I have a problem that has got me going round in circles.
We have 14 Centos 6 AD integrated servers using Samba/Winbind with idmap_ad (security = ads, idmap backend = ad), this setup is running perfectly in 13 of them.
Problem
The problem lies with one server and one user. From the problem box you simply cannot resolve one particular user. This user resolves from all other servers.
Results when trying to resolve on problem server:
# id username
id: username: No such user
# wbinfo -i username
Could not get info for user username
Results when trying to resolve on good server:
# id username
uid=12830(username) gid=100(users) groups=100(users)
# wbinfo -i username
username:*:12830:100:User Name:/home/username:/bin/bash
Attempted Resolutions
I have stopped winbind and smb and cleared the winbind cache (winbindd_cache.tdb & winbindd_cidmap.tdb) the started them again - no joy
I have started winbind with -n to perform straight lookups - no joy
Unfortunately this is a production server so I can't get too drastic with it and I am unable to replicate the problem on any other server including a test server I built using the same configs.
I'm fairly convinced it is not winbind after the above test but am at a loss as to why the user won't resolve.
I can run wbinfo -n and get the users SID then run net cache list |grep thesid and see:
Key: IDMAP/SID2UID/S-1-5-21-746745685-249376194-4547331-1137 Timeout: Tue Apr 2 17:30:32 2013 Value: 1283 0 Key: IDMAP/UID2SID/12830 Timeout: Tue Apr 2 17:30:32 2013 Value: S-1-5-21-746745685-249376194-4547331 -1137
This shows the correct UID (12930) so the server can find him in AD and pull his Unix Attributes.
I can run net lookup sid S-1-etc and it returns it successfully as DOMAIN\username
I then tried net cache flush and restarted smb and winbind, this did not fix it either.
I still can't id the user nor wbinfo -i and therefore the user cannot log in nor access samba shares as the server can't resolve them.
The infuriating thing is that all other users work including newly created ones!
...
Can anyone help? I'm stuck!
...
Basic details are:
- Domain Controllers = Server 2008R2 Running at 2003 FFL and DFL and MSSFU
- Linux Servers = CentOS 6.1 Samba version = 3.5.10-125.el6
- Winbind version = 3.5.10-125.el6
This server runs the same config as the others on that site and those work perfectly, so I know they are not the problem. It's as if the server simply does not like the user SID or something similar and will not look him up through the standard methods.
Let me know if you need more info.
Thanks
