wbinfo fails to enumerate users and groups

Bug #220844 reported by spencer
Affects          Status    Importance  Assigned to  Milestone
samba (Ubuntu)   Invalid   Undecided   Unassigned

Bug Description

Binary package hint: winbind

Running off the Ubuntu 8.04 Beta live CD, and when installed to the local computer, I tried to join the computer to an existing Windows Server 2003 Active Directory using Kerberos, Winbind, and Samba. I discovered errors, so I tested the same steps against a Debian stable server, a server that had no problems joining the domain. Here are the exact steps I took:

$ sudo su
# gedit /etc/hosts
[here are the contents of the file:
 127.0.0.1 localhost
 127.0.1.1 ubuntu
 127.0.0.1 ubuntu.domainname localhost ubuntu
 ::1 ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
 ff00::0 ip6-mcastprefix
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 ff02::3 ip6-allhosts
]
# cat /etc/resolv.conf
[here are the contents of the file:
 search domainname
 nameserver 192.168.1.2
]
# apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config
[ installs these versions:
 samba: 3.0.28a-1ubuntu4
 smbclient: 3.0.28a-1ubuntu4
 winbind: 3.0.28a-1ubuntu4
 krb5-doc: 1.6.dfsg.3~beta1-2ubuntu1
 krb5-user: 1.6.dfsg.3~beta1-2ubuntu1
 krb5-config: 1.17
]
# sudo gedit /etc/krb5.conf
[here are the contents of the file:
 [libdefaults]
  default_realm = DOMAINNAME

 [realms]
  DOMAINNAME = {
   kdc = adserver
   admin_server = adserver
  }

 [domain_realm]
  .domainname = DOMAINNAME
  domainname = DOMAINNAME
]
# kinit Administrator
# klist
# kdestroy
# apt-get install ntpdate
[installs these versions:
 ntpdate: 1:4.2.4p4+dfsg-3ubuntu2
]
# gedit /etc/default/ntpdate
[here are the contents of the file:
 NTPDATE_USE_NTP_CONF=yes
 NTPSERVERS="adserver"
 NTPOPTIONS="-u"
]
# gedit /etc/samba/smb.conf
[here are the contents of the file:
 [global]
  security = ads
  password server = adserver
  encrypt passwords = yes
  workgroup = DOMAINNAME
  realm = DOMAINNAME
  netbios name = ubuntu
  idmap uid = 10000 - 20000
  idmap gid = 10000 - 20000
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
]
# /etc/init.d/winbind stop
# /etc/init.d/samba restart
# /etc/init.d/winbind start
# kinit Administrator
# klist
[returns this information:
 Ticket cache: FILE:/tmp/krb5cc_999
 Default principal: Administrator@DOMAINNAME

 Valid starting Expires Service principal
 04/23/08 00:47:19 04/23/08 10:47:23 krbtgt/DOMAINNAME@DOMAINNAME
 renew until 04/24/08 00:47:19

 Kerberos 4 ticket cache: /tmp/tkt999
 klist: You have no tickets cached
]
# net ads join -U Administrator
[returns this information:
 Administrator's password:
 Using short domain name -- DOMAINNAME
 Joined 'UBUNTU' to realm 'DOMAINNAME'
]
# wbinfo -u
[returns this information:
 Error looking up domain users
]
# wbinfo -g
[returns this information:
 Error looking up domain groups
]
# wbinfo -a Administrator
[returns this information: (sic)
 plaintext password authentication failed
 error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
 error messsage was: No such user
 Could not authenticate user Administrator with plaintext password
 challenge/response password authentication failed
 error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
 error messsage was: Invalid handle
 Could not authenticate user Administrator with challenge/response
]

getent passwd contains only local users, not remote users.

spencer (spencerdubya) wrote :

I've discovered what's happening here. On the Debian etch development box where these steps worked, the IP address is set statically, outside the normal DHCP range. On the Ubuntu 8.04 workstation where I performed the above, the IP address was set dynamically.

I discovered that I could work around this problem by giving the workstation a manual IP address and registering it with DNS. If I then re-join the domain, I can properly enumerate users and groups and log in. This seems to either be a bug or by design, but something is definitely wrong if I have to set a static IP by hand in Linux but not in Windows.

Mathias Gug (mathiaz) wrote :

Could you confirm that using a dynamic IP with Windows works correctly?

Could you check if the hostname is resolvable (both hostname to IP and IP to hostname) when using a dynamic IP with Hardy? Could you compare with using a dynamic IP with Windows?

Changed in samba:
status: New → Incomplete
spencer (spencerdubya) wrote :

> Could you confirm that using a dynamic IP with Windows works correctly?

Yes, all of my Windows workstations talk to AD with dynamic IPs.

> Could you check if the hostname is resolvable (both hostname to IP and IP to hostname) when using a dynamic IP with Hardy?

Hostname to IP: works fine.
IP to hostname: can't be found.

> Could you compare with using a dynamic IP with Windows?

Hostname to IP: 192.168.1.3
IP to hostname: can't be found.

Steve Langasek (vorlon) wrote :

Thank you for taking the time to report this bug and help to improve Ubuntu.

I see a few inconsistencies in the output you've shown. I don't know if any of them relate to this bug, but they might, so I point them out.

/etc/hosts:
 127.0.0.1 localhost
 127.0.1.1 ubuntu
 127.0.0.1 ubuntu.domainname localhost ubuntu

This third record is wrong. The authoritative name (the one in the first column) for 127.0.0.1 must always be localhost. Assuming you want ubuntu.domainname to be your canonical hostname, this should be:
 127.0.0.1 localhost
 127.0.1.1 ubuntu.domainname ubuntu

/etc/samba/smb.conf:
  workgroup = DOMAINNAME
  realm = DOMAINNAME

This must also be wrong, because a realm is a DNS domain name and a workgroup is a NetBIOS name. The realm name should therefore have at least one dot in it, and the workgroup name should have no dots in it, so these shouldn't be the same. (I've seen reports from other users who used the realm name as the workgroup name and they didn't have any problems as a result of this - but it is incorrect and renders your system incompatible with some others.)

  netbios name = ubuntu

This is not wrong, but definitely redundant; I recommend not encoding this here, since that increases the number of places you would need to change it if your hostname ever changed.

# /etc/init.d/winbind stop
# /etc/init.d/samba restart
# /etc/init.d/winbind start
[...]
# net ads join -U Administrator

This looks backwards to me. Surely you need to restart winbind /after/ you've done your net ads join, so that winbind picks up the domain join information?

ADS doesn't need to be able to resolve your hostname at all in order to let you enumerate groups or users, so I think the static vs. dynamic IP question is a red herring, and the real issue is probably that winbind was not restarted after the join.

Here is an abridged test showing this behavior:

$ sudo net ads join -U Administrator
Administrator's password:
Using short domain name -- UBUNTU-WP
Joined 'DARIO' to realm 'UBUNTU-WP.COM'
$ wbinfo -u
Error looking up domain users
$ sudo /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind [ OK ]
 * Starting the Winbind daemon winbind [ OK ]
$ wbinfo -u
UBUNTU-WP\administrator
[...]
$

So indeed, wbinfo only works after you've restarted winbind.

I'm therefore closing this bug as invalid; please reopen if you think this is a mistake.

Changed in samba:
status: Incomplete → Invalid
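
The configuration inconsistencies pointed out in the last comment (the canonical name for 127.0.0.1, realm versus workgroup naming, the redundant netbios name) can be checked mechanically before a domain join. The following is an added example, not part of the original report or of Samba; the function names are hypothetical and the sample inputs are constructed from the files quoted in the report.

```python
import re

# Constructed samples, taken from the /etc/hosts and smb.conf quoted in the report.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.1.1 ubuntu\n127.0.0.1 ubuntu.domainname localhost ubuntu\n"
SAMPLE_SMB = ("[global]\n  security = ads\n  workgroup = DOMAINNAME\n"
              "  realm = DOMAINNAME\n  netbios name = ubuntu\n")

def check_hosts(text):
    """Flag 127.0.0.1 entries whose first (canonical) name is not localhost."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "127.0.0.1" and fields[1] != "localhost":
            findings.append(f"hosts:{n}: 127.0.0.1 maps to '{fields[1]}' first, not localhost")
    return findings

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {lower-cased name: value}."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.split()).lower()] = value.strip()
    return params

def check_smb(text):
    """Apply the realm/workgroup/netbios-name observations from the thread."""
    g, findings = parse_global(text), []
    realm, workgroup = g.get("realm", ""), g.get("workgroup", "")
    if "." not in realm:
        findings.append(f"smb.conf: realm '{realm}' has no dot (expected a DNS domain name)")
    if "." in workgroup:
        findings.append(f"smb.conf: workgroup '{workgroup}' has a dot (expected a NetBIOS name)")
    if realm and realm.lower() == workgroup.lower():
        findings.append("smb.conf: realm and workgroup are identical")
    if "netbios name" in g:
        findings.append("smb.conf: 'netbios name' is set explicitly (redundant)")
    return findings

if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS) + check_smb(SAMPLE_SMB):
        print(finding)
```

These checks cover only the static files; the winbind restart after `net ads join` described in the last comment still has to be done by hand.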