Bug 8421 - Samba integrated with AD
Summary: Samba integrated with AD
Status: RESOLVED DUPLICATE of bug 6825
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: User & Group Accounts
Version: 3.5.8
Hardware: x86 Linux
Importance: P5 critical
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2011-08-29 17:06 UTC by praveen
Modified: 2014-07-23 18:19 UTC
Attachments
Winbind logs (521.21 KB, text/plain), 2011-08-29 21:57 UTC, praveen
Winbind logs (1.58 MB, application/octet-stream), 2011-09-02 14:26 UTC, praveen

Description praveen 2011-08-29 17:06:08 UTC
Hi,

We have integrated Samba with our AD. The OS of the Linux machine is SUSE 9 and the OS of our AD is Windows 2008 R2.

I am able to log in to the SUSE Linux machine using my AD account. But when I type the command "id -a", it does not display all the groups I belong to, only some group names. When I check on the AD server, I am a member of all these groups, but not all of them are displayed on the Linux machine where Samba and winbind are configured.

We configured ACLs on some directories, and because some groups are not displayed with my ID, I am unable to access those directories.

Please help with this ASAP. Kindly let me know if you require any more information.

Thank you in advance.

Regards
Praveen
Comment 1 praveen 2011-08-29 17:20:06 UTC
(In reply to comment #0)
> Hi,
> We have integrated Samba with our AD. The OS of the Linux machine is SUSE 9 and
> the OS of our AD is Windows 2008 R2.
> I am able to log in to the SUSE Linux machine using my AD account. But when I
> type the command "id -a", it does not display all the groups I belong to,
> only some group names. When I check on the AD server, I am a member of all
> these groups, but not all of them are displayed on the Linux machine where
> Samba and winbind are configured.
> We configured ACLs on some directories, and because some groups are not
> displayed with my ID, I am unable to access those directories.
> Please help with this ASAP. Kindly let me know if you require any more
> information.
> Thank you in advance.
> Regards
> Praveen

One more thing I forgot to mention: I recently upgraded the Samba package from 3.0.26a-0.9 to 3.5.8. I have been getting this issue only since the upgrade; before that it was working fine.
Comment 2 Volker Lendecke 2011-08-29 17:36:45 UTC
Did you check all your idmap settings? id mapping has changed significantly between 3.0 and 3.5.

With best regards,

Volker Lendecke
Comment 3 praveen 2011-08-29 17:44:38 UTC
(In reply to comment #2)
> Did you check all your idmap settings? id mapping has changed significantly
> between 3.0 and 3.5.
> With best regards,
> Volker Lendecke

Hi,

Thanks for the reply.

In the smb.conf file I have added the lines below related to idmap:

        idmap gid = 16777216-33554431
        idmap uid = 16777216-33554431

Is this the one you were referring to?
Comment 4 Volker Lendecke 2011-08-29 19:12:42 UTC
If that's all, then it should continue to work fine. Please upload full debug level 10 logs of winbind (log.w* in the directory where you store your log files, please set "debug level = 10" in your smb.conf file and restart winbind before you do that operation) during the idmap -a operation.

With best regards,

Volker Lendecke
Comment 5 praveen 2011-08-29 21:57:00 UTC
Created attachment 6830
Winbind logs
Comment 6 praveen 2011-08-29 22:06:55 UTC
Pls find the smb.conf file configuration

[global]
        workgroup = NA
        realm = NA.UIS.UNISYS.COM
        netbios name = ustr-linux-1
        server string = USTR-LINUX-1.na.uis.unisys.com
        encrypt passwords = yes
        security = ADS
        password server = 129.224.152.11, 129.224.8.140
        passdb backend = smbpasswd
        log level = 2 winbind:10 ads:10 auth:10
        syslog = 0
        log file = /var/log/samba/%m.log
        debug level = 10
        max log size = 5000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        winbind use default domain = no
        winbind uid = 16777216-33554431
        winbind gid = 16777216-33554431
        winbind enum users = no
        winbind enum groups = no
        winbind cache time = 3600
        template homedir = /home/%D/%U
        template shell = /bin/bash
        admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
        nt acl support = yes
        map acl inherit = yes
        unix extensions = no
        idmap backend = ad
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        usershare allow guests = No
        winbind refresh tickets = yes
        obey pam restrictions = yes
Comment 7 praveen 2011-09-02 13:45:58 UTC
(In reply to comment #6)
> Pls find the smb.conf file configuration
> [global]
>         workgroup = NA
>         realm = NA.UIS.UNISYS.COM
>         netbios name = ustr-linux-1
>         server string = USTR-LINUX-1.na.uis.unisys.com
>         encrypt passwords = yes
>         security = ADS
>         password server = 129.224.152.11, 129.224.8.140
>         passdb backend = smbpasswd
>         log level = 2 winbind:10 ads:10 auth:10
>         syslog = 0
>         log file = /var/log/samba/%m.log
>         debug level = 10
>         max log size = 5000
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         winbind use default domain = no
>         winbind uid = 16777216-33554431
>         winbind gid = 16777216-33554431
>         winbind enum users = no
>         winbind enum groups = no
>         winbind cache time = 3600
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
>         nt acl support = yes
>         map acl inherit = yes
>         unix extensions = no
>         idmap backend = ad
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         usershare allow guests = No
>         winbind refresh tickets = yes
>         obey pam restrictions = yes


Hi,

Can anyone help with this issue? I have no idea how to proceed. I will explain once more exactly what the issue is.

We have a Samba server, version 3.0.26a, with winbind authenticating on SLES 9 SP4, with Windows 2003 as the AD server. HTTP is configured and uses the domain IDs to log in. Last week we had an issue where users were not able to authenticate using their domain IDs.
The wbinfo -t command was failing. Then we heard from corporate IT that they had upgraded the AD OS from Windows 2003 to Windows 2008 R2.

So I upgraded the Samba package from 3.0.26a to 3.5.8. After that we were able to contact AD, and users were also able to authenticate using domain IDs. But later users complained that they were getting intermittent authentication problems. Also, if they log in to the Linux server with their domain IDs over SSH, they are not able to get the full group details using the id -a command. But for some users it is working fine.

This is the overall picture of the situation. Please also find the Samba configuration file below. Kindly let us know if any more information is required.

[global]
        workgroup = NA
        realm = NA.UIS.UNISYS.COM
        netbios name = ustr-linux-1
        server string = USTR-LINUX-1.na.uis.unisys.com
        encrypt passwords = yes
        security = ADS
        password server = 129.224.152.11, 129.224.8.140
        passdb backend = smbpasswd
        log level = 2 winbind:10 ads:10 auth:10
        syslog = 0
        log file = /var/log/samba/%m.log
        debug level = 10
        max log size = 5000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        winbind use default domain = no
        winbind uid = 16777216-33554431
        winbind gid = 16777216-33554431
        winbind enum users = yes
        winbind enum groups = yes
        winbind cache time = 3600
        template homedir = /home/%D/%U
        template shell = /bin/bash
        admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
        nt acl support = yes
        map acl inherit = yes
        unix extensions = no
#        idmap domains = NA
#        idmap backend = idmap_rid:NA=16777216-33554431
        idmap gid = 16777216-33554431
        idmap uid = 16777216-33554431
#        allow trusted domains = no
        usershare allow guests = No
        winbind refresh tickets = yes
        obey pam restrictions = yes
#       printer setup
#       load printers = yes
#       use client driver = no
#       printing = cups



Regards

Praveen
Comment 8 praveen 2011-09-02 13:49:35 UTC
Hi,

Can anyone help with this issue? I have no idea how to proceed. I will
explain once more exactly what the issue is.

We have a Samba server, version 3.0.26a, with winbind authenticating on
SLES 9 SP4, with Windows 2003 as the AD server. HTTP is configured and uses the
domain IDs to log in. Last week we had an issue where users were not able to
authenticate using their domain IDs.
The wbinfo -t command was failing. Then we heard from corporate IT that they
had upgraded the AD OS from Windows 2003 to Windows 2008 R2.

So I upgraded the Samba package from 3.0.26a to 3.5.8. After that we were able
to contact AD, and users were also able to authenticate using domain IDs. But
later users complained that they were getting intermittent authentication
problems. Also, if they log in to the Linux server with their domain IDs over
SSH, they are not able to get the full group details using the id -a command.
But for some users it is working fine.

This is the overall picture of the situation. Please also find the Samba
configuration file below. Kindly let us know if any more information is required.

[global]
        workgroup = NA
        realm = NA.UIS.UNISYS.COM
        netbios name = ustr-linux-1
        server string = USTR-LINUX-1.na.uis.unisys.com
        encrypt passwords = yes
        security = ADS
        password server = 129.224.152.11, 129.224.8.140
        passdb backend = smbpasswd
        log level = 2 winbind:10 ads:10 auth:10
        syslog = 0
        log file = /var/log/samba/%m.log
        debug level = 10
        max log size = 5000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        winbind use default domain = no
        winbind uid = 16777216-33554431
        winbind gid = 16777216-33554431
        winbind enum users = yes
        winbind enum groups = yes
        winbind cache time = 3600
        template homedir = /home/%D/%U
        template shell = /bin/bash
        admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
        nt acl support = yes
        map acl inherit = yes
        unix extensions = no
#        idmap domains = NA
#        idmap backend = idmap_rid:NA=16777216-33554431
        idmap gid = 16777216-33554431
        idmap uid = 16777216-33554431
#        allow trusted domains = no
        usershare allow guests = No
        winbind refresh tickets = yes
        obey pam restrictions = yes
#       printer setup
#       load printers = yes
#       use client driver = no
#       printing = cups



Regards

Praveen
Comment 9 praveen 2011-09-02 13:59:12 UTC
(In reply to comment #6)
> Pls find the smb.conf file configuration
> [global]
>         workgroup = NA
>         realm = NA.UIS.UNISYS.COM
>         netbios name = ustr-linux-1
>         server string = USTR-LINUX-1.na.uis.unisys.com
>         encrypt passwords = yes
>         security = ADS
>         password server = 129.224.152.11, 129.224.8.140
>         passdb backend = smbpasswd
>         log level = 2 winbind:10 ads:10 auth:10
>         syslog = 0
>         log file = /var/log/samba/%m.log
>         debug level = 10
>         max log size = 5000
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         winbind use default domain = no
>         winbind uid = 16777216-33554431
>         winbind gid = 16777216-33554431
>         winbind enum users = no
>         winbind enum groups = no
>         winbind cache time = 3600
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
>         nt acl support = yes
>         map acl inherit = yes
>         unix extensions = no
>         idmap backend = ad
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         usershare allow guests = No
>         winbind refresh tickets = yes
>         obey pam restrictions = yes



One more update: today we are not having the intermittent issue, as the server load is low. So it is when the smbd package is using more CPU that we get the intermittent issue. Does any patch need to be installed?
Comment 10 Volker Lendecke 2011-09-02 14:12:03 UTC
(In reply to comment #5)
> Created attachment 6830
> Winbind logs

Those are not winbind logs.
Comment 11 praveen 2011-09-02 14:26:28 UTC
Created attachment 6851
Winbind logs
Comment 12 praveen 2011-09-02 16:38:31 UTC
Hi,

Please let me know whether I attached the correct logs.
Comment 13 praveen 2011-09-02 19:56:04 UTC
Hi,

Just now we got an authentication issue, and the winbind logs show the message below.


[2011/09/02 14:54:02.181868,  5] winbindd/winbindd.c:934(winbindd_listen_fde_handler)
winbindd: Exceeding 200 client connections, removing idle connection.  
[2011/09/02 14:54:02.181900,  5] winbindd/winbindd.c:908(remove_idle_client)
  Found 200 idle client connections, shutting down sock 77, pid 11057
[2011/09/02 14:54:02.181937,  6] winbindd/winbindd.c:791(new_connection)
accepted socket 77
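
The messages in comment 13 show winbindd reaching its client-connection limit and closing idle connections. The following Python script is an added example, not part of the original thread or of Samba: it counts limit hits per minute and dropped connections per logged pid in a winbind log of that layout. The names `parse_entries` and `summarize` are hypothetical, and only the first three log entries come from the comment; the rest are constructed.

```python
import re
from collections import Counter

# First three entries are the ones quoted in comment 13; the rest are
# constructed for this example in the same two-line layout.
SAMPLE_LOG = """\
[2011/09/02 14:54:02.181868,  5] winbindd/winbindd.c:934(winbindd_listen_fde_handler)
winbindd: Exceeding 200 client connections, removing idle connection.
[2011/09/02 14:54:02.181900,  5] winbindd/winbindd.c:908(remove_idle_client)
  Found 200 idle client connections, shutting down sock 77, pid 11057
[2011/09/02 14:54:02.181937,  6] winbindd/winbindd.c:791(new_connection)
accepted socket 77
[2011/09/02 14:54:40.500000,  5] winbindd/winbindd.c:934(winbindd_listen_fde_handler)
winbindd: Exceeding 200 client connections, removing idle connection.
[2011/09/02 14:54:40.500100,  5] winbindd/winbindd.c:908(remove_idle_client)
  Found 200 idle client connections, shutting down sock 81, pid 11057
[2011/09/02 14:55:03.000000,  5] winbindd/winbindd.c:934(winbindd_listen_fde_handler)
winbindd: Exceeding 200 client connections, removing idle connection.
"""

# Header line: [date time.usec, level] file:line(function)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d):\d\d\.\d+,\s*\d+\] \S+\((\w+)\)")
LIMIT = re.compile(r"Exceeding (\d+) client connections")
EVICT = re.compile(r"shutting down sock \d+, pid (\d+)")

def parse_entries(text):
    """Join each header line with its message lines: (minute, function, message)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), m.group(2), ""])
        elif entries:  # continuation of the most recent header
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def summarize(text):
    """Return (limit, limit hits per minute, dropped connections per logged pid)."""
    limit, hits, dropped = None, Counter(), Counter()
    for minute, func, msg in parse_entries(text):
        m = LIMIT.search(msg)
        if m and func == "winbindd_listen_fde_handler":
            limit = int(m.group(1))
            hits[minute] += 1
        m = EVICT.search(msg)
        if m and func == "remove_idle_client":
            dropped[int(m.group(1))] += 1
    return limit, dict(hits), dict(dropped)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The 200 in these messages is the default of the smb.conf parameter `winbind max clients`.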
Comment 14 Björn Jacke 2014-07-23 18:19:07 UTC

*** This bug has been marked as a duplicate of bug 6825 ***