[Samba] Samba 4.2.10 AD DC not resolving user groups anymore
Sébastien Le Ray
sebastien-samba at orniz.org
Sat Apr 16 14:00:50 UTC 2016
Hi list,

I just upgraded an AD DC from 4.1.17 to 4.2.10 (using the jessie package), and
wbinfo -r someuser now fails randomly (well, not THAT randomly; I guess it
depends on group membership):

$ wbinfo -r oneuser
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user oneuser
$ wbinfo -r anotheruser
[list of GIDs]

wbinfo -u and wbinfo -g return no error.
wbinfo -i oneuser and wbinfo -i anotheruser work fine.

I suspect that there is a relation with the switch to regular winbind to
do resolution; maybe some built-in groups are mismapped, but I don't know
how to reset these.

I raised the log level for winbind. For wbinfo -r oneuser I get:
[2016/04/16 15:58:12.516222, 3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[28825]: request interface version (version = 27)
[2016/04/16 15:58:12.516290, 3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[28825]: request location of privileged pipe
[2016/04/16 15:58:12.516354, 3]
../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
getgroups oneuser
[2016/04/16 15:58:12.518716, 3]
../source3/winbindd/winbindd_util.c:1119(lookup_usergroups_cached)
: lookup_usergroups_cached
[2016/04/16 15:58:12.540592, 5]
../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
Could not convert sid S-1-5-21-1602783663-1404646826-877247859-1055:
NT_STATUS_INTERNAL_DB_CORRUPTION
wbinfo -r anotheruser got
[2016/04/16 15:59:13.261262, 3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[28832]: request interface version (version = 27)
[2016/04/16 15:59:13.261330, 3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[28832]: request location of privileged pipe
[2016/04/16 15:59:13.261401, 3]
../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
getgroups anotheruser
[2016/04/16 15:59:13.263659, 3]
../source3/winbindd/winbindd_util.c:1119(lookup_usergroups_cached)
: lookup_usergroups_cached
Is there a way to force winbind to rebuild its internal database?
For reference here is the smb.conf
[global]
workgroup = SOMEDOMAIN.LAN
realm = ad.somedomain.lan
netbios name = SECOND-DC
server role = active directory domain controller
idmap config *:backend = tdb
idmap config *:range = 3000000-3001000
idmap config SOMEDOMAIN.LAN:backend = ad
idmap config SOMEDOMAINLAN:schema_mode = rfc2307
idmap config SOMEDOMAIN.LAN:range = 100-40000
idmap_ldb:use rfc2307 = yes
log level = 5
# Avoid complaints about CUPS refusing connection
printing = bsd
printcap name = /dev/null
max log size = 102400
[netlogon]
path = /var/lib/samba/sysvol/ad.somedomain.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# Make sysvolreset happy
inherit acls = true
dos filemode = true
force unknown acl user = true
acl_xattr:ignore system acls = yes
Regards
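
To triage logs like the ones in this post, the following added example (not part of the original message or of Samba) splits a winbindd log into entries and reports each SID that failed conversion together with the getgroups request that preceded it. Attributing a failure to the nearest preceding request is an assumption that holds for a single wbinfo -r run; the function names are hypothetical.

```python
import re

# Log excerpt quoted in the post, with line breaks as they appear in the mail.
SAMPLE_LOG = """\
[2016/04/16 15:58:12.516354, 3]
../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
getgroups oneuser
[2016/04/16 15:58:12.518716, 3]
../source3/winbindd/winbindd_util.c:1119(lookup_usergroups_cached)
: lookup_usergroups_cached
[2016/04/16 15:58:12.540592, 5]
../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
Could not convert sid S-1-5-21-1602783663-1404646826-877247859-1055:
NT_STATUS_INTERNAL_DB_CORRUPTION
[2016/04/16 15:59:13.261401, 3]
../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
getgroups anotheruser
"""

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]")
LOCATION = re.compile(r"(\S+):(\d+)\((\w+)\)\s*(.*)", re.S)
GETGROUPS = re.compile(r"^getgroups (\S+)$")
BAD_SID = re.compile(r"Could not convert sid (S-[\d-]+):\s*(NT_STATUS_\w+)")

def parse_entries(text):
    """Split a winbindd log into entries, re-joining wrapped lines."""
    parts = HEADER.split(text)[1:]  # [ts, level, body, ts, level, body, ...]
    entries = []
    for ts, level, body in zip(parts[0::3], parts[1::3], parts[2::3]):
        m = LOCATION.match(" ".join(body.split()))
        if m:
            entries.append({"time": ts, "level": int(level),
                            "func": m.group(3), "msg": m.group(4)})
    return entries

def failed_group_lookups(text):
    """Report SIDs winbindd could not convert, with the requesting user."""
    # Assumption: the error belongs to the closest preceding getgroups request.
    failures, user = [], None
    for e in parse_entries(text):
        req = GETGROUPS.match(e["msg"])
        bad = BAD_SID.search(e["msg"])
        if req:
            user = req.group(1)
        elif bad:
            sid, status = bad.groups()
            failures.append({"user": user, "sid": sid, "status": status,
                             "rid": int(sid.rsplit("-", 1)[1])})
    return failures
```

The trailing RID (1055 for the failure above) identifies the object in the domain whose ID mapping should be checked.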