[Samba] SID_TO_UID not working

2012-12-06 Thread Victor Mataré
Hello everyone,

I use winbind against a Samba DC for nsswitch, and on one client it works 
perfectly (Samba 3.5.15 on all systems). On another client, everything works 
except SID_TO_UID (i.e. wbinfo -i, -S ... which breaks directory listings, 
too). I've now tried to narrow down the problem in a level 10 log, but I need 
some help interpreting. In log.winbindd, I see the following when running 
wbinfo -S S-1-5-21-5-55-55-3032 (SID changed):

===
[2012/12/06 17:43:12.841393,  3] winbindd/winbindd_sid_to_uid.c:47(winbindd_sid_to_uid_send)
  sid to uid S-1-5-21-5-55-55-3032
[2012/12/06 17:43:12.841517, 10] lib/gencache.c:334(gencache_get_data_blob)
  Cache entry with key = IDMAP/SID2UID/S-1-5-21-5-55-55-3032 couldn't be found
[2012/12/06 17:43:12.841564, 10] winbindd/winbindd_util.c:843(find_lookup_domain_from_sid)
  find_lookup_domain_from_sid(S-1-5-21-5-55-55-3032)
[2012/12/06 17:43:12.841605, 10] winbindd/winbindd_util.c:853(find_lookup_domain_from_sid)
  calling find_our_domain
[2012/12/06 17:43:12.841679, 10] winbindd/winbindd_cache.c:4805(wcache_fetch_ndr)
  Entry has timed out
[2012/12/06 17:43:12.852143,  5] winbindd/winbindd_sid_to_uid.c:90(winbindd_sid_to_uid_recv)
  Could not convert sid S-1-5-21-5-55-55-3032: NT_STATUS_NONE_MAPPED
[2012/12/06 17:43:12.852201, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[10630:SID_TO_UID]: NT_STATUS_NONE_MAPPED
===

wbinfo -S then yields:
Could not convert sid S-1-5-21-5-55-55-3032 to uid

Now I'm not sure what "Entry has timed out" means. This occurs even when I do 
"net cache flush" before. In the meantime, /var/log/samba/log.wb-SGI looks 
like the request is correctly answered by the server. The request comes in:

===
[2012/12/06 17:43:12.841812, 10] winbindd/winbindd_dual.c:62(child_read_request)
  Need to read 28 extra bytes
[2012/12/06 17:43:12.841921,  4] winbindd/winbindd_dual.c:1528(fork_domain_child)
  child daemon request 63
[2012/12/06 17:43:12.841956, 10] winbindd/winbindd_dual.c:485(child_process_request)
  child_process_request: request fn NDRCMD
[2012/12/06 17:43:12.841986, 10] winbindd/winbindd_dual_ndr.c:263(winbindd_dual_ndrcmd)
  winbindd_dual_ndrcmd: Running command WBINT_LOOKUPSID (SGI)
[2012/12/06 17:43:12.842034,  1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
   wbint_LookupSid: struct wbint_LookupSid
  in: struct wbint_LookupSid
  sid  : *
  sid  : S-1-5-21-5-55-55-3032
===

... Then there's a lot of parsing and other noise, until we return with the 
correct answer:

===
[2012/12/06 17:43:12.850133, 10] rpc_client/cli_lsarpc.c:191(rpccli_lsa_lookup_sids_noalloc)
  LSA_LOOKUPSIDS returned 'NT_STATUS_OK', mapped count = 1'
[2012/12/06 17:43:12.850170,  5] winbindd/winbindd_rpc.c:373(msrpc_sid_to_name)
  Mapped sid to [SGI]\[matare]
[2012/12/06 17:43:12.850205, 10] winbindd/winbindd_cache.c:555(refresh_sequence_number)
  refresh_sequence_number: SGI time ok
[2012/12/06 17:43:12.850234, 10] winbindd/winbindd_cache.c:600(refresh_sequence_number)
  refresh_sequence_number: SGI seq number is now 1354812192
[2012/12/06 17:43:12.850375, 10] winbindd/winbindd_cache.c:969(wcache_save_sid_to_name)
  wcache_save_sid_to_name: S-1-5-21-5-55-55-3032 -> matare (NT_STATUS_OK)
[2012/12/06 17:43:12.850410,  1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
   wbint_LookupSid: struct wbint_LookupSid
  out: struct wbint_LookupSid
  type : *
  type : SID_NAME_USER (1)
  domain   : *
  domain   : *
  domain   : 'SGI'
  name : *
  name : *
  name : 'matare'
  result   : NT_STATUS_OK
===

Note the times, which show that the mapping is retrieved from the DC by the 
child process before the parent returns NT_STATUS_NONE_MAPPED. I find this 
really confusing and frankly, I'm out of ideas where to look. Please, if you 
have any idea let me know. Maybe I'm looking entirely in the wrong 
direction...

Thanks,
Victor
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
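A small helper for putting the two logs side by side, added here as an example and not part of the post or of Samba: it parses winbindd debug headers, merges log.winbindd (parent) and log.wb-DOMAIN (child) by timestamp, and reports when the child's successful lookup of a SID precedes the parent's NT_STATUS_NONE_MAPPED for the same SID. It assumes the logs are read as written to disk (timestamp and source location on one header line, message on the indented line below); the sample lines are constructed from the excerpts above.

```python
import re
from datetime import datetime, timedelta

# Samba debug header as written to disk: "[YYYY/MM/DD HH:MM:SS.micro, level] file:line(func)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{6}),\s*(\d+)\]\s*(\S+)\s*$")

def parse_samba_log(text, source):
    """Group header + message lines into entries; 'source' tags which daemon wrote them."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            entries.append({"ts": ts, "where": m.group(3), "msg": "", "src": source})
        elif entries and line.strip():  # continuation line (also re-joins mail-wrapped text)
            entries[-1]["msg"] += (" " if entries[-1]["msg"] else "") + line.strip()
    return entries

def merge_logs(*logs):
    """Interleave parent (log.winbindd) and child (log.wb-DOMAIN) entries by timestamp."""
    return sorted((e for log in logs for e in log), key=lambda e: e["ts"])

def find_race(merged, sid):
    """(child_location, parent_location, microseconds apart) if child OK precedes parent NONE_MAPPED."""
    ok = next((e for e in merged if e["src"] == "child" and sid in e["msg"]
               and "NT_STATUS_OK" in e["msg"]), None)
    fail = next((e for e in merged if e["src"] == "parent" and sid in e["msg"]
                 and "NT_STATUS_NONE_MAPPED" in e["msg"]), None)
    if ok and fail and ok["ts"] < fail["ts"]:
        return ok["where"], fail["where"], (fail["ts"] - ok["ts"]) // timedelta(microseconds=1)
    return None

# Constructed samples, trimmed from the two logs quoted in the post (SID as altered there).
PARENT_LOG = """\
[2012/12/06 17:43:12.841393,  3] winbindd/winbindd_sid_to_uid.c:47(winbindd_sid_to_uid_send)
  sid to uid S-1-5-21-5-55-55-3032
[2012/12/06 17:43:12.841517, 10] lib/gencache.c:334(gencache_get_data_blob)
  Cache entry with key =
IDMAP/SID2UID/S-1-5-21-5-55-55-3032 couldn't be found
[2012/12/06 17:43:12.852143,  5] winbindd/winbindd_sid_to_uid.c:90(winbindd_sid_to_uid_recv)
  Could not convert sid S-1-5-21-5-55-55-3032: NT_STATUS_NONE_MAPPED
"""
CHILD_LOG = r"""[2012/12/06 17:43:12.841921,  4] winbindd/winbindd_dual.c:1528(fork_domain_child)
  child daemon request 63
[2012/12/06 17:43:12.850170,  5] winbindd/winbindd_rpc.c:373(msrpc_sid_to_name)
  Mapped sid to [SGI]\[matare]
[2012/12/06 17:43:12.850375, 10] winbindd/winbindd_cache.c:969(wcache_save_sid_to_name)
  wcache_save_sid_to_name: S-1-5-21-5-55-55-3032 -> matare (NT_STATUS_OK)
"""
```

On a real system, feed `parse_samba_log(open("log.winbindd").read(), "parent")` and the matching `log.wb-SGI` child log into `merge_logs`, then call `find_race` with the SID being looked up.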

Re: [Samba] winbind and getent again

2011-11-02 Thread Victor Mataré

On Wednesday, 02.11.2011 13:04:00 Gaiseric Vandal wrote:
> Does it work if you explicitly state a domain user?
> e.g
>  getent passwd "TRUSTEDOMAIN\someuser"

Ok, that actually does work. But...

>
> I have the same symptom on my system-  I don't think it actually breaks
> anything.


I'm suspecting it breaks rpc.idmapd (NFS4). However NFS4 has always been kind
of complex and fragile, so it might in fact have some other cause. Anyways,
rpc.idmapd maps all domain groups to nobody, so it must be having some trouble
with them. Can anybody confirm that rpc.idmapd correctly resolves domain
groups from nss_winbind when getent group does not work?

>
> On 11/02/2011 12:26 PM, Victor Mataré wrote:
> > Hi everyone,
> >
> > I'm trying to use winbind as nsswitch module on a domain member against
> > a samba PDC, and it used to work fine with samba 3.4. But now after
> > upgrading to 3.5.11, getent group/passwd don't show domain users/groups
> > anymore. However wbinfo -g and wbinfo -u work as expected. Also:
> >
> > # wbinfo -i matare
> > matare:*:50011:50000:Victor Mataré:/home/SGI/matare:/bin/false
> > # wbinfo -U 50011
> > S-1-5-21-154097467-3372353439-1977514440-3032
> > # wbinfo -G 5
> > S-1-5-21-154097467-3372353439-1977514440-513
> > # wbinfo -s S-1-5-21-154097467-3372353439-1977514440-3032
> > SGI\matare 1
> > # wbinfo -s S-1-5-21-154097467-3372353439-1977514440-513
> > SGI\Domain Users 2
> >
> > But getent passwd/group shows only local users. My smb.conf on the
> > member looks like this:
> > [global]
> >
> >  workgroup = SGI
> >  server string = Auerhahn
> >  security = domain
> >  password server = BUSSARD GIRLITZ
> >  log file = /var/log/samba/log.%m
> >  log level = 2 winbind:10
> >  max log size = 50
> >  winbind expand groups = 4
> >  winbind nested groups = yes
> >  winbind enum groups = yes
> >  winbind enum users = yes
> >  idmap uid = 5-50
> >  idmap gid = 5-50
> >  winbind use default domain = yes
> >  idmap config SGI:range = 5-50
> >
> > I really don't see the problem the nss_winbind module might be having:
> >
> > # strace -e trace=file getent group
> > execve("/usr/bin/getent", ["getent", "group"], [/* 40 vars */]) = 0
> > access("/etc/ld.so.preload", R_OK)  = -1 ENOENT (No such file or directory)
> > open("/etc/ld.so.cache", O_RDONLY)  = 3
> > open("/lib64/libc.so.6", O_RDONLY)  = 3
> > open("/usr/lib64/locale/locale-archive", O_RDONLY) = 3
> > open("/etc/nsswitch.conf", O_RDONLY)= 3
> > open("/etc/ld.so.cache", O_RDONLY)  = 3
> > open("/lib64/libnss_files.so.2", O_RDONLY) = 3
> > open("/etc/group", O_RDONLY|O_CLOEXEC)  = 3
> > root:x:0:root
> > bin:x:1:root,bin,daemon
> > [... prints local UNIX groups ...]
> > postgres:x:70:
> > open("/etc/ld.so.cache", O_RDONLY)  = 4
> > open("/lib64/libnss_winbind.so.2", O_RDONLY) = 4
> > lstat("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> > lstat("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> > lstat("/var/cache/samba/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> > lstat("/var/cache/samba/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> >
> > And that's it. I also can't make out any error message in the logs, not
> > even with log level 10. On the PDC and BDC, getent group works
> > perfectly (also both via nss_winbind). Seriously, I'm out of ideas. Any
> > pointer is greatly appreciated.


[Samba] winbind and getent again

2011-11-02 Thread Victor Mataré
Hi everyone,

I'm trying to use winbind as nsswitch module on a domain member against a samba 
PDC, and it used to work fine with samba 3.4. But now after upgrading to 
3.5.11, getent group/passwd don't show domain users/groups anymore. However 
wbinfo -g and wbinfo -u work as expected. Also:

# wbinfo -i matare
matare:*:50011:50000:Victor Mataré:/home/SGI/matare:/bin/false
# wbinfo -U 50011
S-1-5-21-154097467-3372353439-1977514440-3032
# wbinfo -G 5
S-1-5-21-154097467-3372353439-1977514440-513
# wbinfo -s S-1-5-21-154097467-3372353439-1977514440-3032
SGI\matare 1
# wbinfo -s S-1-5-21-154097467-3372353439-1977514440-513
SGI\Domain Users 2

But getent passwd/group shows only local users. My smb.conf on the member looks 
like this:
[global]
workgroup = SGI
server string = Auerhahn
security = domain
password server = BUSSARD GIRLITZ
log file = /var/log/samba/log.%m
log level = 2 winbind:10
max log size = 50
winbind expand groups = 4
winbind nested groups = yes
winbind enum groups = yes
winbind enum users = yes
idmap uid = 5-50
idmap gid = 5-50
winbind use default domain = yes
idmap config SGI:range = 5-50

I really don't see the problem the nss_winbind module might be having:

# strace -e trace=file getent group
execve("/usr/bin/getent", ["getent", "group"], [/* 40 vars */]) = 0
access("/etc/ld.so.preload", R_OK)  = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/lib64/libc.so.6", O_RDONLY)  = 3
open("/usr/lib64/locale/locale-archive", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY)= 3
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/group", O_RDONLY|O_CLOEXEC)  = 3
root:x:0:root
bin:x:1:root,bin,daemon
[... prints local UNIX groups ...]
postgres:x:70:
open("/etc/ld.so.cache", O_RDONLY)  = 4
open("/lib64/libnss_winbind.so.2", O_RDONLY) = 4
lstat("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
lstat("/var/cache/samba/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/var/cache/samba/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0

And that's it. I also can't make out any error message in the logs, not even 
with log level 10. On the PDC and BDC, getent group works perfectly (also both 
via nss_winbind). Seriously, I'm out of ideas. Any pointer is greatly 
appreciated.


-- 
Victor Mataré
Sysadmin
Lehrstuhl für Ingenieur- und Hydrogeologie der RWTH Aachen
Lochnerstraße 4-20
52064 Aachen
Ph: +49-241-8096778
Fx: +49-241-8092280

http://www.lih.rwth-aachen.de

[Samba] ldapsam:editposix and add user script

2009-02-10 Thread Victor Mataré

Hello Everyone,

We run a Samba 3.0 PDC and have all account information in LDAP. No 
idealx scripts, as we let samba do all the work of creating unix 
accounts in LDAP.
Now until recently, the "add user script" parameter worked as expected, 
simply calling that script when I did a "net rpc user add".
Now it won't do that anymore, unless it finds that there's no unix 
account for a legitimate SMB user upon session setup (according to the 
manpage). This condition, however, is negated by ldapsam:editposix = yes.
As I understood it, the "add user script" was a general purpose option 
to do anything that needs to be done upon user addition in samba. The 
new behaviour just limits flexibility. Any idea how one could implement 
a custom script that's run when a user is created?


thanks,
Victor