wbinfo fails when called from idmap tdb2 script
Joachim Achtzehnter
joachima at netacquire.com
Mon Mar 28 21:04:30 UTC 2016
The idmap script module delegates control over the winbindd SID to
GID/UID mappings to a script. It is configured like this:

    idmap config * : backend = tdb2
    idmap config * : range = 10000000-20000000
    idmap config * : script = /opt/bin/idmap.sh

The documentation for this feature explicitly mentions that the script
can call "wbinfo -s" to convert its SID command line argument to the
name of the group or user. More importantly, this is also required to
determine whether the SID represents a user or a group. We find that all
calls to wbinfo from that script fail. wbinfo writes the following error
message to standard error when the idmap script is invoked by winbindd:

    failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup sid S-1-X-XX-XXXX-XXXX-XXXX-XXXX

The exact same call works when the idmap script is called directly from
a shell. Looking at the winbindd source code, and given that the domain
does exist, I'm guessing that winbindd invokes the script while
recursive calls to winbindd are disabled via the winbind_off()
mechanism. Under those circumstances the same WBC_ERR_DOMAIN_NOT_FOUND
error would occur. Am I right about this? What can be done to fix or
work around this problem?

We are using the latest stable version 4.3.6. Does anybody know if this
was ever working in an earlier version?

Thanks,
Joachim
--
joachima at netacquire.com http://www.netacquire.com
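
An added example, not part of the original post and not Samba's own code: an idmap script of the kind described above that uses `wbinfo -s` to tell users from groups and answers `ERR:` when the lookup fails (the case reported here) instead of guessing a mapping. The `SIDTOID` request and the `UID:`/`GID:`/`ERR:` replies follow the idmap_tdb2 manual page; the base-plus-RID ID policy, the `WBINFO` override variable and the function name `map_sid` are assumptions made for illustration, and only `SIDTOID` is handled.

```shell
#!/bin/sh
# Added example of a script for "idmap config * : script = ...".
# Called as "SIDTOID S-1-..."; must print one line: UID:n, GID:n or ERR:text.
# Assumptions: ID = range base + RID; WBINFO can be overridden for testing.

WBINFO=${WBINFO:-wbinfo}
BASE=10000000   # low end of the configured idmap range
MAX=20000000    # high end of the configured idmap range

map_sid() {
    sid=$1
    # wbinfo -s prints "DOMAIN\name TYPE"; TYPE 1 = user, 2/4/5 = group kinds.
    if ! out=$($WBINFO -s "$sid" 2>/dev/null); then
        # Lookup failed (e.g. WBC_ERR_DOMAIN_NOT_FOUND): report an error
        # rather than guessing whether the SID is a user or a group.
        echo "ERR:lookup failed for $sid"
        return 0
    fi
    sid_type=${out##* }   # last space-separated field of the wbinfo output
    rid=${sid##*-}        # last sub-authority of the SID
    case $rid in
        ''|*[!0-9]*) echo "ERR:bad SID $sid"; return 0 ;;
    esac
    id=$((BASE + rid))
    if [ "$id" -gt "$MAX" ]; then
        echo "ERR:RID out of range for $sid"
        return 0
    fi
    case $sid_type in
        1)     echo "UID:$id" ;;
        2|4|5) echo "GID:$id" ;;
        *)     echo "ERR:unsupported SID type for $sid" ;;
    esac
}

# Dispatch on the request winbindd passes as the first argument.
case ${1:-} in
    SIDTOID) map_sid "$2" ;;
    *)       echo "ERR:unsupported request" ;;
esac
```

Logging the `ERR:` replies on the winbindd side shows how often the script is invoked in a context where `wbinfo` cannot answer.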