Bug 873 - winbind works oddly
winbind works oddly
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.0preX
All Linux
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-12-10 04:00 UTC by robert kastl
Modified: 2005-11-14 09:27 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description robert kastl 2003-12-10 04:00:42 UTC
Dear Samba-Team,

I have the following problem:
The smbd and winbindd start fine, everthing seems to be okay, all users can be
authenticated.
The getent passwd command for every user in the WIN Domain SUED looks good.
The users are granted in their shares very well.

But a few minutes later, the winbindd is suddenly unable to authenticate some
users against the Domain. You can see it in the snapshot. Messages like "Unable
to initgroups" or "make_server_info_info3: pdb_init_sam failed!" don't look fine.

I tried it with samba3.0.1.pre3 and samba3.0.1rc1

 Here a snapshot of the log.smbd
 --------------------------------------------------------
 [2003/12/09 09:12:30, 2] smbd/close.c:close_normal_file(228)
 SUED+Lauf.Barbara closed file Export-GLB-Sued/DP AG/Report GLB3 OLA DPAG.xls
(numopen=1)
 [2003/12/09 09:12:41, 0] smbd/sec_ctx.c:initialise_groups(203)
 Unable to initgroups. Error was Eingabe-/Ausgabefehler
 [2003/12/09 09:12:41, 0] smbd/service.c:make_connection_snum(677)
 '%H/lesen' does not exist or is not a directory, when connecting to [lesen]
 [2003/12/09 09:12:42, 0] smbd/sec_ctx.c:initialise_groups(203)
 Unable to initgroups. Error was Eingabe-/Ausgabefehler
 [2003/12/09 09:12:42, 0] smbd/service.c:make_connection_snum(677)
 '%H/schreiben' does not exist or is not a directory, when connecting to [schreiben]
 [2003/12/09 09:12:46, 2] smbd/sesssetup.c:setup_new_vc_session(535)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
 [2003/12/09 09:12:46, 2] smbd/sesssetup.c:setup_new_vc_session(535)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
 [2003/12/09 09:12:46, 0] auth/auth_util.c:make_server_info_info3(1066)
 make_server_info_info3: pdb_init_sam failed!
 [2003/12/09 09:12:46, 2] auth/auth.c:check_ntlm_password(312)
 check_ntlm_password: Authentication for user [Ringer.Thomas] -> [Ringer.Thomas]
FAILED with error NT_STATUS_NO_SUCH_
 USER
 [2003/12/09 09:12:46, 2] smbd/sesssetup.c:setup_new_vc_session(535)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
 [2003/12/09 09:12:46, 2] smbd/sesssetup.c:setup_new_vc_session(535)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
 [2003/12/09 09:12:46, 0] auth/auth_util.c:make_server_info_info3(1066)
 make_server_info_info3: pdb_init_sam failed!
 --------------------------------------------------------------------------------------------------------
Now the getent passwd SUED+Ringer.Thomas cannot be resolved.

After a restart of the winbindd everything is okay again, but not very long,
other users cannot acces to their share. 




And here is my smb.conf:
;
; /etc/smb.conf
;
;
[global]
workgroup = T-SYSTEMS
netbios name = Q4DEMRSA001
server string = RSC-Fileservice
getwd cache = yes
keep alive = 600
log level = 2
os level = 2

domain master = no
local master = no
preferred master = no
enhanced browsing = no


kernel oplocks = false
invalid users = root
max log size = 1000
syslog = 0
printing = BSD
printcap name = /etc/printcap

winbind separator = +
winbind uid = 10000-90000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 600
template shell = /bin/false
template homedir = /space/home/%D+%U
name resolve order = wins host bcast
auto services = lesen schreiben

security = DOMAIN
password server = *
encrypt passwords = true
update encrypted = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
write cache size = 262144
unix charset = ISO8859-15
map to guest = Never
passdb backend = tdbsam

interfaces = 10.187.10.11/255.255.255.0

wins support = no
dns proxy = no
wins server = 10.206.162.4 10.206.162.6


[lesen]
comment = Lesezugriff
read only = yes
path = %H/lesen
force group = users
force create mode = 777
force security mode = 0777
force directory mode = 777
force directory security mode =0777
browseable = yes

[schreiben]
comment = Schreib- und Lesezugriff
read only = no
path = %H/schreiben
force group = users
force create mode = 770
force security mode = 0770
force directory mode = 770
force directory security mode =0770
browseable = yes

[sichern]
comment = privates Sicherungsverzeichnis
read only = no
path = %H/sichern
force group = users
force create mode = 700
force security mode = 0777
force directory mode = 700
force directory security mode =0777
browseable = yes
guest ok = no


 Best regards

Robert Kastl
Comment 1 Gerald (Jerry) Carter 2003-12-10 08:45:16 UTC
My guess is a disconnected sequence number.  Can you tell me

  1) if SUED+Lauf.Barbara is a member of more than 32 groups
  2) what the output of wbinfo --sequence is (both when winbindd 
     is working and when it fails).

