Bug#858601: [Pkg-samba-maint] Bug#858601: winbind: user authentication using windows domain fails after upgrade to 4.2.14+dfsg-0+deb8u4

2017-03-30 Thread Albert Dengg 
sorry for the late reply i was a bit busy and re-upgrading the
server is a slight problem as it is an activly used producticion
server were people need 
On Thu, Mar 30, 2017 at 10:34:28PM +0200, Mathieu Parent wrote:
> )Control: tag -1 + moreinfo
> 
> 2017-03-24 15:20 GMT+01:00 Mathieu Parent :
> > 2017-03-24 11:19 GMT+01:00 Albert Dengg :
> >> Package: winbind
> >> Version: 2:4.2.14+dfsg-0+deb8u2
> >> Severity: important
> >>
> >> after upgrading windbind and samba to 4.2.14+dfsg-0+deb8u4, authentication 
> >> of domains users using winbind
> >> does not work anymore:
> >> winbindd[8142]: [2017/03/24 10:20:10.040610,  0] 
> >> ../source3/winbindd/winbindd_group.c:45(fill_grent)
> >> winbindd[8142]:   Failed to find domain ''. Check connection to trusted 
> >> domains!
> >>
> >> (getent did list at least users from winbind)
> >>
> >> the domain ins specified in smbd.conf and it works as expected in 
> >> 4.2.14+dfsg-0+deb8u2
> >
> > Please send us your smb.conf.
see attachment
(i changed the domain name to something neutral, but 
> >
> > What does "net ads testjoin" tells?
Join is OK
(and both 'getent passwd' as well as 'getent group' produces the
desired output)
> 
> Appart from the above. This looks very strange. Nothing was changed on
> the winbind side between those versions.
> 
> Are you able to use gdb and post the backtrae in this function
> (fill_grent) and find why dom_name is empty?
i tried to install samba-dbg and start winbindd using gdb.

however a breakpoint on fill_grent did not trigger for some reason
(i played around with follow-mode and tried both starting without
passing arguments as well as passing -i)

> 
> Is your smb.conf a symlink?
no

side note:
i downgraded initially to work around the problem and upgraded today
to do the test (with the same result), but a downgrade of the
following packages solved it again:
libnss-winbind
libpam-winbind
libsmbclient
libwbclient0
python-samba
samba
samba-common
samba-common-bin
samba-dbg
samba-dsdb-modules
samba-libs
samba-vfs-modules
winbind

regards,
albert
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#behaviour of Samba but the option is considered important
#enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#=== Global Settings ===

[global]
workgroup = SOMEDOMAIN
server string = Samba Server Version %v
security = ads
realm = SOMEDOMAIN.LOCAL
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 
SO_SNDBUF=131072
use sendfile = true
 
idmap config * : backend = tdb
idmap config * : range = 10-29
idmap config SOMEDOMAIN : backend = rid
idmap config SOMEDOMAIN : range = 1-9
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/false
 
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50
loglevel = 0

ea support = yes
acl check permissions = yes
inherit acls =yes
csc policy = disable
store dos attributes = yes
dos filemode = no
 
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes   
 
# Share Definitions ==
 
[Individuell]
comment = "Verzeichnis fuer Datenaustausch"
path = /pools/share/Individuell
read only = no
browseable = yes
guest ok = no
delete readonly = yes
vfs objects = acl_xattr shadow_copy2
map acl inherit = Yes
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = %Y-%m-%d-%H%M
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

[INSTALL]
comment = "Div. Installer"
path = /pools/share/INSTALL
read only = no
browseable = yes
guest ok = no
delete readonly = yes
vfs objects = acl_xattr

Bug#858601: [Pkg-samba-maint] Bug#858601: winbind: user authentication using windows domain fails after upgrade to 4.2.14+dfsg-0+deb8u4

2017-03-30 Thread Mathieu Parent 
)Control: tag -1 + moreinfo

2017-03-24 15:20 GMT+01:00 Mathieu Parent :
> 2017-03-24 11:19 GMT+01:00 Albert Dengg :
>> Package: winbind
>> Version: 2:4.2.14+dfsg-0+deb8u2
>> Severity: important
>>
>> after upgrading windbind and samba to 4.2.14+dfsg-0+deb8u4, authentication 
>> of domains users using winbind
>> does not work anymore:
>> winbindd[8142]: [2017/03/24 10:20:10.040610,  0] 
>> ../source3/winbindd/winbindd_group.c:45(fill_grent)
>> winbindd[8142]:   Failed to find domain ''. Check connection to trusted 
>> domains!
>>
>> (getent did list at least users from winbind)
>>
>> the domain ins specified in smbd.conf and it works as expected in 
>> 4.2.14+dfsg-0+deb8u2
>
> Please send us your smb.conf.
>
> What does "net ads testjoin" tells?

Appart from the above. This looks very strange. Nothing was changed on
the winbind side between those versions.

Are you able to use gdb and post the backtrae in this function
(fill_grent) and find why dom_name is empty?

Is your smb.conf a symlink?

Regards

-- 
Mathieu

Bug#858601: [Pkg-samba-maint] Bug#858601: winbind: user authentication using windows domain fails after upgrade to 4.2.14+dfsg-0+deb8u4

2017-03-24 Thread Mathieu Parent 
2017-03-24 11:19 GMT+01:00 Albert Dengg :
> Package: winbind
> Version: 2:4.2.14+dfsg-0+deb8u2
> Severity: important
>
> after upgrading windbind and samba to 4.2.14+dfsg-0+deb8u4, authentication of 
> domains users using winbind
> does not work anymore:
> winbindd[8142]: [2017/03/24 10:20:10.040610,  0] 
> ../source3/winbindd/winbindd_group.c:45(fill_grent)
> winbindd[8142]:   Failed to find domain ''. Check connection to trusted 
> domains!
>
> (getent did list at least users from winbind)
>
> the domain ins specified in smbd.conf and it works as expected in 
> 4.2.14+dfsg-0+deb8u2

Please send us your smb.conf.

What does "net ads testjoin" tells?

Regards
-- 
Mathieu Parent