Package: winbind
Version: 2:3.2.5-4lenny7
Severity: important

I have investigated a strange issue on a system that was not allowing users to log in.
It appeared that the winbind cache eventually got corrupted when mixing group
queries and user queries.

I am using the idmap_rid allocator.

If one queries with "wbinfo -G" for a group whose id is actually a user id, that
user won't exist any more in winbind.

Example on a sane system:

e...@pp2tnce10c:~$ wbinfo -i 'PREPROD\jcb'
jcb:*:11129:10513:XXXXXXXXXXXXXXX YYYYYY:/home/PREPROD+jcb:/bin/bash


How to get a corrupted system (a different system from the first one, though)

## Step 1 : Try to group-resolve a user id
e...@pp2tnsa10c:~$ wbinfo -G 11129
S-1-5-21-4162644616-3733566000-1282571631-1129

## Step 2 : You can check that jcb's account is locked because his SID is now
associated with a group account in the winbind cache
e...@pp2tnsa10c:~$ id jcb
id: jcb: No such user
e...@pp2tnsa10c:~$ wbinfo -s S-1-5-21-4162644616-3733566000-1282571631-1129
PREPROD\jcb 1
e...@pp2tnsa10c:~$ wbinfo -n 'PREPROD\jcb'
S-1-5-21-4162644616-3733566000-1282571631-1129 User (1)
e...@pp2tnsa10c:~$ wbinfo -i 'PREPROD\jcb'
Could not get info for user PREPROD\jcb
##############

For some reason, this occurs unintentionally on one of my systems.
If you want the locked account to be able to log in again, you have to wait for
the positive ttl to expire, or manually clean up the winbind caches.

I attach my smb.conf so that one can easily reproduce it.

e...@pp2tnsa10c:~$ testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = PREPROD
        realm = PREPROD.COMPANY.COM
        security = ADS
        restrict anonymous = 2
        client NTLMv2 auth = Yes
        use kerberos keytab = Yes
        idmap domains = PREPROD, CORP, OTHERTRUSTED
        template homedir = /home/%D+%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config OTHERTRUSTED:range = 70000 - 79999
        idmap config OTHERTRUSTED:backend = tdb
        idmap config CORP:range = 50000 - 69999
        idmap config CORP:backend = rid
        idmap config PREPROD:range = 10000 - 49999
        idmap config PREPROD:backend = rid


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (800, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages winbind depends on:
ii  adduser         3.110                    add and remove users and groups
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1                 OpenLDAP libraries
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libpopt0        1.14-4                   lib for parsing cmdline parameters
ii  libtalloc1      1.2.0~git20080616-1      hierarchical pool based memory all
ii  libwbclient0    2:3.2.5-4lenny7          client library for interfacing wit
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  samba-common    2:3.2.5-4lenny7          Samba common files used by both th

winbind recommends no packages.

winbind suggests no packages.

-- no debconf information
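The idmap_rid arithmetic behind the collision reported above, as an added example that is not part of the original report and not Samba's code: it parses the idmap ranges from the testparm output quoted in the report, maps the SID the report shows to its unix id and back, and then models the cache behaviour the report describes (one entry per SID, so a "group" lookup that resolves a user's SID shadows the user). The PREPROD domain SID prefix is taken from the wbinfo output above; the cache model and the base-rid-0 formula (unix id = low id + RID) are assumptions, not a reading of winbind's source.

```python
"""idmap_rid collision walkthrough (added example; not from the report or Samba)."""
import re

# Constructed input: the idmap lines from the report's `testparm -s` output.
TESTPARM_OUTPUT = """\
[global]
        workgroup = PREPROD
        idmap domains = PREPROD, CORP, OTHERTRUSTED
        idmap config OTHERTRUSTED:range = 70000 - 79999
        idmap config OTHERTRUSTED:backend = tdb
        idmap config CORP:range = 50000 - 69999
        idmap config CORP:backend = rid
        idmap config PREPROD:range = 10000 - 49999
        idmap config PREPROD:backend = rid
"""

# Assumption: domain SID prefix, taken from the SIDs wbinfo printed in the report.
DOMAIN_SIDS = {"PREPROD": "S-1-5-21-4162644616-3733566000-1282571631"}

IDMAP_RE = re.compile(r"^\s*idmap config (\w+):(range|backend)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap_config(text):
    """Return {domain: {"range": (lo, hi), "backend": name}} from testparm output."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(text):
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", val))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val
    return cfg


def sid_to_unix_id(sid, cfg, domain_sids=DOMAIN_SIDS):
    """idmap_rid with base rid 0 (assumed): unix id = low id + RID.
    The same formula serves users and groups; nothing records which one it was."""
    dom_sid, _, rid = sid.rpartition("-")
    for dom, prefix in domain_sids.items():
        if prefix == dom_sid:
            break
    else:
        raise LookupError(f"no configured domain owns {dom_sid}")
    entry = cfg[dom]
    if entry.get("backend") != "rid":
        raise LookupError(f"{dom} does not use idmap_rid")
    lo, hi = entry["range"]
    unix_id = lo + int(rid)
    if not lo <= unix_id <= hi:
        raise LookupError(f"rid {rid} falls outside the range of {dom}")
    return unix_id


def unix_id_to_sid(unix_id, cfg, domain_sids=DOMAIN_SIDS):
    """Reverse mapping. Whether the caller asked for a uid or a gid plays no part,
    which is why `wbinfo -G <uid>` in the report resolved to a user's SID."""
    for dom, entry in cfg.items():
        lo, hi = entry["range"]
        if entry.get("backend") == "rid" and lo <= unix_id <= hi:
            if dom not in domain_sids:
                raise LookupError(f"domain SID for {dom} unknown (assumption table)")
            return f"{domain_sids[dom]}-{unix_id - lo}"
    raise LookupError(f"unix id {unix_id} is in no idmap_rid range")


class CacheModel:
    """Simplified model (assumption) of the behaviour described in the report:
    the cache keys on SID alone, so the first lookup fixes the object type."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.type_by_sid = {}

    def lookup_gid(self, gid):
        """Models `wbinfo -G`: resolves the id and caches its SID as a group."""
        sid = unix_id_to_sid(gid, self.cfg)
        self.type_by_sid.setdefault(sid, "group")
        return sid

    def getpwuid(self, uid):
        """Models `id`/`wbinfo -i`: returns the SID, or None for 'No such user'."""
        sid = unix_id_to_sid(uid, self.cfg)
        kind = self.type_by_sid.setdefault(sid, "user")
        return sid if kind == "user" else None


if __name__ == "__main__":
    cfg = parse_idmap_config(TESTPARM_OUTPUT)
    jcb = "S-1-5-21-4162644616-3733566000-1282571631-1129"
    print("uid for jcb:", sid_to_unix_id(jcb, cfg))
    sane, broken = CacheModel(cfg), CacheModel(cfg)
    print("sane system  :", sane.getpwuid(11129))
    broken.lookup_gid(11129)  # step 1 of the report
    print("after wbinfo -G:", broken.getpwuid(11129))  # step 2: None
```

The practical check this suggests for a deployment with idmap_rid is that any group lookup whose numeric argument falls inside a domain's rid range can return a user's SID, so users' ids and groups' ids share one namespace per domain; the `tdb` backend on OTHERTRUSTED does not have this property because its allocations are recorded per mapping rather than computed.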


