Re: [Samba] winbindd using FQDN domain name now?

2003-10-07 Thread Adrian Chung
On Tue, Oct 07, 2003 at 08:35:41AM -0500, Gerald (Jerry) Carter wrote:
> Sorry for the delayed response...
> 
> Adrian Chung wrote:
> | As of RC3 and RC4, I've noticed that winbindd's wb_getpwuid function
> | is using the form , and
> | before, it was simply .
> 
> This is due to new code in smbd that grabs the domain name
> from the krb5 principal name.
> 
> | The net effect of what I'm seeing is that users which have a UNIX
> | account locally on the samba box and also a domain account are being
> | authenticated against the AD DC, but their UIDs are getting resolved
> | to the local UNIX UIDs rather than AD UIDs.
> 
> |
> | From XP SP1 boxes that are domain members:
> |
> | [2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
> |   [ 6453]: getpwnam genosha.enfusion-group.com-adrian
> | [2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
> |   no such domain: GENOSHA.ENFUSION
> | [2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
> |   [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-adrian
> | [2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
> |   no such domain: GENOSHA.ENFUSION
> 
> You have the winbind separator set to '-' don't you?
> The problem here is that you have a '-' in the realm name.

I sure did, changed it back to '+' and we're back in business.
Thanks!

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] up 5 days, 8:51, 2 users

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] winbindd using FQDN domain name now?

2003-09-15 Thread Adrian Chung
As of RC3 and RC4, I've noticed that winbindd's wb_getpwuid function
is using the form , and
before, it was simply .

The net effect of what I'm seeing is that users which have a UNIX
account locally on the samba box and also a domain account are being
authenticated against the AD DC, but their UIDs are getting resolved
to the local UNIX UIDs rather than AD UIDs.

Here's a snippet of the winbind log (level 5) from an XP Home box (not
a domain member):

[2003/09/15 15:46:49, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:46:49, 3] nsswitch/winbindd_ads.c:sequence_number(778)
  ads: fetch sequence_number for GENOSHA
[2003/09/15 15:46:49, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (objectclass=*) gave 1 replies
[2003/09/15 15:46:49, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/09/15 15:46:49, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=neil)([EMAIL PROTECTED])) gave 1 replies
[2003/09/15 15:46:49, 3] libads/ads_ldap.c:ads_name_to_sid(82)
  ads name_to_sid mapped neil
[2003/09/15 15:46:50, 3] nsswitch/winbindd_misc.c:winbindd_ping(208)
  [ 6439]: ping
[2003/09/15 15:46:50, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:46:50, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/09/15 15:46:50, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=neil)([EMAIL PROTECTED])) gave 1 replies

From XP SP1 boxes that are domain members:

[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam genosha.enfusion-group.com-adrian
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-adrian
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-ADRIAN
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:23, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)
  [ 6455]: request interface version
[2003/09/15 15:49:23, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
  [ 6455]: request location of privileged pipe
[2003/09/15 15:49:23, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 19, pid 6455: EOF
[2003/09/15 15:49:23, 3] nsswitch/winbindd_user.c:winbindd_getpwuid(213)
  [ 6455]: getpwuid 20007
[2003/09/15 15:49:23, 4] nsswitch/winbindd_acct.c:wb_getpwuid(413)
  wb_getpwuid: failed to locate uid == 20007

At this point, I'm authenticated as the UNIX UID and have access via
samba, but smbstatus shows the wrong username (the non-domain user).

Anyone know how I can fix this?

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] 3:55pm up 4 days, 17:09, 3 users
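The separator clash Jerry diagnoses in the reply above (the realm GENOSHA.ENFUSION-GROUP.COM itself contains the '-' that was configured as winbind separator), as an added C illustration that is not winbindd's code. parse_domain_user and separator_clashes are hypothetical helpers that mimic the split-at-first-separator behaviour the "no such domain: GENOSHA.ENFUSION" log lines show; the names and realm are taken from the posts.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added illustration, not winbindd's source: split "DOMAIN<sep>user" at the
 * FIRST occurrence of the separator, which is what the log lines above show
 * (GENOSHA.ENFUSION-GROUP.COM-adrian -> domain GENOSHA.ENFUSION). Returns 1
 * when a separator was found; otherwise domain is empty and user is the
 * whole name. The domain is upper-cased as the "no such domain" line shows. */
static int parse_domain_user(const char *name, char sep,
                             char *domain, size_t dlen, char *user, size_t ulen)
{
    const char *p = strchr(name, sep);
    size_t n, i;
    if (p == NULL) {
        domain[0] = '\0';
        snprintf(user, ulen, "%s", name);
        return 0;
    }
    n = (size_t)(p - name);
    if (n >= dlen) n = dlen - 1;
    memcpy(domain, name, n);
    domain[n] = '\0';
    for (i = 0; domain[i] != '\0'; i++)
        domain[i] = (char)toupper((unsigned char)domain[i]);
    snprintf(user, ulen, "%s", p + 1);
    return 1;
}

/* Configuration check: a separator that also occurs in the realm or the
 * workgroup makes "<realm><sep><user>" ambiguous. Returns 1 on a clash. */
static int separator_clashes(char sep, const char *realm, const char *workgroup)
{
    return strchr(realm, sep) != NULL || strchr(workgroup, sep) != NULL;
}

int main(void)
{
    const char *realm = "GENOSHA.ENFUSION-GROUP.COM";   /* values from the thread */
    char dom[64], usr[64];
    parse_domain_user("GENOSHA.ENFUSION-GROUP.COM-adrian", '-', dom, sizeof dom, usr, sizeof usr);
    printf("sep '-': domain=%s user=%s\n", dom, usr);
    parse_domain_user("GENOSHA.ENFUSION-GROUP.COM+adrian", '+', dom, sizeof dom, usr, sizeof usr);
    printf("sep '+': domain=%s user=%s\n", dom, usr);
    printf("clash with '-': %d, with '+': %d\n",
           separator_clashes('-', realm, "GENOSHA"), separator_clashes('+', realm, "GENOSHA"));
    return 0;
}
```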



[Samba] wbinfo fails with disable netbios = yes

2003-09-03 Thread Adrian Chung
I'm hoping someone can shed some light on this one.  Ever since beta3
I've been unable to get wbinfo to work properly.  I finally worked
around it today, and it seems that with the disable netbios = yes
parameter in my smb.conf file, I get no results.  Commenting out that
parameter seems to work fine.  It looks like the DNS queries for DCs
are unsuccessful without NetBIOS enabled.

I'm running samba-3.0.0rc2-rh8_2 from samba.org.

Here's my smb.conf file:

# Global parameters
[global]
workgroup = GENOSHA
realm = GENOSHA.ENFUSION-GROUP.COM
server string = Enfusion Group fileserver
interfaces = 192.168.100.10/24
security = ADS
password server = beast.genosha.enfusion-group.com nightcrawler.genosha.enfusion-group.com
client lanman auth = No
client plaintext auth = No
log level = 1
log file = /var/log/samba/log.%m
name resolve order = host wins bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
domain master = No
dns proxy = No
wins server = 192.168.100.6, 192.168.100.7
idmap uid = 1-2
idmap gid = 1-2
winbind separator = -
invalid users = root
hosts allow = 192.168.101., 192.168.100., 127.
hide unreadable = Yes
veto files = /lost+found/

with 'disable netbios = yes':

[2003/09/03 09:41:12, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(219)
  [31890]: request interface version
[2003/09/03 09:41:12, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(255)
  [31890]: request location of privileged pipe
[2003/09/03 09:41:12, 3] nsswitch/winbindd_misc.c:winbindd_show_sequence(153)
  [31890]: show sequence
[2003/09/03 09:41:12, 3] nsswitch/winbindd_ads.c:sequence_number(776)
  ads: fetch sequence_number for GENOSHA
[2003/09/03 09:41:12, 5] libsmb/namecache.c:namecache_fetch(195)
  no entry for #1C found.
[2003/09/03 09:41:12, 5] libsmb/namequery.c:resolve_hosts(899)
  resolve_hosts: Attempting to resolve DC's for  using DNS
 ^^ (no %s, "name"?)
[2003/09/03 09:41:12, 5] libsmb/namequery.c:resolve_wins(741)
  resolve_wins(#1c): netbios is disabled
[2003/09/03 09:41:12, 5] libsmb/namequery.c:name_resolve_bcast(679)
  name_resolve_bcast(#1c): netbios is disabled
[2003/09/03 09:41:12, 1] nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain GENOSHA failed: No such file or directory
[2003/09/03 09:41:12, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 17, pid 31890: EOF
[2003/09/03 09:41:12, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 18, pid 31890: EOF

[EMAIL PROTECTED] libsmb]# wbinfo --sequence
GENOSHA : DISCONNECTED
[EMAIL PROTECTED] libsmb]# wbinfo -u
Error looking up domain users
[EMAIL PROTECTED] libsmb]# wbinfo -g
Error looking up domain groups

with disable netbios = no:

[EMAIL PROTECTED] libsmb]# /etc/init.d/winbind restart
Shutting down Winbind services:[  OK  ]
Starting Winbind services: [  OK  ]
[EMAIL PROTECTED] libsmb]# wbinfo --sequence
GENOSHA : 113107
[EMAIL PROTECTED] libsmb]# wbinfo -u
GENOSHA-Administrator
GENOSHA-Guest
GENOSHA-TsInternetUser
GENOSHA-IUSR_BEAST
GENOSHA-IWAM_BEAST
GENOSHA-krbtgt
GENOSHA-__vmware_user__
GENOSHA-adrian
GENOSHA-kelly
GENOSHA-neil
GENOSHA-IUSR_W2K3-01-DC
GENOSHA-IWAM_W2K3-01-DC
GENOSHA-F925147A-88DD-4998-8
GENOSHA-anthony
GENOSHA-gamroot
[EMAIL PROTECTED] libsmb]# wbinfo -g
GENOSHA-DHCP Users
GENOSHA-DHCP Administrators
GENOSHA-Domain Computers
GENOSHA-Domain Controllers
GENOSHA-Schema Admins
GENOSHA-Enterprise Admins
GENOSHA-Cert Publishers
GENOSHA-Domain Admins
GENOSHA-Domain Users
GENOSHA-Domain Guests
GENOSHA-Group Policy Creator Owners
GENOSHA-RAS and IAS Servers
GENOSHA-DnsAdmins
GENOSHA-DnsUpdateProxy
GENOSHA-__vmware__
GENOSHA-Exchange Domain Servers
GENOSHA-Exchange Enterprise Servers
GENOSHA-_Web Anonymous Users
GENOSHA-_Web Applications
GENOSHA-IIS_WPG

Any ideas?

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] 9:45am up 10 days, 7:56, 5 users



[Samba] winbind/kerberos with multiple DCs fail to authenticate.

2003-07-20 Thread Adrian Chung
While testing the latest Samba3.0.0beta3, I notice that if I don't
specify a password server winbind appears to look it up via DNS, and
with two DCs, picks one.  However, my krb5.conf specifies a particular
Kerberos server (one of the two DCs), and so occasionally, winbind
will pick the first DC, and kerberos uses the other.

When this happens, I can't seem to connect to any shares on the Samba
servers, and also can't authenticate against the domain.

Once I set the 'password server' directive to reflect the same DC as
in my krb5.conf file, everything works fine.

Is this expected behaviour, or am I missing something that would make
it possible for me to specify both DCs in both my smb.conf and
krb5.conf configs?

Does it even matter if Kerberos uses the first DC, and winbind uses
the other?  Or is that just a red herring?

I know that I can specify both servers in both my password server list
and krb5.conf, but that's still no guarantee that they'll both pick
the same server each time.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[gambit.enfusion-group.com] 9:03pm up 57 days, 22:40, 10 users



[Samba] winbind stops authenticating until a restart.

2003-07-20 Thread Adrian Chung
About a month ago, I set up a Windows 2000 native-mode domain, and had
a couple of Linux machines join the active directory.  I followed the
steps outlined in the Samba 3.0 docs regarding winbind/PAM/NSS.  The
machines joined the domain fine, and 'wbinfo -t', as well as 'wbinfo
-u/-g' and 'getent passwd/group' return expected results.  Connecting
from other Windows clients in the domain with NetBIOS off works as
expected.

The problem I have is every day or so, all of a sudden, winbind/PAM
just stops authenticating users.  At this point in time, 'wbinfo -u'
still succeeds but both 'wbinfo -u/-g' and 'getent passwd/group'
return absolutely no results.

Once I restart winbindd, everything works fine again.  This has been
happening for about a month, almost every day, starting with Samba
3.0.0beta1, and now still with 3.0.0beta3.

I've got (among other settings):

  security = ads
  realm  = GENOSHA.ENFUSION-GROUP.COM
  password server = beast.genosha.enfusion-group.com
  obey pam restrictions = yes
  idmap uid = 1-2
  idmap gid = 1-2
  winbind separator = +
  domain master = no
  local master = no

My setup is as follows:  2 Windows 2000 DCs, and two Linux servers,
one running RH 8.0 with kernel 2.4.20 and Samba 3.0.0beta3, the other
running Debian Sid, with kernel 2.6.0-test1 (has been running 2.4.18)
and Samba 3.0.0beta2.  Both Linux boxes exhibit the exact same
symptoms and failures.

After the latest failure tonight, I ran 'wbinfo --sequence' after
which point I was again able to query domain users and groups without
having to do a full restart of winbindd.

Can anyone offer any advice as to what would be useful in
troubleshooting this problem?  I've turned the debug level up on
winbind, and have some logs from a failure with the debug level up,
but they're quite long.  If they'd be helpful, I can post a URL.

Thanks!

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[gambit.enfusion-group.com] 8:38pm up 57 days, 22:15, 10 users



[Samba] Possible memory leak password.c/pass_check_smb().

2002-04-07 Thread Adrian Chung

Hi!  I'm running Samba 2.2.3a with a whole bunch of Windows XP
clients, and have been noticing that Samba has been consuming all
available memory resources if left unchecked for about a week.

After some digging, and correlating the following messages in my logs:

[2002/04/07 19:42:17, 1] smbd/password.c:pass_check_smb(555)
  Couldn't find user 'nobody' in passdb.

I decided to put 'nobody' in my smbpasswd file.

After doing that, the leak seems to have gone away.

On further inspection, looking at source/smbd/password.c close to line
555:

[...]
BOOL pass_check_smb...
[...]
        /* get the account information */
        pdb_init_sam(&sampass);
        if (!pdb_getsampwnam(sampass, user)) {
                DEBUG(1,("Couldn't find user '%s' in passdb.\n", user));
                return(False);
        }
[...]

It looks like pdb_init_sam() is called, which actually mallocs memory,
but the code never frees it before it returns.

Not having looked at Samba code much, it is possible that this is
freed elsewhere, but it seems suspicious given my symptoms, and the
fact that the rest of the code looks like:

        /* Quit if the account was disabled. */
        if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
                DEBUG(1,("Account for user '%s' was disabled.\n", user));
                pdb_free_sam(sampass);
                return(False);
        }

        if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) {
                if (lp_null_passwords()) {
                        DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user));
                        pdb_free_sam(sampass);
                        return(True);
                } else {
                        DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user));
                        pdb_free_sam(sampass);
                        return(False);
                }
        }

        if (smb_password_ok(sampass, chal, lm_pwd, nt_pwd)) {
                pdb_free_sam(sampass);
                return(True);
        }

        DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user));

        pdb_free_sam(sampass);
        return False;

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 15 days, 7:45, 8 users
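The allocation pattern described in the post above, as an added C model that is not Samba's password.c: the pdb_* functions are stand-ins with the call shape quoted in the post, the passdb is a constructed one containing only the user "known", and a live-object counter takes the place of the memory growth observed. The block places the early-return leak beside a version that releases the account on the lookup-failure path and counts what each leaves behind after many failed lookups.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added model of the leak reported above, not Samba's password.c: the
 * pdb_* functions are stand-ins with the quoted call shape, and a
 * live-object counter stands in for the growing memory use observed. */
static int live_objects = 0;
typedef struct { const char *username; } sam_account;   /* stand-in SAM_ACCOUNT */
static int pdb_init_sam(sam_account **out)               /* allocates the account */
{
    if ((*out = calloc(1, sizeof **out)) == NULL) return 0;
    live_objects++;
    return 1;
}
static void pdb_free_sam(sam_account *s) { free(s); live_objects--; }
static int pdb_getsampwnam(sam_account *s, const char *user)
{
    if (strcmp(user, "known") != 0) return 0;   /* constructed passdb holds only "known" */
    s->username = user;
    return 1;
}
/* Shape of the quoted code: the lookup-failure path returns without
 * releasing the account that pdb_init_sam() just allocated. */
static int pass_check_leaky(const char *user)
{
    sam_account *sampass;
    if (!pdb_init_sam(&sampass)) return 0;
    if (!pdb_getsampwnam(sampass, user)) return 0;   /* leak: sampass never freed */
    pdb_free_sam(sampass);
    return 1;
}
static int pass_check_fixed(const char *user)   /* same logic, freed on the failure path too */
{
    sam_account *sampass;
    if (!pdb_init_sam(&sampass)) return 0;
    if (!pdb_getsampwnam(sampass, user)) { pdb_free_sam(sampass); return 0; }
    pdb_free_sam(sampass);
    return 1;
}
static int leaked_after(int (*check)(const char *), int n)   /* n failed logins; objects left live */
{
    int before = live_objects, i;
    for (i = 0; i < n; i++) check("nobody");
    return live_objects - before;
}
int main(void)
{
    printf("leaky: %d leaked, fixed: %d leaked\n",
           leaked_after(pass_check_leaky, 1000), leaked_after(pass_check_fixed, 1000));
    return 0;
}
```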

