Package: winbind
Version: 2:3.2.5-4lenny7
Severity: important

I have investigated a strange issue on a system not allowing users to login. It appeared that the winbind cache eventually got corrupt when mixing group queries and user queries.

I am using the idmap_rid allocator. If one queries with "wbinfo -G" for a group whose id is indeed a user id, that user won't exist any more in winbind.

Example on a sane system:

e...@pp2tnce10c:~$ wbinfo -i 'PREPROD\jcb'
jcb:*:11129:10513:XXXXXXXXXXXXXXX YYYYYY:/home/PREPROD+jcb:/bin/bash

How to get a corrupt system (different from the first one, though)

## Step 1 : Try to group-resolve a user id
e...@pp2tnsa10c:~$ wbinfo -G 11129
S-1-5-21-4162644616-3733566000-1282571631-1129

## Step 2 : You can check that jcb's account is locked because his SID is now associated to a group account in winbind cache
e...@pp2tnsa10c:~$ id jcb
id: jcb: No such user
e...@pp2tnsa10c:~$ wbinfo -s S-1-5-21-4162644616-3733566000-1282571631-1129
PREPROD\jcb 1
e...@pp2tnsa10c:~$ wbinfo -n 'PREPROD\jcb'
S-1-5-21-4162644616-3733566000-1282571631-1129 User (1)
e...@pp2tnsa10c:~$ wbinfo -i 'PREPROD\jcb'
Could not get info for user PREPROD\jcb
##############

For some reason, this occurs without intent on one of my systems.

If you want the locked account to be able to log in again, you have to wait for the positive ttl to expire, or to manually clean up winbind caches.

I attach my smb.conf so that one can easily reproduce

e...@pp2tnsa10c:~$ testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = PREPROD
        realm = PREPROD.COMPANY.COM
        security = ADS
        restrict anonymous = 2
        client NTLMv2 auth = Yes
        use kerberos keytab = Yes
        idmap domains = PREPROD, CORP, OTHERTRUSTED
        template homedir = /home/%D+%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config OTHERTRUSTED:range = 70000 - 79999
        idmap config OTHERTRUSTED:backend = tdb
        idmap config CORP:range = 50000 - 69999
        idmap config CORP:backend = rid
        idmap config PREPROD:range = 10000 - 49999
        idmap config PREPROD:backend = rid

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (800, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages winbind depends on:
ii  adduser        3.110                     add and remove users and groups
ii  libc6          2.7-18                    GNU C Library: Shared libraries
ii  libcomerr2     1.41.3-1                  common error description library
ii  libkrb53       1.6.dfsg.4~beta1-5lenny1  MIT Kerberos runtime libraries
ii  libldap-2.4-2  2.4.11-1                  OpenLDAP libraries
ii  libpam0g       1.0.1-5+lenny1            Pluggable Authentication Modules l
ii  libpopt0       1.14-4                    lib for parsing cmdline parameters
ii  libtalloc1     1.2.0~git20080616-1       hierarchical pool based memory all
ii  libwbclient0   2:3.2.5-4lenny7           client library for interfacing wit
ii  lsb-base       3.2-20                    Linux Standard Base 3.2 init scrip
ii  samba-common   2:3.2.5-4lenny7           Samba common files used by both th

winbind recommends no packages.

winbind suggests no packages.

-- no debconf information
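An added example, not part of the original report and not Samba code: a check an administrator could run over captured `testparm -s` and `wbinfo` output to see whether a gid lookup landed on a user's SID, which is the precondition for the lockout described above. The function names are hypothetical, and the arithmetic assumes the documented idmap_rid mapping with `base_rid = 0`, since the smb.conf in the report sets no other value.

```python
import re

# Constructed sample: the idmap lines from the testparm output in the report.
TESTPARM = """\
idmap config OTHERTRUSTED:range = 70000 - 79999
idmap config OTHERTRUSTED:backend = tdb
idmap config CORP:range = 50000 - 69999
idmap config CORP:backend = rid
idmap config PREPROD:range = 10000 - 49999
idmap config PREPROD:backend = rid
"""

SID_NAME_USER = 1  # wbinfo prints this SID type as "User (1)"


def rid_ranges(testparm_text):
    """Return {domain: (low, high)} for every domain using the rid backend."""
    cfg = {}
    pattern = r"idmap config (\w+)\s*:\s*(\w+)\s*=\s*(.+)"
    for dom, key, val in re.findall(pattern, testparm_text):
        cfg.setdefault(dom, {})[key] = val.strip()
    ranges = {}
    for dom, opts in cfg.items():
        if opts.get("backend") == "rid" and "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            ranges[dom] = (low, high)
    return ranges


def unix_id_to_rid(unix_id, ranges, base_rid=0):
    """Assumed idmap_rid arithmetic: RID = ID + BASE_RID - LOW_RANGE_ID."""
    for dom, (low, high) in ranges.items():
        if low <= unix_id <= high:
            return dom, unix_id + base_rid - low
    return None  # id is outside every rid-backed range


def gid_lookup_hits_user(gid, sid, wbinfo_s_output, ranges):
    """True if the SID returned for a gid belongs to a user account.

    sid is the output of `wbinfo -G <gid>`, wbinfo_s_output that of
    `wbinfo -s <sid>`, whose last field is the numeric SID type.
    """
    hit = unix_id_to_rid(gid, ranges)
    if hit is None:
        return False
    sid_rid = int(sid.rsplit("-", 1)[1])
    sid_type = int(wbinfo_s_output.split()[-1])
    return sid_rid == hit[1] and sid_type == SID_NAME_USER
```

Fed the values from the report (gid 11129, the SID ending in -1129, and `PREPROD\jcb 1`), `gid_lookup_hits_user` returns True, flagging the lookup that preceded the failed `id jcb`.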