failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Daniele Dario
d.dario76 at gmail.com
Mon Jan 16 13:10:52 UTC 2017
On lun, 2017-01-16 at 11:22 +0000, Rowland Penny wrote:
> On Mon, 16 Jan 2017 11:50:12 +0100
> Daniele Dario <d.dario76 at gmail.com> wrote:
>
> > Hi list,
> > I'm sorry to bother you with a request that probably isn't for
> > developers, but I haven't been able to find a real example of id
> > mapping on a domain member anywhere, and I've been googling and trying
> > to figure out how to get things working for almost a week :-(
> >
> > I have two Samba AD DCs in my domain and one of them is also acting as
> > a file server. I'd like to move the file server to a domain member and,
> > before messing things up, I decided to create a test environment to find
> > out how to proceed, so I created 2 VMs with Ubuntu 16.04 amd64 servers
> > (named addc and addm1) and downloaded Samba 4.5.3.
> >
> > Following the wiki I built/installed Samba (just ./configure+make+make
> > install), then provisioned the test domain on addc as follows:
> >
> > [root at addc:~]# samba-tool domain provision --use-rfc2307 --interactive
> > Realm [SAMDOM.LOC]: SAMDOM.LOC
> > Domain [SAMDOM]: SAMDOM
> > Server Role (dc, member, standalone) [dc]: dc
> > DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
> > [SAMBA_INTERNAL]: SAMBA_INTERNAL
> > DNS forwarder IP address (write 'none' to disable forwarding)
> > [8.8.8.8]: 8.8.8.8
> > Administrator password: ...
> >
> > then followed the other steps of the wiki to complete the DC setup.
> >
> > This is the smb.conf on addc:
> >
> > [root at addc:~]# cat /usr/local/samba/etc/smb.conf
> > # Global parameters
> > [global]
> > netbios name = ADDC
> > realm = SAMDOM.LOC
> > workgroup = SAMDOM
> > dns forwarder = 8.8.8.8
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> >
> > template shell = /bin/bash
> > template homedir = /home/SAMDOM/%U
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/samdom.loc/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> >
> > I created the reverse lookup DNS zone
> >
> > [root at addc:~]# samba-tool dns zonecreate 192.168.12.204
> > 12.168.192.in-addr.arpa -U administrator
> > [root at addc:~]# samba-tool dns add 192.168.12.204
> > 12.168.192.in-addr.arpa 204 PTR addc.samdom.loc -U administrator
> >
> > two test groups
> >
> > [root at addc:~]# samba-tool group add group1 --nis-domain=samdom
> > --gid-number=4000100
> > [root at addc:~]# samba-tool group add group2 --nis-domain=samdom
> > --gid-number=4000101
> >
> > two test users
> >
> > [root at addc:~]# samba-tool user create user1 P4ssw0rd
> > --nis-domain=samdom --unix-home=/home/SAMDOM/user1
> > --uid-number=4001001 --login-shell=/bin/bash --gid-number=4000001
> > [root at addc:~]# samba-tool user create user2 P4ssw0rd
> > --nis-domain=samdom --unix-home=/home/SAMDOM/user2
> > --uid-number=4001002 --login-shell=/bin/bash --gid-number=4000002
> >
> > and added users to groups
> >
> > [root at addc:~]# samba-tool group addmembers group1 user1
> > [root at addc:~]# samba-tool group addmembers group2 user1
> > [root at addc:~]# samba-tool group addmembers group1 user2
> >
> > Then tested whether winbindd was working
> >
> > [root at addc:~]# getent passwd administrator
> > SAMDOM\administrator:*:0:100::/home/SAMDOM/administrator:/bin/bash
> >
> > [root at addc:~]# getent passwd user1
> > SAMDOM\user1:*:4001001:100::/home/SAMDOM/user1:/bin/bash
> >
> > [root at addc:~]# getent group 'domain users'
> > SAMDOM\domain users:x:100:
> >
> > [root at addc:~]# getent group group1
> > SAMDOM\group1:x:4000100:
> >
> > [root at addc:~]# id administrator
> > uid=0(root) gid=0(root) groups=0(root)
> >
> > [root at addc:~]# id user1
> > uid=4001001(SAMDOM\user1) gid=100(users)
> > groups=100(users),4000100(SAMDOM\group1),4000101(SAMDOM
> > \group2),3000009(BUILTIN\users)
> >
> > On the second VM I built/installed Samba (just ./configure+make+make
> > install) following the instructions on the wiki page "Setting Up Samba
> > as a Domain Member".
