[Samba] winbind sometimes does not resolve sid to a name

Shirish Pargaonkar shirishpargaonkar at gmail.com
Thu Dec 16 12:55:04 MST 2010


On Thu, Dec 2, 2010 at 3:13 PM, Shirish Pargaonkar
<shirishpargaonkar at gmail.com> wrote:
> On Tue, Nov 16, 2010 at 10:19 AM, Shirish Pargaonkar
> <shirishpargaonkar at gmail.com> wrote:
>> On Sat, Nov 13, 2010 at 5:34 PM, Michael Wood <esiotrot at gmail.com> wrote:
>>> On 14 November 2010 01:16, Shirish Pargaonkar
>>> <shirishpargaonkar at gmail.com> wrote:
>>>> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam <obnox at samba.org> wrote:
>>>>> Hi Shirish,
>>>>>
>>>>> Shirish Pargaonkar wrote:
>>>>>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison <jra at samba.org> wrote:
>>>>>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
>>>>>> >> Sometimes a group sid does not get resolved to its name.
>>>>>> >>
>>>>>> >> Is this a settings problem?  Looks like winbind daemon
>>>>>> >> went dormant for a while and then woke up?
>>>>>> >> I am using interface wbcLookupSid provided by the
>>>>>> >> library libwbclient.so for resolving sids to names.
>>>>>> >>
>>>>>> >> These are the winbind related parameters in
>>>>>> >> /etc/samba/smb.conf
>>>>>> >
>>>>>> > Not enough information for useful debugging. What
>>>>>> > do the winbindd logs say ?
>>>>>> >
>>>>>>
>>>>>> ps -eaf | grep winbind
>>>>>> root     20085     1  0 14:03 ?        00:00:00 /usr/sbin/winbindd -D
>>>>>> root     20086 20085  0 14:03 ?        00:00:00 /usr/sbin/winbindd -D
>>>>>> root     20089 20085  0 14:03 ?        00:00:00 /usr/sbin/winbindd -D
>>>>>>
>>>>>> Cleared /var/log/samba/winbindd.log just before issuing
>>>>>> command getcifsacl which could not resolve the group SID
>>>>>>
>>>>>> winbindd.log attached.
>>>>>
>>>>> not really. :-)
>>>>>
>>>>> Cheers - Michael
>>>>
>>>> Michael, not sure what is implied.  The log is not sufficient?
>>>
>>> No, the mailing list (sometimes) strips attachments.  There was no log
>>> file attached to your e-mail when I received it.
>>>
>>>> I see two error messages in the log.
>>>>
>>>> [2010/11/08 14:32:56,  5] winbindd/winbindd_async.c:lookupsid_recv2(138)
>>>>  lookupsid (forest root) returned an error
>>>> [2010/11/08 14:32:56,  5] winbindd/winbindd_sid.c:lookupsid_recv(61)
>>>>  lookupsid returned an error
>>>
>>> --
>>> Michael Wood <esiotrot at gmail.com>
>>>
>>
>> Hope this attachment sticks.
>>
>> Regards,
>>
>> Shirish
>>
>
> I see one more type of error while using winbind,
> wbcSidToUid returns error 7 but wbcSidToGid succeeds.
>
> /tmp/getcifsacl /mnt/smb_d/Makefile
> REVISION:0x1
> CONTROL:0x9404
> OWNER:BUILTIN\Administrators
> GROUP:CIFSTESTDOM\Domain Users
> ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x10000
> ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1
> ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE
> ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL
>
> # cat /var/log/messages
>
> cifs.upcall: Owner wbcStringToSid: S-1-5-32-544, rc: 0
> cifs.upcall: Owner wbcSidToUid: S-1-5-32-544, uid: 0, rc: 7
> cifs.upcall: Group wbcStringToSid:
> S-1-5-21-2849063682-2007077719-983662776-513, rc: 0
> cifs.upcall: Group wbcSidToGid:
> S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0
>
> Error winbindd.log file is as follows:
> sid2uid_lookupsid_recv: Sid S-1-5-32-544 is not a user or a computer.
>
>
> I changed Owner of the file on the server to
>  OWNER:CIFSTESTDOM\Domain Users
> but the same error during wbcSidToUid
>
> [2010/12/02 14:36:20,  5] winbindd/winbindd_sid.c:sid2uid_lookupsid_recv(192)
>  sid2uid_lookupsid_recv: Sid
> S-1-5-21-2849063682-2007077719-983662776-513 is not a user or a
> computer.
>
> [[2010/12/02 14:36:20,  7] winbindd/winbindd_idmap.c:winbindd_sid2gid_async(363)
>  winbindd_sid2gid_async: Resolving
> S-1-5-21-2849063682-2007077719-983662776-513 to a gid
>
> If I change Owner to OWNER:CIFSTESTDOM\Administrator,  then it works
>
> /tmp/getcifsacl /mnt/smb_d/Makefile
> REVISION:0x1
> CONTROL:0x9404
> OWNER:CIFSTESTDOM\Administrator
> GROUP:CIFSTESTDOM\Domain Users
> ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x10000
> ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1
> ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE
> ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL
> cifstest6:/usr/src/linux.ssp.cifs.09092010.l/cifs-2.6 # cat /var/log/messages
>
> cifs.upcall: Owner wbcStringToSid:
> S-1-5-21-2849063682-2007077719-983662776-500, rc: 0
> cifs.upcall: Owner wbcSidToUid:
> S-1-5-21-2849063682-2007077719-983662776-500, uid: 10000, rc: 0
> cifs.upcall: Group wbcStringToSid:
> S-1-5-21-2849063682-2007077719-983662776-513, rc: 0
> cifs.upcall: Group wbcSidToGid:
> S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0
>
> Is this the expected behaviour, some sids can_not/will_not be mapped
> such as this
> Owner BUILTIN\Administrators.
>
> Regards,
>
> Shirish
>

One more observation.
winbind, for some IDs, can't/doesn't look up names, for some it does.


# wbinfo -s S-1-5-21-2849063682-2007077719-983662776-513
Could not lookup sid S-1-5-21-2849063682-2007077719-983662776-513

# wbinfo -s S-1-5-21-2849063682-2007077719-983662776-513
CIFSTESTDOM#Domain Users 2


# /tmp/getcifsacl /mnt/smb_f/Makefile2
REVISION:0x1
CONTROL:0x9004
OWNER:BUILTIN\Administrators
GROUP:CIFSTESTDOM\Domain Users
ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/D
ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1
ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE
ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL

# ls -ln /mnt/smb_f/Makefile2
---------- 1 0 10010 0 Nov 13 13:55 /mnt/smb_f/Makefile2

# wbinfo -s S-1-5-32-544
BUILTIN#Administrators 4


So here, the library libwbclient.so and winbind do_not/can_not lookup
SID S-1-5-32-544.

They can/do lookup SID S-1-5-21-2849063682-2007077719-983662776-513
but do_not/can_not lookup a name of that SID. They can and do
map it though (gid 10010).

Both are BUILTIN accounts at the server.

wbinfo -s command does eventually resolve SIDs to names but it can
take a few tries.

wbcLookupSid() seems to work always but wbcSidToUid() and wbcSidToGid()
do not work for some SIDs and for some SIDs, work partially.

I will open a bug against winbind and log in that bug, all that I posted here.
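
An added example, not part of the original post and not Samba or cifs-utils code: a small triage of the cifs.upcall lines quoted above that classifies each SID by its well-known structure and refuses to treat the id printed beside a non-zero rc as a mapping result (the log shows "uid: 0" next to rc 7). The function names and the short list of group RIDs are assumptions made for this illustration.

```python
import re

# cifs.upcall lines from the post above, with the mail-wrapped lines re-joined.
SAMPLE_LOG = """\
cifs.upcall: Owner wbcStringToSid: S-1-5-32-544, rc: 0
cifs.upcall: Owner wbcSidToUid: S-1-5-32-544, uid: 0, rc: 7
cifs.upcall: Group wbcSidToGid: S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0
cifs.upcall: Owner wbcSidToUid: S-1-5-21-2849063682-2007077719-983662776-500, uid: 10000, rc: 0
"""

LINE_RE = re.compile(
    r"cifs\.upcall: (?:Owner|Group) (?P<call>wbcSidTo[UG]id): "
    r"(?P<sid>S-1-[\d-]+), [ug]id: (?P<id>\d+), rc: (?P<rc>\d+)")

# Well-known domain-relative RIDs that name groups, not users
# (assumption: this short list is enough for the log above; it is not exhaustive).
DOMAIN_GROUP_RIDS = {512, 513, 514, 515}

def sid_kind(sid):
    """Classify a SID string by identifier authority and first sub-authority."""
    fields = sid.split("-")          # ["S", revision, authority, sub-authorities...]
    authority = int(fields[2])
    subs = [int(f) for f in fields[3:]]
    if authority == 5 and subs[:1] == [32]:
        return "builtin-alias"       # S-1-5-32-*: local aliases such as Administrators
    if authority == 5 and subs[:1] == [21] and len(subs) == 5:
        return "domain-group" if subs[-1] in DOMAIN_GROUP_RIDS else "domain-account"
    return "other"

def triage(log):
    """Return one (call, sid, kind, unix_id, verdict) tuple per mapping call."""
    results = []
    for m in LINE_RE.finditer(log):
        kind, rc = sid_kind(m["sid"]), int(m["rc"])
        # The id printed beside a non-zero rc is not a mapping; never read it as root.
        unix_id = int(m["id"]) if rc == 0 else None
        if rc == 0:
            verdict = "mapped"
        elif m["call"] == "wbcSidToUid" and kind in ("builtin-alias", "domain-group"):
            verdict = "group-or-alias SID asked for a uid"
        else:
            verdict = "lookup failure"
        results.append((m["call"], m["sid"], kind, unix_id, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The first verdict corresponds to the winbindd.log message quoted above, "is not a user or a computer", which appears whenever the file owner on the server is a group or alias SID.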

