Improved logging in Samba Winbind
Keeping Track
The Winbind service offers various services for the name service switch (NSS) and pluggable authentication modules (PAMs). On the Windows side, Winbind communicates with the Local Security Authority (LSA), Netlogon, and Lightweight Directory Access Protocol (LDAP) services of a domain controller to locate user accounts, read user data, and ultimately authenticate users. You can use Samba's own net tool, but also Realm [1], as the front end for joining a client to a domain. With Realm, you need to specify the --client-software=winbind option to ensure that the Winbind service, and not the system security services daemon (SSSD), is used to join a domain.
Cluttered Logfiles
The primary Winbind process creates a separate child process for each logical AD domain that the service wants to access. Each process is also assigned its own logfile, where you will find varying amounts of information depending on the configured logging level. If you experience issues with integration into a Windows environment, you should set the logging level to a high value to glean as much information as possible for debugging.
The problem in this case is that the sheer volume of log data makes it difficult to understand communication between the Winbind process and a domain controller. The individual entries each comprise a header and the message. Besides a timestamp, the header also contains various other details, such as the configured logging level, Winbind's process ID, the log message class, and the Winbind function that was used, as shown in the following example of a log message from the nss_winbind library:
[2023/05/04 16:20:51.998105, 3, pid=1153814, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:502(process_request_send) process_request_send: [nss_winbind (1153856)] Handling async...
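As an added example (not code from the article or from the Samba project), the following Python code parses the header fields described above and filters entries by process ID and logging level, which helps when following a single Winbind child at a high logging level. The second and third sample entries, including their file and function names, are constructed; treating class= as optional and treating non-header lines as continuations of the previous message are assumptions.

```python
import re

# Header layout taken from the sample line in the article:
# [timestamp, level, pid=N, effective(u, g), real(u, g), class=NAME] file:line(function) message
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),\s*"
    r"pid=(?P<pid>\d+),\s*effective\((?P<euid>\d+),\s*(?P<egid>\d+)\),\s*"
    r"real\((?P<uid>\d+),\s*(?P<gid>\d+)\)(?:,\s*class=(?P<cls>\w+))?\]\s*"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<msg>.*)$"
)

def parse_entries(text):
    """Return one dict per log entry; non-header lines extend the previous message."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entry = m.groupdict()
            for key in ("level", "pid", "line"):
                entry[key] = int(entry[key])
            entries.append(entry)
        elif entries and raw.strip():
            # Assumption: anything that is not a header belongs to the entry above it.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def select(entries, pid=None, max_level=None, func=None):
    """Keep only the entries that match every filter that was given."""
    return [e for e in entries
            if (pid is None or e["pid"] == pid)
            and (max_level is None or e["level"] <= max_level)
            and (func is None or e["func"] == func)]

# First entry is the article's sample line; the other two are constructed.
SAMPLE = """\
[2023/05/04 16:20:51.998105, 3, pid=1153814, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:502(process_request_send) process_request_send: [nss_winbind (1153856)] Handling async...
[2023/05/04 16:20:52.000001, 10, pid=1153814, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/example.c:10(example_function)
  constructed continuation text
[2023/05/04 16:20:52.000002, 3, pid=1153900, effective(0, 0), real(0, 0)] ../../source3/winbindd/example.c:20(other_example) constructed message
"""

if __name__ == "__main__":
    for e in select(parse_entries(SAMPLE), pid=1153814, max_level=3):
        print(e["ts"], e["cls"], e["func"], e["msg"])
```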