wbinfo fails when called from idmap tdb2 script

Joachim Achtzehnter joachima at netacquire.com
Mon Mar 28 21:04:30 UTC 2016

The idmap script module delegates control over the winbindd SID to 
GID/UID mappings to a script. It is configured like this:

     idmap config * : backend = tdb2
     idmap config * : range = 10000000-20000000
     idmap config * : script = /opt/bin/idmap.sh

The documentation for this feature explicitly mentions that the script 
can call "wbinfo -s" to convert its SID command line argument to the 
name of the group or user. More importantly, this is also required to 
determine whether the SID represents a user or a group. We find that all 
calls to wbinfo from that script fail. wbinfo writes the following error 
message to standard error when the idmap script is invoked by winbindd:

   failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
   Could not lookup sid S-1-X-XX-XXXX-XXXX-XXXX-XXXX

The exact same call works when the idmap script is called directly from 
a shell. Looking at the winbindd source code, and given that the domain 
does exist, I'm guessing that winbindd invokes the script while 
recursive calls to winbindd are disabled via the winbind_off() 
mechanism. Under those circumstances the same WBC_ERR_DOMAIN_NOT_FOUND 
error would occur. Am I right about this? What can be done to fix or 
work around this problem?

We are using the latest stable version 4.3.6. Does anybody know if this 
was ever working in an earlier version?



joachima at netacquire.com http://www.netacquire.com
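
The following is an added example, not part of the original post and not Samba's own code: a sketch of an idmap script that uses "wbinfo -s" to tell users from groups, keeps wbinfo's stderr, and answers ERR: when the lookup fails, so a failure like the one quoted above is recorded. Assumptions: the SIDTOID request and UID:/GID:/ERR: reply format as described in idmap_tdb2(8), wbinfo -s printing "DOMAIN\name <type>", and the hypothetical names WBINFO, IDMAP_LOG and alloc_id.

```shell
#!/bin/sh
# Added example: sketch of a script for "idmap config * : script".
# Assumed interface (idmap_tdb2(8)): argv is "SIDTOID <sid>"; the reply is
# one line on stdout: UID:<n>, GID:<n> or ERR:<text>.
WBINFO="${WBINFO:-wbinfo}"       # hypothetical override, allows offline testing
LOG="${IDMAP_LOG:-/dev/null}"    # hypothetical log file for wbinfo's stderr

# Hypothetical allocator: a real script would consult its own mapping store
# and stay inside the configured range (10000000-20000000 in the post).
alloc_id() { echo 10000001; }

sid_to_id() {
    sid=$1
    # Accept only "S-1-" followed by digits and single hyphens.
    case $sid in
        S-1-*[!0-9-]*|S-1-*--*|S-1-*-) echo "ERR:malformed SID"; return 0 ;;
        S-1-[0-9]*) ;;
        *) echo "ERR:malformed SID"; return 0 ;;
    esac
    # Keep stderr so errors such as WBC_ERR_DOMAIN_NOT_FOUND are recorded
    # instead of being lost when winbindd runs the script.
    if ! out=$("$WBINFO" -s "$sid" 2>>"$LOG"); then
        echo "ERR:wbinfo lookup failed"
        return 0
    fi
    type=${out##* }              # last field: numeric SID name type (assumed)
    case $type in
        1)     echo "UID:$(alloc_id)" ;;  # user
        2|4|5) echo "GID:$(alloc_id)" ;;  # domain group, alias, well-known group
        *)     echo "ERR:unsupported SID type $type" ;;
    esac
}

idmap_main() {
    case $1 in
        SIDTOID) sid_to_id "$2" ;;
        *)       echo "ERR:unsupported request" ;;
    esac
}

idmap_main "$@"
```

Setting IDMAP_LOG to a writable file shows what wbinfo reported when the script ran under winbindd rather than from a shell.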
