Bug 878564 – IPA trust cannot always lookup AD users with wbinfo

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 878564 - IPA trust cannot always lookup AD users with wbinfo

Summary:	IPA trust cannot always lookup AD users with wbinfo

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	samba4 (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Andreas Schneider
QA Contact:	Namita Soman
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	886216
	Show dependency tree / graph

Reported:	2012-11-20 12:02 EST by Scott Poore
Modified:	2013-02-21 03:46 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	samba4-4.0.0-48.el6.rc4
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 03:46:18 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Samba Project	9426	None	None	None	Never
Samba Project	9439	None	None	None	Never
Red Hat Product Errata	RHSA-2013:0506	normal	SHIPPED_LIVE	Moderate: samba4 security, bug fix and enhancement update	2013-02-20 16:30:25 EST

Groups: None (edit)

Description Scott Poore 2012-11-20 12:02:24 EST

Description of problem:

Winbind appears to have a problem looking up users occasionally or for some specific environments.  

[root@cypher log]# wbinfo -u
ADLAB\administrator
ADLAB\guest
ADLAB\krbtgt
ADLAB\fuser
ADLAB\steeve
ADLAB\tuser1
ADLAB\tuser2
ADLAB\nuser1
ADLAB\nuser2
ADLAB\tuser3
ADLAB\testrelm$
ADLAB\ipa1$
ADLAB\ipa3$
ADLAB\ipa4$
ADLAB\aduser1

[root@cypher log]# wbinfo -n "ADLAB\ipa1$"
S-1-5-21-3655990580-1375374850-1633065477-1169 SID_USER (1)

[root@cypher log]# wbinfo -n "ADLAB\tuser1"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADLAB\tuser1

[root@cypher log]# wbinfo -n "ADLAB\tuser3"
S-1-5-21-3655990580-1375374850-1633065477-1157 SID_USER (1)

[root@cypher log]# wbinfo -n "ADLAB\tuser2"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADLAB\tuser2

[root@cypher log]# wbinfo -n "ADLAB\tuser1"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADLAB\tuser1

When this happens, I see something like this in /var/log/samba/log.winbindd:

[2012/11/18 19:51:08.284832, 10, pid=5530, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:650(process_request)
  process_request: Handling async request 5548:LOOKUPNAME
[2012/11/18 19:51:08.284906,  3, pid=5530, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
  lookupname ADLAB\tuser1
[2012/11/18 19:51:08.284999,  1, pid=5530, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          in: struct wbint_LookupName
              domain                   : *
                  domain                   : 'ADLAB'
              name                     : *
                  name                     : 'TUSER1'
              flags                    : 0x00000000 (0)
[2012/11/18 19:51:08.285421,  1, pid=5530, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          out: struct wbint_LookupName
              type                     : *
                  type                     : SID_NAME_USE_NONE (0)
              sid                      : *
                  sid                      : S-0-0
              result                   : NT_STATUS_ACCESS_DENIED
[2012/11/18 19:51:08.285666,  5, pid=5530, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_lookupname.c:104(winbindd_lookupname_recv)
  Could not convert sid S-0-0: NT_STATUS_ACCESS_DENIED
[2012/11/18 19:51:08.285732, 10, pid=5530, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:712(wb_request_done)
  wb_request_done[5548:LOOKUPNAME]: NT_STATUS_ACCESS_DENIED
Version-Release number of selected component (if applicable):


How reproducible:
Unknown

Steps to Reproduce:
1.  Setup IPA Master
2.  Setup AD Server and create some users
3.  ipa-adtrust-install
4.  ipa trust-add <addomain> --admin Administrator --password
5.  wbinfo -u
6.  wbinfo -n "<ADNETBIOSNAME>\<aduser>"
  
Actual results:
Fails with errors similar to above


Expected results:
Returns user SID

Additional info:

Comment 6 Scott Poore 2012-12-06 15:07:53 EST

So, since I was not able to reproduce this on a consistent basis, is there a better way I could reproduce/verify this than using wbinfo?

