I'm having a problem where users are seemingly randomly getting access denied to a share on our server. I think I've tracked it down now to a failing of the winbind idmap code, where it for some reason stops being able to look up the sid->gid mapping and tries to allocate a new mapping instead (so the id pool is also leaking). I set log level = 3 winbind:10 idmap:10. Here is an excerpt from /var/log/samba/log.winbindd-idmap: [2010/08/26 13:46:39, 4] winbindd/winbindd_dual.c:1460(fork_domain_child) child daemon request 52 [2010/08/26 13:46:39, 10] winbindd/winbindd_dual.c:452(child_process_request) child_process_request: request fn DUAL_SID2GID [2010/08/26 13:46:39, 3] winbindd/winbindd_idmap.c:355(winbindd_dual_sid2gid) [11621]: sid to gid S-1-5-21-1410203337-155486731-3094506392-513 [2010/08/26 13:46:39, 10] winbindd/idmap_util.c:239(idmap_sid_to_gid) idmap_sid_to_gid: sid = [S-1-5-21-1410203337-155486731-3094506392-513], domain = '' [2010/08/26 13:46:39, 10] winbindd/idmap.c:765(idmap_backends_sid_to_unixid) idmap_backends_sid_to_unixid: domain = '', sid = [S-1-5-21-1410203337-155486731-3094506392-513] [2010/08/26 13:46:39, 3] winbindd/idmap.c:302(idmap_init_domain) idmap backend passdb not found [2010/08/26 13:46:39, 3] lib/module.c:48(do_smb_load_module) Error loading module '/usr/lib/samba/idmap/passdb.so': /usr/lib/samba/idmap/passdb.so: cannot open shared object file: No such file or directory [2010/08/26 13:46:39, 3] winbindd/idmap.c:307(idmap_init_domain) Could not probe idmap module passdb [2010/08/26 13:46:39, 1] winbindd/idmap.c:438(idmap_init_passdb_domain) Could not init passdb idmap domain [2010/08/26 13:46:39, 10] winbindd/idmap.c:465(idmap_find_domain) idmap_find_domain called for domain 'NULL' [2010/08/26 13:46:39, 10] winbindd/idmap.c:349(idmap_init_default_domain) idmap_init_default_domain: calling static_init_idmap [2010/08/26 13:46:39, 10] winbindd/idmap_tdb.c:1246(idmap_tdb_init) calling idmap_tdb_init [2010/08/26 13:46:39, 5] winbindd/idmap.c:218(smb_register_idmap_alloc) Successfully added idmap alloc backend 'tdb' [2010/08/26 13:46:39, 5] winbindd/idmap.c:169(smb_register_idmap) Successfully added idmap backend 'tdb' [2010/08/26 13:46:39, 5] winbindd/idmap.c:169(smb_register_idmap) Successfully added idmap backend 'passdb' [2010/08/26 13:46:39, 5] winbindd/idmap.c:169(smb_register_idmap) Successfully added idmap backend 'nss' [2010/08/26 13:46:39, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'ldap' as remote backend [2010/08/26 13:46:39, 3] winbindd/idmap.c:302(idmap_init_domain) idmap backend ldap not found [2010/08/26 13:46:39, 2] lib/module.c:64(do_smb_load_module) Module '/usr/lib/samba/idmap/ldap.so' loaded [2010/08/26 13:46:39, 5] winbindd/idmap.c:218(smb_register_idmap_alloc) Successfully added idmap alloc backend 'ldap' [2010/08/26 13:46:39, 5] winbindd/idmap.c:169(smb_register_idmap) Successfully added idmap backend 'ldap' [2010/08/26 13:46:39, 10] winbindd/idmap_tdb.c:1246(idmap_tdb_init) calling idmap_tdb_init [2010/08/26 13:46:39, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2010/08/26 13:46:39, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2010/08/26 13:46:39, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2010/08/26 13:46:39, 