[Samba] winbind stop working

Daniele
Apr 30, 2012, 4:00:02 AM
Hi, I am trying to use squid proxy with validation on a Win 2003 Active
Directory to filter internet navigation, and for it I installed an Ubuntu
10.04 server 64 bit with Samba.
My installation looks ok: the server is joined to the AD, ntlm is able
to validate users, wbinfo reports correct information and squid works well.
The problem arises after some hours: winbind becomes unable to resolve
info for users and to retrieve info for groups, so squid becomes unable
to know if a user belongs to a group allowed to navigate and refuses the
connection.
Restarting winbind solves the problem for some hours.
wbinfo reports no particular problem; it just gives back messages like "could
not get info for user xx", and also setting the debug level to various numbers
reports (to me) no significant clues.
I made a workaround scheduling a restart of the winbind service every
half hour and it works, but it is not so elegant ...
Do you have any suggestion to solve this problem?
Thank you
Daniele

samba/winbind version is 3.4.7
squid is 2.7.STABLE7
os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux

smb.conf:
[global]
workgroup = CED
realm = CED.AOS
server string = Samba Server Version %v
security = ADS
password server = 172.18.10.24 172.18.10.23
name resolve order = lmhosts host bcast
ldap ssl = no
idmap uid = 15000-25000
idmap gid = 15000-25000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
browsable = No

Kevin Elliott
Apr 30, 2012, 2:00:01 PM
We're also seeing similar symptoms with our Squid proxy's winbindd.

After an indeterminate amount of time (sometimes an hour, sometimes a day) the winbind process will lose the ability to resolve UIDs/GIDs to SIDs and authentication to the proxy will fail:

[2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.


If we try doing a winbind -p we get a successful return; however, trying to look up a SID from a UID/GID fails.

We're on Debian 6.0.4 and Samba 2.3.5.6.


Has anyone else seen this issue? Any possible workarounds or patches?




Here's the debugging output for a particular user:

[2012/04/27 11:04:52.217018, 3] smbd/process.c:1294(switch_message)
switch message SMBtconX (pid 15651) conn 0x0
[2012/04/27 11:04:52.217041, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/04/27 11:04:52.217062, 5] auth/token_util.c:525(debug_nt_user_token)
NT user token: (NULL)
[2012/04/27 11:04:52.217085, 5] auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2012/04/27 11:04:52.217132, 5] smbd/uid.c:369(change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/04/27 11:04:52.217169, 4] smbd/reply.c:786(reply_tcon_and_X)
Client requested device type [?????] for share [FTP]
[2012/04/27 11:04:52.217209, 5] smbd/service.c:1227(make_connection)
making a connection to 'normal' service ftp
[2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
[2012/04/27 11:04:52.217268, 5] smbd/password.c:423(user_in_netgroup)
Unable to get default yp domain, let's try without specifying it
[2012/04/27 11:04:52.217289, 5] smbd/password.c:430(user_in_netgroup)
looking for user CBJ_NT+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
[2012/04/27 11:04:52.217316, 5] smbd/password.c:453(user_in_netgroup)
looking for user cbj_nt+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
[2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
lookup_name: CBJ_NT\domain users => CBJ_NT (domain), domain users (name)
[2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
lookup_name: flags = 0x077
[2012/04/27 11:04:52.217841, 10] passdb/util_wellknown.c:152(lookup_wellknown_name)
map_name_to_wellknown_sid: looking up domain users
[2012/04/27 11:04:52.217890, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/04/27 11:04:52.217921, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/04/27 11:04:52.217945, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/04/27 11:04:52.217966, 5] auth/token_util.c:525(debug_nt_user_token)
NT user token: (NULL)
[2012/04/27 11:04:52.217987, 5] auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2012/04/27 11:04:52.218079, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/04/27 11:04:52.219317, 5] smbd/share_access.c:117(token_contains_name)
lookup_name CBJ_NT+domain users failed
[2012/04/27 11:04:52.219365, 10] smbd/share_access.c:216(user_ok_token)
User CBJ_NT+kevin_miller not in 'valid users'
[2012/04/27 11:04:52.219394, 2] smbd/service.c:598(create_connection_server_info)
user 'CBJ_NT+kevin_miller' (from session setup) not permitted to access this share (ftp)
[2012/04/27 11:04:52.219420, 1] smbd/service.c:678(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/04/27 11:04:52.219452, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


Here's the debugging output from the winbindd-idmap.old log:

2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid)
idmap_gid_to_sid: gid = [1004], domain = ''
[2012/04/27 10:58:37.616243, 10] lib/gencache.c:334(gencache_get_data_blob)
Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
[2012/04/27 10:58:37.616265, 10] winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
[2012/04/27 10:58:37.616331, 10] winbindd/idmap.c:475(idmap_find_domain)
idmap_find_domain called for domain ''
[2012/04/27 10:58:37.616352, 5] winbindd/idmap_tdb.c:696(idmap_tdb_id_to_sid)
Requested id (1004) out of range (10000 - 79999). Filtered!
[2012/04/27 10:58:37.616380, 10] lib/gencache.c:180(gencache_set_data_blob)
Adding cache entry with key = IDMAP/UID2SID/1004 and timeout = Fri Apr 27 11:00:37 2012
(120 seconds ahead)
[2012/04/27 10:58:37.616436, 10] winbindd/idmap_util.c:151(idmap_gid_to_sid)
gid [1004] not mapped
[2012/04/27 10:58:37.616456, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
wbint_Gid2Sid: struct wbint_Gid2Sid
out: struct wbint_Gid2Sid
sid : *
sid : S-0-0
result : NT_STATUS_NONE_MAPPED


--
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

Kevin Elliott
Apr 30, 2012, 2:40:01 PM
Correction. I was reading the Debian versioning numbers.

We are on Samba/Winbind: 3.5.6 (Debian package: 2:3.5.6~dfsg-3squeeze6).

Kevin Elliott
May 4, 2012, 4:10:01 PM

No one else has seen this issue?

Should I move this to samba-technical? Or submit a bug report?


Is there any other information that would be helpful in troubleshooting this?

Gaiseric Vandal
May 4, 2012, 4:20:03 PM
I had a problem with Samba 3.0.x on Solaris 10 some time back. The
Samba servers were DCs for the domain; they were not in an ADS
domain. However, I did have domain trusts set up, so winbind was
required. Winbind would allocate uids and gids. There is a cache
time value for either winbind or idmap (testparm -v will tell you).
When the cache time expired the cached info was - obviously - invalid,
BUT samba/winbind would not refresh the cache. Thus users from the
trusted domain would lose access. The cache files are local TDB
files, even though (in my case) the idmap and other account info was in LDAP.


The cache issue was resolved when I upgraded to Samba 3.4.x. However,
it seems that winbind now can't even create new idmap entries. Since
there is practically no personnel change in the trusted ADS domain this
isn't really an issue; I can always add the idmap entries in LDAP.

Check your cache values. Back up and delete the idmap cache TDB files
(maybe the winbind cache files as well). Restarting winbind and typing
"getent passwd" and "getent group" should repopulate them. The tdbdump command
is useful for looking at the contents of a file if you aren't sure
what the file is for.

Kevin Elliott
May 4, 2012, 5:50:03 PM

So what's happening is that the idmap cache is expiring but winbind is unable to create new entries until it's restarted?


Here's my idmap cache values:

idmap backend = tdb
idmap alloc backend =
idmap cache time = 604800
idmap negative cache time = 120
idmap uid = 10000-79999
idmap gid = 10000-79999
winbind separator = +
winbind cache time = 300
winbind reconnect delay = 30
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No

daniele
May 7, 2012, 3:30:02 AM
On 04/05/2012 23:47, Kevin Elliott wrote:
>
> So what's happening is that the idmap cache is expiring but winbind is unable to create new entries until its restarted?
>
>
> Here's my idmap cache values:
>
> idmap backend = tdb
> idmap alloc backend =
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid = 10000-79999
> idmap gid = 10000-79999
> winbind separator = +
> winbind cache time = 300
> winbind reconnect delay = 30
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind trusted domains only = No
> winbind nested groups = Yes
> winbind expand groups = 1
> winbind nss info = template
> winbind refresh tickets = No
> winbind offline logon = No
> winbind normalize names = No
>

After playing with parameters I found that lowering idmap cache time has
some effect.
Now, with a value of 300, it looks good.
I have to do other tests to understand what is happening, but it seems a
good starting point.

Daniele

Kevin Elliott
May 8, 2012, 3:40:02 PM
Interesting.

I'll try this and see what happens.

Any idea why setting such an aggressive cache refresh time for the idmap issue could resolve this?

daniele
May 9, 2012, 5:20:01 AM
On 08/05/2012 21:37, Kevin Elliott wrote:
> Interesting.
>
> I'l try this and see what happens.
>
> Any idea why setting such an aggressive cache refresh time for the idmap issue could resovle this?
>

My server is still in test, so I don't know what will happen when
hundreds of users begin to connect. As a reference, in the current
working server with Samba version 3.0.33-3.29.el5_7.4 the parameter
idmap cache time is set to the default (900).
I wondered about such a difference (900 vs 604800) and I used 900 instead
of 300. Now it looks good (after 1 day), but I'll keep it in test for some
while.
I also had bad mapping problems: winbind reported an incorrect number of
groups and the wrong group for some users.
I guess this is also related to the cache, because since yesterday it is
working correctly and I don't know why (maybe: net cache flush or some
smb.conf parameter or ...).
I also verified that setting idmap uid and idmap gid to a value like
10000-20000 does not work (I have no unix user or group in the range
1000-65000, so I supposed the range 10000-20000 was equivalent to
15000-25000 ...)

My actual settings are:
[global]
workgroup = CED
realm = CED.AOS
server string = Samba Server Version %v
security = ADS
password server = 172.18.10.24 172.18.10.23
name resolve order = lmhosts host bcast
passdb backend = tdbsam
ldap ssl = no
idmap uid = 100000-200000
idmap gid = 100000-200000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
cups options = raw
winbind cache time = 300
idmap cache time = 900
encrypt passwords = yes


Regards
Daniele Bernazzi
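
Gaiseric's advice to check the cache values with testparm, together with Daniele's observations above about the idmap cache time and the uid/gid range, can be turned into a small config audit. This is an added example, not code from the thread or from Samba: the testparm-style output and the /etc/passwd excerpt are constructed, and the thresholds (900, 65536, the 100000-200000 range) are the thread's reported values, not Samba requirements.

```sh
# Added example (not from the thread or Samba): audit the idmap settings the
# thread turns on. testparm output and /etc/passwd excerpt are constructed;
# thresholds are the thread's suggestions, not Samba requirements.
TESTPARM_OUT='idmap uid = 10000-79999
idmap cache time = 604800
winbind cache time = 300'
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/sh
squid:x:1004:1004::/var/spool/squid:/bin/false
svc:x:12000:12000::/home/svc:/bin/sh'

# param_value "<testparm text>" "<key>": print the value of one smb.conf key.
param_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '{ key = $1; val = $2
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == k) { print val; exit } }'
}

# id_in_range <id> <lo-hi>: the check behind the "Requested id (1004) out of
# range ... Filtered!" line in Kevin's idmap log; ids outside are never mapped.
id_in_range() {
    [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ]
}

# local_ids_in_range "<passwd text>" "<lo-hi>": local uids inside the range
# winbind allocates to domain users (a collision).
local_ids_in_range() {
    printf '%s\n' "$1" | awk -F: -v lo="${2%-*}" -v hi="${2#*-}" \
        '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $3 }'
}

# audit "<testparm text>" "<passwd text>": print findings, return their count.
audit() {
    n=0
    range=$(param_value "$1" "idmap uid")
    ct=$(param_value "$1" "idmap cache time")
    if [ "${ct:-0}" -gt 900 ]; then
        echo "idmap cache time = $ct; 604800 left stale mappings in the thread, 900/300 helped"
        n=$((n + 1))
    fi
    if [ "${range%-*}" -le 65536 ]; then
        echo "idmap uid = $range starts at or below 65536; Daniele ended up with 100000-200000"
        n=$((n + 1))
    fi
    for id in $(local_ids_in_range "$2" "$range"); do
        echo "local uid $id falls inside idmap uid = $range"; n=$((n + 1))
    done
    return $n
}

audit "$TESTPARM_OUT" "$LOCAL_PASSWD" || echo "findings: $?"
```

On a real host, feed `testparm -v -s` and `getent passwd` into the same functions instead of the constructed strings.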

sigunas
May 10, 2012, 5:30:03 AM
We have a similar problem too, with a Samba file server serving about 800 users.
After a server restart samba/winbind works as intended. After some time (it
may be a couple of weeks, or it may be 1 day) the server does not authenticate new
connections. Old connections work.
For example: I don't turn off my computer, and the next day I can access Samba
shares, read/create/delete files and directories as usual. Users who have just
started their computers and try to access shares are rejected with unknown
user/password. After a winbind restart (no need to restart samba)
everything works as intended again for a day or sometimes for a couple of weeks.

Server configuration:
security=ADS
realm=our.domain.com
client schanel=no
wins support=no
domain logons=no
domain master=auto
password server=dc.our.domain.com
server string=failai
local master=yes
idmap uid=10000-20000
idmap gid=10000-20000
winbind enum users=yes
winbind enum groups=yes
encrypt password=true
keepalive=600
socket options=TCP_NODELAY
dns proxy=no
log level=1
large readwrite=yes

When users can't connect I see in log file:
[2012/05/10] 00:59:59.024569, 1] smbd/service.c:678(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/05/10] 00:59:59.025649, 1] smbd/service.c:678(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
.......

What's interesting, some users (I would guess 1 in 10) can connect even at
this time, as I see in the log:
[2012/05/10] 07:48:07.777869, 1] smbd/service.c:678(make_connection_snum)
__ffff_10.23.15.20 (::ffff:10.23.14.20) connect to service apps initially
as user CENTRAS\nijovizb (uid=10717, guid=10004) (pid 6861)
.......

Then, after a winbind restart, all users can connect.

Daniele Bernazzi
May 10, 2012, 7:00:03 AM
From my experience, reducing idmap cache time seems to solve the problem.
I also experienced problems with idmap uid and idmap gid set to such values
(10000-20000); try to raise them above 65536 (100000-200000).
I made some tests on another server acting as a file server with
validation on AD (no user and group mappings) in which winbind is
usually off. Starting winbind and playing with parameters brought Samba
to deny the service after about 1 day; after stopping winbind and
restarting nmbd and smbd it works well ...

sigunas
May 16, 2012, 1:10:01 AM
Lowering idmap cache time from the default 604800 to 900 did not help...
Something different here.
