[Pkg-samba-maint] Bug#858601: Bug#858601: winbind: user authentication using windows domain fails after upgrade to 4.2.14+dfsg-0+deb8u4

Albert Dengg albert at fsfe.org
Thu Mar 30 21:50:24 UTC 2017


sorry for the late reply i was a bit busy and re-upgrading the
server is a slight problem as it is an actively used production
server where people need
On Thu, Mar 30, 2017 at 10:34:28PM +0200, Mathieu Parent wrote:
> Control: tag -1 + moreinfo
> 
> 2017-03-24 15:20 GMT+01:00 Mathieu Parent <math.parent at gmail.com>:
> > 2017-03-24 11:19 GMT+01:00 Albert Dengg <albert at fsfe.org>:
> >> Package: winbind
> >> Version: 2:4.2.14+dfsg-0+deb8u2
> >> Severity: important
> >>
> >> after upgrading winbind and samba to 4.2.14+dfsg-0+deb8u4, authentication of domain users using winbind
> >> does not work anymore:
> >> winbindd[8142]: [2017/03/24 10:20:10.040610,  0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
> >> winbindd[8142]:   Failed to find domain ''. Check connection to trusted domains!
> >>
> >> (getent did list at least users from winbind)
> >>
> >> the domain is specified in smbd.conf and it works as expected in 4.2.14+dfsg-0+deb8u2
> >
> > Please send us your smb.conf.
see attachment
(i changed the domain name to something neutral, but 
> >
> > What does "net ads testjoin" tell?
Join is OK
(and both 'getent passwd' as well as 'getent group' produce the
desired output)
> 
> Apart from the above. This looks very strange. Nothing was changed on
> the winbind side between those versions.
> 
> Are you able to use gdb and post the backtrace in this function
> (fill_grent) and find why dom_name is empty?
i tried to install samba-dbg and start winbindd using gdb.

however a breakpoint on fill_grent did not trigger for some reason
(i played around with follow-mode and tried both starting without
passing arguments as well as passing -i)

> 
> Is your smb.conf a symlink?
no

side note:
i downgraded initially to work around the problem and upgraded today
to do the test (with the same result), but a downgrade of the
following packages solved it again:
libnss-winbind
libpam-winbind
libsmbclient
libwbclient0
python-samba
samba
samba-common
samba-common-bin
samba-dbg
samba-dsdb-modules
samba-libs
samba-vfs-modules
winbind

regards,
albert
-------------- next part --------------
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]
    workgroup = SOMEDOMAIN
    server string = Samba Server Version %v
    security = ads
    realm = SOMEDOMAIN.LOCAL
    domain master = no
    local master = no
    preferred master = no
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    use sendfile = true
	 
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config SOMEDOMAIN : backend = rid
    idmap config SOMEDOMAIN : range = 10000-99999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U
    template shell = /bin/false
	 
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba/log.%m
    max log size = 50
    loglevel = 0

    ea support = yes
    acl check permissions = yes
    inherit acls =yes
    csc policy = disable
    store dos attributes = yes
    dos filemode = no
 
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes   
		 
#============================ Share Definitions ==============================
		 
[Individuell]
	comment = "Verzeichnis fuer Datenaustausch"
	path = /pools/share/Individuell
	read only = no
	browseable = yes
	guest ok = no
	delete readonly = yes
	vfs objects = acl_xattr shadow_copy2
	map acl inherit = Yes
	shadow: snapdir = .zfs/snapshot
	shadow: sort = desc
	shadow: format = %Y-%m-%d-%H%M
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = yes

[INSTALL]
	comment = "Div. Installer"
	path = /pools/share/INSTALL
	read only = no
	browseable = yes
	guest ok = no
	delete readonly = yes
	vfs objects = acl_xattr shadow_copy2
	map acl inherit = Yes
	shadow: snapdir = .zfs/snapshot
	shadow: sort = desc
	shadow: format = %Y-%m-%d-%H%M
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = yes

[backup]
	comment = "backup"
	path = /pools/share/backup
	read only = no
	browseable = yes
	guest ok = no
	delete readonly = yes
	vfs objects = acl_xattr shadow_copy2 streams_xattr
	streams_depot:directory = /pools/share/backup/.ads
	streams_depot:delete_lost = yes
	map acl inherit = Yes
	shadow: snapdir = .zfs/snapshot
	shadow: sort = desc
	shadow: format = %Y-%m-%d-%H%M
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = yes