Created attachment 8518
winbind debug level 10 and smb.conf
winbindd from samba 3.6.11 as domain member to windows 2000 PDC is unable to assign uid/gid or show user information.
    # wbinfo -i administrator
    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user administrator
although this works:
    # wbinfo -u
    administrator
    guest
    tsinternetuser
    krbtgt
    test
    # wbinfo -g
    domain computers
    domain controllers
    schema admins
    enterprise admins
    cert publishers
    domain admins
    domain users
    domain guests
    group policy creator owners
    ras and ias servers
    dnsadmins
    dnsupdateproxy
getent passwd/group fails to list any ad user or group.
hi, I confirm this bug on RHEL5 with the packages:
    samba3x.x86_64 0:3.6.6-0.129.el5
    samba3x-common.x86_64 0:3.6.6-0.129.el5
    samba3x-winbind.x86_64 0:3.6.6-0.129.el5
Downgrading to:
    samba3x.x86_64 0:3.5.10-0.110.el5_8
    samba3x-common.x86_64 0:3.5.10-0.110.el5_8
    samba3x-winbind.x86_64 0:3.5.10-0.110.el5_8
fixes the issue.
3.6.12 has the exact same problem. Debug out from winbindd -i -d10 is virtually the same.
Created attachment 8555
diffs removed
It seems that this has been happening since version 3.6.10 was released. I removed a few diffs from "patch-3.6.9-3.6.10.diffs" and patched samba-3.6.9. Diffs that I removed are listed in my attachment. After this winbindd seems to be able to assign uid/gid and list user information.
    # wbinfo -V
    Version 3.6.10
    # wbinfo -i administrator
    administrator:*:50000:50000:Administrator:/home/SGS/administrator:/bin/bash
    # getent passwd administrator
    administrator:*:50000:50000:Administrator:/home/SGS/administrator:/bin/bash
Sorry, but I'm not a developer; I can't produce a patch to fix this.
Looks like the people writing in this bug don't have the same problem. Comment #1 says 3.6.6 doesn't work for him, while comment #4 says 3.6.9 works and 3.6.10 doesn't. A common error is misconfiguration of idmap, bogus content in idmap tdb files from previous tests, or a wrong libwbclient library from a different samba version. Please check if those might be your problems. I've seen idmap tdb work in 3.6.11 (at least with the packages from ftp.sernet.de).
(In reply to comment #5) I checked and double checked the configuration. The libwbclient library used by winbind is the one that is produced at build time. This happens when the domain controller is Windows 2000. If I link winbind to a Windows 2003 domain controller everything works: new uid/gid are assigned to domain users/groups, and getent also lists domain users/groups. For me, winbind 3.6.9 is the last version that works with a Windows 2000 domain controller. I also tried the sernet packages for RHEL 6; the result is the same.
Looks like the "cm_connect_lsa_tcp" function doesn't work with Windows 2000 AD. The error message is: "cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_UNSUCCESSFUL". If I try to use "cm_connect_lsa", everything seems to be ok, and winbindd can allocate uid and gid. I added "status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);" in winbindd_cm after "if (!NT_STATUS_IS_OK(status))" and rebuilt.

    /****************************************************************************
     Open a LSA connection to a DC, suiteable for LSA lookup calls.
    ****************************************************************************/

    NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
                             TALLOC_CTX *mem_ctx,
                             struct rpc_pipe_client **cli,
                             struct policy_handle *lsa_policy)
    {
        NTSTATUS status;

        if (domain->can_do_ncacn_ip_tcp) {
            status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
            if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
                NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
                NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
                invalidate_cm_connection(&domain->conn);
                status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
            }
            if (!NT_STATUS_IS_OK(status)) {
                /* If that fails try cm_connect_lsa */
                status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
                return status;
            }
            return NT_STATUS_OK;
        }

        status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
        return status;
    }

Can someone advise if that is the correct thing to do?
Created attachment 9012
patch that will set domain->can_do_ncacn_ip_tcp to false if cm_connect_lsa_tcp fails.
Or better, set "domain->can_do_ncacn_ip_tcp" to false and let winbindd retry using "cm_connect_lsa"? That seems to be the way it was done before version 3.6.10... (sorry, but I have not yet found the right way of attaching a patch and comment in just one post :))
Created attachment 9120
v3-6-test patch
This is the right fix. We return an uninitialized variable if we are already connected.
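The two points raised in the preceding comments (a status that is left unset on the already-connected path, and clearing the TCP capability flag so later calls go straight to the named pipe) can be seen in a small constructed model. This is an added example, not code from Samba or from the attached patches; `status_t`, `struct dc_conn` and the `connect_lsa_*` functions are hypothetical stand-ins, and the retry on access-denied from the posted function is left out.

```c
#include <stdbool.h>

/* Constructed stand-ins; these are not Samba's types or functions. */
typedef enum { ST_OK, ST_UNSUCCESSFUL } status_t;

struct dc_conn {
    bool can_do_tcp;      /* models domain->can_do_ncacn_ip_tcp */
    bool tcp_connected;   /* an LSA pipe over TCP is already open */
    bool dc_accepts_tcp;  /* false models the Windows 2000 DC case */
    int tcp_attempts, np_attempts;
};

/* TCP path. status starts defined, so the early exit taken when the pipe
 * is already open cannot return an indeterminate value. */
static status_t connect_lsa_tcp(struct dc_conn *c)
{
    status_t status = ST_OK;

    if (c->tcp_connected)
        goto done;
    c->tcp_attempts++;
    if (!c->dc_accepts_tcp) {
        status = ST_UNSUCCESSFUL;
        goto done;
    }
    c->tcp_connected = true;
done:
    return status;
}

/* Named-pipe path; always succeeds in this model. */
static status_t connect_lsa_np(struct dc_conn *c)
{
    c->np_attempts++;
    return ST_OK;
}

/* Try TCP; on failure remember it and fall back to the named pipe. */
status_t connect_lsa_any(struct dc_conn *c)
{
    if (c->can_do_tcp) {
        if (connect_lsa_tcp(c) == ST_OK)
            return ST_OK;
        c->can_do_tcp = false;  /* skip TCP on later calls */
    }
    return connect_lsa_np(c);
}
```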
Created attachment 9121
v3-6-test patch version 2
Hm. Setting the status code to something should not be required at all, as the first function in that call sets it already.
same cm_connect_lsa_tcp failure as in #9899
Created attachment 9122
v3-6-test patch version 3
Comment on attachment 9122
v3-6-test patch version 3
looks good.
Making duplicate of #9899 so we can keep the applied patches in one place.
Jeremy.
*** This bug has been marked as a duplicate of bug 9899 ***