From: Robert LeBlanc on
On Tue, Dec 8, 2009 at 7:55 AM, Georg Roelli <roellig(a)hotmail.com> wrote:

>
> Hello
>
> My is environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>
> For Squid I need the query of a global group from Active Directory 2003.
> This works beautifully, but unfortunately not always. There are global
> groups which works to transform and others where it does not work.
>
> Here are my entries for test:
>
> # wbinfo -n nobadurl
> S-1-5-21-986273330-1409306274-1541874228-9965 Domain Group (2)
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-9965
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-9965 to gid
>
> # wbinfo -n www-Access
> S-1-5-21-986273330-1409306274-1541874228-2514 Domain Group (2)
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-2514
> 10011
>
> I am a little confused. Why the conversion goes for one group but for the
> other one not?
> I've tried a lot, unfortunately without success.
>
> Is there a log I can turn on what can help me?
> What is the value wbinfo take out of the AD to convert the SID to UID or
> GID?
> Is there another way I can figure out why the conversion does not work?
>
> Thanks for your help.
>
> Kind regards, G.
>
>
I would check /var/log/samba/log.winbindd or /var/log/samba/log.wb.<DOMAIN>.
I would suspect that you may have run out of gids allocated to groups (your
rang is not big enough). The logs should help you pinpoint the problem
though.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Georg Roelli on



________________________________
> Date: Tue, 8 Dec 2009 08:55:05 -0700
> Subject: Re: [Samba] wbinfo / Could not convert sid to gid / uid
> From: robert(a)leblancnet.us
> To: roellig(a)hotmail.com
> CC: samba(a)lists.samba.org
>
> On Tue, Dec 8, 2009 at 7:55 AM, Georg Roelli> wrote:
>
>
>
> Hello
>
>
>
> My is environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>
>
>
> For Squid I need the query of a global group from Active Directory 2003.
>
> This works beautifully, but unfortunately not always. There are global groups which works to transform and others where it does not work.
>
>
>
> Here are my entries for test:
>
>
>
> # wbinfo -n nobadurl
>
> S-1-5-21-986273330-1409306274-1541874228-9965 Domain Group (2)
>
>
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-9965
>
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-9965 to gid
>
>
>
> # wbinfo -n www-Access
>
> S-1-5-21-986273330-1409306274-1541874228-2514 Domain Group (2)
>
>
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-2514
>
> 10011
>
>
>
> I am a little confused. Why the conversion goes for one group but for the other one not?
>
> I've tried a lot, unfortunately without success.
>
>
>
> Is there a log I can turn on what can help me?
>
> What is the value wbinfo take out of the AD to convert the SID to UID or GID?
>
> Is there another way I can figure out why the conversion does not work?
>
>
>
> Thanks for your help.
>
>
>
> Kind regards, G.
>
>
>
> I would check /var/log/samba/log.winbindd or /var/log/samba/log.wb.. I would suspect that you may have run out of gids allocated to groups (your rang is not big enough). The logs should help you pinpoint the problem though.
>
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>

Thanks for the note.

I get following results in the logs for those SID which couldn't convert.

log.winbindd:

[2009/12/09 10:57:14, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[15791]: request interface version
[2009/12/09 10:57:14, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[15791]: request location of privileged pipe
[2009/12/09 10:57:14, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
[15791]: sid to gid S-1-5-21-986273330-1409306274-1541874228-9965

log.wb-MYDOM:

[2009/12/09 10:57:14, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupsid(754)
[21931]: lookupsid S-1-5-21-986273330-1409306274-1541874228-9965
[2009/12/09 10:57:14, 3] nsswitch/winbindd_ads.c:sequence_number(1010)
ads: fetch sequence_number for MYDOM
[2009/12/09 10:57:14, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(304)
sid_to_name [rpc] S-1-5-21-986273330-1409306274-1541874228-9965 for domain MYDOM

How can this help us now?

Regards, G.







