No one else has seen this issue? Should I move this to samba-technical? Or submit a bug report?
Is there any other information that would be helpful in troubleshooting this?

> -----Original Message-----
> From: Kevin Elliott
> Sent: Monday, April 30, 2012 9:51 AM
> To: samba@lists.samba.org
> Subject: RE: [Samba] winbind stop working
>
> We're also seeing similar symptoms with our Squid proxy's winbindd as well.
>
> After an indeterminate amount of time (sometimes an hour, sometimes a day) the winbind process will lose the ability to resolve UID/GIDs to SIDs and authentication to the proxy will fail:
>
> [2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
>   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
>
> If we try doing a winbind -p we get a successful return; however, trying to look up a SID from UID/GID fails.
>
> We're on Debian 6.0.4 and Samba 2.3.5.6.
>
> Has anyone else seen this issue? Any possible workarounds or patches?
>
> Here's the debugging output for a particular user:
>
> [2012/04/27 11:04:52.217018, 3] smbd/process.c:1294(switch_message)
>   switch message SMBtconX (pid 15651) conn 0x0
> [2012/04/27 11:04:52.217041, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.217062, 5] auth/token_util.c:525(debug_nt_user_token)
>   NT user token: (NULL)
> [2012/04/27 11:04:52.217085, 5] auth/token_util.c:551(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2012/04/27 11:04:52.217132, 5] smbd/uid.c:369(change_to_root_user)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2012/04/27 11:04:52.217169, 4] smbd/reply.c:786(reply_tcon_and_X)
>   Client requested device type [?????] for share [FTP]
> [2012/04/27 11:04:52.217209, 5] smbd/service.c:1227(make_connection)
>   making a connection to 'normal' service ftp
> [2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
>   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
> [2012/04/27 11:04:52.217268, 5] smbd/password.c:423(user_in_netgroup)
>   Unable to get default yp domain, let's try without specifying it
> [2012/04/27 11:04:52.217289, 5] smbd/password.c:430(user_in_netgroup)
>   looking for user CBJ_NT+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
> [2012/04/27 11:04:52.217316, 5] smbd/password.c:453(user_in_netgroup)
>   looking for user cbj_nt+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
> [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
>   lookup_name: CBJ_NT\domain users => CBJ_NT (domain), domain users (name)
> [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
>   lookup_name: flags = 0x077
> [2012/04/27 11:04:52.217841, 10] passdb/util_wellknown.c:152(lookup_wellknown_name)
>   map_name_to_wellknown_sid: looking up domain users
> [2012/04/27 11:04:52.217890, 3] smbd/sec_ctx.c:210(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2012/04/27 11:04:52.217921, 3] smbd/uid.c:429(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.217945, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2012/04/27 11:04:52.217966, 5] auth/token_util.c:525(debug_nt_user_token)
>   NT user token: (NULL)
> [2012/04/27 11:04:52.217987, 5] auth/token_util.c:551(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2012/04/27 11:04:52.218079, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/04/27 11:04:52.219317, 5] smbd/share_access.c:117(token_contains_name)
>   lookup_name CBJ_NT+domain users failed
> [2012/04/27 11:04:52.219365, 10] smbd/share_access.c:216(user_ok_token)
>   User CBJ_NT+kevin_miller not in 'valid users'
> [2012/04/27 11:04:52.219394, 2] smbd/service.c:598(create_connection_server_info)
>   user 'CBJ_NT+kevin_miller' (from session setup) not permitted to access this share (ftp)
> [2012/04/27 11:04:52.219420, 1] smbd/service.c:678(make_connection_snum)
>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> [2012/04/27 11:04:52.219452, 3] smbd/error.c:80(error_packet_set)
>   error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
> Here's the debugging output from the winbindd-idmap.old log:
>
> 2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid)
>   idmap_gid_to_sid: gid = [1004], domain = ''
> [2012/04/27 10:58:37.616243, 10] lib/gencache.c:334(gencache_get_data_blob)
>   Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
> [2012/04/27 10:58:37.616265, 10] winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
>   idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
> [2012/04/27 10:58:37.616331, 10] winbindd/idmap.c:475(idmap_find_domain)
>   idmap_find_domain called for domain ''
> [2012/04/27 10:58:37.616352, 5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
>   Requested id (1004) out of range (10000 - 79999). Filtered!
> [2012/04/27 10:58:37.616380, 10] lib/gencache.c:180(gencache_set_data_blob)
>   Adding cache entry with key = IDMAP/UID2SID/1004 and timeout = Fri Apr 27 11:00:37 2012 (120 seconds ahead)
> [2012/04/27 10:58:37.616436, 10] winbindd/idmap_util.c:151(idmap_gid_to_sid)
>   gid [1004] not mapped
> [2012/04/27 10:58:37.616456, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
>   wbint_Gid2Sid: struct wbint_Gid2Sid
>     out: struct wbint_Gid2Sid
>       sid : *
>         sid : S-0-0
>       result : NT_STATUS_NONE_MAPPED
>
> --
> Kevin Elliott
>
> Network Specialist
> City and Borough of Juneau, MIS
> (907) 586 - 0905
>
> > -----Original Message-----
> > From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Daniele
> > Sent: Sunday, April 29, 2012 11:50 PM
> > To: samba@lists.samba.org
> > Subject: [Samba] winbind stop working
> >
> > Hi, I am trying to use squid proxy with validation on win 2003 active directory to filter internet navigation and for it I installed an ubuntu 10.04 server 64 bit with samba.
> > My installation looks ok, the server is joined to the AD, ntlm is able to validate users, wbinfo reports correct information and squid works well.
> > The problem arises after some hours: winbind becomes unable to resolve info for users and to retrieve info for groups, so squid becomes unable to know if a user belongs to a group allowed to navigate and refuses the connection.
> > Restarting winbind solves the problem for some hours.
> > wbinfo reports no particular problem; it just gives back messages like "could not get info for user xx", and setting debuglevel to various numbers also reports (to me) no significant clues.
> > I made a workaround scheduling a restart of the winbind service every half hour and it works, but it is not so elegant ...
> > Do you have any suggestion to solve this problem?
> > Thank you
> > Daniele
> >
> > samba/winbind version is 3.4.7
> > squid is 2.7.STABLE7
> > os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux
> >
> > smb.conf:
> > [global]
> >     workgroup = CED
> >     realm = CED.AOS
> >     server string = Samba Server Version %v
> >     security = ADS
> >     password server = 172.18.10.24 172.18.10.23
> >     name resolve order = lmhosts host bcast
> >     ldap ssl = no
> >     idmap uid = 15000-25000
> >     idmap gid = 15000-25000
> >     winbind separator = +
> >     winbind enum users = Yes
> >     winbind enum groups = Yes
> >     winbind use default domain = Yes
> >     cups options = raw
> > [homes]
> >     comment = Home Directories
> >     read only = No
> >     browseable = No
> >     browsable = No
> >
> > [printers]
> >     comment = All Printers
> >     path = /var/spool/samba
> >     printable = Yes
> >     browseable = No
> >     browsable = No
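
Added example, not part of the original thread: a small Python triage script that groups Samba debug-log headers with their message lines and pulls out the ID-mapping and share-access failures visible in the logs quoted above. The function names and finding labels are made up for this example; the sample lines are excerpted from the quoted logs with wrapped headers rejoined.

```python
import re

# Samba debug record header: "[date time, level] file:line(function)"
HEADER = re.compile(r"^\[(\S+ [\d:.]+),\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)\s*$")
OUT_OF_RANGE = re.compile(r"Requested id \((\d+)\) out of range \((\d+) - (\d+)\)")
LOOKUP_FAILED = re.compile(r"lookup_name (.+) failed")
DENIED = re.compile(r"user '([^']+)' .*not permitted to access this share \((\w+)\)")

# Excerpt of the log lines quoted in the thread, wrapped headers rejoined.
SAMPLE = """\
[2012/04/27 10:58:37.616352, 5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
  Requested id (1004) out of range (10000 - 79999). Filtered!
[2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
[2012/04/27 11:04:52.219317, 5] smbd/share_access.c:117(token_contains_name)
  lookup_name CBJ_NT+domain users failed
[2012/04/27 11:04:52.219394, 2] smbd/service.c:598(create_connection_server_info)
  user 'CBJ_NT+kevin_miller' (from session setup) not permitted to access this share (ftp)
"""

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(5), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def triage(records):
    """Return (time, kind, detail) tuples for ID-mapping and access failures."""
    findings = []
    for r in records:
        if (m := OUT_OF_RANGE.search(r["msg"])):
            xid, low, high = map(int, m.groups())
            findings.append((r["time"], "idmap_out_of_range", (xid, low, high)))
        elif (m := LOOKUP_FAILED.search(r["msg"])):
            findings.append((r["time"], "name_lookup_failed", m.group(1)))
        elif (m := DENIED.search(r["msg"])):
            findings.append((r["time"], "share_access_denied", m.groups()))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE)):
        print(finding)
```

Sorting the findings by time across the smbd and winbindd logs puts the idmap rejection next to the share denial it precedes.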