Bug 878564
Summary: | IPA trust cannot always lookup AD users with wbinfo | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
Component: | samba4 | Assignee: | Andreas Schneider <asn> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.4 | CC: | gdeschner, sbose, syeghiay |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | samba4-4.0.0-48.el6.rc4 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-21 08:46:18 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 886216 |
Description
Scott Poore
2012-11-20 17:02:24 UTC
So, since I was not able to reproduce this on a consistent basis, is there a better way I could reproduce/verify this than using wbinfo? Rebooting the AD always triggered the issue for me. Ok, I was able to reproduce this by rebooting AD AND waiting: [root@rhel6-1 yum.repos.d]# rpm -qa samba4 samba4-4.0.0-44.el6.rc4.x86_64 [root@rhel6-1 yum.repos.d]# wbinfo -n "ADTESTDOM\$RANDOM" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name ADTESTDOM$RANDOM [root@rhel6-1 yum.repos.d]# wbinfo -n "ADTESTDOM\testuser2" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name ADTESTDOM\testuser2 [root@rhel6-1 yum.repos.d]# wbinfo -n "ADTESTDOM\testuser2" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name ADTESTDOM\testuser2 On fixed version after AD reboot: [root@rhel6-2 ~]# rpm -q samba4-client samba4-client-4.0.0-48.el6.rc4.x86_64 [root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\$RANDOM" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name ADTESTDOM$RANDOM [root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\testuser2" S-1-5-21-1246088475-3077293710-2580964704-1133 SID_USER (1) [root@rhel6-2 ~]# sleep 900 ; wbinfo -n "ADTESTDOM\testuser2" S-1-5-21-1246088475-3077293710-2580964704-1133 SID_USER (1) Is there also something in the log I can search for? I think it is ok to just see that wbinfo is working again. In the logs (with debug level 10 or higher) you should only see messages from cm_connect_lsa_tcp() but no from cm_connect_lsa(). In in old version if cm_connect_lsa_tcp() failed due to some connection issues cm_connect_lsa() was directly used as a fallback on the new connection. With the patches cm_connect_lsa_tcp() is tried again if the connection is restablished and so you shouldn't see any message from cm_connect_lsa(). Sorry, please look for messages from cm_prepare_connection() in the logs instead of cm_connect_lsa(). Is it possible that I wouldn't see it for every failure? I'm just trying to finish [root@rhel6-1 samba]# wbinfo -n "ADTESTDOM\adtestuser1" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name ADTESTDOM\adtestuser1 [root@rhel6-1 samba]# date Mon Dec 10 20:28:33 EST 2012 [root@rhel6-1 samba]# grep cm_prepare_connection log.wb-ADTESTDOM <snip/> [2012/12/10 20:02:25.271601, 10, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:965(cm_prepare_connection) cm_prepare_connection: falling back to anonymous connection for DC W2K8R2-1 [2012/12/10 20:02:25.279598, 5, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:969(cm_prepare_connection) Testing again I do see it: [2012/12/10 21:21:56.670091, 10, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:806(cm_prepare_connection) cm_prepare_connection: connecting to DC w2k8r2-1.adtestdom.com for domain ADTESTDOM [2012/12/10 21:21:56.671134, 3, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:597(cm_get_ipc_userpass) cm_get_ipc_userpass: No auth-user defined [2012/12/10 21:21:56.671200, 10, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:965(cm_prepare_connection) cm_prepare_connection: falling back to anonymous connection for DC w2k8r2-1.adtestdom.com As long as 'ADTESTDOM\adtestuser1' really exists on AD, wbinfo must never fail to lookup that user. I mean are there some cases where I wouldn't see the cm_prepare_connection messages when I do see failure to lookup a user that does exist? That's what I saw at first above. Sorry I didn't make that clear but, the first log entries I listed happened before the failed lookup I listed. Thanks Verified. Version :: samba4-4.0.0-48.el6.rc4.x86_64 Manual Test Results :: I've run wbinfo -n commands many times and so far I have seen no errors with the fixed version. As far as I am able to tell right now, this is verified. [root@rhel6-2 ~]# kinit admin Password for admin: [root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\adtestuser1" S-1-5-21-1246088475-3077293710-2580964704-1136 SID_USER (1) [root@rhel6-2 ~]# grep cm_prepare /var/log/samba/log.wb-ADTESTDOM [root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\adtestuser1" S-1-5-21-1246088475-3077293710-2580964704-1136 SID_USER (1) [root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\adtestuser2" S-1-5-21-1246088475-3077293710-2580964704-1138 SID_USER (1) [root@rhel6-2 ~]# for u in $(wbinfo -u); do echo "########### $u" ; wbinfo -n "$u"; done ########### ADTESTDOM\administrator S-1-5-21-1246088475-3077293710-2580964704-500 SID_USER (1) ########### ADTESTDOM\guest S-1-5-21-1246088475-3077293710-2580964704-501 SID_USER (1) ########### ADTESTDOM\krbtgt S-1-5-21-1246088475-3077293710-2580964704-502 SID_USER (1) ########### ADTESTDOM\abc S-1-5-21-1246088475-3077293710-2580964704-1105 SID_USER (1) ########### ADTESTDOM\anothertest S-1-5-21-1246088475-3077293710-2580964704-1119 SID_USER (1) ########### ADTESTDOM\testuser1 S-1-5-21-1246088475-3077293710-2580964704-1127 SID_USER (1) ########### ADTESTDOM\testuser2 S-1-5-21-1246088475-3077293710-2580964704-1133 SID_USER (1) ########### ADTESTDOM\adtestuser1 S-1-5-21-1246088475-3077293710-2580964704-1136 SID_USER (1) ########### ADTESTDOM\adtestuser2 S-1-5-21-1246088475-3077293710-2580964704-1138 SID_USER (1) ########### ADTESTDOM\adtestuser3 S-1-5-21-1246088475-3077293710-2580964704-1139 SID_USER (1) ########### ADTESTDOM\adtestuser4 S-1-5-21-1246088475-3077293710-2580964704-1140 SID_USER (1) ########### ADTESTDOM\adtestuser5 S-1-5-21-1246088475-3077293710-2580964704-1142 SID_USER (1) ########### ADTESTDOM\adtestuser10 S-1-5-21-1246088475-3077293710-2580964704-1148 SID_USER (1) ########### ADTESTDOM\adtestuser200 S-1-5-21-1246088475-3077293710-2580964704-1153 SID_USER (1) ########### ADTESTDOM\testrelm$ S-1-5-21-1246088475-3077293710-2580964704-1166 SID_USER (1) ########### ADTESTDOM\testrelm1$ S-1-5-21-1246088475-3077293710-2580964704-1167 SID_USER (1) ########### ADTESTDOM\testrelm2$ S-1-5-21-1246088475-3077293710-2580964704-1169 SID_USER (1) ########### ADTESTDOM\testuser3 S-1-5-21-1246088475-3077293710-2580964704-1170 SID_USER (1) ########### ADTESTDOM\testuser4 S-1-5-21-1246088475-3077293710-2580964704-1171 SID_USER (1) Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0506.html |