Re: [Samba] winbind stop working

2012-05-15 Thread sigunas
Lowering idmap cache time from default 604800 to 900 did not help...
Something different here.

--
View this message in context: 
http://samba.2283325.n4.nabble.com/winbind-stop-working-tp4597615p4631620.html
Sent from the Samba - General mailing list archive at Nabble.com.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind stop working

2012-05-10 Thread sigunas
We have a similar problem too with a samba file server, serving about 800 users.
After server restart samba/winbind works as intended. After some time (it
may be a couple of weeks, or it may be 1 day) the server does not authenticate new
connections. Old connections work.
For example: I don't turn off my computer, and next day I can access samba
shares, read/create/delete files and directories as usual. Users who just
started computers and try to access shares are rejected with unknown
user/password. After winbind restart (don't need to restart samba)
everything works as intended again for a day or sometimes for a couple of weeks.

Server configuration:
security=ADS
realm=our.domain.com
client schanel=no
wins support=no
domain logons=no
domain master=auto
password server=dc.our.domain.com
server string=failai
local master=yes
idmap uid=1-2
idmap gid=1-2
winbind enum users=yes
winbind enum groups=yes
encrypt password=true
keepalive=600
socket options=TCP_NODELAY
dns proxy=no
log level=1
large readwrite=yes

When users can't connect I see in log file:
[2012/05/10] 00:59:59.024569, 1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/05/10] 00:59:59.025649, 1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
...

What's interesting, some users (I would guess 1 from 10) can connect even at
this time, as I see in the log:
[2012/05/10] 07:48:07.777869, 1] smbd/service.c:678(make_connection_snum)
  ___10.23.15.20 (:::10.23.14.20) connect to service apps initially
as user CENTRAS\nijovizb (uid=10717, guid=10004) (pid 6861)
...

Then after winbind all users can connect





Re: [Samba] winbind stop working

2012-05-10 Thread Daniele Bernazzi

On 05/10/2012 11:21 AM, sigunas wrote:

We have a similar problem too with a samba file server, serving about 800 users.
After server restart samba/winbind works as intended. After some time (it
may be a couple of weeks, or it may be 1 day) the server does not authenticate new
connections. Old connections work.
For example: I don't turn off my computer, and next day I can access samba
shares, read/create/delete files and directories as usual. Users who just
started computers and try to access shares are rejected with unknown
user/password. After winbind restart (don't need to restart samba)
everything works as intended again for a day or sometimes for a couple of weeks.

Server configuration:
security=ADS
realm=our.domain.com
client schanel=no
wins support=no
domain logons=no
domain master=auto
password server=dc.our.domain.com
server string=failai
local master=yes
idmap uid=1-2
idmap gid=1-2
winbind enum users=yes
winbind enum groups=yes
encrypt password=true
keepalive=600
socket options=TCP_NODELAY
dns proxy=no
log level=1
large readwrite=yes



From my experience reducing idmap cache time seems to solve the problem.
I also experienced problems with idmap uid and idmap gid set to such values 
(1-2); try to raise over 65536 (10-20).
I made some tests on another server acting as a file server with 
validation on AD (no user and group mappings) in which winbind is 
usually off. Starting winbind and playing with parameters brought samba 
to deny the service after about 1 day; after stopping winbind and 
restarting nmbd smbd it works good ...






Re: [Samba] winbind stop working

2012-05-09 Thread daniele

On 08/05/2012 21:37, Kevin Elliott wrote:

Interesting.

I'll try this and see what happens.

Any idea why setting such an aggressive cache refresh time for the idmap issue 
could resolve this?



My server is still in test, so I don't know what will happen when 
hundreds of users begin to connect. As a reference, in the current 
working server with samba Version 3.0.33-3.29.el5_7.4 the parameter 
idmap cache time is set to the default (900).
I wonder about such difference (900 vs 604800) and I did use 900 instead 
of 300. Now it looks good (after 1 day), but I'll keep in test for some 
while.
I also had bad mapping problems: winbind reported an incorrect number of 
groups and the wrong group for some users.
I guess this is also related to the cache because after yesterday it is 
working correctly and I don't know why (maybe: net cache flush or some 
smb.conf parameter or ...).
I also verified that setting idmap uid and idmap gid at a value like 
1-2 does not work (I have no unix user or group in the range 
1000-65000, so I supposed the range 1-2 was equivalent to 
15000-25000 ...)


My actual settings are:
[global]
workgroup = CED
realm = CED.AOS
server string = Samba Server Version %v
security = ADS
password server = 172.18.10.24 172.18.10.23
name resolve order = lmhosts host bcast
passdb backend = tdbsam
ldap ssl = no
idmap uid = 10-20
idmap gid = 10-20
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
cups options = raw
winbind cache time = 300
idmap cache time = 900
encrypt passwords = yes


Regards
Daniele Bernazzi


Re: [Samba] winbind stop working

2012-05-08 Thread Kevin Elliott
Interesting.

I'll try this and see what happens.

Any idea why setting such an aggressive cache refresh time for the idmap issue 
could resolve this?

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 




Re: [Samba] winbind stop working

2012-05-07 Thread daniele

On 04/05/2012 23:47, Kevin Elliott wrote:


So what's happening is that the idmap cache is expiring but winbind is unable 
to create new entries until it's restarted?


Here's my idmap cache values:

 idmap backend = tdb
 idmap alloc backend =
 idmap cache time = 604800
 idmap negative cache time = 120
 idmap uid = 1-7
 idmap gid = 1-7
 winbind separator = +
 winbind cache time = 300
 winbind reconnect delay = 30
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind trusted domains only = No
 winbind nested groups = Yes
 winbind expand groups = 1
 winbind nss info = template
 winbind refresh tickets = No
 winbind offline logon = No
 winbind normalize names = No



After playing with parameters I found that lowering idmap cache time has 
some effects.

Now, with a value of 300, looks good.
I have to do other tests to understand what is happening, but it seems a 
good starting point.


Daniele


Re: [Samba] winbind stop working

2012-05-04 Thread Kevin Elliott

No one else has seen this issue? 

Should I move this to samba-technical? Or submit a bug report?


Is there any other information that would be helpful in troubleshooting this? 



Re: [Samba] winbind stop working

2012-05-04 Thread Gaiseric Vandal
I had a problem with Samba 3.0.x on Solaris 10 some time back.  The
samba servers were DC's for the domain - they were not in an ADS
domain.  However I did have domain trusts set up so winbind was
required.  Winbind would allocate uid's and gid's.  There is a cache
time value for either winbind or idmap (testparm -v will tell you.)
When the cache time expired the cached info was - obviously - invalid
BUT samba/winbind would not refresh the cache.  Thus users from the
trusted domain would lose access.  The cache files are local TDB
files - even though (in case) the idmap and other account info was in ldap.


The cache issue was resolved when I upgraded to samba 3.4.x.  However,
it seems that winbind now can't even create new idmap entries.  Since
there is practically no personnel change in the trusted ADS domain this
isn't really an issue - I can always add the idmap entries in ldap.

Check your cache values.  Back up and delete the idmap cache TDB files.
(Maybe the winbind cache files as well.)  Restarting winbind and typing
getent passwd and getent group should repopulate.  The TDBDump command
is useful for looking at the contents of the file if you aren't sure
what the file is for.




Re: [Samba] winbind stop working

2012-05-04 Thread Kevin Elliott
 
So what's happening is that the idmap cache is expiring but winbind is unable 
to create new entries until it's restarted?


Here's my idmap cache values:

idmap backend = tdb
idmap alloc backend = 
idmap cache time = 604800
idmap negative cache time = 120
idmap uid = 1-7
idmap gid = 1-7
winbind separator = +
winbind cache time = 300
winbind reconnect delay = 30
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 





[Samba] winbind stop working

2012-04-30 Thread Daniele
Hi, I am trying to use squid proxy with validation on win 2003 active 
directory to filter internet navigation and for it I installed an ubuntu 
10.04 server 64 bit with samba.
My installation looks ok, the server is joined to the AD, ntlm is able 
to validate users, wbinfo reports correct information and squid works well.
The problem arises after some hours: winbind becomes unable to resolve 
info for users and to retrieve info for groups, so squid becomes unable 
to know if a user belongs to a group allowed to navigate and refuses the 
connection.

Restarting winbind solves the problem for some hours.
wbinfo reports no particular problem; it just gives back messages like "could 
not get info for user xx" and also setting debuglevel to various numbers 
reports (to me) no significant clues.
I made a workaround scheduling a restart of the winbind service every 
half hour and it works, but it is not so elegant ...

Do you have any suggestion to solve this problem?
Thank you
Daniele

samba/winbind version is 3.4.7
squid is 2.7.STABLE7
os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux

smb.conf:
[global]
workgroup = CED
realm = CED.AOS
server string = Samba Server Version %v
security = ADS
password server = 172.18.10.24 172.18.10.23
name resolve order = lmhosts host bcast
ldap ssl = no
idmap uid = 15000-25000
idmap gid = 15000-25000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
browsable = No



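An alternative to the half-hourly restart described in the message above, as an added example that is not part of the original post: a probe that restarts winbind only when the daemon stops answering or a name, SID and gid round trip fails, which is the symptom reported in this thread (ping succeeds, ID lookups fail). The probe group, the restart command and the cron usage are assumptions to adapt to the site.

```shell
#!/bin/sh
# Added example, not from the thread: probe winbind and restart it only on a
# confirmed failure, instead of a blind restart every half hour.
# Assumed, site-specific values: PROBE_GROUP and RESTART_CMD.

PROBE_GROUP="${PROBE_GROUP:-domain users}"             # group name seen in the thread's logs
RESTART_CMD="${RESTART_CMD:-service winbind restart}"  # assumption: SysV-style init script

# A usable SID starts with "S-" and is not the null SID S-0-0 that the
# wbint_Gid2Sid dump in the thread shows next to NT_STATUS_NONE_MAPPED.
valid_sid() {
    case "$1" in
        ""|S-0-0) return 1 ;;
        S-[0-9]*-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints exactly one state: ok | down | lookup-failed | idmap-failed
probe_winbind() {
    # 1. Is the daemon answering at all?
    if ! wbinfo -p >/dev/null 2>&1; then
        echo down
        return 0
    fi

    # 2. name -> SID. The first field of the output is the SID.
    sid=$(wbinfo -n "$PROBE_GROUP" 2>/dev/null | awk '{print $1; exit}')
    if ! valid_sid "$sid"; then
        echo lookup-failed
        return 0
    fi

    # 3. SID -> gid -> SID round trip through the idmap layer. This is the
    #    step that fails in the thread while the ping above still succeeds.
    gid=$(wbinfo -Y "$sid" 2>/dev/null) || gid=""
    case "$gid" in
        ""|*[!0-9]*)
            echo idmap-failed
            return 0 ;;
    esac
    back=$(wbinfo -G "$gid" 2>/dev/null) || back=""
    if [ "$back" != "$sid" ]; then
        echo idmap-failed
        return 0
    fi

    echo ok
}

# Acts on a state and prints the action taken: none | restarted | restart-failed
handle_state() {
    state=$1
    case "$state" in
        ok)
            echo none ;;
        *)
            # Record the failure mode before restarting, so syslog shows how
            # often and in which way winbind degrades.
            logger -t winbind-probe \
                "state=$state group=$PROBE_GROUP; restarting winbind" 2>/dev/null || true
            if $RESTART_CMD >/dev/null 2>&1; then
                echo restarted
            else
                echo restart-failed
            fi ;;
    esac
}

# Intended use (assumption): from cron every few minutes, as
#   winbind-probe.sh --run
if [ "${1:-}" = "--run" ]; then
    handle_state "$(probe_winbind)"
fi
```

The syslog entries written before each restart give a record of which stage failed and when, which is the kind of detail a bug report on this behaviour would need.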


Re: [Samba] winbind stop working

2012-04-30 Thread Kevin Elliott
)
   wbint_Gid2Sid: struct wbint_Gid2Sid
  out: struct wbint_Gid2Sid
  sid  : *
  sid  : S-0-0
  result   : NT_STATUS_NONE_MAPPED


-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 






Re: [Samba] winbind stop working

2012-04-30 Thread Kevin Elliott
Correction. I was reading the Debian versioning numbers.

We are on Samba/Winbind: 3.5.6 (Debian package:  2:3.5.6~dfsg-3squeeze6).

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 


 -Original Message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Kevin Elliott
 Sent: Monday, April 30, 2012 9:51 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] winbind stop working
 
 We're also seeing similar symptoms with our Squid proxy's 
 winbindd as well.
 
 After an indeterminate amount of time (sometimes an hour, 
 sometimes a day) the winbind process will lose the ability to 
 resolve UID/GIDs to SIDS and authentication to the proxy will fail:
 
 [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
 
 
 If we try doing a winbind -p we get a successful return 
 however trying to lookup a SID from UID/GID fails.
 
 We're on Debian 6.0.4 and Samba 2.3.5.6.
 
 
 Has anyone else seen this issue? Any possible workarounds or patches?
 
 
 
 
 Here's the debugging output for a particular user:
 
 [2012/04/27 11:04:52.217018,  3] smbd/process.c:1294(switch_message)
   switch message SMBtconX (pid 15651) conn 0x0
 [2012/04/27 11:04:52.217041,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.217062,  5] 
 auth/token_util.c:525(debug_nt_user_token)
   NT user token: (NULL)
 [2012/04/27 11:04:52.217085,  5] 
 auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2012/04/27 11:04:52.217132,  5] smbd/uid.c:369(change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
 [2012/04/27 11:04:52.217169,  4] smbd/reply.c:786(reply_tcon_and_X)
   Client requested device type [?] for share [FTP]
 [2012/04/27 11:04:52.217209,  5] smbd/service.c:1227(make_connection)
   making a connection to 'normal' service ftp
 [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
 [2012/04/27 11:04:52.217268,  5] smbd/password.c:423(user_in_netgroup)
   Unable to get default yp domain, let's try without specifying it
 [2012/04/27 11:04:52.217289,  5] smbd/password.c:430(user_in_netgroup)
   looking for user CBJ_NT+kevin_miller of domain (ANY) in 
 netgroup CBJ_NT+domain users
 [2012/04/27 11:04:52.217316,  5] smbd/password.c:453(user_in_netgroup)
   looking for user cbj_nt+kevin_miller of domain (ANY) in 
 netgroup CBJ_NT+domain users
 [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
   lookup_name: CBJ_NT\domain users = CBJ_NT (domain), domain 
 users (name)
 [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
   lookup_name: flags = 0x077
 [2012/04/27 11:04:52.217841, 10] 
 passdb/util_wellknown.c:152(lookup_wellknown_name)
   map_name_to_wellknown_sid: looking up domain users
 [2012/04/27 11:04:52.217890,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2012/04/27 11:04:52.217921,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.217945,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2012/04/27 11:04:52.217966,  5] 
 auth/token_util.c:525(debug_nt_user_token)
   NT user token: (NULL)
 [2012/04/27 11:04:52.217987,  5] 
 auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2012/04/27 11:04:52.218079,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.219317,  5] 
 smbd/share_access.c:117(token_contains_name)
   lookup_name CBJ_NT+domain users failed
 [2012/04/27 11:04:52.219365, 10] 
 smbd/share_access.c:216(user_ok_token)
   User CBJ_NT+kevin_miller not in 'valid users'
 [2012/04/27 11:04:52.219394,  2] 
 smbd/service.c:598(create_connection_server_info)
   user 'CBJ_NT+kevin_miller' (from session setup) not 
 permitted to access this share (ftp)
 [2012/04/27 11:04:52.219420,  1] 
 smbd/service.c:678(make_connection_snum)
   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
 [2012/04/27 11:04:52.219452,  3] smbd/error.c:80(error_packet_set)
   error packet at smbd/reply.c(795) cmd=117 (SMBtconX) 
 NT_STATUS_ACCESS_DENIED
 
 
 Here's the debugging output from the winbindd-idmap.old log:
 
 2012/04/27 10:58:37.616201, 10] 
 winbindd/idmap_util.c:115(idmap_gid_to_sid)
   idmap_gid_to_sid: gid = [1004], domain = ''
 [2012/04/27 10:58:37.616243, 10] 
 lib/gencache.c:334(gencache_get_data_blob)
   Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
 [2012/04/27 10:58:37.616265, 10] 
 winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
   idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
 [2012/04/27 10:58:37.616331, 10] 
 winbindd