[Samba] Winbind - DUAL_SID2UID empty domain?
in [Samba]
|
Prev: Compile errors for samba 3.5.2 on aix 5.3
Next: Can join AD 2003 domain; can't list shares from other servers
From: Ryan Hardy on 21 Apr 2010 17:20 I am having a strange problem that I thought someone might be help resolve. I am using Samba 3.4.7 at the moment, but I've had the same issue with Samba 3.4.6 and Samba 3.5.2. NOTE: Domain, hostnames, usernames and SIDs have been changed to protect the guilty. I am seeing an unable to successfully execute a variety of lookups from wbinfo and I think this is the underlying cause of some other issues I am seeing. For example: This works: # wbinfo -s "S-1-1-11-1111111111-1111111111-1111111111-11111" ADDOMAIN\joeuser 1 This also works: # wbinfo -n joeuser S-1-1-11-1111111111-1111111111-1111111111-11111 SID_USER (1) This fails: # wbinfo -i joeuser Could not get info for user joeuser It seems like pretty much anything that involves the idmap backend in some way fails. I noticed a strange message in the logs at the same time. I see the request come in. In log.wb-ADDOMAIN, I see several requests from winbindd come in, and they both work (first a LOOKUPNAME, then a DUAL_USERINFO). Then I see this: ==> winbindd.log <== [2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:492(refresh_sequence_number) refresh_sequence_number: ADDOMAIN time ok [2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:537(refresh_sequence_number) refresh_sequence_number: ADDOMAIN seq number is now 13991956 [2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:577(centry_expired) centry_expired: Key NSS/NA/JOEUSER for domain ADDOMAIN is good. [2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:661(wcache_fetch) wcache_fetch: returning entry NSS/NA/JOEUSER for domain ADDOMAIN [2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:1053(resolve_username_to_alias) resolve_username_to_alias: [Cached] - mapped joeuser to joeuser [2010/04/21 16:17:25, 10] winbindd/winbindd_idmap.c:269(winbindd_sid2uid_async) winbindd_sid2uid_async found domain ADDOMAIN, have_idmap_config = 0 [2010/04/21 16:17:25, 10] winbindd/winbindd_dual.c:125(async_request) Sending request to child pid 1607 (domain='') Upon which I see the following in log.winbindd-idmap (a request for DUAL_SID2UID): [2010/04/21 16:17:25, 4] winbindd/winbindd_dual.c:1452(fork_domain_child) child daemon request 51 [2010/04/21 16:17:25, 10] winbindd/winbindd_dual.c:452(child_process_request) child_process_request: request fn DUAL_SID2UID [2010/04/21 16:17:25, 3] winbindd/winbindd_idmap.c:293(winbindd_dual_sid2uid) [ 1599]: sid to uid S-1-1-11-1111111111-1111111111-1111111111-11111 [2010/04/21 16:17:25, 10] winbindd/idmap_util.c:157(idmap_sid_to_uid) idmap_sid_to_uid: sid = [S-1-1-11-1111111111-1111111111-1111111111-11111], domain = '' [2010/04/21 16:17:25, 10] winbindd/idmap.c:765(idmap_backends_sid_to_unixid) idmap_backends_sid_to_unixid: domain = '', sid = [S-1-1-11-1111111111-1111111111-1111111111-11111] [2010/04/21 16:17:25, 10] winbindd/idmap.c:465(idmap_find_domain) idmap_find_domain called for domain '' [2010/04/21 16:17:25, 10] winbindd/idmap_ad.c:71(ad_idmap_cached_connection_internal) ad_idmap_cached_connection: called for domain '*' [2010/04/21 16:17:25, 10] winbindd/idmap_ad.c:112(ad_idmap_cached_connection_internal) ldap_server from saf cache: '' [2010/04/21 16:17:25, 10] winbindd/idmap_ad.c:117(ad_idmap_cached_connection_internal) find_domain_from_name_noinit did not find domain '*' [2010/04/21 16:17:30, 1] winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal) ad_idmap_init: failed to connect to AD [2010/04/21 16:17:30, 1] winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids) ADS uninitialized: No logon servers [2010/04/21 16:17:30, 10] winbindd/idmap.c:465(idmap_find_domain) idmap_find_domain called for domain 'NULL' [2010/04/21 16:17:30, 3] winbindd/idmap.c:674(idmap_new_mapping) default domain not writable [2010/04/21 16:17:30, 10] winbindd/idmap_util.c:212(idmap_sid_to_uid) idmap_new_mapping failed: NT_STATUS_MEDIA_WRITE_PROTECTED This seems to me to indicate that it is trying to do a SID to UID translation for the wrong (empty) domain. In that context, it makes a certain amount of sense that it can't connect to any login servers (I assume it looks for DCs for the domain '', can't find them, and fails). Since various other commands that make use of data from the AD work (and it was able to get the SID from the AD in this very request), I don't think it is having trouble talking to the AD. Does anyone have any thoughts as to why that might be? Environment Information: OS: Centos 5.4 (kernel: 2.6.18) Samba version: 3.4.6, 3.4.7, 3.5.2 (sernet packages) Relevant bits of smb.conf: workgroup = ADDOMAIN security = ads realm = ADDOMAIN.SOME.ORG idmap backend = ad idmap uid = 1000-1999999 idmap gid = 1000-1999999 client ntlmv2 auth = yes ntlm auth = no password server = a_random_dc.addomain.some.org winbind nss info = rfc2307 winbind normalize names = yes winbind use default domain = yes winbind nested groups = yes The domain is a Windows 2000 Active Directory with RFC2307 extensions. I have this server set up with krb5/nss_ldap configured against the AD as well. Commands like 'id', 'groups', and 'getent passwd/groups' work just fine. I can make queries via the openldap client and all the attributes seem valid. -- Ryan Hardy <ryan.hardy(a)duke.edu> Sr. Systems Programmer Duke University -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba |