Andrew Bartlett | 1 Aug 2007 01:29

Re: Problem with mod_auth_ntlm_winbind

On Wed, 2007-07-04 at 18:42 +0200, nils.kloth <at> hauni.com wrote:
> Hello,
> 
> I don't get mod_auth_ntlm_winbind working.
> 
> I've followed: <http://adldap.sourceforge.net/mod_auth_ntlm_winbind.php>
> winbindd is running, and ntlm_auth seems to work:
> ntlm_auth --username=kloth
> password:
> NT_STATUS_OK: Success (0x0)
> 
> I am using the following apache config:
>     <Directory "/srv/www/htdocs/intranet">
> 	Options +FollowSymLinks -Indexes
> 	AllowOverride All
> 	Order 			deny,allow
>     	AuthName "HAUNI Intranet Login: Bitte mit dem Windows Benutzernamen und Kennwort anmelden"
> 	NTLMAuth on
> 	NegotiateAuth on
> 	NTLMBasicAuthoritative on
> 	NTLMAUTHHelper "/usr/bin/ntlm_auth -d10 --diagnostics --helper-protocol=squid-2.5-ntlmssp"
> 	NegotiateAuthHelper "/usr/bin/ntlm_auth -d10 --diagnostics --helper-protocol=gss-spnego"

Just looking over your message from the archives...

The --diagnostics option is for testing winbind and the target domain,
to determine what encryption types are supported.  It isn't useful from
inside apache or squid.

Andrew Bartlett

Jeremy Allison | 1 Aug 2007 01:59

Re: share mode locks on directories

On Tue, Jul 31, 2007 at 01:51:19PM -0700, Tim Prouty wrote:
> Hi Jeremy,
> 
> I was talking to Volker earlier today about share mode locks on  
> directories, and he said that you may be able to answer some of my  
> questions, since you wrote most of this code.  Do you have any
> examples of where it is important to take a share mode lock on a
> directory?  I'm looking at all of the callers of open_directory(),  
> and so far the close_file() is called on the dir's fsp before the  
> calling function returns.  Is it purely for delete on close semantics?

Pretty much. We do have a codepath (not currently turned on
by default) that allows the correct semantics of preventing look-ups
in directories that have delete on close set.

Jeremy.

Aravinda Guzzar | 1 Aug 2007 03:40

winbindd question

Hi,

1.

Can anyone please tell me how the winbind daemon decides when to create a
new child process to service a request? I see that when the winbind daemon
starts, it creates a new child process (apart from the main parent) to handle
the "WINBINDD_INIT_CONNECTION" command during its startup. When you execute any
command, say wbinfo -u or -g or --allocate-uid, I could see that it creates a
new child process sometimes and sometimes doesn't. I couldn't come to
any conclusions, either through code study or through these experiments, about
when and how it decides to create a child process to handle a particular request.

2.

I could see the fork call gets hit even when I run "winbindd -i" in
interactive mode. The initialization sets Fork = False but the fork() call
in fact gets called even in interactive mode. Is it not possible to run the
winbind daemon in a single process, w/o child processes getting created?

3.

If someone can point me to a document to understand the winbind daemon
better, it would be very helpful to me.

Thanks in advance for any help regarding this.

regards
Aravind


Gerald (Jerry) Carter | 1 Aug 2007 04:30

Re: winbindd question


Aravinda Guzzar wrote:

> Can anyone please tell me how the winbind daemon decides
> when to create a new child process to service a request.

Did you look at async_domain_request() ?  If the domain is
not initialized, then we send a request to the child to
establish its connections to the DC for its domain.

> I could see the fork call gets hit even when I
> run "winbindd -i" in interactive mode. The initialization
> sets Fork = False but the fork() call in fact gets
> called even in interactive mode. Is it not possible to run the
> winbind daemon in a single process, w/o child
> processes getting created?

No.

> If someone can point me to a document to understand
> the winbind daemon better, it would be very helpful to me.

I'm afraid your best friend in this case is the code.
I have some slides on the idmap manager in 3.0.25 from
this past SambaXP but no overall architecture documentation.

It's basically an async state machine.  The parent winbindd
is a dispatcher (except in a few cases).  The child cases are
the equivalent of worker threads.


Aravinda Guzzar | 1 Aug 2007 11:53

Re: winbindd question

Hi Jerry,

thanks a lot for those explanations.

I had further questions regarding the same as below:

>>>The child cases are the equivalent of worker threads.
Is there a specific reason why a "thread" implementation was not used to
handle different WinBind commands and processes were chosen instead?

>>>Did you look at async_domain_request() ?  If the domain is
>>>not initialized, then we send a request to the child to
>>>establish its connections to the DC for its domain.

