
jgeiger 10-18-2006 11:13 AM

Winbind and 2003 AD issue
I have a samba server, integrated with active directory, and for the most part, working great. The server is running RHEL4. (Samba 3.0.10-1.4E.9) I'm using the "idmap_rid" to maintain some semblance of order and consistency between all my samba servers as far as UID->SID mapping.

The issue I have been running into is that occasionally one or two user accounts can't access the samba shares. On further investigation, wbinfo can get all normal info for the user (SID, SID->UID, UID->SID, --user-sids, etc.) except the -r option. When I run wbinfo -r DOMAIN+username, I get the response: "Could not get groups for user DOMAIN+username". I can "su - DOMAIN+username" without issue.

In the samba log for the user's workstation, I get the following:

[2006/10/18 08:59:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
make_server_info_from_pw failed!

This can happen seemingly randomly. It also doesn't happen often, about 1 user or so every couple of weeks. The only method I've discovered to fix it is to stop winbind and delete the winbindd_cache.tdb and winbindd_idmap.tdb files. When I restart winbind, everything is good to go again, sometimes. I have one user now that this fix does not work for.

One item to note: The only consistency between the users this has affected is that they are also members of groups from trusted domains within our AD forest.

My winbind settings in the smb.conf:

winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%U
idmap uid = 1000000-3000000
idmap gid = 1000000-3000000
idmap backend = idmap_rid:DOMAIN=1000000-3000000
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
realm = DOMAIN

Any thoughts or suggestions are greatly appreciated.
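As an added illustration (not code from this thread or from Samba), the following Python models the idmap_rid arithmetic behind the smb.conf above. It assumes the documented idmap_rid rule ID = LOW_ID + RID (base RID 0) and that only SIDs from the single configured domain can be mapped; the DOMAIN SID is a constructed placeholder, and the group-SID check mirrors what wbinfo -r needs (every group SID must yield a GID).

```python
"""Model of idmap_rid UID/GID mapping for the smb.conf range in the thread."""
import re

# From "idmap backend = idmap_rid:DOMAIN=1000000-3000000" in the post.
IDMAP_LOW = 1000000
IDMAP_HIGH = 3000000
# Constructed placeholder for the DOMAIN SID; the thread does not give one.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Return (domain_sid, rid) for a well-formed account SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_id(sid, domain_sid=DOMAIN_SID, low=IDMAP_LOW, high=IDMAP_HIGH):
    """idmap_rid rule (assumed): id = low + rid, for the configured domain only.

    Returns None when this config cannot produce an id: the SID belongs to
    another (e.g. trusted) domain, or the result falls outside the range.
    """
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def id_to_sid(unix_id, domain_sid=DOMAIN_SID, low=IDMAP_LOW, high=IDMAP_HIGH):
    """Reverse mapping: only ids inside the configured range have a SID."""
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id - low}"


def unmappable_group_sids(group_sids, **kw):
    """Return the group SIDs that this idmap config cannot turn into GIDs.

    A non-empty result is the situation in which group lookup (wbinfo -r)
    cannot be fully satisfied for the user.
    """
    return [s for s in group_sids if sid_to_id(s, **kw) is None]
```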

jgeiger 10-27-2006 02:01 AM

I had previously thought that only the winbindd_*.tdb files had anything to do with the winbind AD mappings. Following an old tip I found on the web, I killed winbind, deleted the netsamlogon_cache.tdb file, and restarted winbind. At that point the accounts came back to life, as near as I can tell. (I can at least enumerate group memberships for those users using wbinfo -r, which was a symptom of the problem before.)

It's got me stumped.