_________________________________________________________________
Samichlaus und Weihnachts Fotos: direkt im Messenger mit Freunden austauschen
http://www.microsoft.com/switzerland/windows/de/windowslive/products/messenger.aspx?tab=2
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Georg Roelli on



----------------------------------------
> From: roellig(a)hotmail.com
> To: samba(a)lists.samba.org
> Date: Wed, 9 Dec 2009 11:02:32 +0100
> Subject: Re: [Samba] wbinfo / Could not convert sid to gid / uid
>
>
>
>
> ________________________________
>> Date: Tue, 8 Dec 2009 08:55:05 -0700
>> Subject: Re: [Samba] wbinfo / Could not convert sid to gid / uid
>> From: robert(a)leblancnet.us
>> To: roellig(a)hotmail.com
>> CC: samba(a)lists.samba.org
>>
>> On Tue, Dec 8, 2009 at 7:55 AM, Georg Roelli> wrote:
>>
>>
>>
>> Hello
>>
>>
>>
>> My is environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>>
>>
>>
>> For Squid I need the query of a global group from Active Directory 2003.
>>
>> This works beautifully, but unfortunately not always. There are global groups which works to transform and others where it does not work.
>>
>>
>>
>> Here are my entries for test:
>>
>>
>>
>> # wbinfo -n nobadurl
>>
>> S-1-5-21-986273330-1409306274-1541874228-9965 Domain Group (2)
>>
>>
>>
>> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-9965
>>
>> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-9965 to gid
>>
>>
>>
>> # wbinfo -n www-Access
>>
>> S-1-5-21-986273330-1409306274-1541874228-2514 Domain Group (2)
>>
>>
>>
>> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-2514
>>
>> 10011
>>
>>
>>
>> I am a little confused. Why the conversion goes for one group but for the other one not?
>>
>> I've tried a lot, unfortunately without success.
>>
>>
>>
>> Is there a log I can turn on what can help me?
>>
>> What is the value wbinfo take out of the AD to convert the SID to UID or GID?
>>
>> Is there another way I can figure out why the conversion does not work?
>>
>>
>>
>> Thanks for your help.
>>
>>
>>
>> Kind regards, G.
>>
>>
>>
>> I would check /var/log/samba/log.winbindd or /var/log/samba/log.wb.. I would suspect that you may have run out of gids allocated to groups (your rang is not big enough). The logs should help you pinpoint the problem though.
>>
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
>>
>
> Thanks for the note.
>
> I get following results in the logs for those SID which couldn't convert.
>
> log.winbindd:
>
> [2009/12/09 10:57:14, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
> [15791]: request interface version
> [2009/12/09 10:57:14, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
> [15791]: request location of privileged pipe
> [2009/12/09 10:57:14, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
> [15791]: sid to gid S-1-5-21-986273330-1409306274-1541874228-9965
>
> log.wb-MYDOM:
>
> [2009/12/09 10:57:14, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupsid(754)
> [21931]: lookupsid S-1-5-21-986273330-1409306274-1541874228-9965
> [2009/12/09 10:57:14, 3] nsswitch/winbindd_ads.c:sequence_number(1010)
> ads: fetch sequence_number for MYDOM
> [2009/12/09 10:57:14, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(304)
> sid_to_name [rpc] S-1-5-21-986273330-1409306274-1541874228-9965 for domain MYDOM
>
> How can this help us now?
>
> Regards, G.
>

Hello

I have something very interesting, which would confirm the statement from Robert.
Until now I have made all the tests on a virtual clone. Now I have reproduced the installation on the productive system.
Here I get a GID for the group nobadurl. Possibly I run out of gids allocated to groups.

How do I find out, how great my range for GID must be and how can I change this value. I now there exist to values in the smb.conf.
Idmap uid and Idmap gid are now 10000-20000. I have changed these values one time but without success. I got no GID for the group nobadurl.

Who can help me?

Kind regards, G.





_________________________________________________________________
Samichlaus und Weihnachts Fotos: direkt im Messenger mit Freunden austauschen
http://www.microsoft.com/switzerland/windows/de/windowslive/products/messenger.aspx?tab=2
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Robert LeBlanc on
On Thu, Dec 10, 2009 at 6:21 AM, Georg Roelli <roellig(a)hotmail.com> wrote

>
> Hello
>
> I have something very interesting, which would confirm the statement from
> Robert.
> Until now I have made all the tests on a virtual clone. Now I have
> reproduced the installation on the productive system.
> Here I get a GID for the group nobadurl. Possibly I run out of gids
> allocated to groups.
>
> How do I find out, how great my range for GID must be and how can I change
> this value. I now there exist to values in the smb.conf.
> Idmap uid and Idmap gid are now 10000-20000. I have changed these values
> one time but without success. I got no GID for the group nobadurl.
>
> Who can help me?
>
> Kind regards, G.
>
>
The logs didn't seem to give any additional info. Do you have less than
10,000 groups in your AD? You can set that as high as you want. You will
need to restart the winbind service. You probably do NOT want to clear the
id cache, this will mess up your old rids. We use idmap_hash which has 10
digits in the id and gid, so you can go very high, you just have to be
careful that some apps don't have problems. We only found a problem with a
database that stored the uid and it wasn't wide enough.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba