failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Daniele Dario
d.dario76 at gmail.com
Mon Jan 16 10:50:12 UTC 2017
Hi list,
I'm sorry to bother you with a request that is probably not for
developers, but I'm not able to find a real example of id mapping
on a domain member anywhere, and I've been googling and trying to
figure out how to get things working for almost a week :-(
I have two Samba AD DCs in my domain and one of them is also acting as
a file server. I'd like to move the file server to a domain member and,
before messing things up, decided to create a test environment to find
out how to proceed, so I created 2 VMs with Ubuntu 16.04 amd64 servers
(named addc and addm1) and downloaded Samba 4.5.3.
Following the wiki I built/installed Samba (just ./configure+make+make
install), then provisioned a test domain on addc as follows:
[root@addc:~]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.LOC]: SAMDOM.LOC
Domain [SAMDOM]: SAMDOM
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]: 8.8.8.8
Administrator password: ...
then followed the other steps of the wiki to complete the DC setup.
This is the smb.conf on addc:
[root@addc:~]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
netbios name = ADDC
realm = SAMDOM.LOC
workgroup = SAMDOM
dns forwarder = 8.8.8.8
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/SAMDOM/%U
[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.loc/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
I created the reverse lookup DNS zone
[root@addc:~]# samba-tool dns zonecreate 192.168.12.204 12.168.192.in-addr.arpa -U administrator
[root@addc:~]# samba-tool dns add 192.168.12.204 12.168.192.in-addr.arpa 204 PTR addc.samdom.loc -U administrator
two test groups
[root@addc:~]# samba-tool group add group1 --nis-domain=samdom --gid-number=4000100
[root@addc:~]# samba-tool group add group2 --nis-domain=samdom --gid-number=4000101
two test users
[root@addc:~]# samba-tool user create user1 P4ssw0rd --nis-domain=samdom --unix-home=/home/SAMDOM/user1 --uid-number=4001001 --login-shell=/bin/bash --gid-number=4000001
[root@addc:~]# samba-tool user create user2 P4ssw0rd --nis-domain=samdom --unix-home=/home/SAMDOM/user2 --uid-number=4001002 --login-shell=/bin/bash --gid-number=4000002
and added users to groups
[root@addc:~]# samba-tool group addmembers group1 user1
[root@addc:~]# samba-tool group addmembers group2 user1
[root@addc:~]# samba-tool group addmembers group1 user2
Then tested if winbindd was working
[root@addc:~]# getent passwd administrator
SAMDOM\administrator:*:0:100::/home/SAMDOM/administrator:/bin/bash
[root@addc:~]# getent passwd user1
SAMDOM\user1:*:4001001:100::/home/SAMDOM/user1:/bin/bash
[root@addc:~]# getent group 'domain users'
SAMDOM\domain users:x:100:
[root@addc:~]# getent group group1
SAMDOM\group1:x:4000100:
[root@addc:~]# id administrator
uid=0(root) gid=0(root) groups=0(root)
[root@addc:~]# id user1
uid=4001001(SAMDOM\user1) gid=100(users) groups=100(users),4000100(SAMDOM\group1),4000101(SAMDOM\group2),3000009(BUILTIN\users)
On the second VM: built/installed samba (just ./configure+make+make
install) following instructions on wiki page "Setting Up Samba as a
Domain Member".
I wrote an smb.conf based on the one on wiki:
[root@addm1:~]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.LOC
log file = /usr/local/samba/var/%m.log
log level = 1
winbind nss info = rfc2307
winbind use default domain = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# ID mapping configuration for SAMDOM accounts
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-4999999
# Map the domain administrator to the local root account
username map = /usr/local/samba/etc/user.map
Domain join succeeded and then I modified nsswitch.conf as the wiki
says, then started winbindd. Not having yet configured any share or
printer, I didn't start smbd or nmbd.
