Old 10-18-2006, 11:13 AM   #1
jgeiger
Winbind and 2003 AD issue


I have a samba server, integrated with active directory, and for the most part, working great. The server is running RHEL4. (Samba 3.0.10-1.4E.9) I'm using the "idmap_rid" to maintain some semblance of order and consistency between all my samba servers as far as UID->SID mapping.

The issue I have been running into is that occasionally one or two user accounts can't access the samba shares. On further investigation, wbinfo can get all normal info for the user (SID, SID>UID, UID>SID, --user-sids, etc.) except the -r option. When I run wbinfo -r DOMAIN+username, I get the response: "Could not get groups for user DOMAIN+username". I can "su - DOMAIN+username" without issue.

In the samba log for the user's workstation, I get the following:

[2006/10/18 08:59:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
make_server_info_from_pw failed!

This can happen seemingly randomly. It also doesn't happen often, about 1 user or so every couple weeks. The only method I've discovered to fix it is to stop winbind and delete the winbindd_cache.tdb and winbindd_idmap.tdb files. When I restart winbind, everything is good to go again, sometimes. I have one user now that this fix does not work for.

One item to note: The only consistency between the users this has affected is that they are also members of groups from trusted domains within our AD forest.

My winbind settings in the smb.conf:

winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%U
idmap uid = 1000000-3000000
idmap gid = 1000000-3000000
idmap backend = idmap_rid:DOMAIN=1000000-3000000
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
realm = DOMAIN


Any thoughts or suggestions are greatly appreciated.

Last edited by jgeiger; 10-18-2006 at 11:54 AM.
 
Old 10-27-2006, 02:01 AM   #2
jgeiger
I had previously thought that only the winbindd_*.tdb files had anything to do with the winbind AD mappings. Following an old tip I found on the web, I killed winbind, deleted the netsamlogon_cache.tdb file, and restarted winbind. At that point the accounts came back to life, as near as I can tell. (I can at least enumerate group memberships for those users using wbinfo -r, which was a symptom of the problem before.)

It's got me stumped.
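
An added example, not part of the thread: a scan of per-workstation smbd logs for the session-setup failure quoted in the first post, so affected clients can be found before users report them. The log names, every sample entry other than the one quoted in the post, and the function names parse_entries and find_failures are assumptions made for illustration.

```python
import re
from collections import Counter

# Header line of a Samba 3 log entry, in the format quoted in the post:
# [2006/10/18 08:59:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(?P<level>\d+)\] "
    r"(?P<src>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
SYMPTOM = "make_server_info_from_pw failed!"

def parse_entries(text):
    """Yield (header_fields, message); the message is every line up to the next header."""
    current, body = None, []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current is not None:
                yield current, "\n".join(body).strip()
            current, body = m.groupdict(), []
        elif current is not None:
            body.append(raw.strip())
    if current is not None:
        yield current, "\n".join(body).strip()

def find_failures(logs):
    """logs maps a per-workstation log name to its text; returns hits and a per-log count."""
    hits, per_log = [], Counter()
    for name, text in logs.items():
        for hdr, msg in parse_entries(text):
            if hdr["func"] == "reply_spnego_kerberos" and SYMPTOM in msg:
                hits.append((name, hdr["ts"]))
                per_log[name] += 1
    return sorted(hits, key=lambda h: h[1]), per_log

# Constructed sample input: only the first entry of log.ws-0142 is taken from the post.
SAMPLE_LOGS = {
    "log.ws-0142": (
        "[2006/10/18 08:59:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)\n"
        "  make_server_info_from_pw failed!\n"
        "[2006/10/18 09:01:10, 1] smbd/service.c:make_connection_snum(648)\n"
        "  ws-0142 connect to service share1\n"
    ),
    "log.ws-0207": (
        "[2006/10/18 09:05:02, 1] smbd/service.c:close_cnum(836)\n"
        "  ws-0207 closed connection to service share1\n"
    ),
}

if __name__ == "__main__":
    for name, ts in find_failures(SAMPLE_LOGS)[0]:
        print(f"{ts}  {name}  {SYMPTOM}")
```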
 
  


Tags
samba, winbind

