Old 10-18-2006, 10:13 AM   #1
LQ Newbie
Registered: Aug 2006
Location: Nebraska
Distribution: RHEL 4, CentOS 4, Fedora 4&5
Posts: 5

Rep: Reputation: 0
Winbind and 2003 AD issue

I have a samba server, integrated with active directory, and for the most part, working great. The server is running RHEL4. (Samba 3.0.10-1.4E.9) I'm using the "idmap_rid" to maintain some semblance of order and consistency between all my samba servers as far as UID->SID mapping.

The issue I have been running into is that occasionally one or two user accounts can't access the samba shares. On further investigation, wbinfo can get all normal info for the user (SID, SID>UID, UID>SID, --user-sids, etc.) except the -r option. When I run wbinfo -r DOMAIN+username, I get the response: "Could not get groups for user DOMAIN+username". I can "su - DOMAIN+username" without issue.

In the samba log for the user's workstation, I get the following:

[2006/10/18 08:59:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
make_server_info_from_pw failed!

This can happen seemingly randomly. It also doesn't happen often, about 1 user or so every couple weeks. The only method I've discovered to fix it is to stop winbind and delete the winbindd_cache.tdb and winbindd_idmap.tdb files. When I restart winbind, everything is good to go again, sometimes. I have one user now that this fix does not work for.

One item to note: The only consistency between the users this has affected is that they are also members of groups from trusted domains within our AD forest.

My winbind settings in the smb.conf:

winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%U
idmap uid = 1000000-3000000
idmap gid = 1000000-3000000
idmap backend = idmap_rid:DOMAIN=1000000-3000000
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
realm = DOMAIN

Any thoughts or suggestions are greatly appreciated.

Last edited by jgeiger; 10-18-2006 at 10:54 AM.
Old 10-27-2006, 01:01 AM   #2
LQ Newbie
Registered: Aug 2006
Location: Nebraska
Distribution: RHEL 4, CentOS 4, Fedora 4&5
Posts: 5

Original Poster
Rep: Reputation: 0
I had previously thought that only the winbindd_*.tdb files had anything to do with the winbind AD mappings. Following an old tip I found on the web, I killed winbind, deleted the netsamlogon_cache.tdb file, and restarted winbind. At that point the accounts came back to life, as near as I can tell. (I can at least enumerate group memberships for those users using wbinfo -r, which was a symptom of the problem before.)

It's got me stumped.


samba, winbind
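
A check for the symptom described in this thread, as an added example that is not part of the original posts: it flags accounts that winbind can resolve to a SID but whose group lookup (wbinfo -r) fails, so affected users are found before they report a share they cannot reach. The function names, the WBINFO override and the --scan switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect accounts where name-to-SID lookup works but
# "wbinfo -r" (group membership) fails, the symptom reported in the thread.
# WBINFO can be overridden (assumption of this example) to test without a domain.
WBINFO="${WBINFO:-wbinfo}"

# check_user NAME -> prints one of: ok | groups-failed | unknown-user
check_user() {
    if ! $WBINFO -n "$1" >/dev/null 2>&1 </dev/null; then
        echo "unknown-user"        # winbind cannot resolve the name at all
    elif ! $WBINFO -r "$1" >/dev/null 2>&1 </dev/null; then
        echo "groups-failed"       # resolves, but group lookup fails
    else
        echo "ok"
    fi
}

# scan_users: reads account names (one per line, e.g. DOMAIN+username) on
# stdin, prints the names whose group lookup fails, returns 1 if any were found.
scan_users() {
    bad=0
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        if [ "$(check_user "$user")" = "groups-failed" ]; then
            echo "$user"
            bad=1
        fi
    done
    return "$bad"
}

# With --scan, check every account winbind enumerates
# (relies on "winbind enum users = yes", as in the posted smb.conf).
if [ "${1:-}" = "--scan" ]; then
    $WBINFO -u | scan_users
fi
```

Run with --scan from cron on each samba server; a non-zero exit status means at least one account was printed and needs attention.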