?  Thanks.
Comment 2 robert kastl 2003-12-21 02:53:11 UTC
1. Yes SUED+Lauf.Barbara is a member of more than 32 groups 
2.

Just after start of winbindd and smbd, nmbd:
-------------------------------------------------------------------
My own account works with getent passwd, as you can see:
Q4DEMRSA001:~/neu-samba# getent passwd SUED+kastl.robert
SUED+kastl.robert:x:10000:10000::/space/home/SUED+kastl.robert:/bin/false

Here the output of wbinfo:
Q4DEMRSA001:~# /usr/local/samba/bin/wbinfo --sequence
T-COM : DISCONNECTED
SUED10 : 29973
OST1 : 340553
WEST3 : 447950
WEST2 : 1932890
SUEDWEST : 1937266
SUED13 : 1464
WEST : 2650649
SUEDWEST2 : 1142976
SUED3 : 691117
SUED12 : 5748
OST3 : 1
SUED : 1709397
OST : 1
NORD2 : 27004
OST2 : 1651579
MITTE : 3
NORD : 1930791
MITTE2 : 1158
SUED8 : 235058
WEST1 : 1305298
DITSCOM : 150538
DSH : 1
SUED2 : 1849843
MITTE3 : 138651
OST5 : 1
ADS-TELEKOM : DISCONNECTED
T-SYSTEMS : 1
Q4DEMRSA001:~/neu-samba#

20 Minutes later....................

Now my own account failed with getent passwd:
Q4DEMRSA001:~/neu-samba# getent passwd SUED+kastl.robert
Q4DEMRSA001:~#


/usr/local/samba/bin/wbinfo --sequence
T-COM : DISCONNECTED
SUED10 : 29973
OST1 : 340554
WEST3 : 447950
WEST2 : 1932890
SUEDWEST : 1937266
SUED13 : 1464
WEST : 2650649
SUEDWEST2 : 1142976
SUED3 : 691117
SUED12 : 5748
OST3 : 1
SUED : DISCONNECTED
OST : 1
NORD2 : 27004
OST2 : 1651579
MITTE : 3
NORD : 1930791
MITTE2 : 1158
SUED8 : 235058
WEST1 : 1305298
DITSCOM : 150551
DSH : 1
SUED2 : 1849875
MITTE3 : 138653
OST5 : 1
ADS-TELEKOM : DISCONNECTED
T-SYSTEMS : 1


I estimate that every user in a disconnected Domain cannot be authenticated. But
why have the Domain SUED after the start of the winbindd a sequence-number an
later on SUED is disconnected?
Comment 3 robert kastl 2003-12-21 02:55:08 UTC
Dear Samba-Team,
I would like to give you some more informations, which may be helpful.

Usually i use the pre-compiled Samba3.0.0 from the Debian-Distribution.
When i use this, the output of wbinfo --sequence looks good:

Q4DEMRSA001:~# wbinfo --sequence
T-COM : 5983116
SUED10 : 129480
OST1 : 340585
WEST3 : 5724521
WEST2 : 4171159
SUEDWEST : 3535657
SUED13 : 5830488
WEST : 863569159
SUEDWEST2 : 4303121
SUED3 : 4203035
SUED12 : 287095
OST3 : 2135990695
SUED : 529870237
OST : 1053422962
NORD2 : 5881490
OST2 : 1064240182
MITTE : 5051426
NORD : 586410753
MITTE2 : 8999625
SUED8 : 5428940
WEST1 : 47310
DITSCOM : 150572
DSH : 1352223
SUED2 : 1851289
MITTE3 : 138661
OST5 : 1934489
ADS-TELEKOM : 6219222
T-SYSTEMS : 6969237
Q4DEMRSA001:~#

Unfortunately has the Samba3.0.0 the Bug 551 Excel cannot open read-only files.
Therefore i tried to use the latest Samba from samba.org, with the trouble i
described.

I tried it at three different machines, always with the same result.
Comment 4 robert kastl 2003-12-21 02:57:11 UTC
Dear Samba-Team,

Now i think whats going wrong with my winbind:

It depends on the library libldap2-dev, the OpenLDAP development libraries.

When i compile the samba-sources and the ibldap2-dev are NOT installed, i have
problems with the sequence-numbers.

When i compile the samba-sources and the ibldap2-dev are installed, every seem
to work well.

I compile the sources in both cases:

./configure
make
make install

It would have been better to compile the sources with:
./configure --with-ads --with-ldap
than a message tell me, that the ldap-libraries are necessary.
In this case, my problems never happend.

Thank you for your support, your tip with the the wbinfo --sequence helped me to
find out whats happend. 
Comment 5 Gerald (Jerry) Carter 2004-01-14 21:26:44 UTC
build issues.  All of this is documented in the HOWTO Collection,
Comment 6 Gerald (Jerry) Carter 2005-02-07 07:57:12 UTC
originally reported against 3.0aph24.  Bugzilla spring cleaning.  
Removing old alpha versions.
Comment 7 Gerald (Jerry) Carter 2005-11-14 09:27:33 UTC
database cleanup