winbindd on PDC - Samba



Thread: winbindd on PDC

  1. winbindd on PDC

    I'm reading through winbindd code. When we are PDC and want to run
    winbindd on the same machine to be able, for example, to run Squid
    with ntlm_auth helper, how to set up winbindd so that it actually
    works?

    From the code in winbindd_misc.c and winbindd_cm.c I see that we
    intentionally mark our own (internal) domain as offline so that
    winbind's child wouldn't get into a loop with main winbindd. However,
    this means that it is unable to serve any requests that rely on this
    child's domain (our own domain) that require connection to the netlogon
    share, and wbinfo -t, wbinfo -a don't work, reporting
    NT_STATUS_NO_LOGON_SERVERS from init_dc_connection() (because
    domain->online is false there).

    What am I missing here? Is it at all possible to have samba/squid on
    one box that serves as PDC?
    --
    / Alexander Bokovoy


  2. Re: winbindd on PDC

    On Sunday 25 May 2008 11:46:48 am Alexander Bokovoy wrote:
    > I'm reading through winbindd code. When we are PDC and want to run
    > winbindd on the same machine to be able, for example, to run Squid
    > with ntlm_auth helper, how to set up winbindd so that it actually
    > works?
    >
    > From the code in winbindd_misc.c and winbindd_cm.c I see that we
    > intentionally mark our own (internal) domain as offline so that
    > winbind's child wouldn't get into a loop with main winbindd. However,
    > this means that it is unable to serve any requests that rely on this
    > child's domain (our own domain) that require connection to the netlogon
    > share, and wbinfo -t, wbinfo -a don't work, reporting
    > NT_STATUS_NO_LOGON_SERVERS from init_dc_connection() (because
    > domain->online is false there).
    >
    > What am I missing here? Is it at all possible to have samba/squid on
    > one box that serves as PDC?


    Alexander,

    Thanks for asking these questions. I've been trying to help someone who has
    complained that winbind is broken because of the behavior you have pointed
    out.

    When I tried the commands he claims are not working I can reproduce this on my
    system too. At a very minimum we must document this behavior to avoid
    further confusion.

    The following is executed on my PDC:

    # wbinfo -t
    checking the trust secret via RPC calls failed
    error code was (0x0)
    Could not check secret


    # wbinfo -i joeuser
    Could not get info for user joeuser


    # wbinfo -u
    Error looking up domain users


    # wbinfo -g
    Error looking up domain groups


    Note: Immediately following restarting of winbindd I get:

    # wbinfo -g
    BUILTIN\administrators
    BUILTIN\users
    BUILTIN\power users
    BUILTIN\print operators
    BUILTIN\guests


    # wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
    Could not check secret


    Asking what is our domain name works:

    # wbinfo --own-domain
    MIDEARTH


    So this means that initially winbind behaves differently from when it has been
    running for a few hours, and some commands can be used to query the PDC from
    itself, yet other commands fail. Why do we have this inconsistency?


    What do we have the following command line arguments for:

    --allocate-uid
    --allocate-gid

    When and how do we expect to use them? It is not obvious from the man page,
    nor from the help messages.

    Winbind appears to be SID centric, but then executing "wbinfo -r joeuser"
    yields:
    513
    20
    6
    512
    1009

    These appear to be the GIDs joeuser belongs to in the POSIX subsystem, not
    the SIDs of the groups he belongs to.

    Can someone help me to understand what winbind is designed to do so I can
    document it better? If winbind's behavior is not as it should be, what can I
    do to help so we can fix it?

    - John T.
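    As an added example (not code from this thread or from Samba), here is a small Python check that parses captured wbinfo output in the shape of the transcripts above and flags the inconsistency John describes: winbindd answering locally while the trust check or enumeration for its own domain fails. The sample captures are constructed from those transcripts, and the wording of a successful wbinfo -t ("succeeded") is assumed.

```python
import re

# Constructed sample captures, modelled on the transcripts posted above.
AFTER_HOURS = {
    "wbinfo -t": "checking the trust secret via RPC calls failed\n"
                 "error code was (0x0)\nCould not check secret\n",
    "wbinfo -g": "Error looking up domain groups\n",
    "wbinfo --own-domain": "MIDEARTH\n",
}
AFTER_RESTART = {
    "wbinfo -t": "checking the trust secret via RPC calls failed\n"
                 "error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)\n"
                 "Could not check secret\n",
    "wbinfo -g": "BUILTIN\\administrators\nBUILTIN\\users\n",
    "wbinfo --own-domain": "MIDEARTH\n",
}
# Matches "error code was (0x0)" and "error code was NT_STATUS_X (0xc0000233)".
STATUS_RE = re.compile(r"error code was (?:(NT_STATUS_\w+) )?\((0x[0-9a-fA-F]+)\)")

def parse_trust_check(text):
    """Parse `wbinfo -t` output into (ok, nt_status_name, numeric_code)."""
    if "succeeded" in text:  # success wording is assumed, not shown in the thread
        return True, "NT_STATUS_OK", 0
    m = STATUS_RE.search(text)
    if not m:
        return False, None, None
    return False, m.group(1), int(m.group(2), 16)

def parse_listing(text):
    """Return the names `wbinfo -u`/`-g` printed, or None if it reported an error."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if any(ln.startswith(("Error", "Could not")) for ln in lines):
        return None
    return lines

def diagnose(captures):
    """Turn one PDC's captures into findings; empty list means winbind looks healthy."""
    findings = []
    own = captures.get("wbinfo --own-domain", "").strip()
    ok, status, code = parse_trust_check(captures.get("wbinfo -t", ""))
    groups = parse_listing(captures.get("wbinfo -g", ""))
    if own and not ok:
        # winbindd answers locally but cannot reach a DC for its own domain,
        # the "own domain marked offline" behaviour described in the thread.
        detail = f"{status or 'no NT_STATUS name'} ({code:#x})" if code is not None else "unparsed"
        findings.append(f"trust check for {own} failed: {detail}")
    if own and groups is None:
        findings.append("group enumeration failed while winbindd still answers")
    elif groups and not ok:
        findings.append("enumeration works but trust check fails (fresh restart?)")
    return findings
```

    Run periodically (after restart and again hours later) the two findings lists differ exactly as John's transcripts do, which makes the degradation visible without reading raw wbinfo output.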


  3. Re: winbindd on PDC

    On Sun, 2008-05-25 at 20:46 +0400, Alexander Bokovoy wrote:
    > I'm reading through winbindd code. When we are PDC and want to run
    > winbindd on the same machine to be able, for example, to run Squid
    > with ntlm_auth helper, how to set up winbindd so that it actually
    > works?
    >
    > From the code in winbindd_misc.c and winbindd_cm.c I see that we
    > intentionally mark our own (internal) domain as offline so that
    > winbind's child wouldn't get into a loop with main winbindd. However,
    > this means that it is unable to serve any requests that rely on this
    > child's domain (our own domain) that require connection to the netlogon
    > share, and wbinfo -t, wbinfo -a don't work, reporting
    > NT_STATUS_NO_LOGON_SERVERS from init_dc_connection() (because
    > domain->online is false there).
    >
    > What am I missing here? Is it at all possible to have samba/squid on
    > one box that serves as PDC?


    Alexander,
    what Samba version is this?

    We did quite some work to fix exactly this problem after 3.0.28.

    Simo.

    --
    Simo Sorce
    Samba Team GPL Compliance Officer
    Senior Software Engineer at Red Hat Inc.


  4. Re: winbindd on PDC

    On Sunday 25 May 2008 08:10:01 pm simo wrote:
    > On Sun, 2008-05-25 at 20:46 +0400, Alexander Bokovoy wrote:
    > > I'm reading through winbindd code. When we are PDC and want to run
    > > winbindd on the same machine to be able, for example, to run Squid
    > > with ntlm_auth helper, how to set up winbindd so that it actually
    > > works?
    > >
    > > From the code in winbindd_misc.c and winbindd_cm.c I see that we
    > > intentionally mark our own (internal) domain as offline so that
    > > winbind's child wouldn't get into a loop with main winbindd. However,
    > > this means that it is unable to serve any requests that rely on this
    > > child's domain (our own domain) that require connection to the netlogon
    > > share, and wbinfo -t, wbinfo -a don't work, reporting
    > > NT_STATUS_NO_LOGON_SERVERS from init_dc_connection() (because
    > > domain->online is false there).
    > >
    > > What am I missing here? Is it at all possible to have samba/squid on
    > > one box that serves as PDC?
    >
    > Alexander,
    > what Samba version is this?
    >
    > We did quite some work to fix exactly this problem after 3.0.28.


    Simo,

    Just FYI - I am using 3.0.29 (just released).

    - John T.


  5. Re: winbindd on PDC

    2008/5/26 simo :
    > On Sun, 2008-05-25 at 20:46 +0400, Alexander Bokovoy wrote:
    >> I'm reading through winbindd code. When we are PDC and want to run
    >> winbindd on the same machine to be able, for example, to run Squid
    >> with ntlm_auth helper, how to set up winbindd so that it actually
    >> works?
    >>
    >> From the code in winbindd_misc.c and winbindd_cm.c I see that we
    >> intentionally mark our own (internal) domain as offline so that
    >> winbind's child wouldn't get into a loop with main winbindd. However,
    >> this means that it is unable to serve any requests that rely on this
    >> child's domain (our own domain) that require connection to the netlogon
    >> share, and wbinfo -t, wbinfo -a don't work, reporting
    >> NT_STATUS_NO_LOGON_SERVERS from init_dc_connection() (because
    >> domain->online is false there).
    >>
    >> What am I missing here? Is it at all possible to have samba/squid on
    >> one box that serves as PDC?
    >
    > Alexander,
    > what Samba version is this?
    >
    > We did quite some work to fix exactly this problem after 3.0.28.

    As John said, it is 3.0.29. In fact, in my case it is 3-0-test.
    --
    / Alexander Bokovoy


  6. Re: winbindd on PDC

    Added #5489 to Samba Bugzilla to track the status of this bug.

    2008/5/26 Alexander Bokovoy :
    > 2008/5/26 simo :
    >> On Sun, 2008-05-25 at 20:46 +0400, Alexander Bokovoy wrote:
    >>> I'm reading through winbindd code. When we are PDC and want to run
    >>> winbindd on the same machine to be able, for example, to run Squid
    >>> with ntlm_auth helper, how to set up winbindd so that it actually
    >>> works?
    >>>
    >>> From the code in winbindd_misc.c and winbindd_cm.c I see that we
    >>> intentionally mark our own (internal) domain as offline so that
    >>> winbind's child wouldn't get into a loop with main winbindd. However,
    >>> this means that it is unable to serve any requests that rely on this
    >>> child's domain (our own domain) that require connection to the netlogon
    >>> share, and wbinfo -t, wbinfo -a don't work, reporting
    >>> NT_STATUS_NO_LOGON_SERVERS from init_dc_connection() (because
    >>> domain->online is false there).
    >>>
    >>> What am I missing here? Is it at all possible to have samba/squid on
    >>> one box that serves as PDC?
    >>
    >> Alexander,
    >> what Samba version is this?
    >>
    >> We did quite some work to fix exactly this problem after 3.0.28.
    >
    > As John said, it is 3.0.29. In fact, in my case it is 3-0-test.


    --
    / Alexander Bokovoy

