I was finally able to correct these errors by enabling Kerberos and changing the security model from domain to ads, but now I've run into the same problem reported here: http://www.usenet-forums.com/samba/394092-re-samba-accessing-member-server-prompts-credentials.html
After about 5 minutes of uptime the winbind service throws several errors into syslog and nothing referencing it will work correctly until I restart it. The processes are still running. Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182) Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182) Jul 15 17:57:26 testbox winbindd[994]: async_request_timeout_handler: child pid 992 is not responding. Closing connection to it. Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]: async_request_timeout_handler: child pid 992 is not responding. Closing connection to it. This is Samba 3.0.30 and Kerberos 5 running on FreeBSD 7.0. Can anyone help me out here? -HKS On Fri, Jul 11, 2008 at 3:56 PM, (private) HKS <[EMAIL PROTECTED]> wrote: > A few more tidbits... > > My winbind logs have this complaint for each of the domain local groups: > [2008/07/11 14:40:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(365) > could not lookup membership for group sid <munged-sid> in domain > DOMAIN (error: NT_STATUS_NO_SUCH_GROUP) > [2008/07/11 14:40:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110) > could not lookup domain group dnsadmins > > wbinfo doesn't have any difficulty with converting name -> SID -> gid > -> SID, but if I run wbinfo -r on a user that's a member of one of the > groups, that group doesn't show up. > > So, at the moment, it appears that winbind just can't grab membership > for these domain local groups. I found this reported a few other > places on the 'net, but it doesn't seem that a resolution has ever > been reached. > > -HKS > > > On Fri, Jul 11, 2008 at 1:13 PM, (private) HKS <[EMAIL PROTECTED]> wrote: >> Any ideas? >> -HKS >> >> On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS <[EMAIL PROTECTED]> wrote: >>> Hello all. >>> >>> I'm relatively new to Samba, and haven't been able to track down a >>> solution to this particular problem. >>> >>> I use Samba/Winbind to authenticate FreeBSD machines against a >>> Windows 2003 Active Directory. That all works fine. The problem is >>> that groups in the AD of type "Security Group - Domain Local" are >>> causing winbindd a lot of grief. Every time the winbindd daemon is >>> accessed, it spews syslog messages like these for every Domain >>> Local group in the AD: >>> >>> -------------------- >>> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] >>> nsswitch/winbindd_group.c:winbindd_getgrent(1110) >>> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain >>> group dhcp users >>> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] >>> nsswitch/winbindd_group.c:winbindd_getgrent(1110) >>> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain >>> group dhcp administrators >>> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] >>> nsswitch/winbindd_group.c:winbindd_getgrent(1110) >>> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain >>> group dnsadmins >>> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] >>> nsswitch/winbindd_group.c:winbindd_getgrent(1110) >>> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain >>> group debugger users >>> --------------------- >>> >>> All non-local groups show up just fine in the BSD system. Local >>> groups do not show up in a getent group. >>> >>> All groups, including the local ones, show up when I run wbinfo -g. >>> Running wbinfo -n <localgroup> comes back with a SID: >>> $ wbinfo -n dnsadmins >>> <munged-SID> Local Group (4) >>> >>> This SID is trackable back to a gid: >>> $ sudo wbinfo --sid-to-gid <munged-SID> >>> 11105 >>> >>> Why, then, are these groups not actually getting populated? Can anyone >>> shed some light on this? >>> >>> -HKS >>> >> > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
