From: Ryan Hardy on
I am having a strange problem that I thought someone might be help resolve. I am using Samba 3.4.7 at the moment, but I've had the same issue with Samba 3.4.6 and Samba 3.5.2.

NOTE: Domain, hostnames, usernames and SIDs have been changed to protect the guilty.

I am seeing an unable to successfully execute a variety of lookups from wbinfo and I think this is the underlying cause of some other issues I am seeing. For example:

This works:
# wbinfo -s "S-1-1-11-1111111111-1111111111-1111111111-11111"
ADDOMAIN\joeuser 1

This also works:
# wbinfo -n joeuser
S-1-1-11-1111111111-1111111111-1111111111-11111 SID_USER (1)

This fails:
# wbinfo -i joeuser
Could not get info for user joeuser

It seems like pretty much anything that involves the idmap backend in some way fails.

I noticed a strange message in the logs at the same time. I see the request come in. In log.wb-ADDOMAIN, I see several requests from winbindd come in, and they both work (first a LOOKUPNAME, then a DUAL_USERINFO). Then I see this:

==> winbindd.log <==
[2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:492(refresh_sequence_number)
refresh_sequence_number: ADDOMAIN time ok
[2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:537(refresh_sequence_number)
refresh_sequence_number: ADDOMAIN seq number is now 13991956
[2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:577(centry_expired)
centry_expired: Key NSS/NA/JOEUSER for domain ADDOMAIN is good.
[2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:661(wcache_fetch)
wcache_fetch: returning entry NSS/NA/JOEUSER for domain ADDOMAIN
[2010/04/21 16:17:25, 10] winbindd/winbindd_cache.c:1053(resolve_username_to_alias)
resolve_username_to_alias: [Cached] - mapped joeuser to joeuser
[2010/04/21 16:17:25, 10] winbindd/winbindd_idmap.c:269(winbindd_sid2uid_async)
winbindd_sid2uid_async found domain ADDOMAIN, have_idmap_config = 0
[2010/04/21 16:17:25, 10] winbindd/winbindd_dual.c:125(async_request)
Sending request to child pid 1607 (domain='')

Upon which I see the following in log.winbindd-idmap (a request for DUAL_SID2UID):

[2010/04/21 16:17:25, 4] winbindd/winbindd_dual.c:1452(fork_domain_child)
child daemon request 51
[2010/04/21 16:17:25, 10] winbindd/winbindd_dual.c:452(child_process_request)
child_process_request: request fn DUAL_SID2UID
[2010/04/21 16:17:25, 3] winbindd/winbindd_idmap.c:293(winbindd_dual_sid2uid)
[ 1599]: sid to uid S-1-1-11-1111111111-1111111111-1111111111-11111
[2010/04/21 16:17:25, 10] winbindd/idmap_util.c:157(idmap_sid_to_uid)
idmap_sid_to_uid: sid = [S-1-1-11-1111111111-1111111111-1111111111-11111], domain = ''
[2010/04/21 16:17:25, 10] winbindd/idmap.c:765(idmap_backends_sid_to_unixid)
idmap_backends_sid_to_unixid: domain = '', sid = [S-1-1-11-1111111111-1111111111-1111111111-11111]
[2010/04/21 16:17:25, 10] winbindd/idmap.c:465(idmap_find_domain)
idmap_find_domain called for domain ''
[2010/04/21 16:17:25, 10] winbindd/idmap_ad.c:71(ad_idmap_cached_connection_internal)
ad_idmap_cached_connection: called for domain '*'
[2010/04/21 16:17:25, 10] winbindd/idmap_ad.c:112(ad_idmap_cached_connection_internal)
ldap_server from saf cache: ''
[2010/04/21 16:17:25, 10] winbindd/idmap_ad.c:117(ad_idmap_cached_connection_internal)
find_domain_from_name_noinit did not find domain '*'
[2010/04/21 16:17:30, 1] winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)
ad_idmap_init: failed to connect to AD
[2010/04/21 16:17:30, 1] winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids)
ADS uninitialized: No logon servers
[2010/04/21 16:17:30, 10] winbindd/idmap.c:465(idmap_find_domain)
idmap_find_domain called for domain 'NULL'
[2010/04/21 16:17:30, 3] winbindd/idmap.c:674(idmap_new_mapping)
default domain not writable
[2010/04/21 16:17:30, 10] winbindd/idmap_util.c:212(idmap_sid_to_uid)
idmap_new_mapping failed: NT_STATUS_MEDIA_WRITE_PROTECTED

This seems to me to indicate that it is trying to do a SID to UID translation for the wrong (empty) domain. In that context, it makes a certain amount of sense that it can't connect to any login servers (I assume it looks for DCs for the domain '', can't find them, and fails). Since various other commands that make use of data from the AD work (and it was able to get the SID from the AD in this very request), I don't think it is having trouble talking to the AD.

Does anyone have any thoughts as to why that might be?

Environment Information:
OS: Centos 5.4 (kernel: 2.6.18)
Samba version: 3.4.6, 3.4.7, 3.5.2 (sernet packages)
Relevant bits of smb.conf:
workgroup = ADDOMAIN
security = ads
idmap backend = ad
idmap uid = 1000-1999999
idmap gid = 1000-1999999
client ntlmv2 auth = yes
ntlm auth = no
password server =
winbind nss info = rfc2307
winbind normalize names = yes
winbind use default domain = yes
winbind nested groups = yes

The domain is a Windows 2000 Active Directory with RFC2307 extensions.

I have this server set up with krb5/nss_ldap configured against the AD as well. Commands like 'id', 'groups', and 'getent passwd/groups' work just fine. I can make queries via the openldap client and all the attributes seem valid.

Ryan Hardy <ryan.hardy(a)>
Sr. Systems Programmer
Duke University

To unsubscribe from this list go to the following URL and read the