Testing winbindd connectivity succeeded
[root@addm1:~]# wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.LOC" succeeded
so I linked libnss_winbind.so, restarted winbindd and tried a lookup of
user1 but had no output. So I tried with wbinfo and increased the debug
level to 10.
[root@addm1:~]# wbinfo -i user1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user user1
[2017/01/12 09:40:43.825777, 6, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:918(new_connection)
accepted socket 29
[2017/01/12 09:40:43.826709, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:760(process_request)
process_request: request fn INTERFACE_VERSION
[2017/01/12 09:40:43.826770, 3, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
[ 1584]: request interface version (version = 28)
[2017/01/12 09:40:43.826837, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
winbind_client_response_written[1584:INTERFACE_VERSION]: delivered
response to client
[2017/01/12 09:40:43.827471, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:760(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2017/01/12 09:40:43.827522, 3, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
[ 1584]: request location of privileged pipe
[2017/01/12 09:40:43.827597, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
winbind_client_response_written[1584:WINBINDD_PRIV_PIPE_DIR]:
delivered response to client
[2017/01/12 09:40:43.828157, 6, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:918(new_connection)
accepted socket 33
[2017/01/12 09:40:43.828585, 6, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
closing socket 29, client exited
[2017/01/12 09:40:43.829039, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:733(process_request)
process_request: Handling async request 1584:GETPWNAM
[2017/01/12 09:40:43.829090, 3, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam user1
[2017/01/12 09:40:43.829150, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'SAMDOM'
name : *
name : 'USER1'
flags : 0x00000008 (8)
[2017/01/12 09:40:43.829311, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USER (1)
sid : *
sid :
S-1-5-21-2829196831-3808893492-1696772578-1105
result : NT_STATUS_OK
[2017/01/12 09:40:43.829435, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_QueryUser: struct wbint_QueryUser
in: struct wbint_QueryUser
sid : *
sid :
S-1-5-21-2829196831-3808893492-1696772578-1105
[2017/01/12 09:40:43.829619, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_QueryUser: struct wbint_QueryUser
out: struct wbint_QueryUser
info : *
info: struct wbint_userinfo
acct_name : *
acct_name : 'user1'
full_name : *
full_name : 'user1'
homedir : *
homedir : '/home/user1'
shell : *
shell : '/bin/bash'
primary_gid : 0x00000000003d0901
(4000001)
user_sid :
S-1-5-21-2829196831-3808893492-1696772578-1105
group_sid :
S-1-5-21-2829196831-3808893492-1696772578-513
result : NT_STATUS_OK
[2017/01/12 09:40:43.829830, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
SID 0: S-1-5-21-2829196831-3808893492-1696772578-1105
[2017/01/12 09:40:43.829911, 10, pid=1506, effective(0, 0), real(0,
0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-1105]:
value=[4001001:U]
[2017/01/12 09:40:43.829955, 10, pid=1506, effective(0, 0), real(0,
0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-1105]:
id=[4001001], endptr=[:U]
[2017/01/12 09:40:43.830002, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_util.c:1036(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-1-5-21-2829196831-3808893492-1696772578-513)
[2017/01/12 09:40:43.830038, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_util.c:1046(find_lookup_domain_from_sid)
calling find_our_domain
[2017/01/12 09:40:43.830071, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
in: struct wbint_LookupSid
sid : *
sid :
S-1-5-21-2829196831-3808893492-1696772578-513
[2017/01/12 09:40:43.830182, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
out: struct wbint_LookupSid
type : *
type : SID_NAME_DOM_GRP (2)
domain : *
domain : *
domain : 'SAMDOM'
name : *
name : *
name : 'Domain Users'
