Bug 7243 - pam_winbind.so looks up unqualified domain name
Summary: pam_winbind.so looks up unqualified domain name
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Winbind
Version: 3.4.0
Hardware: x64 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL: http://lists.samba.org/archive/samba/...
Reported: 2010-03-12 16:33 UTC by Jim Kusznir
Modified: 2016-12-21 07:34 UTC

Description Jim Kusznir 2010-03-12 16:33:29 UTC
Hello:

For a while, pam_winbind.so was looking up my domain (CASAS.WSU.EDU) as CASAS, specifically looking for _kerberos._udp.CASAS.  This of course failed.  The wbinfo -u or -g commands, as well as all net ads commands, worked fine.

This installation was working, then at some point, suddenly stopped working with this problem.  Ultimately, I restored it to functioning by stopping samba and winbind, running rm -rf /var/lib/samba/*; rm -rf /var/cache/samba/*, and removing the computer account from the AD.  Then, restarting samba and winbind and re-adding the computer to the domain, and finally restarting winbind one more time.

I'm not sure what caused this problem, but it did persist across several reboots.  Here's most of the e-mail I sent to samba-users on March 10, 2010:

16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV? _kerberos._tcp.CASAS. (38)

(domain is CASAS.WSU.EDU).  I can do a DNS lookup with the fqdn, and
it works fine, but the short name definitely does NOT work.  I've even
modified /etc/resolv.conf to directly query the windows dns server
that is serving up casas.wsu.edu (which the normal production dns
server is set to delegate to).  DNS queries for any of the magic
entries in proper form do work (with exception of reverse resolution
of the linux host itself -- it returns a different domain name when
querying the correct servers).

I've gone through both /etc/krb5.conf and smb.conf; there are now NO
occurrences of the short domain name in there.  (I even changed
"workgroup" in smb.conf to the fqdn, as that was the last remaining
occurrence).  Keep in mind that winbind was working fine with no edits
to either file yesterday and early this morning; no changes had
occurred anywhere on that line...all I did was tweak pam files to try
and correct a different problem.

Here are my config files:

------ smb.conf ------
[global]
  workgroup = CASAS.WSU.EDU
  server string = %h Ubuntu Termserver
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = ads
  realm = CASAS.WSU.EDU
  password server = 192.168.3.16
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  idmap backend = rid:CASAS.WSU.EDU=10000-20000
  allow trusted domains = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%U
  template shell = /bin/bash
  client use spnego = yes
  client ntlmv2 auth = yes
  restrict anonymous = 2
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes
  map to guest = bad user
  usershare allow guests = yes
[printers]
  comment = All Printers
  browseable = no
  path = /var/spool/samba
  printable = yes
  guest ok = no
  read only = yes
  create mask = 0700

[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  guest ok = no
------------------------
/etc/krb5.conf
------------------------
[libdefaults]
       default_realm = CASAS.WSU.EDU
       krb4_config = /etc/krb.conf
       krb4_realms = /etc/krb.realms
       kdc_timesync = 1
       ccache_type = 4
       forwardable = true
       proxiable = true
       v4_instance_resolve = false
       v4_name_convert = {
               host = {
                       rcmd = host
                       ftp = ftp
               }
               plain = {
                       something = something-else
               }
       }
       fcc-mit-ticketflags = true

[realms]
       CASAS.WSU.EDU = {
               kdc = ad1.casas.wsu.edu:88
               admin_server = ad1.casas.wsu.edu
               default_domain = casas.wsu.edu
       }

[domain_realm]
       .casas.wsu.edu = CASAS.WSU.EDU
       casas.wsu.edu = CASAS.WSU.EDU
[login]
       krb4_convert = true
       krb4_get_tickets = false
-------------------------
And here's a tcpdump done filtering on port 53 during a winbind restart:
-------------------------
16:03:37.399967 IP 192.168.3.11.49438 > 192.168.3.16.53: 3748+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.49438: 3748* 1/0/0 A[|domain]
16:03:37.399967 IP 192.168.3.11.43851 > 192.168.3.16.53: 27311+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.43851: 27311* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.40739 > 192.168.3.16.53: 46827+ A? ad1.casas.wsu.edu. (35)
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.40739: 46827* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.54465 > 192.168.3.16.53: 44669+[|domain]
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.54465: 44669 NXDomain*[|domain]
16:03:37.429967 IP 192.168.3.11.57928 > 192.168.3.16.53: 58938+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.57928: 58938 NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.45449 > 192.168.3.16.53: 58085+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.45449: 58085 NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.58599 > 192.168.3.16.53: 64069+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.58599: 64069 NXDomain*[|domain]
16:03:37.449967 IP 192.168.3.11.35620 > 192.168.3.16.53: 52173+ A? ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.35620: 52173* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.58933 > 192.168.3.16.53: 27556+ A? ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.58933: 27556* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.36892 > 192.168.3.16.53: 12188+[|domain]
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.36892: 12188 NXDomain*[|domain]
16:03:37.459967 IP 192.168.3.11.59294 > 192.168.3.16.53: 12121+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59294: 12121* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.59240 > 192.168.3.16.53: 54066+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59240: 54066* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.56838 > 192.168.3.16.53: 48561+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.56838: 48561 NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.55189 > 192.168.3.16.53: 33246+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.55189: 33246* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.52539 > 192.168.3.16.53: 19873+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.52539: 19873* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.38806 > 192.168.3.16.53: 15173+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.38806: 15173 NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV? _kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200 NXDomain 0/1/0 (113)
16:03:37.469967 IP 192.168.3.11.40215 > 192.168.3.16.53: 12115+ SRV? _kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.40215: 12115 NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.42234 > 192.168.3.16.53: 2986+ A? ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.42234: 2986* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.53553 > 192.168.3.16.53: 13263+ A? ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.53553: 13263* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.49456 > 192.168.3.16.53: 38656+[|domain]
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.49456: 38656 NXDomain*[|domain]
16:03:37.479967 IP 192.168.3.11.56202 > 192.168.3.16.53: 7957+ SRV? _kerberos._udp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.56202: 7957 NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV? _kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.38775: 44000 NXDomain 0/1/0 (113)
--------------------
Here's a chunk from the winbindd log:
--------------------
[2010/03/10 16:04:22,  0] winbindd/winbindd.c:190(winbindd_sig_term_handler)
 Got sig[15] terminate (is_parent=1)
[2010/03/10 16:04:24,  0] winbindd/winbindd.c:1244(main)
 winbindd version 3.4.0 started.
 Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/10 16:04:24,  0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
 initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2010/03/10 16:04:24,  0] winbindd/winbindd_util.c:782(init_domain_list)
 Could not fetch our SID - did we join?
[2010/03/10 16:04:24,  0] winbindd/winbindd.c:1385(main)
 unable to initialize domain list
-----------------------
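As an added diagnostic (not part of the report or of Samba), the check below parses tcpdump DNS lines like the ones above, re-joins the mail-wrapped continuation lines, and flags SRV queries whose name is not under the configured realm together with the server's reply; the sample lines are constructed from the capture in the report.

```python
import re

# Constructed sample, modelled on the tcpdump lines quoted in the report; the
# mail client wrapped each packet onto two lines, so the parser must re-join them.
SAMPLE = """\
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV?
_kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200
NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.42234 > 192.168.3.16.53: 2986+ A?
ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.42234: 2986* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV?
_kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.38775: 44000
NXDomain 0/1/0 (113)
"""

# Query: "<client> > <server>.53: <id>+ <type>? <name> (<len>)"
QUERY = re.compile(r"^\S+ IP \S+ > \S+\.53: (\d+)\+ (\w+)\? (\S+) \(\d+\)$")
# Reply: "<server>.53 > <client>: <id>[*] <NXDomain-or-answer-counts> ..."
REPLY = re.compile(r"^\S+ IP \S+\.53 > \S+: (\d+)\*? (\S+)")

def unwrap(text):
    """Re-join wrapped packet lines: a continuation line has no leading timestamp."""
    lines = []
    for raw in text.splitlines():
        if re.match(r"^\d\d:\d\d:\d\d\.\d+ ", raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw
    return lines

def suspicious_srv_lookups(text, realm):
    """Return (qname, reply) for each SRV query whose name is not under `realm`."""
    # A client with the realm right only asks for _kerberos._udp/_tcp.<realm>;
    # a single-label name such as _kerberos._udp.CASAS. is the report's symptom.
    queries, replies = [], {}
    for line in unwrap(text):
        m = QUERY.match(line)
        if m:
            queries.append(m.groups())  # (txid, qtype, name)
            continue
        m = REPLY.match(line)
        if m:
            replies[m.group(1)] = m.group(2)  # txid -> 'NXDomain' or '1/0/0'
    suffix = "." + realm.lower().rstrip(".") + "."
    return [(name, replies.get(txid, "no reply"))
            for txid, qtype, name in queries
            if qtype == "SRV" and not name.lower().endswith(suffix)]
```

Run it over a capture taken with tcpdump filtering on port 53, as the reporter did, to see which unqualified SRV names the host asked for and whether the server answered NXDomain.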
Comment 1 Björn Jacke 2016-12-21 07:34:42 UTC
The REALM and the netbios domain name should be correct at all times, and if you want to rely on the netbios name you cannot look that up via DNS and expect that to succeed; netbios domain lookup (if wanted at all) should be done via a WINS server. Keept the This does not look like a bug to me.