I see that apart from the async_domain_request (domain is not initialized,
command WINBINDD_INIT_CONNECTION), the set of actions/commands below
also creates child processes:

- winbindd_allocate_uid
- winbindd_allocate_gid
- add_trusted_domains\WINBINDD_LIST_TRUSTDOM
- winbindd_show_sequence\WINBINDD_SHOW_SEQUENCE
- winbindd_lookupsid_async\WINBINDD_LOOKUPSID
- winbindd_lookupname_async\WINBINDD_LOOKUPNAME
- winbindd_getsidaliases_async\WINBINDD_DUAL_GETSIDALIASES
- winbindd_gettoken_async\WINBINDD_GETUSERDOMGROUPS
- query_user_async\WINBINDD_DUAL_USERINFO
- winbindd_getsidaliases_async\WINBINDD_DUAL_GETSIDALIASES
- idmap_set_mapping_async\WINBINDD_DUAL_IDMAPSET
- idmap_sid2uid_async\WINBINDD_DUAL_SID2UID

Hansjörg Maurer | 1 Aug 2007 11:47

wbinfo -u (security = ads) does not show computers after upgrade to 3.0.25b any more

Hi

I still did not find a solution to the problem, therefore I would like
to ask the technical list...

After an upgrade from 3.0.21c to 3.0.25b
wbinfo -u only shows the Users

DOMAIN\user
and not the computers
DOMAIN\PCNAME$

like it did before

In the logs I see

[2006/02/17 09:10:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\PCNAME$ is invalid on this system

We use

idmap domains =  DOMAIN
idmap config DOMAIN:backend  = nss
idmap config DOMAIN:readonly = yes

because we use the Unix-User and Group  information from NIS

I am not sure if we should ignore the message from above, or if
something is misconfigured :-)


Gerald (Jerry) Carter | 1 Aug 2007 15:07

Re: wbinfo -u (security = ads) does not show computers after upgrade to 3.0.25b any more


Hansjörg Maurer wrote:
> Hi
> 
> I still did not find a solution to the problem, therefore I would like
> to ask the technical list...
> 
> 
> After an upgrade from 3.0.21c to 3.0.25b
> wbinfo -u only shows the Users
> 
> DOMAIN\user
> and not the computers
> DOMAIN\PCNAME$
> 
> like it did before

I'd have to look at the svn logs.  I don't remember a specific
change here.  Is this causing you a problem?  Or are you just
curious?

> In the logs I see
> 
> [2006/02/17 09:10:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>   Username DOMAIN\PCNAME$ is invalid on this system
> 
> We use
> 
> idmap domains =  DOMAIN
> idmap config DOMAIN:backend  = nss

Hansjörg Maurer | 1 Aug 2007 16:03

Re: wbinfo -u (security = ads) does not show computers after upgrade to 3.0.25b any more

Hi

>
>
> I'd have to look at the svn logs.  I don't remember a specific
> change here.  Is this causing you a problem?  Or are you just
> curious?

We do not have problems at the moment. I recognized the errors below and
thought that they might be related to the fact that the computers did not
show up in wbinfo -u.

>
> The error msg is technically correct.  Whether this is a problem
> for you depends.  Windows clients in an AD domain use the machine
> trust account for browsing for DFS referrals.
>
> In this case (also for using the idmap ad backend), I set
> a username map script like so:
>
>     #!/usr/bin/perl
>     print "compguest\n" if ( $ARGV[0] =~ /.*\$$/ );
>
> and map all machines to the Unix user compguest.

ok, I will give it a try.

Thank you very much


Gerald (Jerry) Carter | 1 Aug 2007 16:33

Re: Memory leaks


Atsushi Nakabayashi wrote:
> Hi, samba-tech,
> 
> I have found a memory leak in the error path of the samba-3.0.24.

I believe this has already been fixed in the current code.
Would you check and confirm that this has been fixed
in SAMBA_3_2_0?  Thanks.

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian

Volker Lendecke | 1 Aug 2007 19:06

Re: winbindd question

On Wed, Aug 01, 2007 at 03:23:21PM +0530, Aravinda Guzzar wrote:
> >>>The child cases are the equivalent of worker threads.
> Is there a specific reason why a "thread" implementation was not used to
> handle different WinBind commands and processes were chosen instead?

Our base libs are not thread safe.

> But a few commands like "wbinfo --domain-users" (lists all domain users) and
> "wbinfo --domain-groups" (lists all domain groups) don't create child
> processes to service the request.
> 
> 1.    My question is how and on what basis the creation of a child process
> is decided. I see that sometimes up to 5 child processes get created when
> I execute a few wbinfo commands and connect to Samba, which is configured as
> a member server to a Windows PDC.

Amount of work vs benefit. Getting user enumeration async
with the architecture we have is pretty hard, and as this is
not executed in any of the hot code paths, it was not yet
seen as pressing enough. No technical reason.

> 2.    If the child process is created, when does it get terminated? Currently
> I see that even after processing the command the child processes continue
> to stay there.

It's never terminated. If it dies for some reason, it's
restarted.

> 3.    There is a loop in the below code chain which I couldn't understand
> from the code study/experiments. Can anyone help me in understanding this.