7650 – winbindd_dual_sid2gid lookup sometimes fails

Bug 7650 - winbindd_dual_sid2gid lookup sometimes fails

Summary: winbindd_dual_sid2gid lookup sometimes fails

Status:	RESOLVED DUPLICATE of bug 7777

Alias:	None

Product:	Samba 3.5
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	3.5.5
Hardware:	x86 Linux

Importance:	P3 normal
Target Milestone:	---
Assignee:	Michael Adam
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-08-26 00:38 UTC by Kevin Shanahan (dead mail address)
Modified:	2011-02-10 17:52 UTC (History)
CC List:	0 users

See Also:

Attachments
smb.conf (3.74 KB, text/plain) 2010-08-26 00:40 UTC, Kevin Shanahan (dead mail address)	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kevin Shanahan (dead mail address) 2010-08-26 00:38:53 UTC

I'm having a problem where users are seemingly randomly getting access denied to a share on our server. I think I've tracked it down now to a failing of the winbind idmap code, where it for some reason stops being able to look up the sid->gid mapping and tries to allocate a new mapping instead (so the id pool is also leaking).

I set log level = 3 winbind:10 idmap:10.
Here is an excerpt from /var/log/samba/log.winbindd-idmap:

[2010/08/26 13:46:39,  4] winbindd/winbindd_dual.c:1460(fork_domain_child)
  child daemon request 52
[2010/08/26 13:46:39, 10] winbindd/winbindd_dual.c:452(child_process_request)
  child_process_request: request fn DUAL_SID2GID
[2010/08/26 13:46:39,  3] winbindd/winbindd_idmap.c:355(winbindd_dual_sid2gid)
  [11621]: sid to gid S-1-5-21-1410203337-155486731-3094506392-513
[2010/08/26 13:46:39, 10] winbindd/idmap_util.c:239(idmap_sid_to_gid)
  idmap_sid_to_gid: sid = [S-1-5-21-1410203337-155486731-3094506392-513], domain = ''
[2010/08/26 13:46:39, 10] winbindd/idmap.c:765(idmap_backends_sid_to_unixid)
  idmap_backends_sid_to_unixid: domain = '', sid = [S-1-5-21-1410203337-155486731-3094506392-513]
[2010/08/26 13:46:39,  3] winbindd/idmap.c:302(idmap_init_domain)
  idmap backend passdb not found
[2010/08/26 13:46:39,  3] lib/module.c:48(do_smb_load_module)
  Error loading module '/usr/lib/samba/idmap/passdb.so': /usr/lib/samba/idmap/passdb.so: cannot open shared object file: No such file or directory
[2010/08/26 13:46:39,  3] winbindd/idmap.c:307(idmap_init_domain)
  Could not probe idmap module passdb
[2010/08/26 13:46:39,  1] winbindd/idmap.c:438(idmap_init_passdb_domain)
  Could not init passdb idmap domain
[2010/08/26 13:46:39, 10] winbindd/idmap.c:465(idmap_find_domain)
  idmap_find_domain called for domain 'NULL'
[2010/08/26 13:46:39, 10] winbindd/idmap.c:349(idmap_init_default_domain)
  idmap_init_default_domain: calling static_init_idmap
[2010/08/26 13:46:39, 10] winbindd/idmap_tdb.c:1246(idmap_tdb_init)
  calling idmap_tdb_init
[2010/08/26 13:46:39,  5] winbindd/idmap.c:218(smb_register_idmap_alloc)
  Successfully added idmap alloc backend 'tdb'
[2010/08/26 13:46:39,  5] winbindd/idmap.c:169(smb_register_idmap)
  Successfully added idmap backend 'tdb'
[2010/08/26 13:46:39,  5] winbindd/idmap.c:169(smb_register_idmap)
  Successfully added idmap backend 'passdb'
[2010/08/26 13:46:39,  5] winbindd/idmap.c:169(smb_register_idmap)
  Successfully added idmap backend 'nss'
[2010/08/26 13:46:39,  3] winbindd/idmap.c:359(idmap_init_default_domain)
  idmap_init: using 'ldap' as remote backend
[2010/08/26 13:46:39,  3] winbindd/idmap.c:302(idmap_init_domain)
  idmap backend ldap not found
[2010/08/26 13:46:39,  2] lib/module.c:64(do_smb_load_module)
  Module '/usr/lib/samba/idmap/ldap.so' loaded
[2010/08/26 13:46:39,  5] winbindd/idmap.c:218(smb_register_idmap_alloc)
  Successfully added idmap alloc backend 'ldap'
[2010/08/26 13:46:39,  5] winbindd/idmap.c:169(smb_register_idmap)
  Successfully added idmap backend 'ldap'
[2010/08/26 13:46:39, 10] winbindd/idmap_tdb.c:1246(idmap_tdb_init)
  calling idmap_tdb_init
[2010/08/26 13:46:39,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2010/08/26 13:46:39,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2010/08/26 13:46:39,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2010/08/26 13:46:39,  2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/08/26 13:46:39,  3] lib/smbldap.c:1101(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2010/08/26 13:46:39, 10] winbindd/idmap_ldap.c:413(idmap_ldap_allocate_id)
  Search of the id pool (filter: (objectClass=sambaUnixIdPool))
[2010/08/26 13:46:39, 10] winbindd/idmap_ldap.c:497(idmap_ldap_allocate_id)
  Try to atomically increment the id (12714 -> 12715)
[2010/08/26 13:46:39, 10] winbindd/idmap.c:704(idmap_new_mapping)
  Setting mapping: S-1-5-21-1410203337-155486731-3094506392-513 <-> GID 12714
[2010/08/26 13:46:39, 10] winbindd/idmap_ldap.c:1459(idmap_ldap_set_mapping)
  Set DN sambaSID=S-1-5-21-1410203337-155486731-3094506392-513,ou=Idmap,dc=ucwb,dc=org,dc=au (S-1-5-21-1410203337-155486731-3094506392-513 -> 12714)
[2010/08/26 13:46:39,  2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/08/26 13:46:39,  3] lib/smbldap.c:1101(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2010/08/26 13:46:39,  0] winbindd/idmap_ldap.c:1470(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-1410203337-155486731-3094506392-513 to 12714 mapping [gidNumber]
[2010/08/26 13:46:39,  0] winbindd/idmap_ldap.c:1472(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was: (NULL) (Already exists)
[2010/08/26 13:46:39,  3] winbindd/idmap.c:719(idmap_new_mapping)
  Could not store the new mapping: NT_STATUS_UNSUCCESSFUL
[2010/08/26 13:46:39, 10] winbindd/idmap_util.c:293(idmap_sid_to_gid)
  idmap_new_mapping failed: NT_STATUS_UNSUCCESSFUL
[2010/08/26 13:46:39, 10] winbindd/winbindd_idmap.c:370(winbindd_dual_sid2gid)
  winbindd_dual_sid2gid: 0xc0000001 - S-1-5-21-1410203337-155486731-3094506392-513 - 0
[2010/08/26 13:46:39, 10] winbindd/winbindd_cache.c:2627(cache_store_response)
  Storing response for pid 11670, len 3496

