Unable to get winbind's "wbinfo -u" to return anything

I'm fairly new to winbind but the issue doesn't seem trivial so it may require more knowledge.

Basically, I was able to get a new install of winbind (samba3x) to join the domain without issue and the domain I'm worried about authenticating against is showing as "online" but it's not authenticating against AD:

# wbinfo --online-status
BUILTIN: online
PROFESSORCHAOS: online
EMPLOYEE: online
# wbinfo -u
# echo $?
0

Relevant portion of smb.conf:

workgroup = EMPLOYEE
realm = EMPLOYEE.NCAT.EDU
winbind enum users = yes
winbind enum groups = yes
security = ADS
encrypt passwords = yes
log level = 10
log file = /var/log/samba/%m
winbind separator = %
idmap uid = 98000-99000
idmap gid = 98000-99000
password server = ebryant.employee.ncat.edu

With the exception of some messages about descriptor limits and "idmap gid" being deprecated, testparm returns successfully. /var/log/samba/log.wb-EMPLOYEE mentions that a CLDAP query is timing out, which causes the operation to fail (but farther up in the same log file it shows successful LDAP connections to that box). It may be interesting to know that when trying to execute "net ads info jadavis6" it attempts to authenticate as "root@EMPLOYEE.NCAT.EDU" and errors with "client not found in database while getting initial credentials."

I'm able to netcat the server (by FQDN) on that port and it successfully connects at the TCP level. I'm also able to get regular Kerberos credentials by configuring /etc/krb5.conf for the domain. Commands "wbinfo -p" and "wbinfo -P" both return successfully most of the time, but "wbinfo -P" failed a net logon after I rebooted the box (wbinfo -p hasn't failed me yet).

Any help would be appreciated.

  • Joel

---------- Post updated 03-14-12 at 02:25 PM ---------- Previous update was 03-13-12 at 08:07 PM ----------

I re-joined the domain and it kept giving me the same issues, but while I was running strace on the "wbinfo -u" and "wbinfo -P" commands (to see what the lower-level differences were) it started inexplicably working. I'd like input on what might have been happening if anybody has any, but I now have getent entries from Active Directory showing up.

---------- Post updated at 03:01 PM ---------- Previous update was at 02:25 PM ----------

OK, the problem re-presented after restarting the winbind service; it looks like "wbinfo -u" is timing out when trying to read from a named pipe:

socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
connect(3, {sa_family=AF_FILE, path="/var/run/winbindd/pipe"}, 110) = 0
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 0) = 0 (Timeout)
write(3, "0\10\0\0\0\0\0\0\0\0\0\0S\v\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 2096
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout)
close(3)                                = 0
stat64("/usr/lib/samba/en_US.UTF-8.msg", 0xbf898740) = -1 ENOENT (No such file or directory)
write(2, "Error looking up domain users\n", 30) = 30
close(-1)                               = -1 EBADF (Bad file descriptor)
close(-1)                               = -1 EBADF (Bad file descriptor)
exit_group(1)                           = ?

But I can see in the strace of a "wbinfo -P" that it's able to use the same pipe without issue, so I'm willing to bet the pipe and how wbinfo is using it is fine, but there's something wrong on the winbindd end of things (i.e., my smb.conf configuration or DC availability). I've been able to netcat all the DCs that have SRV records underneath _kerberos._tcp.employee.ncat.edu and all appear to be listening on port 389.

I'm basically confused about how it seems to work but only some of the time. Either I've misconfigured something that's only occasionally correct or there's something going on at the DC end. Is there a reliable way to determine at least where the issue is?

Attaching a full copy of my smb.conf
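
The log quoted in the post reports a CLDAP query timing out while TCP connections to port 389 succeed; CLDAP is LDAP over UDP port 389, so a TCP netcat test does not exercise it. The following added example (not part of the original post and not Samba's code) builds the AD "LDAP ping" search request and sends it over UDP to one DC, so each DC can be checked separately. The function names and the NtVer value 0x6 are choices made for this sketch.

```python
import socket
import sys

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value=b""):
    return bytes([tag]) + ber_len(len(value)) + value

def eq(attr, val):
    # equalityMatch filter: context tag [3], constructed -> 0xA3
    return tlv(0xA3, tlv(0x04, attr) + tlv(0x04, val))

def build_cldap_ping(dns_domain, msg_id=1, nt_ver=0x6):
    """LDAP searchRequest on the rootDSE asking for the Netlogon attribute.
    msg_id must be 1..127 here (single-byte INTEGER)."""
    # nt_ver 0x6 = NETLOGON_NT_VERSION_5 | _5EX (assumed default for this sketch)
    flt = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode("ascii"))
                    + eq(b"NtVer", nt_ver.to_bytes(4, "little")))
    search = tlv(0x63,                     # [APPLICATION 3] SearchRequest
                 tlv(0x04)                 # baseObject "" (rootDSE)
                 + tlv(0x0A, b"\x00")      # scope: baseObject
                 + tlv(0x0A, b"\x00")      # derefAliases: never
                 + tlv(0x02, b"\x00")      # sizeLimit: 0
                 + tlv(0x02, b"\x00")      # timeLimit: 0
                 + tlv(0x01, b"\x00")      # typesOnly: false
                 + flt
                 + tlv(0x30, tlv(0x04, b"Netlogon")))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + search)

def cldap_ping(host, dns_domain, timeout=5.0):
    """Send the ping over UDP/389; return reply bytes, or None if none arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_cldap_ping(dns_domain), (host, 389))
            return s.recvfrom(4096)[0]
        except OSError:                    # timeout, resolution or network error
            return None

if __name__ == "__main__":
    host, domain = sys.argv[1:3]           # e.g. a DC's FQDN and the AD DNS domain
    reply = cldap_ping(host, domain)
    print(f"{host}: " + (f"{len(reply)}-byte reply" if reply else "no CLDAP reply"))
```

A DC that accepts TCP 389 but gives no reply here points at UDP 389 being filtered or dropped between the client and that DC.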