2] lib/smbldap.c:890(smbldap_open_connection) smbldap_open_connection: connection opened [2010/08/26 13:46:39, 3] lib/smbldap.c:1101(smbldap_connect_system) ldap_connect_system: successful connection to the LDAP server [2010/08/26 13:46:39, 10] winbindd/idmap_ldap.c:413(idmap_ldap_allocate_id) Search of the id pool (filter: (objectClass=sambaUnixIdPool)) [2010/08/26 13:46:39, 10] winbindd/idmap_ldap.c:497(idmap_ldap_allocate_id) Try to atomically increment the id (12714 -> 12715) [2010/08/26 13:46:39, 10] winbindd/idmap.c:704(idmap_new_mapping) Setting mapping: S-1-5-21-1410203337-155486731-3094506392-513 <-> GID 12714 [2010/08/26 13:46:39, 10] winbindd/idmap_ldap.c:1459(idmap_ldap_set_mapping) Set DN sambaSID=S-1-5-21-1410203337-155486731-3094506392-513,ou=Idmap,dc=ucwb,dc=org,dc=au (S-1-5-21-1410203337-155486731-3094506392-513 -> 12714) [2010/08/26 13:46:39, 2] lib/smbldap.c:890(smbldap_open_connection) smbldap_open_connection: connection opened [2010/08/26 13:46:39, 3] lib/smbldap.c:1101(smbldap_connect_system) ldap_connect_system: successful connection to the LDAP server [2010/08/26 13:46:39, 0] winbindd/idmap_ldap.c:1470(idmap_ldap_set_mapping) ldap_set_mapping_internals: Failed to add S-1-5-21-1410203337-155486731-3094506392-513 to 12714 mapping [gidNumber] [2010/08/26 13:46:39, 0] winbindd/idmap_ldap.c:1472(idmap_ldap_set_mapping) ldap_set_mapping_internals: Error was: (NULL) (Already exists) [2010/08/26 13:46:39, 3] winbindd/idmap.c:719(idmap_new_mapping) Could not store the new mapping: NT_STATUS_UNSUCCESSFUL [2010/08/26 13:46:39, 10] winbindd/idmap_util.c:293(idmap_sid_to_gid) idmap_new_mapping failed: NT_STATUS_UNSUCCESSFUL [2010/08/26 13:46:39, 10] winbindd/winbindd_idmap.c:370(winbindd_dual_sid2gid) winbindd_dual_sid2gid: 0xc0000001 - S-1-5-21-1410203337-155486731-3094506392-513 - 0 [2010/08/26 13:46:39, 10] winbindd/winbindd_cache.c:2627(cache_store_response) Storing response for pid 11670, len 3496 To me it looks like winbind is not even trying to look up the ID via ldap before allocating a new ID? The mapping is definitely there: $ SID="S-1-5-21-1410203337-155486731-3094506392-513" $ ldapsearch -x -H ldap://ldap.ucwb.org.au -P 3 \ > -b "ou=Idmap,dc=ucwb,dc=org,dc=au" "(sambaSID=$SID)" \ > uidNumber gidNumber # extended LDIF # # LDAPv3 # base <ou=Idmap,dc=ucwb,dc=org,dc=au> with scope subtree # filter: (sambaSID=S-1-5-21-1410203337-155486731-3094506392-513) # requesting: uidNumber gidNumber # # S-1-5-21-1410203337-155486731-3094506392-513, Idmap, ucwb.org.au dn: sambaSID=S-1-5-21-1410203337-155486731-3094506392-513,ou=Idmap,dc=ucwb,dc= org,dc=au gidNumber: 10344 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 I'll attach smb.conf and more complete log files. I am using the Samba 3.4.8 packages from Debian Squeeze.
Created attachment 5925 [details] smb.conf
Actually, I'm not sure what other log files to upload. Please let me know what would be useful. Also, I looked at bug 6537, which does look similar, but my problem is with domain groups and not local groups.
Same problem after upgrade to Samba 3.5.5, updating product/version info...
Have tested the patches attached to bug 7777 and they fix this problem. *** This bug has been marked as a duplicate of bug 7777 ***