Comment 22 for bug 207791

Torsten Krah (tkrah) wrote :

2. Please try everything below with a fresh install of lucid on a separate non-production system, if possible.

Tried a fresh install of Natty (11.04) and it's even worse now - I am seeing this one more than 10 times a day and it's "nearly" reproducible. All I have to do is to open, say, 20 gnome terminals - the last one will have this:

Ich habe keinen Benutzernamen!@sf050:~$

3. Please list the most recent package versions (e.g.: "dpkg -l|grep -i samba", and maybe other packages. ubuntu-bug might help). It'd also be useful to list your distribution even if it's clear from the version numbers, just to save time looking it up.

ii samba 2:3.5.8~dfsg-1ubuntu2.2 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:3.5.8~dfsg-1ubuntu2.2 common files used by both the Samba server and client
ii samba-common-bin 2:3.5.8~dfsg-1ubuntu2.2 common files used by both the Samba server and client
ii samba-tools 2:3.5.8~dfsg-1ubuntu2.2 Samba testing utilities
krah@sf050:~$ dpkg -l | grep winbind
ii libwbclient0 2:3.5.8~dfsg-1ubuntu2.2 Samba winbind client library
ii winbind 2:3.5.8~dfsg-1ubuntu2.2 Samba nameservice integration server

4. Please list relevant configuration options (e.g. both winbind and idmap sections of /etc/samba/smb.conf and maybe more. ubuntu-bug might post the entire configuration file).

Same configuration as the initial report (excerpt):

        security = ADS
        idmap backend = rid:FRIENDS=10000-20000
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind cache time = 300
        winbind refresh tickets = true
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = Yes
        winbind offline logon = true

5. Check the log files for related information. /var/log/samba/log.winbind* might be more useful than some of the other log files. Post anything that might be relevant.

Log is empty - at least with configuration above.

6. If using rid or ads as the backend, try to find out if you can still query the domain controller with wbinfo -u and wbinfo -g.
You may need to check klist, net ads status, net ads info to see if your kerberos key didn't get renewed. Some of this should be run under sudo with an Active Directory (AD) authenticated user. Consider posting some of the output.

Yes, I can still query the AD. wbinfo -u and wbinfo -g do work, as does getent or id.

7. Try disabling the cache. Maybe try both "winbind cache time 0 " in smb.conf and with the line missing if you're not sure which disables the cache. Post to the bug the results of trying to get the mapping (e.g. by ls on a file owned by an Active Directory mapped user).

Using cache time = 0, it completely fails to get the mapping via wbinfo -u or wbinfo -g. (Error looking up domain users). If I set it to at least 1, winbind is able to get the mappings (strange)!
The only message in the logs I've seen so far is:

[2011/05/19 14:17:29.841087, 0] winbindd/winbindd.c:195(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

8. Try "winbind offline logon = false" in smb.conf and post the results of before and after cache timeout.

Same as 7 - but I still try to get some effect here.

9. Post any information you can about the cache and mapping files. This could be a tbl file. The log files might give some information about this.

Need some help here, what to post?

10. List whether you did a fresh install of Ubuntu or an upgrade. If it was an upgrade, what version(s) did you upgrade from?

It's a fresh install of Natty 11.04.

11. Did you try any other idmap backends? If so, please list which ones and what order. I believe there might be a bug on switching backends without deleting a mapping file.

No, I used security ads with rid backend.