result : NT_STATUS_OK
[2017/01/12 09:40:43.830404, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
SID 0: S-1-5-21-2829196831-3808893492-1696772578-513
[2017/01/12 09:40:43.830468, 10, pid=1506, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:326(gencache_set_data_blob)
Adding cache entry with
key=[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-513] and
timeout=[Thu Jan 1 01:00:00 AM 1970 CET] (-1484210443 seconds in the
past)
[2017/01/12 09:40:43.830548, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_util.c:1036(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-1-5-21-2829196831-3808893492-1696772578-513)
[2017/01/12 09:40:43.830582, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_util.c:1046(find_lookup_domain_from_sid)
calling find_our_domain
[2017/01/12 09:40:43.830615, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupSids: struct wbint_LookupSids
in: struct wbint_LookupSids
sids : *
sids: struct lsa_SidArray
num_sids : 0x00000001 (1)
sids : *
sids: ARRAY(1)
sids: struct lsa_SidPtr
sid : *
sid :
S-1-5-21-2829196831-3808893492-1696772578-513
[2017/01/12 09:40:43.830797, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupSids: struct wbint_LookupSids
out: struct wbint_LookupSids
domains : *
domains: struct lsa_RefDomainList
count : 0x00000001 (1)
domains : *
domains: ARRAY(1)
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000c
(12)
size : 0x000e
(14)
string : *
string :
'SAMDOM'
sid : *
sid :
S-1-5-21-2829196831-3808893492-1696772578
max_size : 0x00000020 (32)
names : *
names: struct lsa_TransNameArray
count : 0x00000001 (1)
names : *
names: ARRAY(1)
names: struct lsa_TranslatedName
sid_type :
SID_NAME_DOM_GRP (2)
name: struct lsa_String
length : 0x0018
(24)
size : 0x0018
(24)
string : *
string :
'Domain Users'
sid_index : 0x00000000
(0)
result : NT_STATUS_OK
[2017/01/12 09:40:43.831155, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
in: struct wbint_Sids2UnixIDs
domains : *
domains: struct lsa_RefDomainList
count : 0x00000001 (1)
domains : *
domains: ARRAY(1)
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000c
(12)
size : 0x000e
(14)
string : *
string :
'SAMDOM'
sid : *
sid :
S-1-5-21-2829196831-3808893492-1696772578
max_size : 0x00000001 (1)
ids : *
ids: struct wbint_TransIDArray
num_ids : 0x00000001 (1)
ids: ARRAY(1)
ids: struct wbint_TransID
type : ID_TYPE_GID (2)
domain_index : 0x00000000 (0)
rid : 0x00000201
(513)
xid: struct unixid
id : 0xffffffff
(4294967295)
type : ID_TYPE_GID
(2)
[2017/01/12 09:40:43.833824, 1, pid=1506, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
out: struct wbint_Sids2UnixIDs
ids : *
ids: struct wbint_TransIDArray
num_ids : 0x00000001 (1)
ids: ARRAY(1)
ids: struct wbint_TransID
type : ID_TYPE_GID (2)
domain_index : 0x00000000 (0)
rid : 0x00000201
(513)
xid: struct unixid
id : 0xffffffff
(4294967295)
type :
ID_TYPE_NOT_SPECIFIED (0)
result : NT_STATUS_OK
[2017/01/12 09:40:43.833902, 10, pid=1506, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:326(gencache_set_data_blob)
Adding cache entry with
key=[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-513] and
timeout=[Thu Jan 12 09:42:43 AM 2017 CET] (120 seconds ahead)
[2017/01/12 09:40:43.833937, 5, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2829196831-3808893492-1696772578-1105:
NT_STATUS_NONE_MAPPED
[2017/01/12 09:40:43.833949, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:795(wb_request_done)
wb_request_done[1584:GETPWNAM]: NT_STATUS_NONE_MAPPED
[2017/01/12 09:40:43.833975, 10, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
winbind_client_response_written[1584:GETPWNAM]: delivered response to
client
[2017/01/12 09:40:43.835011, 6, pid=1506, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
closing socket 33, client exited
As far as I can see from the logs, the problem is not that "user1" is
not found but that it failed to convert the SID to a UID, and googling
I found some posts that point to wrong id mapping ranges. Could it be
my problem or am I doing something else wrong?
Best regards,
Daniele.