Bug 7220 - Cannot start winbindd and cannot authenticate AD user
Status: CLOSED INVALID
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Winbind
Version: 3.4.6
Hardware: x86 Linux
Importance: P3 critical
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2010-03-06 18:52 UTC by Austin Wang
Modified: 2010-03-23 00:43 UTC

Description Austin Wang 2010-03-06 18:52:08 UTC
I installed Samba 3.4.6 binaries on RHEL 5.0. 

smb.conf:

# Samba config file created using SWAT
# from UNKNOWN (127.0.0.1)
# Date: 2010/03/06 16:31:09

[global]
        workgroup = EXAMPLEDM
        realm = EXAMPLEDM.COM
        netbios name = EXAMPLE-34
        server string = Samba Server Version %v
        security = ADS
        password server = example-86.exampledm.com
        username map = /etc/samba/smbusers
        log level = 3
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = No
        domain master = No
        dns proxy = No
        wins server = example-86.exampledm.com
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        browseable = No
        browsable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
        browsable = No

[test]
        path = /test
        write list = +Administrator
        read only = No
        guest ok = Yes

/etc/pam.d/samba:

#%PAM-1.0
auth        sufficient    pam_winbind.so
account        sufficient    pam_winbind.so
password        sufficient    pam_winbind.so
auth    required  pam_stack.so service=system-auth
account required  pam_stack.so service=system-auth

The server REDHAT-34 was joined to the Active Directory domain EXAMPLEDM. The commands kinit, net ads user, etc. worked fine.

However, I cannot start winbindd from the script /etc/rc.d/init.d/winbind. The error messages in the log were:

[2010/03/06 10:24:18,  0] lib/util_sock.c:1790(create_pipe_sock)
  bind failed on pipe socket /tmp/.winbindd/pipe: Permission denied
[2010/03/06 10:24:18,  0] winbindd/winbindd.c:1406(main)
  winbindd_setup_listeners() failed

When I ran "/usr/sbin/winbindd" directly, the winbindd processes were started. However, I was not able to connect to the samba server as an AD user:

[root@example-34 samba]# smbclient -L example-34 -U awang
Enter awang's password:
session setup failed: NT_STATUS_LOGON_FAILURE

I did strace on the smbd processes and found the following in the strace output:

lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", 0xbf9c30ec) = -1 EACCES (Permission denied)

What went wrong? Any help would be very much appreciated.
Comment 1 Austin Wang 2010-03-06 18:55:11 UTC
Additional info:

wbinfo worked fine after winbindd was started from /usr/sbin/winbindd.

Connection from a Windows machine as well as smbclient on the local host failed.
Comment 2 Volker Lendecke 2010-03-07 01:45:20 UTC
99% this is a selinux problem. Please disable it and retry.

Closing this bug as INVALID because this is probably not a Samba bug. Please re-open if it still happens without selinux.

Thanks,

Volker
Comment 3 Simo Sorce 2010-03-07 09:12:31 UTC
On RHEL the winbind socket is placed in /var/run/winbind and the selinux policy is built to label that directory.
See the RHEL packages for the patch that changes the place where the pipes are made available.
Or make sure you change your policy to relabel /tmp/.winbind
Comment 4 Austin Wang 2010-03-23 00:43:46 UTC
Setting SELinux to permissive mode solved the problems. Closing.
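
Comments 2 and 3 attribute both failures to SELinux. The following is an added example, not part of the bug report or of Samba: it filters audit records for AVC denials logged against winbindd and smbd, so the denied permission and the label on the socket can be read off directly. The sample records, their contexts and the function name winbind_avc_denials are constructed for illustration.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials logged for winbindd and smbd.
# The records below are constructed; on a live host read
# /var/log/audit/audit.log or the output of `ausearch -m avc`.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1267871058.101:412): avc:  denied  { create } for  pid=2810 comm="winbindd" name="pipe" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1267871410.552:431): avc:  denied  { getattr } for  pid=2904 comm="smbd" path="/tmp/.winbindd/pipe" dev=dm-0 ino=98311 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1267871410.552:431): arch=40000003 syscall=196 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1267871500.010:440): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Reads audit records on stdin and prints one line per matching denial:
#   comm permission class source_type->target_type object
winbind_avc_denials() {
    awk '
    # Return the value of key=value in an audit record, quotes removed.
    function val(line, key,    s) {
        line = " " line
        if (!match(line, " " key "=[^ ]+")) return "-"
        s = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", s)
        return s
    }
    # The third field of user:role:type:level is the SELinux type.
    function setype(ctx,    a) { split(ctx, a, ":"); return a[3] }

    # Only AVC denials whose command name is winbindd or smbd.
    /^type=AVC / && /denied/ && /comm="(winbindd|smbd)"/ {
        perm = "-"
        if (match($0, /[{] [^}]+[}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        obj = val($0, "path")
        if (obj == "-") obj = val($0, "name")  # some records carry name= only
        printf "%s %s %s %s->%s %s\n", val($0, "comm"), perm,
            val($0, "tclass"), setype(val($0, "scontext")),
            setype(val($0, "tcontext")), obj
    }'
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | winbind_avc_denials
```

The target type in each output line is the label the policy has to cover, whether by moving the socket as the RHEL packages do or by relabeling the directory as Comment 3 suggests.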