could not get info for user NAU\car3
root@rieekan:/usr/local/samba/var$ ../bin/wbinfo -i 'NAU-STUDENTS\mmchugh'
Could not get info for user NAU-STUDENTS\mmchugh

and my log files are filled with the no login servers error mentioned earlier.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2008-12-15 13:08:02 UTC
(In reply to comment #0)
> I testing samba 3.3rc2 on solaris 10 sparc and after joining the domain I see
> messages about not being able to connect to the domain.
> 
> log.wb-NAU-STUDENTS:
> [2008/12/15 11:50:56,  1]
> winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(346)
>   LWI: Failled to connect to cell "dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU"
> (NT_STATUS_NO_LOGON_SERVERS)
> 
> log.winbindd-dc-connect:
> [2008/12/15 11:22:31,  3] winbindd/winbindd_cm.c:connection_ok(1601)
>   connection_ok: Connection to acaddcn.students.froot.nau.edu for domain
> NAU-STUDENTS has died or was never started (fd == -1)

Technically these errors are comming from two different things.  The first is from the
idmap_adex plugin and the second is comign from core Winbind code.  Any chance
there is a firewall ni the mix here?  or that udp/389 is bring blocked?
Comment 2 mchugh19@yahoo.com 2008-12-15 13:41:07 UTC
(In reply to comment #1)
> Any chance
> there is a firewall ni the mix here?  or that udp/389 is bring blocked?

Nope. The solaris machine is not running a firewall, and it is on a subnet with older working samba servers.

Comment 3 Christina Jagodics (550 #5.1.0 Address rejected) 2008-12-17 02:29:31 UTC
we've discovered the same problem while testing rc2 on redhat enterprise server 5.

Comment 4 mchugh19@yahoo.com 2008-12-29 09:49:43 UTC
Any updates here? I'm still unable to join rc2 to a domain and have it connect properly.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2009-01-05 10:20:02 UTC
Can you upload full lvl 10 debug logs?
Comment 6 mchugh19@yahoo.com 2009-01-05 10:54:24 UTC
Created attachment 3852 [details]
debug 10 logs

Logs from running:
/etc/init.d/NAUsamba start
/usr/local/samba/bin/wbinfo -i 'NAU\car3'
/etc/init.d/NAUsamba stop

Both the "NT_STATUS_NO_LOGON_SERVERS" and the "Connection... has died or was never started (fd == -1)" errors are there.
Comment 7 mchugh19@yahoo.com 2009-01-15 13:05:52 UTC
Is this a blocker for the final 3.3 release? Not fully communicating the a domain seems like a pretty major bug. Is there anything else I can provide?
Comment 8 Christina Jagodics (550 #5.1.0 Address rejected) 2009-01-27 10:04:43 UTC
Created attachment 3893 [details]
level 10 logs for samba 3.3.0
Comment 9 Christina Jagodics (550 #5.1.0 Address rejected) 2009-01-27 10:13:10 UTC
Hi, 

this is what I get while trying to connect to my domain using 3.3.0. It seems like nothing has changed. I'm still unable to connect to my domain. 

log.winbindd shows the following error over and over again:
------------------------
[2009/01/27 13:24:41,  1] winbindd/idmap.c:idmap_init_named_domain(403)
  no backend defined for idmap config WIN2K8
[2009/01/27 13:24:41,  1] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(34
6)
  LWI: Failled to connect to cell "dc=WIN2K8,dc=LOCAL" (NT_STATUS_NO_LOGON_SERVE
RS)
------------------------
A full level 10 transcript of all the logfiles available has been uploaded. If you need more, please tell.

RC1 worked perfectly - please get back to what you did there.
Comment 10 mchugh19@yahoo.com 2009-01-29 10:07:52 UTC
I am still seeing this error as well on 3.3.0. 

[2009/01/29 23:06:22,  3] winbindd/winbindd_cm.c:connection_ok(1593)
  connection_ok: Connection to acaddcn.students.froot.nau.edu for domain NAU-STUDENTS has died or was never started (fd == -1)
Comment 11 Gerald (Jerry) Carter (dead mail address) 2009-01-29 10:12:24 UTC
Is that with Michael's ldap ssl suggestion?
Comment 12 mchugh19@yahoo.com 2009-01-29 12:10:47 UTC
(In reply to comment #11)
> Is that with Michael's ldap ssl suggestion?

Yes.
Comment 13 mchugh19@yahoo.com 2009-01-30 16:51:15 UTC
Any ideas of what else I might try? I'm still only able to get 

[2009/01/29 23:00:47,  3] libsmb/namequery.c:get_dc_list(1971)
  get_dc_list: preferred server list: "acaddcn.students.froot.nau.edu, *"
[2009/01/29 23:00:47,  3] libads/ldap.c:ads_connect(611)
  Successfully contacted LDAP server 134.114.198.199
[2009/01/29 23:00:47,  1] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(346)
  LWI: Failled to connect to cell "dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU" (NT_STATUS_NO_LOGON_SERVERS)
[2009/01/29 23:00:47,  3] winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_NO_LOGON_SERVERS
[2009/01/29 23:00:47,  1] winbindd/winbindd_group.c:winbindd_getgrent(1366)
  could not look up gid for group NLAC Users


type of errors
Comment 14 Christina Jagodics (550 #5.1.0 Address rejected) 2009-02-03 11:41:40 UTC
*** Bug 6074 has been marked as a duplicate of this bug. ***
Comment 15 mchugh19@yahoo.com 2009-02-16 08:47:33 UTC
Just tried configuring smb.conf to use the idmap_ad module and not adex, but with the same results.

