possible issue with Windows 2003 sp1

Alex de Vaal a.vaal at nh-hotels.com
Fri Apr 1 15:33:41 GMT 2005

Gerald (Jerry) Carter wrote:

># bin/rpcclient primary -I -U% -c 'schannel; lsaquery'
> Setting schannel - sign and seal
> Got Session key: B5BDF88A6FDC6EA70000000000000000
> result was NT code 0xc0020041

> $ bin/rpcclient primary -I -U% -c 'lsaquery'
> domain COLOR has sid S-1-5-21-3493585492-4029240144-3226775320

Verified (tested with 3.0.13):
#rpcclient primary -I -U% -c 'schannel; lsaquery'
Setting schannel - sign and seal
domain NH-HOTELES has sid S-1-5-21-1130960580-3026470530-2041411792

In appears:
[2005/04/01 17:14:35, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
  get_md4pw: Workstation DUSSEL$: no account in domain 
(Hostname of Samba server is 'DUSSEL')

#rpcclient primary -I -U% -c 'lsaquery'
domain NH-HOTELES has sid S-1-5-21-1130960580-3026470530-2041411792

Result is that 'wbinfo -u" "getent passwd" and "wbinfo -g" does work;
"getent group" does NOT work.

"getent group NH-HOTELES\dep_dussel_member" results in no reply.
In winbindd.log (level 10 debug) appears:

[2005/04/01 17:02:05, 10] nsswitch/winbindd_cache.c:centry_expired(411)
  centry_expired: Key NS/NH-HOTELES/DEP_DUSSEL_MEMBER for domain
  NH-HOTELES is good.
[2005/04/01 17:02:05, 10] nsswitch/winbindd_cache.c:wcache_fetch(490)
  wcache_fetch: returning entry NS/NH-HOTELES/DEP_DUSSEL_MEMBER for 
 domain NH-HOTELES
[2005/04/01 17:02:05, 10] nsswitch/winbindd_cache.c:name_to_sid(963)
  name_to_sid: [Cached] - cached name for domain NH-HOTELES status NT code
[2005/04/01 17:02:05, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(299)
  group dep_dussel_member in domain NH-HOTELES does not exist

Ergo: winbind breaks in resolving AD groups when SP1 is applied to Windows


More information about the samba-technical mailing list