Problem: How can I debug my fileshare access problem on a UCS memberserver

samba
winbind
shares
debugging


Problem:

Your shares are located on a UCS memberserver; share access was fine, but the next day you cannot access them anymore.

Investigation:

The check on the command line shows:

:~# kinit <username> 
:~# smbclient -k  //$(hostname -f)/<Sharename>  -U <username>
Enter SCHEIN\<username>'s password:
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*

You should check:

  • the acls via getfacl
getfacl /data/
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: data
# owner: cscheini 
# group: admins
# flags: -s-
user::rwx
group::rwx
other::---
  • the wbinfo check is very important, and should work:
wbinfo -a <username>%<password> or wbinfo -a WINDOWSDOMAIN+<username>
wbinfo -u |grep -i <username>
wbinfo -n <username>
wbinfo -S <result of wbinfo -n >
wbinfo -U <result of  wbinfo -S>
wbinfo -s <result of wbinfo -U >

But you get these errors:

:~# wbinfo -S S-1-5-21-2258265772-2118630786-446722657-500
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2258265772-2118630786-446722657-500 to uid

and using the uid shows the same:

:~# wbinfo -U 2002
failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 2002 to sid
  • net rpc testjoin
    Join to 'SCHEIN' is OK
  • net cache flush
  • systemctl restart winbindd.service

So we can see that winbind has a problem here converting SIDs to UIDs.
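The wbinfo chain from the investigation (name to SID, SID to UID, UID back to SID, SID to name), as an added example that is not part of the original post. The script stops at the first conversion that fails and prints the wbc error, so the broken step is named rather than read off by hand. The WBINFO variable is an assumption of this script: it lets a stub stand in for the real binary for offline runs; on a memberserver leave it unset.

```shell
#!/bin/sh
# Added example, not from the original post: walk the wbinfo round trip
# name -> SID -> UID -> SID -> name and report the first broken step.
# WBINFO is an assumption of this script (stub hook for offline use);
# on a real memberserver it resolves to the wbinfo binary.
WBINFO="${WBINFO:-wbinfo}"

# Usage: idmap_roundtrip <username>
# Return codes: 0 ok, 1 name->SID, 2 SID->UID, 3 UID->SID,
#               4 SID mismatch after the round trip, 5 SID->name
idmap_roundtrip() {
    user="$1"
    # wbinfo -n prints "<SID> SID_USER (1)"; keep only the SID
    sid=$("$WBINFO" -n "$user" 2>/dev/null | awk '{print $1}')
    if [ -z "$sid" ]; then
        printf '%s\n' "FAIL name->SID for '$user' (is winbind running and the join ok?)"
        return 1
    fi
    # stderr is folded into the variable so the wbc error code appears in the report
    if ! uid=$("$WBINFO" -S "$sid" 2>&1); then
        printf '%s\n' "FAIL SID->UID for $sid: $uid"
        return 2
    fi
    if ! sid2=$("$WBINFO" -U "$uid" 2>&1); then
        printf '%s\n' "FAIL UID->SID for $uid: $sid2"
        return 3
    fi
    if [ "$sid2" != "$sid" ]; then
        printf '%s\n' "FAIL round trip mismatch: $sid -> $uid -> $sid2"
        return 4
    fi
    if ! name=$("$WBINFO" -s "$sid2" 2>&1); then
        printf '%s\n' "FAIL SID->name for $sid2: $name"
        return 5
    fi
    # printf instead of echo: the DOMAIN\user output contains a backslash
    printf '%s\n' "OK $user: sid=$sid uid=$uid name=$name"
    return 0
}

if [ -n "${1:-}" ]; then
    idmap_roundtrip "$1"
fi
```

Run it as `sh idmap_roundtrip.sh <username>` after `net cache flush`; on the broken memberserver from this post it stops with return code 2 and the WBC_ERR_DOMAIN_NOT_FOUND message, and after the fix it should print the OK line.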

Investigation by digging deeper:

  • Deep, but not deep enough:
    Activate logging in the background; this helps because you can see the entire winbind communication in order of appearance.
    tail -f /var/log/samba/log.w* &
    Raise the winbind debug level on the fly and flush the cache:
    smbcontrol winbindd debug 10
    net cache flush
    Execute the problematic command:
wbinfo -S S-1-5-21-2258265772-2118630786-446722657-500
==> /var/log/samba/log.winbindd-idmap <==

[2019/03/12 12:51:09.383683, 10, pid=23133, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:525(idmap_find_domain)
idmap_find_domain called for domain 'SCHEIN'
[2019/03/12 12:51:09.383699, 10, pid=23133, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:168(_wbint_Sids2UnixIDs)
idmap domain SCHEIN: S-1-5-21-2258265772-2118630786-446722657-500 not found

Unfortunately this is not helping, because we do not see WHY.

  • deep in the pit
    We need the winbind startup itself at debug level 10, so:
    stop the daemon
    /etc/init.d/winbindd stop
    and start it again on the command line (foreground, no caching, interactive, logging to stdout, debug level 10):
    /usr/sbin/winbindd -F -n -i -S -d 10 > 2.log 2>&1 &
    net cache flush
    wbinfo -S S-1-5-21-2258265772-2118630786-446722657-500
[...]
idmap_init(): calling static_init_idmap
calling idmap_tdb_init
Successfully added idmap backend 'tdb'
Successfully added idmap backend 'passdb'
Successfully added idmap backend 'nss'
idmap backend ldap not found
load_module_absolute_path: Probing module '/usr/lib/x86_64-linux-gnu/samba/idmap/ldap.so'
load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/idmap/ldap.so' loaded
Successfully added idmap backend 'ldap'
smbldap_search_ext: base => [cn=idmap,cn=univention,dc=schein,dc=ig], filter => [(objectclass=sambaUnixIdPool)], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://master.schein.ig:7389
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://master.schein.ig:7389 as "cn=member,cn=memberserver,cn=computers,dc=schein,dc=ig"
failed to bind to server ldap://master.schein.ig:7389 with dn="cn=member,cn=memberserver,cn=computers,dc=schein,dc=ig" Error: Invalid credentials
(unknown)
Connection to LDAP server failed for the 1 try!

Solution:

failed to bind to server ldap://master.schein.ig:7389 with dn="cn=member,cn=memberserver,cn=computers,dc=schein,dc=ig" Error: Invalid credentials

Maybe something went wrong during the server password change. So we need to reset the machine.secret of the memberserver account.

  ucr get samba/user/pwdfile
  smbpasswd -w "$(cat /etc/machine.secret)"
  net idmap set secret '*' "$(cat /etc/machine.secret)"
  net cache flush
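The repair above pushes the password from /etc/machine.secret into Samba, which only helps if that password is still accepted by the LDAP master. The following script, an added example that is not part of the original post, first extracts the failed bind (server and DN) from the winbind debug log, then binds to the master as the machine account with the password from /etc/machine.secret before running the reset. It assumes the UCS UCR keys ldap/hostdn, ldap/master and ldap/master/port hold the host DN and master address, and that ldapsearch is installed; if the test bind already fails, the secret itself is stale and the reset will not fix the idmap lookup.

```shell
#!/bin/sh
# Added example, not from the original post: locate the failed LDAP bind in a
# winbind debug log and verify the machine secret before pushing it into Samba.
# Assumptions: UCR keys ldap/hostdn, ldap/master, ldap/master/port and the
# password file /etc/machine.secret (the file is on the page, the keys are not).

# Read a winbind debug log on stdin; print "<server> <dn>" per failed bind.
ldap_bind_failures() {
    sed -n 's/^failed to bind to server \([^ ]*\) with dn="\([^"]*\)".*$/\1 \2/p'
}

# Simple bind as the machine account over StartTLS (-ZZ), like winbind does.
# Exit 0 on success; ldapsearch exits 49 when the password is rejected
# ("Invalid credentials", the error seen in the log).
machine_bind_check() {
    dn=$(ucr get ldap/hostdn)
    server="ldap://$(ucr get ldap/master):$(ucr get ldap/master/port)"
    ldapsearch -x -ZZ -H "$server" -D "$dn" -y /etc/machine.secret \
        -b "$dn" -s base -LLL dn >/dev/null 2>&1
}

# The reset from the solution, guarded by the bind check: pushing a stale
# secret into secrets.tdb and the idmap secret would not help.
reset_machine_secret() {
    if ! machine_bind_check; then
        printf '%s\n' "machine.secret is rejected by the LDAP master; fix the secret first" >&2
        return 1
    fi
    smbpasswd -w "$(cat /etc/machine.secret)" &&
    net idmap set secret '*' "$(cat /etc/machine.secret)" &&
    net cache flush
}

case "${1:-}" in
    --log)   ldap_bind_failures < "$2" ;;
    --check) machine_bind_check && printf '%s\n' "machine account bind OK" ;;
    --reset) reset_machine_secret ;;
esac
```

Run `sh machine_secret.sh --log 2.log` to see which server and DN the bind failed for, `--check` to confirm the secret in /etc/machine.secret is still valid, and `--reset` to apply the repair; afterwards repeat the `wbinfo -S` call from the investigation to confirm the SID to UID conversion works again.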
