Bug 9615 - winbind unable to retrieve users information from AD.
Summary: winbind unable to retrieve users information from AD.
Status: RESOLVED DUPLICATE of bug 9899
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.11
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Blocks: 9899
Reported: 2013-01-29 19:16 UTC by dant
Modified: 2013-08-13 18:08 UTC

winbind debug level 10 and smb.conf (29.50 KB, application/zip)
2013-01-29 19:16 UTC, dant
diffs removed (16.91 KB, text/plain)
2013-02-14 19:47 UTC, dant
patch that will set domain->can_do_ncacn_ip_tcp to false if cm_connect_lsa_tcp fails. (331 bytes, patch)
2013-07-01 17:34 UTC, dant
v3-6-test patch (879 bytes, patch)
2013-08-09 10:24 UTC, Andreas Schneider
v3-6-test patch version 2 (1.13 KB, patch)
2013-08-09 11:48 UTC, Andreas Schneider
v3-6-test patch version 3 (941 bytes, patch)
2013-08-09 14:36 UTC, Andreas Schneider
gd: review+

Description dant 2013-01-29 19:16:40 UTC
Created attachment 8518 [details]
winbind debug level 10 and smb.conf

winbindd from samba 3.6.11 as domain member to windows 2000 PDC is unable to assign uid/gid or show user information.

# wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator

although this works:

# wbinfo -u

# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers

getent passwd/group fails to list any ad user or group.
Comment 1 Thomas Sondag 2013-02-04 09:17:41 UTC

I confirm this bug on RHEL5 with the packages:
samba3x.x86_64 0:3.6.6-0.129.el5
samba3x-common.x86_64 0:3.6.6-0.129.el5
samba3x-winbind.x86_64 0:3.6.6-0.129.el5

Downgrading to:
samba3x.x86_64 0:3.5.10-0.110.el5_8
samba3x-common.x86_64 0:3.5.10-0.110.el5_8
samba3x-winbind.x86_64 0:3.5.10-0.110.el5_8

fixes the issue.
Comment 2 Christopher Chan 2013-02-14 14:35:59 UTC
3.6.12 has the exact same problem. Debug out from winbindd -i -d10 is virtually the same.
Comment 3 dant 2013-02-14 19:47:29 UTC
Created attachment 8555 [details]
diffs removed
Comment 4 dant 2013-02-14 19:48:34 UTC
It seems that this happens since version 3.6.10 was released. I removed a few diffs from "patch-3.6.9-3.6.10.diffs" and patched samba-3.6.9. Diffs that I removed are listed in my attachment.
After this winbindd seems to be able to assign uid/gid and list user information.

# wbinfo -V
Version 3.6.10

# wbinfo -i administrator

# getent passwd administrator

Sorry, but I'm not a developer; I can't produce a patch to fix this.
Comment 5 Björn Jacke 2013-02-20 00:12:49 UTC
Looks like the people writing in this bug don't have the same problem. Comment #1 says 3.6.6 doesn't work for him while comment #4 says 3.6.9 works and 3.6.10 doesn't. A common error is misconfiguration of idmap, or bogus content of idmap tdb files from previous tests, or a wrong libwbclient library from a different samba version. Please check if those might be your problems. I've seen idmap tdb work in 3.6.11 (at least with the packages from ftp.sernet.de).
Comment 6 dant 2013-02-21 20:00:30 UTC
(In reply to comment #5)

I checked and double-checked the configuration. The libwbclient library used by winbind is the one that is produced at build time.

This happens when the domain controller is Windows 2000. If I link winbind to a Windows 2003 domain controller everything works, new uid/gid are assigned to domain users/groups, getent also lists domain users/groups.

For me, winbind 3.6.9 is the last version that works with a Windows 2000 domain controller. I also tried sernet packages for RHEL 6, the result is the same.
Comment 7 dant 2013-05-25 17:05:30 UTC
Looks like the "cm_connect_lsa_tcp" function doesn't work with Windows 2000 AD. The error message is: "cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_UNSUCCESSFUL".

If I try to use "cm_connect_lsa", everything seems to be ok, winbindd can allocate uid and gid.

I added "status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);" in winbindd_cm after "if (!NT_STATUS_IS_OK(status))" and rebuilt.

/* Open a LSA connection to a DC, suitable for LSA lookup calls. */

NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
                         TALLOC_CTX *mem_ctx,
                         struct rpc_pipe_client **cli,
                         struct policy_handle *lsa_policy)
{
        NTSTATUS status;

        if (domain->can_do_ncacn_ip_tcp) {
                status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
                if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
                    NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
                    /* ... */) {
                        status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
                }
                if (!NT_STATUS_IS_OK(status)) {
                        /* If that fails try cm_connect_lsa */
                        status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
                        return status;
                }
                return NT_STATUS_OK;
        }

        status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);

        return status;
}

Can someone advise if that is the correct thing to do?
Comment 8 dant 2013-07-01 17:34:50 UTC
Created attachment 9012 [details]
patch that will set domain->can_do_ncacn_ip_tcp to false if cm_connect_lsa_tcp fails.
Comment 9 dant 2013-07-01 17:40:34 UTC
Or better, set "domain->can_do_ncacn_ip_tcp" to false and let winbindd retry using "cm_connect_lsa"? That seems to be the way it was done before version 3.6.10...

(Sorry, but I have not yet found the right way of attaching a patch and comment in just one post :))
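
A minimal C model of the fallback proposed in comments 7 to 9, added here as an illustration and not code from Samba or from any participant in this bug. The types, the `model_*` helpers and `dc_accepts_tcp` are hypothetical stand-ins; only the flag name `can_do_ncacn_ip_tcp` comes from the thread, and the retry on access-denied statuses shown in comment 7 is left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins, not Samba's NTSTATUS or winbindd_domain definitions. */
typedef enum { ST_OK, ST_UNSUCCESSFUL } status_t;
struct model_domain {
    bool dc_accepts_tcp;       /* false models the Windows 2000 DC in this report */
    bool can_do_ncacn_ip_tcp;  /* flag named in the thread */
    int tcp_attempts, pipe_attempts;
};

static status_t model_lsa_tcp(struct model_domain *d) {   /* stands in for cm_connect_lsa_tcp */
    d->tcp_attempts++;
    return d->dc_accepts_tcp ? ST_OK : ST_UNSUCCESSFUL;
}
static status_t model_lsa_pipe(struct model_domain *d) {  /* stands in for cm_connect_lsa */
    d->pipe_attempts++;
    return ST_OK;
}

/* Shape of the code quoted in comment 7 before the change: a TCP failure is returned. */
status_t connect_returning_tcp_error(struct model_domain *d) {
    if (d->can_do_ncacn_ip_tcp)
        return model_lsa_tcp(d);
    return model_lsa_pipe(d);
}

/* Comment 9's proposal: clear the flag on failure and fall through to the other transport. */
status_t connect_with_fallback(struct model_domain *d) {
    if (d->can_do_ncacn_ip_tcp) {
        status_t status = model_lsa_tcp(d);
        if (status == ST_OK)
            return status;
        d->can_do_ncacn_ip_tcp = false;  /* sticky: later calls skip the TCP attempt */
    }
    return model_lsa_pipe(d);
}

/* Run n lookups against one domain and return how many succeeded. */
int run_lookups(status_t (*fn)(struct model_domain *), struct model_domain *d, int n) {
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += (fn(d) == ST_OK);
    return ok;
}

int main(void) {
    struct model_domain a = { false, true, 0, 0 }, b = { false, true, 0, 0 };
    printf("no fallback: %d/3 ok\n", run_lookups(connect_returning_tcp_error, &a, 3));
    printf("fallback:    %d/3 ok, tcp attempts %d\n",
           run_lookups(connect_with_fallback, &b, 3), b.tcp_attempts);
    return 0;
}
```

In this model the flag is never set back to true, so a single failed TCP attempt moves every later lookup for that domain onto the other transport.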
Comment 10 Andreas Schneider 2013-08-09 10:24:14 UTC
Created attachment 9120 [details]
v3-6-test patch

This is the right fix. We return an uninitialized variable if we are already connected.
Comment 11 Andreas Schneider 2013-08-09 11:48:23 UTC
Created attachment 9121 [details]
v3-6-test patch version 2
Comment 12 Guenther Deschner 2013-08-09 11:55:37 UTC
Hm. Setting the status code to something should not be required at all, as the first function in that call sets it already.
Comment 13 Guenther Deschner 2013-08-09 12:05:43 UTC
same cm_connect_lsa_tcp failure as in #9899
Comment 14 Andreas Schneider 2013-08-09 14:36:41 UTC
Created attachment 9122 [details]
v3-6-test patch version 3
Comment 15 Guenther Deschner 2013-08-12 12:45:27 UTC
Comment on attachment 9122 [details]
v3-6-test patch version 3

looks good.
Comment 16 Jeremy Allison 2013-08-13 18:08:41 UTC
Making duplicate of #9899 so we can keep the applied patches in one place.


*** This bug has been marked as a duplicate of bug 9899 ***