Re: [Samba] winbindd using FQDN domain name now?
On Tue, Oct 07, 2003 at 08:35:41AM -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sorry for the delayed response...
>
> Adrian Chung wrote:
> | As of RC3 and RC4, I've noticed that winbindd's wb_getpwuid function
> | is using the form , and
> | before, it was simply .
>
> This is due to new code in smbd that grabs the domain name
> from the krb5 principal name.
>
> | The net effect of what I'm seeing is that users which have a UNIX
> | account locally on the samba box and also a domain account are being
> | authenticated against the AD DC, but their UIDs are getting resolved
> | to the local UNIX UIDs rather than AD UIDs.
>
> |
> | From XP SP1 boxes that are domain members:
> |
> | [2003/09/15 15:49:17, 3]
> | nsswitch/winbindd_user.c:winbindd_getpwnam(112)
> | [ 6453]: getpwnam genosha.enfusion-group.com-adrian
> | [2003/09/15 15:49:17, 5]
> | nsswitch/winbindd_user.c:winbindd_getpwnam(140)
> | no such domain: GENOSHA.ENFUSION
> | [2003/09/15 15:49:17, 3]
> | nsswitch/winbindd_user.c:winbindd_getpwnam(112)
> | [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-adrian
> | [2003/09/15 15:49:17, 5]
> | nsswitch/winbindd_user.c:winbindd_getpwnam(140)
> | no such domain: GENOSHA.ENFUSION
>
> You have the winbind separator set to '-' don't you?
> The problem here is that you have a '-' in the realm name.

I sure did, changed it back to '+' and we're back in business. Thanks!

-- 
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] up 5 days, 8:51, 2 users

-- 
To unsubscribe from this list go to the following URL and read the instructions:
http://lists.samba.org/mailman/listinfo/samba
[Samba] winbindd using FQDN domain name now?
As of RC3 and RC4, I've noticed that winbindd's wb_getpwuid function is using the form , and before, it was simply .

The net effect of what I'm seeing is that users which have a UNIX account locally on the samba box and also a domain account are being authenticated against the AD DC, but their UIDs are getting resolved to the local UNIX UIDs rather than AD UIDs.

Here's a snippet of the winbind log (level 5) from an XP Home box (not a domain member):

[2003/09/15 15:46:49, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:46:49, 3] nsswitch/winbindd_ads.c:sequence_number(778)
  ads: fetch sequence_number for GENOSHA
[2003/09/15 15:46:49, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (objectclass=*) gave 1 replies
[2003/09/15 15:46:49, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/09/15 15:46:49, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=neil)([EMAIL PROTECTED])) gave 1 replies
[2003/09/15 15:46:49, 3] libads/ads_ldap.c:ads_name_to_sid(82)
  ads name_to_sid mapped neil
[2003/09/15 15:46:50, 3] nsswitch/winbindd_misc.c:winbindd_ping(208)
  [ 6439]: ping
[2003/09/15 15:46:50, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:46:50, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/09/15 15:46:50, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=neil)([EMAIL PROTECTED])) gave 1 replies

From XP SP1 boxes that are domain members:

[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam genosha.enfusion-group.com-adrian
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-adrian
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-ADRIAN
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:23, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)
  [ 6455]: request interface version
[2003/09/15 15:49:23, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
  [ 6455]: request location of privileged pipe
[2003/09/15 15:49:23, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 19, pid 6455: EOF
[2003/09/15 15:49:23, 3] nsswitch/winbindd_user.c:winbindd_getpwuid(213)
  [ 6455]: getpwuid 20007
[2003/09/15 15:49:23, 4] nsswitch/winbindd_acct.c:wb_getpwuid(413)
  wb_getpwuid: failed to locate uid == 20007

At this point, I'm authenticated as the UNIX UID and have access via samba, but smbstatus shows the wrong username (the non-domain user).

Anyone know how I can fix this?

-- 
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] 3:55pm up 4 days, 17:09, 3 users
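The split Jerry describes, as an added example that is not part of the thread or of Samba's own code: winbindd cuts DOMAIN<sep>user at the first separator, so with 'winbind separator = -' the name GENOSHA.ENFUSION-GROUP.COM-adrian yields the non-existent domain GENOSHA.ENFUSION (exactly what the "no such domain" lines show) and the lookup falls through to the local passdb, which is how a domain user ended up with the local UID. The same ambiguity applies to account names that contain the separator themselves, such as GENOSHA-IUSR_W2K3-01-DC in the wbinfo -u listing in the next thread. The [global] fragment, the list of known domains, and the helpers conf_get(), split_winbind_name(), classify() and separator_ok() are constructed for this example; "split at the first separator" is inferred from the log above, not read from the Samba source.

```c
/* Added example, not code from the thread or from Samba. Shows how a winbind
 * separator that also occurs in the realm mis-parses DOMAIN<sep>user, and the
 * check a config linter should run before accepting the separator. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed [global] fragment mirroring the settings posted in the thread. */
static const char SMB_CONF[] =
    "[global]\n"
    "\tworkgroup = GENOSHA\n"
    "\trealm = GENOSHA.ENFUSION-GROUP.COM\n"
    "\tsecurity = ADS\n"
    "\twinbind separator = -\n";

/* Fetch the value of the first 'key = value' line in conf (case-insensitive key).
 * Returns 1 if found and copies the trimmed value into out. Hypothetical helper. */
int conf_get(const char *conf, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    for (const char *line = conf; *line; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (*p == ' ' || *p == '\t') p++;
        if (strncasecmp(p, key, klen) == 0) {
            p += klen;
            while (*p == ' ' || *p == '\t') p++;
            if (*p == '=') {
                p++;
                while (*p == ' ' || *p == '\t') p++;
                size_t vlen = (size_t)(line + len - p);
                while (vlen && (p[vlen - 1] == ' ' || p[vlen - 1] == '\t' || p[vlen - 1] == '\r')) vlen--;
                if (vlen >= cap) vlen = cap - 1;
                memcpy(out, p, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* Split DOMAIN<sep>user at the FIRST separator (the behaviour the log shows).
 * Returns 1 if a domain part was found, 0 for an unqualified name. */
int split_winbind_name(const char *name, char sep, char *domain, size_t cap, const char **user)
{
    const char *p = strchr(name, sep);
    if (!p) { domain[0] = '\0'; *user = name; return 0; }
    size_t n = (size_t)(p - name);
    if (n >= cap) n = cap - 1;
    memcpy(domain, name, n);
    domain[n] = '\0';
    *user = p + 1;
    return 1;
}

/* Outcome of a getpwnam-style lookup: 2 = known domain, 1 = unqualified (falls
 * through to the local passdb), 0 = "no such domain", as logged for GENOSHA.ENFUSION. */
int classify(const char *name, char sep, const char *const *known, size_t nknown)
{
    char dom[256];
    const char *user;
    if (!split_winbind_name(name, sep, dom, sizeof dom, &user)) return 1;
    for (size_t i = 0; i < nknown; i++)
        if (strcasecmp(dom, known[i]) == 0) return 2;
    return 0;
}

/* The linter check: the separator must be a single character and must not occur
 * in any domain name winbindd may prepend (workgroup, realm, trusted domains). */
int separator_ok(const char *conf, const char *const *known, size_t nknown)
{
    char sep[16];
    if (!conf_get(conf, "winbind separator", sep, sizeof sep))
        strcpy(sep, "\\");                      /* Samba's default separator */
    if (strlen(sep) != 1) return 0;
    for (size_t i = 0; i < nknown; i++)
        if (strchr(known[i], sep[0])) return 0;
    return 1;
}

int main(void)
{
    char sep[16], realm[128];
    conf_get(SMB_CONF, "winbind separator", sep, sizeof sep);
    conf_get(SMB_CONF, "realm", realm, sizeof realm);
    const char *known[] = { "GENOSHA", realm };
    const char *bad = "GENOSHA.ENFUSION-GROUP.COM-adrian";
    const char *good = "GENOSHA.ENFUSION-GROUP.COM+adrian";
    printf("sep '%s': classify(%s) = %d, separator_ok = %d\n",
           sep, bad, classify(bad, sep[0], known, 2), separator_ok(SMB_CONF, known, 2));
    printf("sep '+': classify(%s) = %d\n", good, classify(good, '+', known, 2));
    return 0;
}
```

The check is worth running at deploy time rather than discovering it in the logs: a separator that collides with a domain name does not fail loudly, it silently resolves some domain accounts to whatever local account shares the unqualified name.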
[Samba] wbinfo fails with disable netbios = yes
I'm hoping someone can shed some light on this one. Ever since beta3 I've been unable to get wbinfo to work properly. I finally worked around it today, and it seems that with the disable netbios = yes parameter in my smb.conf file, I get no results. Commenting out that parameter seems to work fine. It looks like the DNS queries for DCs is unsuccessful without NetBIOS enabled.

I'm running samba-3.0.0rc2-rh8_2 from samba.org. Here's my smb.conf file:

# Global parameters
[global]
        workgroup = GENOSHA
        realm = GENOSHA.ENFUSION-GROUP.COM
        server string = Enfusion Group fileserver
        interfaces = 192.168.100.10/24
        security = ADS
        password server = beast.genosha.enfusion-group.com nightcrawler.genosha.enfusion-group.com
        client lanman auth = No
        client plaintext auth = No
        log level = 1
        log file = /var/log/samba/log.%m
        name resolve order = host wins bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = No
        domain master = No
        dns proxy = No
        wins server = 192.168.100.6, 192.168.100.7
        idmap uid = 1-2
        idmap gid = 1-2
        winbind separator = -
        invalid users = root
        hosts allow = 192.168.101., 192.168.100., 127.
        hide unreadable = Yes
        veto files = /lost+found/

with 'disable netbios = yes':

[2003/09/03 09:41:12, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(219)
  [31890]: request interface version
[2003/09/03 09:41:12, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(255)
  [31890]: request location of privileged pipe
[2003/09/03 09:41:12, 3] nsswitch/winbindd_misc.c:winbindd_show_sequence(153)
  [31890]: show sequence
[2003/09/03 09:41:12, 3] nsswitch/winbindd_ads.c:sequence_number(776)
  ads: fetch sequence_number for GENOSHA
[2003/09/03 09:41:12, 5] libsmb/namecache.c:namecache_fetch(195)
  no entry for #1C found.
[2003/09/03 09:41:12, 5] libsmb/namequery.c:resolve_hosts(899)
  resolve_hosts: Attempting to resolve DC's for  using DNS
                                                ^^ (no %s, "name"?)
[2003/09/03 09:41:12, 5] libsmb/namequery.c:resolve_wins(741)
  resolve_wins(#1c): netbios is disabled
[2003/09/03 09:41:12, 5] libsmb/namequery.c:name_resolve_bcast(679)
  name_resolve_bcast(#1c): netbios is disabled
[2003/09/03 09:41:12, 1] nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain GENOSHA failed: No such file or directory
[2003/09/03 09:41:12, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 17, pid 31890: EOF
[2003/09/03 09:41:12, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 18, pid 31890: EOF

[EMAIL PROTECTED] libsmb]# wbinfo --sequence
GENOSHA : DISCONNECTED
[EMAIL PROTECTED] libsmb]# wbinfo -u
Error looking up domain users
[EMAIL PROTECTED] libsmb]# wbinfo -g
Error looking up domain groups

with disable netbios = no:

[EMAIL PROTECTED] libsmb]# /etc/init.d/winbind restart
Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
[EMAIL PROTECTED] libsmb]# wbinfo --sequence
GENOSHA : 113107
[EMAIL PROTECTED] libsmb]# wbinfo -u
GENOSHA-Administrator
GENOSHA-Guest
GENOSHA-TsInternetUser
GENOSHA-IUSR_BEAST
GENOSHA-IWAM_BEAST
GENOSHA-krbtgt
GENOSHA-__vmware_user__
GENOSHA-adrian
GENOSHA-kelly
GENOSHA-neil
GENOSHA-IUSR_W2K3-01-DC
GENOSHA-IWAM_W2K3-01-DC
GENOSHA-F925147A-88DD-4998-8
GENOSHA-anthony
GENOSHA-gamroot
[EMAIL PROTECTED] libsmb]# wbinfo -g
GENOSHA-DHCP Users
GENOSHA-DHCP Administrators
GENOSHA-Domain Computers
GENOSHA-Domain Controllers
GENOSHA-Schema Admins
GENOSHA-Enterprise Admins
GENOSHA-Cert Publishers
GENOSHA-Domain Admins
GENOSHA-Domain Users
GENOSHA-Domain Guests
GENOSHA-Group Policy Creator Owners
GENOSHA-RAS and IAS Servers
GENOSHA-DnsAdmins
GENOSHA-DnsUpdateProxy
GENOSHA-__vmware__
GENOSHA-Exchange Domain Servers
GENOSHA-Exchange Enterprise Servers
GENOSHA-_Web Anonymous Users
GENOSHA-_Web Applications
GENOSHA-IIS_WPG

Any ideas?

-- 
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] 9:45am up 10 days, 7:56, 5 users
[Samba] winbind/kerberos with multiple DCs fail to authenticate.
While testing the latest Samba 3.0.0beta3, I notice that if I don't specify a password server winbind appears to look it up via DNS, and with two DCs, picks one. However, my krb5.conf specifies a particular Kerberos server (one of the two DCs), and so occasionally, winbind will pick the first DC, and kerberos uses the other.

When this happens, I can't seem to connect to any shares on the Samba servers, and also can't authenticate against the domain. Once I set the 'password server' directive to reflect the same DC as in my krb5.conf file, everything works fine.

Is this expected behaviour, or am I missing something that would make it possible for me to specify both DCs in both my smb.conf and krb5.conf configs? Does it even matter if Kerberos uses the first DC, and winbind uses the other? Or is that just a red herring?

I know that I can specify both servers in both my password server list and krb5.conf, but that's still no guarantee that they'll both pick the same server each time.

-- 
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[gambit.enfusion-group.com] 9:03pm up 57 days, 22:40, 10 users
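Both of the threads above come down to how a domain member finds its DCs once it cannot (or is told not to) use the NetBIOS #1C name: the 'disable netbios = yes' log shows the WINS and broadcast methods refusing and the DNS path being handed an empty name, and the krb5.conf question is about winbind and the Kerberos library each choosing a DC on their own. The example below is added here and is not code from the posts or from Samba. It does what a DNS-only client has to do, order the SRV records for the realm per RFC 2782 and try them in that order, and then checks that the servers pinned in smb.conf 'password server' or krb5.conf 'kdc' lines match what DNS advertises, which is the check that would have caught the single-KDC krb5.conf against a two-DC DNS answer. The SRV records are constructed to resemble answers for _ldap._tcp.dc._msdcs.GENOSHA.ENFUSION-GROUP.COM and no DNS query is made; srv_order(), hosts_missing_from() and the LCG are hypothetical helpers.

```c
/* Added example, not code from the posts or from Samba: DNS-only DC location
 * (RFC 2782 SRV ordering) plus a consistency check between DNS and the servers
 * pinned in smb.conf / krb5.conf. Records below are constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct srv { int priority; int weight; int port; const char *target; };

/* Constructed 'dig +short SRV _ldap._tcp.dc._msdcs.<realm>' style answers:
 * two DCs at equal priority and weight, as in the thread's domain. */
static const struct srv DC_SRV[] = {
    { 0, 100, 389, "beast.genosha.enfusion-group.com" },
    { 0, 100, 389, "nightcrawler.genosha.enfusion-group.com" },
};
#define N_DC (sizeof DC_SRV / sizeof DC_SRV[0])

/* Tiny deterministic PRNG so the weighted choice is reproducible in tests. */
static unsigned lcg(unsigned *state)
{
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fff;
}

/* RFC 2782 ordering: lowest priority first; within one priority each next
 * entry is picked with probability proportional to its weight. Fills out[0..n).
 * Supports up to 64 records (enough for any realistic _msdcs answer). */
void srv_order(const struct srv *in, size_t n, const struct srv **out, unsigned seed)
{
    int used[64] = {0};
    if (n > 64) n = 64;
    for (size_t done = 0; done < n; done++) {
        int prio = -1;                           /* lowest unused priority */
        for (size_t i = 0; i < n; i++)
            if (!used[i] && (prio < 0 || in[i].priority < prio)) prio = in[i].priority;
        int total = 0;                           /* remaining weight at that priority */
        for (size_t i = 0; i < n; i++)
            if (!used[i] && in[i].priority == prio) total += in[i].weight;
        int pick = total ? (int)(lcg(&seed) % (unsigned)total) : 0;
        int acc = 0;
        size_t chosen = n;
        for (size_t i = 0; i < n; i++) {
            if (used[i] || in[i].priority != prio) continue;
            if (chosen == n) chosen = i;         /* first candidate, used when total == 0 */
            acc += in[i].weight;
            if (pick < acc) { chosen = i; break; }
        }
        used[chosen] = 1;
        out[done] = &in[chosen];
    }
}

/* Count the DNS-advertised targets that a config's explicit server list does not
 * name (case-insensitive), storing up to cap of them in 'missing'. Run it with
 * krb5.conf's 'kdc' hosts to find DCs winbind may be handed by DNS that the
 * Kerberos library was never told about, or with 'password server' to find
 * typos and retired DCs. */
size_t hosts_missing_from(const struct srv *dns, size_t n,
                          const char *const *cfg, size_t ncfg,
                          const char **missing, size_t cap)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        int found = 0;
        for (size_t j = 0; j < ncfg && !found; j++)
            found = strcasecmp(dns[i].target, cfg[j]) == 0;
        if (!found) {
            if (count < cap) missing[count] = dns[i].target;
            count++;
        }
    }
    return count;
}

int main(void)
{
    const struct srv *ordered[N_DC];
    srv_order(DC_SRV, N_DC, ordered, 7u);
    printf("DC try order from DNS:\n");
    for (size_t i = 0; i < N_DC; i++)
        printf("  %s:%d\n", ordered[i]->target, ordered[i]->port);

    /* The krb5.conf in the thread pinned one kdc while smb.conf used DNS. */
    const char *kdc_pinned[] = { "beast.genosha.enfusion-group.com" };
    const char *missing[N_DC];
    size_t n = hosts_missing_from(DC_SRV, N_DC, kdc_pinned, 1, missing, N_DC);
    for (size_t i = 0; i < n && i < N_DC; i++)
        printf("DNS advertises %s but krb5.conf lists no kdc for it\n", missing[i]);
    return 0;
}
```

Whichever side you pin, pin the same set on both: either list every DC as a kdc in krb5.conf (or let the Kerberos library use _kerberos._tcp SRV records) and leave 'password server' unset, or pin the same hosts in both files. A single pinned KDC beside a DNS-chosen DC is the configuration the third thread describes, and the check above reports it before it bites.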
[Samba] winbind stops authenticating until a restart.
About a month ago, I setup a Windows 2000 native-mode domain, and had a couple of Linux machines join the active directory. I followed the steps outlined in the Samba 3.0 docs regarding winbind/PAM/NSS. The machines joined the domain fine, and 'wbinfo -t', as well as 'wbinfo -u/-g' and 'getent passwd/group' return expected results. Connecting from other Windows clients in the domain with NetBIOS off works as expected.

The problem I have is every day or so, all of a sudden, winbind/PAM just stops authenticating users. At this point in time, 'wbinfo -u' still succeeds but both 'wbinfo -u/-g' and 'getent passwd/group' return absolutely no results. Once I restart winbindd, everything works fine again. This has been happening for about a month, almost every day, starting with Samba 3.0.0beta1, and now still with 3.0.0beta3.

I've got (among other settings):

        security = ads
        realm = GENOSHA.ENFUSION-GROUP.COM
        password server = beast.genosha.enfusion-group.com
        obey pam restrictions = yes
        idmap uid = 1-2
        idmap gid = 1-2
        winbind separator = +
        domain master = no
        local master = no

My setup is as follows: 2 Windows 2000 DCs, and two Linux servers, one running RH 8.0 with kernel 2.4.20 and Samba 3.0.0beta3, the other running Debian Sid, with kernel 2.6.0-test1 (has been running 2.4.18) and Samba 3.0.0beta2. Both Linux boxes exhibit the exact same symptoms and failures.

After the latest failure tonight, I ran 'wbinfo --sequence' after which point I was again able to query domain users and groups without having to do a full restart of winbindd.

Can anyone offer any advice as to what would be useful in troubleshooting this problem? I've turned the debug level up on winbind, and have some logs from a failure with the debug level up, but they're quite long. If they'd be helpful, I can post a URL.

Thanks!

-- 
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[gambit.enfusion-group.com] 8:38pm up 57 days, 22:15, 10 users
[Samba] Possible memory leak password.c/pass_check_smb().
Hi!

I'm running Samba 2.2.3a with a whole bunch of Windows XP clients, and have been noticing that Samba has been consuming all available memory resources if left unchecked for about a week.

After some digging, and correlating the following messages in my logs:

[2002/04/07 19:42:17, 1] smbd/password.c:pass_check_smb(555)
  Couldn't find user 'nobody' in passdb.

I decided to put 'nobody' in my smbpasswd file. After doing that, the leak seems to have gone away.

On further inspection, looking at source/smbd/password.c close to line 555:

[...]
BOOL pass_check_smb...
[..]
	/* get the account information */
	pdb_init_sam(&sampass);
	if (!pdb_getsampwnam(sampass, user)) {
		DEBUG(1,("Couldn't find user '%s' in passdb.\n", user));
		return(False);
	}
[...]

It looks like pdb_init_sam() is called which actually malloc's memory, but never free's it, and returns. Not having looked at Samba code much, it is possible that this is free'd elsewhere, but it seems suspicious given my symptoms, and the fact that the rest of the code looks like:

	/* Quit if the account was disabled. */
	if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
		DEBUG(1,("Account for user '%s' was disabled.\n", user));
		pdb_free_sam(sampass);
		return(False);
	}

	if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) {
		if (lp_null_passwords()) {
			DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user));
			pdb_free_sam(sampass);
			return(True);
		} else {
			DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user));
			pdb_free_sam(sampass);
			return(False);
		}
	}

	if (smb_password_ok(sampass, chal, lm_pwd, nt_pwd)) {
		pdb_free_sam(sampass);
		return(True);
	}

	DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user));
	pdb_free_sam(sampass);
	return False;

-- 
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 15 days, 7:45, 8 users
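The pattern the post points at, as an added example that is not code from the post or from Samba 2.2.3a: every later exit in pass_check_smb() pairs its return with pdb_free_sam(), but the "user not found" exit does not, so each failed lookup for an account absent from the passdb (here 'nobody', which guest-style access from many XP clients can hit continuously) leaks one SAM_ACCOUNT. The model below makes the leak measurable with a live-allocation counter and shows the single-exit rewrite that removes the whole class of bug. SAM_ACCOUNT, the pdb_* stubs, smb_password_ok() and leaked_after() are stand-ins written for this example, not Samba's real API; the passdb contents and the "correct" password are constructed.

```c
/* Added example, not code from the post or from Samba. Models the early return
 * the poster flagged and counts live allocations so the leak is observable,
 * then shows the usual single-exit fix. All pdb_* functions are stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int BOOL;
#define True 1
#define False 0

typedef struct { char username[64]; unsigned acct_ctrl; } SAM_ACCOUNT;
#define ACB_DISABLED 0x0001

static int live_allocs;   /* incremented by pdb_init_sam, decremented by pdb_free_sam */

/* Stand-in for pdb_init_sam(): allocates the account object the caller must free. */
static BOOL pdb_init_sam(SAM_ACCOUNT **acct)
{
    *acct = calloc(1, sizeof **acct);
    if (*acct) live_allocs++;
    return *acct != NULL;
}

static void pdb_free_sam(SAM_ACCOUNT *acct)
{
    if (acct) { live_allocs--; free(acct); }
}

/* Constructed passdb: "adrian" is a normal account, "disabled" is flagged
 * ACB_DISABLED, anything else (e.g. "nobody") is absent. */
static BOOL pdb_getsampwnam(SAM_ACCOUNT *acct, const char *user)
{
    if (strcmp(user, "adrian") == 0 || strcmp(user, "disabled") == 0) {
        snprintf(acct->username, sizeof acct->username, "%s", user);
        acct->acct_ctrl = strcmp(user, "disabled") == 0 ? ACB_DISABLED : 0;
        return True;
    }
    return False;
}

/* The real check compares LM/NT hashes against a challenge; out of scope here. */
static BOOL smb_password_ok(const SAM_ACCOUNT *acct, const char *pw)
{
    (void)acct;
    return strcmp(pw, "correct") == 0;
}

/* Shape of the 2.2.3a code as posted: the lookup-failure path returns without
 * freeing 'sampass', while every later path frees it. */
BOOL pass_check_smb_leaky(const char *user, const char *pw)
{
    SAM_ACCOUNT *sampass = NULL;
    if (!pdb_init_sam(&sampass)) return False;
    if (!pdb_getsampwnam(sampass, user)) {
        fprintf(stderr, "Couldn't find user '%s' in passdb.\n", user);
        return False;                          /* leak: sampass never freed */
    }
    if (sampass->acct_ctrl & ACB_DISABLED) { pdb_free_sam(sampass); return False; }
    if (smb_password_ok(sampass, pw))      { pdb_free_sam(sampass); return True; }
    pdb_free_sam(sampass);
    return False;
}

/* Single-exit version: every path after the allocation goes through 'out', so
 * the object is freed exactly once no matter which check fails. */
BOOL pass_check_smb_fixed(const char *user, const char *pw)
{
    SAM_ACCOUNT *sampass = NULL;
    BOOL ret = False;
    if (!pdb_init_sam(&sampass)) return False;   /* nothing allocated yet */
    if (!pdb_getsampwnam(sampass, user)) {
        fprintf(stderr, "Couldn't find user '%s' in passdb.\n", user);
        goto out;
    }
    if (sampass->acct_ctrl & ACB_DISABLED) goto out;
    ret = smb_password_ok(sampass, pw);
out:
    pdb_free_sam(sampass);
    return ret;
}

/* Drive a checker n times with an unknown user and report how many SAM_ACCOUNT
 * objects it left behind: n for the leaky version, 0 for the fixed one. */
int leaked_after(BOOL (*fn)(const char *, const char *), int n)
{
    int before = live_allocs;
    for (int i = 0; i < n; i++) fn("nobody", "x");
    return live_allocs - before;
}

int main(void)
{
    printf("leaky: %d objects leaked after 1000 lookups of 'nobody'\n",
           leaked_after(pass_check_smb_leaky, 1000));
    printf("fixed: %d objects leaked after 1000 lookups of 'nobody'\n",
           leaked_after(pass_check_smb_fixed, 1000));
    return 0;
}
```

The poster's workaround (adding 'nobody' to smbpasswd) makes the lookup succeed, so the leaking branch is simply no longer taken; it is a useful confirmation of the diagnosis but not a fix. A reviewer reading the posted fragment should also note that a leak on an unauthenticated, attacker-chosen path (any unknown username) is a remote resource-exhaustion issue, not just a housekeeping bug.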