Comment 9 Sumit Bose 2012-12-07 03:07:14 EST

Rebooting the AD always triggered the issue for me.

Comment 10 Scott Poore 2012-12-07 17:49:10 EST

Ok, I was able to reproduce this by rebooting AD AND waiting:

[root@rhel6-1 yum.repos.d]# rpm -qa samba4
samba4-4.0.0-44.el6.rc4.x86_64

[root@rhel6-1 yum.repos.d]# wbinfo -n "ADTESTDOM\$RANDOM"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADTESTDOM$RANDOM

[root@rhel6-1 yum.repos.d]# wbinfo -n "ADTESTDOM\testuser2"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADTESTDOM\testuser2

[root@rhel6-1 yum.repos.d]# wbinfo -n "ADTESTDOM\testuser2"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADTESTDOM\testuser2

On fixed version after AD reboot:

[root@rhel6-2 ~]# rpm -q samba4-client
samba4-client-4.0.0-48.el6.rc4.x86_64

[root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\$RANDOM"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADTESTDOM$RANDOM

[root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\testuser2"
S-1-5-21-1246088475-3077293710-2580964704-1133 SID_USER (1)

[root@rhel6-2 ~]# sleep 900 ; wbinfo -n "ADTESTDOM\testuser2"
S-1-5-21-1246088475-3077293710-2580964704-1133 SID_USER (1)


Is there also something in the log I can search for?

Comment 11 Sumit Bose 2012-12-10 05:15:07 EST

I think it is ok to just see that wbinfo is working again. In the logs (with debug level 10 or higher) you should only see messages from cm_connect_lsa_tcp() but no from cm_connect_lsa().

In in old version if cm_connect_lsa_tcp() failed due to some connection issues cm_connect_lsa() was directly used as a fallback on the new connection. With the patches cm_connect_lsa_tcp() is tried again if the connection is restablished and so you shouldn't see any message from cm_connect_lsa().

Comment 12 Sumit Bose 2012-12-10 16:06:51 EST

Sorry, please look for messages from cm_prepare_connection() in the logs instead of cm_connect_lsa().

Comment 13 Scott Poore 2012-12-10 21:50:02 EST

Is it possible that I wouldn't see it for every failure?  I'm just trying to finish 

[root@rhel6-1 samba]# wbinfo -n "ADTESTDOM\adtestuser1"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADTESTDOM\adtestuser1

[root@rhel6-1 samba]# date
Mon Dec 10 20:28:33 EST 2012

[root@rhel6-1 samba]# grep cm_prepare_connection log.wb-ADTESTDOM 
<snip/>
[2012/12/10 20:02:25.271601, 10, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:965(cm_prepare_connection)
  cm_prepare_connection: falling back to anonymous connection for DC W2K8R2-1
[2012/12/10 20:02:25.279598,  5, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:969(cm_prepare_connection)

Testing again I do see it:

[2012/12/10 21:21:56.670091, 10, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:806(cm_prepare_connection)
  cm_prepare_connection: connecting to DC w2k8r2-1.adtestdom.com for domain ADTESTDOM
[2012/12/10 21:21:56.671134,  3, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:597(cm_get_ipc_userpass)
  cm_get_ipc_userpass: No auth-user defined
[2012/12/10 21:21:56.671200, 10, pid=18169, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:965(cm_prepare_connection)
  cm_prepare_connection: falling back to anonymous connection for DC w2k8r2-1.adtestdom.com

Comment 14 Guenther Deschner 2012-12-11 03:07:43 EST

As long as 'ADTESTDOM\adtestuser1' really exists on AD, wbinfo must never fail to lookup that user.

Comment 15 Scott Poore 2012-12-11 09:38:34 EST

I mean are there some cases where I wouldn't see the cm_prepare_connection messages when I do see failure to lookup a user that does exist?