From log.wb-NAU

[2009/02/16 21:43:46,  3] libsmb/namequery.c:resolve_wins(1092)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2009/02/16 21:43:46,  3] libsmb/namequery.c:resolve_hosts(1306)
  resolve_hosts: Attempting host lookup for name DRAGONFLOWER<0x20>
[2009/02/16 21:43:46,  3] libsmb/namequery.c:resolve_hosts(1325)
  resolve_hosts: getaddrinfo failed for name DRAGONFLOWER [node name or service name not known]
[2009/02/16 21:43:46,  3] libsmb/namequery.c:name_resolve_bcast(1015)
  name_resolve_bcast: Attempting broadcast lookup for name DRAGONFLOWER<0x20>
[2009/02/16 21:43:47,  3] winbindd/winbindd_cm.c:connection_ok(1593)
  connection_ok: Connection to acaddc.students.froot.nau.edu for domain NAU-STUDENTS has died or was never started (fd == -1)
[2009/02/16 21:43:47,  1] rpc_client/cli_pipe.c:rpc_pipe_destructor(2362)
  rpc_pipe_destructor: cli_close failed on pipe host acaddc.students.froot.nau.edu, pipe \NETLOGON, fnum 0x8. Error was SUCCESS - 0
Comment 16 mchugh19@yahoo.com 2009-02-25 09:59:26 UTC
I think I finally have more info. In trying to test 3.3.1 I found that I had typoed the smb.conf and when trying to test idmap_ad over idmap_adex, I missed a line and left "winbind nss info = adex". Changing all references of adex to just ad and winbind nss info = rfc2307 I am finally able to get samba to connect to the domain without error. So this appears to be a bug in the adex nss mapper.
Comment 17 Michael Adam 2009-05-18 04:28:22 UTC
(In reply to comment #16)
> I think I finally have more info. In trying to test 3.3.1 I found that I had
> typoed the smb.conf and when trying to test idmap_ad over idmap_adex, I missed
> a line and left "winbind nss info = adex". Changing all references of adex to
> just ad and winbind nss info = rfc2307 I am finally able to get samba to
> connect to the domain without error. So this appears to be a bug in the adex
> nss mapper.

OK, I updated the "Subject".
I assume this bug is still valid?

Michael

Comment 18 mchugh19@yahoo.com 2009-05-18 09:48:12 UTC
(In reply to comment #17)
> I assume this bug is still valid?

Last time I tried it was. We are performing some renovations on our server room so I won't be able to confirm again for a few weeks. Once everything is back up I'll try testing.
Comment 19 Peter Crossley 2009-10-16 19:18:36 UTC
I wanted to see that status on this I am having the exact same issue with the adex module in ubuntu (karmic), samba 3.4.0
Comment 20 Klaus Steinberger 2010-04-14 10:03:43 UTC
I see this same bug with idmap_adex with samba 3.3.x, 3.4.x as well as 3.5.2 so looks like idmap_adex never worked as in the man page mentioned?

Comment 21 Volker Lendecke 2010-04-14 10:11:13 UTC
This is mainly a Likewise module, maybe contacting the support at www.likewise.com gets you help quickly.

Volker
Comment 22 Gerald (Jerry) Carter (dead mail address) 2010-04-14 10:13:42 UTC
The idmap_adex is likely just abandoned.  I ported the code from Likewise originally at it did work at that time according to all my testing.  However, since I left working on Samba day to day, I doubt anyone has picked it up.

My suggestion is to close this as a WONTFIX unless someone is willing to pick up the issue.  Perhaps it should just be removed from the tree until someone wants to resurrect it.
Comment 23 Gerald (Jerry) Carter (dead mail address) 2010-04-14 10:18:30 UTC
(In reply to comment #21)
> This is mainly a Likewise module, maybe contacting the support at
> www.likewise.com gets you help quickly.

Volker, Actually, this is a Samba idmap plugin adapted originally from my code @ Likewise.  It has nothing to do with Likewise at this point.  It was ported in good faith.  You (i.e. Samba) are (is) free to do with it as you see fit.  My suggestion is just to remove it since it is unsupported by Samba.  Of course, that's just my opinion.  The final decision is up to the team/release manager/active developers.
Comment 24 Volker Lendecke 2010-04-14 10:24:07 UTC
"nothing to do with likewise at this point" --

http://git.samba.org/?p=samba.git;a=blob;f=source3/winbindd/idmap_adex/likewise_cell.c;h=d666d8c01a50a8c958bb5e45ccddc8d5736acb64;hb=HEAD

gives a slightly different impression to the unsuspecting developer. It contains a line

static struct likewise_cell *_lw_cell_list = NULL;

idmap_adex.h in the same directory contains the strings

#define ADEX_CELL_RDN             "$LikewiseIdentityCell"
#define ADEX_OC_USER              "centerisLikewiseUser"
#define ADEX_OC_GROUP             "centerisLikewiseGroup"

I wonder how that fits with your assessment that this does not have to do anything with Likewise.

Can you explain?

Volker
Comment 25 Volker Lendecke 2010-04-14 10:31:56 UTC
Sorry for my ignorance. Maybe we should really remove this module from the code tree if nobody steps up to actively support it.

Volker
Comment 26 Jeremy Allison 2012-02-07 18:04:00 UTC
+1 from me. Unmaintained code is dangerous. I'll add a patch to remove this.

Jeremy.