To me it looks like winbind is not even trying to look up the ID via ldap before allocating a new ID? The mapping is definitely there:

$ SID="S-1-5-21-1410203337-155486731-3094506392-513"
$ ldapsearch -x -H ldap://ldap.ucwb.org.au -P 3 \
>    -b "ou=Idmap,dc=ucwb,dc=org,dc=au" "(sambaSID=$SID)" \
>    uidNumber gidNumber
# extended LDIF
#
# LDAPv3
# base <ou=Idmap,dc=ucwb,dc=org,dc=au> with scope subtree
# filter: (sambaSID=S-1-5-21-1410203337-155486731-3094506392-513)
# requesting: uidNumber gidNumber 
#

# S-1-5-21-1410203337-155486731-3094506392-513, Idmap, ucwb.org.au
dn: sambaSID=S-1-5-21-1410203337-155486731-3094506392-513,ou=Idmap,dc=ucwb,dc=
 org,dc=au
gidNumber: 10344

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I'll attach smb.conf and more complete log files. I am using the Samba 3.4.8 packages from Debian Squeeze.

Comment 1 Kevin Shanahan (dead mail address) 2010-08-26 00:40:55 UTC

Created attachment 5925 [details]
smb.conf

Comment 2 Kevin Shanahan (dead mail address) 2010-08-26 01:04:16 UTC

Actually, I'm not sure what other log files to upload. Please let me know what would be useful.

Also, I looked at bug 6537, which does look similar, but my problem is with domain groups and not local groups.

Comment 3 Kevin Shanahan (dead mail address) 2010-09-27 00:06:45 UTC

Same problem after upgrade to Samba 3.5.5, updating product/version info...

Comment 4 Kevin Shanahan (dead mail address) 2011-02-10 17:52:50 UTC

Have tested the patches attached to bug 7777 and they fix this problem.


*** This bug has been marked as a duplicate of bug 7777 ***