That's what I saw at first above.  Sorry I didn't make that clear but, the first log entries I listed happened before the failed lookup I listed.

Thanks

Comment 16 Scott Poore 2012-12-11 10:15:59 EST

Verified.

Version ::

samba4-4.0.0-48.el6.rc4.x86_64

Manual Test Results ::

I've run wbinfo -n commands many times and so far I have seen no errors with the fixed version.  As far as I am able to tell right now, this is verified.

[root@rhel6-2 ~]# kinit admin
Password for admin@TESTRELM2.COM: 

[root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\adtestuser1"
S-1-5-21-1246088475-3077293710-2580964704-1136 SID_USER (1)

[root@rhel6-2 ~]# grep cm_prepare /var/log/samba/log.wb-ADTESTDOM 

[root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\adtestuser1"
S-1-5-21-1246088475-3077293710-2580964704-1136 SID_USER (1)

[root@rhel6-2 ~]# wbinfo -n "ADTESTDOM\adtestuser2"
S-1-5-21-1246088475-3077293710-2580964704-1138 SID_USER (1)

[root@rhel6-2 ~]# for u in $(wbinfo -u); do echo "########### $u" ; wbinfo -n "$u"; done
########### ADTESTDOM\administrator
S-1-5-21-1246088475-3077293710-2580964704-500 SID_USER (1)
########### ADTESTDOM\guest
S-1-5-21-1246088475-3077293710-2580964704-501 SID_USER (1)
########### ADTESTDOM\krbtgt
S-1-5-21-1246088475-3077293710-2580964704-502 SID_USER (1)
########### ADTESTDOM\abc
S-1-5-21-1246088475-3077293710-2580964704-1105 SID_USER (1)
########### ADTESTDOM\anothertest
S-1-5-21-1246088475-3077293710-2580964704-1119 SID_USER (1)
########### ADTESTDOM\testuser1
S-1-5-21-1246088475-3077293710-2580964704-1127 SID_USER (1)
########### ADTESTDOM\testuser2
S-1-5-21-1246088475-3077293710-2580964704-1133 SID_USER (1)
########### ADTESTDOM\adtestuser1
S-1-5-21-1246088475-3077293710-2580964704-1136 SID_USER (1)
########### ADTESTDOM\adtestuser2
S-1-5-21-1246088475-3077293710-2580964704-1138 SID_USER (1)
########### ADTESTDOM\adtestuser3
S-1-5-21-1246088475-3077293710-2580964704-1139 SID_USER (1)
########### ADTESTDOM\adtestuser4
S-1-5-21-1246088475-3077293710-2580964704-1140 SID_USER (1)
########### ADTESTDOM\adtestuser5
S-1-5-21-1246088475-3077293710-2580964704-1142 SID_USER (1)
########### ADTESTDOM\adtestuser10
S-1-5-21-1246088475-3077293710-2580964704-1148 SID_USER (1)
########### ADTESTDOM\adtestuser200
S-1-5-21-1246088475-3077293710-2580964704-1153 SID_USER (1)
########### ADTESTDOM\testrelm$
S-1-5-21-1246088475-3077293710-2580964704-1166 SID_USER (1)
########### ADTESTDOM\testrelm1$
S-1-5-21-1246088475-3077293710-2580964704-1167 SID_USER (1)
########### ADTESTDOM\testrelm2$
S-1-5-21-1246088475-3077293710-2580964704-1169 SID_USER (1)
########### ADTESTDOM\testuser3
S-1-5-21-1246088475-3077293710-2580964704-1170 SID_USER (1)
########### ADTESTDOM\testuser4
S-1-5-21-1246088475-3077293710-2580964704-1171 SID_USER (1)

Comment 17 errata-xmlrpc 2013-02-21 03:46:18 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0506.html

Note You need to log in before you can comment on or make changes to this bug.