failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Rowland Penny
repenny241155 at gmail.com
Mon Jan 16 11:22:24 UTC 2017
On Mon, 16 Jan 2017 11:50:12 +0100
Daniele Dario <d.dario76 at gmail.com> wrote:
> Hi list,
> I'm sorry to bother you with a request that probably is not for
> developers, but I'm not able to find anywhere a real example of id
> mapping on a domain member, and it's been almost a week that I've been
> googling and trying to figure out how to get things working :-(
>
> I have two Samba AD DCs in my domain and one of them is also acting as
> a file server. I'd like to move the file server to a domain member and,
> before messing things up, I decided to create a test environment to find
> out how to proceed, so I created 2 VMs with Ubuntu 16.04 amd64 servers
> (named addc and addm1) and downloaded Samba 4.5.3.
>
> Following the wiki I built/installed Samba (just ./configure+make+make
> install), then provisioned a test domain on addc as follows:
>
> [root at addc:~]# samba-tool domain provision --use-rfc2307 --interactive
> Realm [SAMDOM.LOC]: SAMDOM.LOC
> Domain [SAMDOM]: SAMDOM
> Server Role (dc, member, standalone) [dc]: dc
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
> [SAMBA_INTERNAL]: SAMBA_INTERNAL
> DNS forwarder IP address (write 'none' to disable forwarding)
> [8.8.8.8]: 8.8.8.8
> Administrator password: ...
>
> then followed the other steps of the wiki to complete the DC setup.
>
> This is the smb.conf on addc:
>
> [root at addc:~]# cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> netbios name = ADDC
> realm = SAMDOM.LOC
> workgroup = SAMDOM
> dns forwarder = 8.8.8.8
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> template shell = /bin/bash
> template homedir = /home/SAMDOM/%U
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/samdom.loc/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> I created the reverse lookup DNS zone
>
> [root at addc:~]# samba-tool dns zonecreate 192.168.12.204
> 12.168.192.in-addr.arpa -U administrator
> [root at addc:~]# samba-tool dns add 192.168.12.204
> 12.168.192.in-addr.arpa 204 PTR addc.samdom.loc -U administrator
>
> two test groups
>
> [root at addc:~]# samba-tool group add group1 --nis-domain=samdom
> --gid-number=4000100
> [root at addc:~]# samba-tool group add group2 --nis-domain=samdom
> --gid-number=4000101
>
> two test users
>
> [root at addc:~]# samba-tool user create user1 P4ssw0rd
> --nis-domain=samdom --unix-home=/home/SAMDOM/user1
> --uid-number=4001001 --login-shell=/bin/bash --gid-number=4000001
> [root at addc:~]# samba-tool user create user2 P4ssw0rd
> --nis-domain=samdom --unix-home=/home/SAMDOM/user2
> --uid-number=4001002 --login-shell=/bin/bash --gid-number=4000002
>
> and added users to groups
>
> [root at addc:~]# samba-tool group addmembers group1 user1
> [root at addc:~]# samba-tool group addmembers group2 user1
> [root at addc:~]# samba-tool group addmembers group1 user2
>
> Then I tested whether winbindd was working
>
> [root at addc:~]# getent passwd administrator
> SAMDOM\administrator:*:0:100::/home/SAMDOM/administrator:/bin/bash
>
> [root at addc:~]# getent passwd user1
> SAMDOM\user1:*:4001001:100::/home/SAMDOM/user1:/bin/bash
>
> [root at addc:~]# getent group 'domain users'
> SAMDOM\domain users:x:100:
>
> [root at addc:~]# getent group group1
> SAMDOM\group1:x:4000100:
>
> [root at addc:~]# id administrator
> uid=0(root) gid=0(root) groups=0(root)
>
> [root at addc:~]# id user1
> uid=4001001(SAMDOM\user1) gid=100(users)
> groups=100(users),4000100(SAMDOM\group1),4000101(SAMDOM
> \group2),3000009(BUILTIN\users)
>
> On the second VM: built/installed Samba (just ./configure+make+make
> install) following the instructions on the wiki page "Setting Up Samba
> as a Domain Member".
>
> I wrote an smb.conf based on the one on wiki:
>
> [root at addm1:~]# cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.LOC
>
> log file = /usr/local/samba/var/%m.log
> log level = 1
>
> winbind nss info = rfc2307
> winbind use default domain = yes
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> # ID mapping configuration for SAMDOM accounts
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-4999999
>
> # Map the domain administrator to the local root account
> username map = /usr/local/samba/etc/user.map
>
> The domain join succeeded, then I modified nsswitch.conf as the wiki
> says and started winbindd. Not having configured any share or printer
> yet, I didn't start smbd or nmbd.
>
> Testing winbindd connectivity succeeded
>
> [root at addm1:~]# wbinfo --ping-dc
> checking the NETLOGON for domain[SAMDOM] dc connection to
> "DC.SAMDOM.LOC" succeeded
>
> so I linked libnss_winbind.so, restarted winbindd and tried a lookup of
> user1 but got no output. So I tried with wbinfo and increased the debug
> level to 10.
>
> [root at addm1:~]# wbinfo -i user1
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user user1
>
> [2017/01/12 09:40:43.825777, 6, pid=1506, effective(0, 0), real(0,
> 0), class=winbind] ../source3/winbindd/winbindd.c:918(new_connection)
> accepted socket 29
> [2017/01/12 09:40:43.826709, 10, pid=1506, effective(0, 0), real(0,
> 0), class=winbind] ../source3/winbindd/winbindd.c:760(process_request)
> process_request: request fn INTERFACE_VERSION
> [2017/01/12 09:40:43.826770, 3, pid=1506, effective(0, 0), real(0,
> 0),
> class=winbind] ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
> [ 1584]: request interface version (version = 28) [2017/01/12
> 09:40:43.826837, 10, pid=1506, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> winbind_client_response_written[1584:INTERFACE_VERSION]: delivered
> response to client [2017/01/12 09:40:43.827471, 10, pid=1506,
> effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:760(process_request)
> process_request: request fn WINBINDD_PRIV_PIPE_DIR [2017/01/12
> 09:40:43.827522, 3, pid=1506, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
> [ 1584]: request location of privileged pipe [2017/01/12
> 09:40:43.827597, 10, pid=1506, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> winbind_client_response_written[1584:WINBINDD_PRIV_PIPE_DIR]:
> delivered response to client [2017/01/12 09:40:43.828157, 6,
> pid=1506, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:918(new_connection)
> accepted socket 33 [2017/01/12 09:40:43.828585, 6, pid=1506,
> effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> closing socket 29, client exited [2017/01/12 09:40:43.829039, 10,
> pid=1506, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:733(process_request)
> process_request: Handling async request 1584:GETPWNAM [2017/01/12
> 09:40:43.829090, 3, pid=1506, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam user1 [2017/01/12 09:40:43.829150, 1, pid=1506,
> effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_LookupName: struct wbint_LookupName in: struct wbint_LookupName
> domain : *
> domain : 'SAMDOM'
> name : *
> name : 'USER1'
> flags : 0x00000008 (8)
> [2017/01/12 09:40:43.829311, 1, pid=1506, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_LookupName: struct wbint_LookupName
> out: struct wbint_LookupName
> type : *
> type : SID_NAME_USER (1)
> sid : *
> sid :
> S-1-5-21-2829196831-3808893492-1696772578-1105
> result : NT_STATUS_OK
> [2017/01/12 09:40:43.829435, 1, pid=1506, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_QueryUser: struct wbint_QueryUser
> in: struct wbint_QueryUser
> sid : *
> sid :
> S-1-5-21-2829196831-3808893492-1696772578-1105
> [2017/01/12 09:40:43.829619, 1, pid=1506, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_QueryUser: struct wbint_QueryUser
> out: struct wbint_QueryUser
> info : *
> info: struct wbint_userinfo
> acct_name : *
> acct_name : 'user1'
> full_name : *
> full_name : 'user1'
> homedir : *
> homedir : '/home/user1'
> shell : *
> shell : '/bin/bash'
> primary_gid : 0x00000000003d0901
> (4000001)
> user_sid :
> S-1-5-21-2829196831-3808893492-1696772578-1105
> group_sid :
> S-1-5-21-2829196831-3808893492-1696772578-513
> result : NT_STATUS_OK
> [2017/01/12 09:40:43.829830, 10, pid=1506, effective(0, 0), real(0,
> 0),
> class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
> SID 0: S-1-5-21-2829196831-3808893492-1696772578-1105 [2017/01/12
> 09:40:43.829911, 10, pid=1506, effective(0, 0), real(0,
> 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-1105]:
> value=[4001001:U] [2017/01/12 09:40:43.829955, 10, pid=1506,
> effective(0, 0), real(0,
> 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-1105]:
> id=[4001001], endptr=[:U] [2017/01/12 09:40:43.830002, 10, pid=1506,
> effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_util.c:1036(find_lookup_domain_from_sid)
>
> find_lookup_domain_from_sid(S-1-5-21-2829196831-3808893492-1696772578-513)
> [2017/01/12 09:40:43.830038, 10, pid=1506, effective(0, 0), real(0,
> 0),
> class=winbind] ../source3/winbindd/winbindd_util.c:1046(find_lookup_domain_from_sid)
> calling find_our_domain [2017/01/12 09:40:43.830071, 1, pid=1506,
> effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_LookupSid: struct wbint_LookupSid in: struct wbint_LookupSid
> sid : *
> sid :
> S-1-5-21-2829196831-3808893492-1696772578-513
> [2017/01/12 09:40:43.830182, 1, pid=1506, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_LookupSid: struct wbint_LookupSid
> out: struct wbint_LookupSid
> type : *
> type : SID_NAME_DOM_GRP (2)
> domain : *
> domain : *
> domain : 'SAMDOM'
> name : *
> name : *
> name : 'Domain Users'
> result : NT_STATUS_OK
> [2017/01/12 09:40:43.830404, 10, pid=1506, effective(0, 0), real(0,
> 0),
> class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
> SID 0: S-1-5-21-2829196831-3808893492-1696772578-513 [2017/01/12
> 09:40:43.830468, 10, pid=1506, effective(0, 0), real(0, 0),
> class=tdb] ../source3/lib/gencache.c:326(gencache_set_data_blob)
> Adding cache entry with
> key=[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-513] and
> timeout=[Thu Jan 1 01:00:00 AM 1970 CET] (-1484210443 seconds in the
> past) [2017/01/12 09:40:43.830548, 10, pid=1506, effective(0, 0),
> real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_util.c:1036(find_lookup_domain_from_sid)
>
> find_lookup_domain_from_sid(S-1-5-21-2829196831-3808893492-1696772578-513)
> [2017/01/12 09:40:43.830582, 10, pid=1506, effective(0, 0), real(0,
> 0),
> class=winbind] ../source3/winbindd/winbindd_util.c:1046(find_lookup_domain_from_sid)
> calling find_our_domain [2017/01/12 09:40:43.830615, 1, pid=1506,
> effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_LookupSids: struct wbint_LookupSids in: struct wbint_LookupSids
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000001 (1)
> sids : *
> sids: ARRAY(1)
> sids: struct lsa_SidPtr
> sid : *
> sid :
> S-1-5-21-2829196831-3808893492-1696772578-513
> [2017/01/12 09:40:43.830797, 1, pid=1506, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_LookupSids: struct wbint_LookupSids
> out: struct wbint_LookupSids
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000001 (1)
> domains : *
> domains: ARRAY(1)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length :
> 0x000c (12)
> size :
> 0x000e (14)
> string : *
> string :
> 'SAMDOM'
> sid : *
> sid :
> S-1-5-21-2829196831-3808893492-1696772578
> max_size : 0x00000020 (32)
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000001 (1)
> names : *
> names: ARRAY(1)
> names: struct lsa_TranslatedName
> sid_type :
> SID_NAME_DOM_GRP (2)
> name: struct lsa_String
> length :
> 0x0018 (24)
> size :
> 0x0018 (24)
> string : *
> string :
> 'Domain Users'
> sid_index :
> 0x00000000 (0)
> result : NT_STATUS_OK
> [2017/01/12 09:40:43.831155, 1, pid=1506, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> in: struct wbint_Sids2UnixIDs
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000001 (1)
> domains : *
> domains: ARRAY(1)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length :
> 0x000c (12)
> size :
> 0x000e (14)
> string : *
> string :
> 'SAMDOM'
> sid : *
> sid :
> S-1-5-21-2829196831-3808893492-1696772578
> max_size : 0x00000001 (1)
> ids : *
> ids: struct wbint_TransIDArray
> num_ids : 0x00000001 (1)
> ids: ARRAY(1)
> ids: struct wbint_TransID
> type : ID_TYPE_GID
> (2) domain_index : 0x00000000 (0)
> rid : 0x00000201
> (513)
> xid: struct unixid
> id :
> 0xffffffff (4294967295)
> type :
> ID_TYPE_GID (2)
> [2017/01/12 09:40:43.833824, 1, pid=1506, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> out: struct wbint_Sids2UnixIDs
> ids : *
> ids: struct wbint_TransIDArray
> num_ids : 0x00000001 (1)
> ids: ARRAY(1)
> ids: struct wbint_TransID
> type : ID_TYPE_GID
> (2) domain_index : 0x00000000 (0)
> rid : 0x00000201
> (513)
> xid: struct unixid
> id :
> 0xffffffff (4294967295)
> type :
> ID_TYPE_NOT_SPECIFIED (0)
> result : NT_STATUS_OK
> [2017/01/12 09:40:43.833902, 10, pid=1506, effective(0, 0), real(0,
> 0), class=tdb] ../source3/lib/gencache.c:326(gencache_set_data_blob)
> Adding cache entry with
> key=[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-513] and
> timeout=[Thu Jan 12 09:42:43 AM 2017 CET] (120 seconds ahead)
> [2017/01/12 09:40:43.833937, 5, pid=1506, effective(0, 0), real(0,
> 0),
> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-2829196831-3808893492-1696772578-1105:
> NT_STATUS_NONE_MAPPED [2017/01/12 09:40:43.833949, 10, pid=1506,
> effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:795(wb_request_done)
> wb_request_done[1584:GETPWNAM]: NT_STATUS_NONE_MAPPED [2017/01/12
> 09:40:43.833975, 10, pid=1506, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> winbind_client_response_written[1584:GETPWNAM]: delivered response to
> client [2017/01/12 09:40:43.835011, 6, pid=1506, effective(0, 0),
> real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> closing socket 33, client exited
>
> As far as I can see from the logs, the problem is not that "user1" is
> not found but that it failed to convert the SID to a UID, and googling
> I found some posts that point to wrong id mapping ranges. Could that be
> my problem, or am I doing something else wrong?
>
> Best regards,
> Daniele.
>
>
Did you miss this on the 'Idmap config ad' wiki page:
https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
I am referring to the big fat warning ;-)
This:
[root at addc:~]# getent passwd user1
SAMDOM\user1:*:4001001:100::/home/SAMDOM/user1:/bin/bash
Specifically '100' tells me you haven't given Domain Users a gidNumber
attribute, you need to add a gidNumber and it needs to be between
'10000-4999999' and not already in use as a gidNumber.
Also, you are quite correct: this isn't the right place to ask this
type of question. Can you please use the Samba mailing list in
future ;-)
Rowland
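As an added illustration of the diagnosis above (this is an example written for this page, not Samba's code), the following Python model reproduces offline why the member's getpwnam fails with NT_STATUS_NONE_MAPPED while the DC's getent appears to work: the idmap_ad backend reads uidNumber/gidNumber from the AD objects and accepts a value only inside the configured range, and a user lookup needs both the user SID and the primary-group SID (RID 513, Domain Users) to map. The directory objects are constructed from the values posted in the thread; the "fixed" gidNumber 10000 for Domain Users is a constructed placeholder, and the overlap check on the posted ranges is a sanity check of the smb.conf, not something winbindd itself performs.

```python
"""Offline model of idmap_ad SID-to-unix-id mapping on a domain member.
Added example for this thread, not Samba's own code. Directory content and
the sample gidNumber 10000 are constructed values."""
from dataclasses import dataclass
from typing import Optional, Tuple

DOMAIN_SID = "S-1-5-21-2829196831-3808893492-1696772578"  # domain SID from the posted log


@dataclass(frozen=True)
class IdmapRange:
    backend: str
    low: int
    high: int

    def contains(self, xid: int) -> bool:
        return self.low <= xid <= self.high


# The idmap settings from the addm1 smb.conf posted in the thread
IDMAP_CONFIG = {
    "*": IdmapRange("tdb", 3000, 7999),
    "SAMDOM": IdmapRange("ad", 10000, 4999999),
}


@dataclass
class AdObject:
    name: str
    kind: str                                # "user" or "group"
    uid_number: Optional[int] = None         # rfc2307 uidNumber
    gid_number: Optional[int] = None         # rfc2307 gidNumber (groups)
    primary_group_rid: Optional[int] = None  # users only: primaryGroupID


def make_directory(domain_users_gid: Optional[int]) -> dict:
    """Constructed directory mirroring the thread: user1 carries uidNumber
    4001001; Domain Users (RID 513) may or may not carry a gidNumber."""
    return {
        f"{DOMAIN_SID}-1105": AdObject("user1", "user", uid_number=4001001,
                                       primary_group_rid=513),
        f"{DOMAIN_SID}-513": AdObject("Domain Users", "group",
                                      gid_number=domain_users_gid),
    }


def check_idmap_config(config: dict) -> list:
    """Sanity-check the smb.conf rules quoted in the thread: the '*' range must
    not overlap any domain range and must use a writable backend."""
    problems = []
    items = list(config.items())
    for i, (dom_a, r_a) in enumerate(items):
        for dom_b, r_b in items[i + 1:]:
            if r_a.low <= r_b.high and r_b.low <= r_a.high:
                problems.append(f"ranges for '{dom_a}' and '{dom_b}' overlap")
    if config["*"].backend == "ad":
        problems.append("default '*' domain must use a writable backend such as tdb")
    return problems


def sid_to_xid(sid: str, want: str, directory: dict, config: dict) -> Optional[int]:
    """Model idmap_ad (schema_mode = rfc2307): take uidNumber/gidNumber from
    the object and accept it only if it lies inside the SAMDOM range. None
    corresponds to the 0xffffffff / ID_TYPE_NOT_SPECIFIED seen in the log."""
    if not sid.startswith(DOMAIN_SID + "-"):
        return None  # BUILTIN/well-known SIDs go to the '*' tdb backend; not modelled
    obj = directory.get(sid)
    if obj is None:
        return None
    xid = obj.uid_number if want == "uid" else obj.gid_number
    if xid is None or not config["SAMDOM"].contains(xid):
        return None
    return xid


def getpwnam(name: str, directory: dict, config: dict) -> Tuple[Optional[tuple], str]:
    """Model winbindd_getpwnam: LookupName -> QueryUser -> Sids2UnixIDs for the
    user SID and for its primary-group SID. If either fails to map, the whole
    request fails with NT_STATUS_NONE_MAPPED (wbinfo shows WBC_ERR_DOMAIN_NOT_FOUND)."""
    user_sid = next((s for s, o in directory.items()
                     if o.kind == "user" and o.name.lower() == name.lower()), None)
    if user_sid is None:
        return None, "NT_STATUS_NO_SUCH_USER"
    user = directory[user_sid]
    group_sid = f"{DOMAIN_SID}-{user.primary_group_rid}"
    uid = sid_to_xid(user_sid, "uid", directory, config)
    gid = sid_to_xid(group_sid, "gid", directory, config)
    if uid is None or gid is None:
        return None, "NT_STATUS_NONE_MAPPED"
    # "winbind use default domain = yes" in the posted smb.conf: no SAMDOM\ prefix
    return (user.name, uid, gid), "NT_STATUS_OK"


if __name__ == "__main__":
    print("config problems:", check_idmap_config(IDMAP_CONFIG))
    print("no gidNumber on Domain Users:", getpwnam("user1", make_directory(None), IDMAP_CONFIG))
    print("gidNumber 100 (outside range):", getpwnam("user1", make_directory(100), IDMAP_CONFIG))
    print("gidNumber 10000 (in range):", getpwnam("user1", make_directory(10000), IDMAP_CONFIG))
```

Running it shows the three cases side by side: with no gidNumber on Domain Users the user lookup fails exactly as in the log even though user1's own uidNumber is valid; a gidNumber of 100 (the value the DC fell back to) still fails because it is outside 10000-4999999; a gidNumber inside the SAMDOM range makes the lookup succeed.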