> >
> > I wrote an smb.conf based on the one on the wiki:
> >
> > [root at addm1:~]# cat /usr/local/samba/etc/smb.conf
> > # Global parameters
> > [global]
> > security = ADS
> > workgroup = SAMDOM
> > realm = SAMDOM.LOC
> >
> > log file = /usr/local/samba/var/%m.log
> > log level = 1
> >
> > winbind nss info = rfc2307
> > winbind use default domain = yes
> >
> > # Default ID mapping configuration for local BUILTIN accounts
> > # and groups on a domain member. The default (*) domain:
> > # - must not overlap with any domain ID mapping configuration!
> > # - must use an read-write-enabled back end, such as tdb.
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> >
> > # ID mapping configuration for SAMDOM accounts
> > idmap config SAMDOM:backend = ad
> > idmap config SAMDOM:schema_mode = rfc2307
> > idmap config SAMDOM:range = 10000-4999999
> >
> > # Map the domain administrator to the local root account
> > username map = /usr/local/samba/etc/user.map
> >
> > The domain join succeeded, then I modified nsswitch.conf as the wiki
> > says and started winbindd. Not having configured any share or printer
> > yet, I didn't start smbd or nmbd.
> >
> > Testing winbindd connectivity succeeded
> >
> > [root at addm1:~]# wbinfo --ping-dc
> > checking the NETLOGON for domain[SAMDOM] dc connection to
> > "DC.SAMDOM.LOC" succeeded
> >
> > so I linked libnss_winbind.so, restarted winbindd and tried a lookup of
> > user1 but got no output. So I tried with wbinfo and increased the debug
> > level to 10.
> >
> > [root at addm1:~]# wbinfo -i user1
> > failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not get info for user user1
> >
> > [2017/01/12 09:40:43.825777, 6, pid=1506, effective(0, 0), real(0,
> > 0), class=winbind] ../source3/winbindd/winbindd.c:918(new_connection)
> > accepted socket 29
> > [2017/01/12 09:40:43.826709, 10, pid=1506, effective(0, 0), real(0,
> > 0), class=winbind] ../source3/winbindd/winbindd.c:760(process_request)
> > process_request: request fn INTERFACE_VERSION
> > [2017/01/12 09:40:43.826770, 3, pid=1506, effective(0, 0), real(0,
> > 0),
> > class=winbind] ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
> > [ 1584]: request interface version (version = 28) [2017/01/12
> > 09:40:43.826837, 10, pid=1506, effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> > winbind_client_response_written[1584:INTERFACE_VERSION]: delivered
> > response to client [2017/01/12 09:40:43.827471, 10, pid=1506,
> > effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:760(process_request)
> > process_request: request fn WINBINDD_PRIV_PIPE_DIR [2017/01/12
> > 09:40:43.827522, 3, pid=1506, effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
> > [ 1584]: request location of privileged pipe [2017/01/12
> > 09:40:43.827597, 10, pid=1506, effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> > winbind_client_response_written[1584:WINBINDD_PRIV_PIPE_DIR]:
> > delivered response to client [2017/01/12 09:40:43.828157, 6,
> > pid=1506, effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:918(new_connection)
> > accepted socket 33 [2017/01/12 09:40:43.828585, 6, pid=1506,
> > effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> > closing socket 29, client exited [2017/01/12 09:40:43.829039, 10,
> > pid=1506, effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:733(process_request)
> > process_request: Handling async request 1584:GETPWNAM [2017/01/12
> > 09:40:43.829090, 3, pid=1506, effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> > getpwnam user1 [2017/01/12 09:40:43.829150, 1, pid=1506,
> > effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_LookupName: struct wbint_LookupName in: struct wbint_LookupName
> > domain : *
> > domain : 'SAMDOM'
> > name : *
> > name : 'USER1'
> > flags : 0x00000008 (8)
> > [2017/01/12 09:40:43.829311, 1, pid=1506, effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_LookupName: struct wbint_LookupName
> > out: struct wbint_LookupName
> > type : *
> > type : SID_NAME_USER (1)
> > sid : *
> > sid :
> > S-1-5-21-2829196831-3808893492-1696772578-1105
> > result : NT_STATUS_OK
> > [2017/01/12 09:40:43.829435, 1, pid=1506, effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_QueryUser: struct wbint_QueryUser
> > in: struct wbint_QueryUser
> > sid : *
> > sid :
> > S-1-5-21-2829196831-3808893492-1696772578-1105
> > [2017/01/12 09:40:43.829619, 1, pid=1506, effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_QueryUser: struct wbint_QueryUser
> > out: struct wbint_QueryUser
> > info : *
> > info: struct wbint_userinfo
> > acct_name : *
> > acct_name : 'user1'
> > full_name : *
> > full_name : 'user1'
> > homedir : *
> > homedir : '/home/user1'
> > shell : *
> > shell : '/bin/bash'
> > primary_gid : 0x00000000003d0901
> > (4000001)
> > user_sid :
> > S-1-5-21-2829196831-3808893492-1696772578-1105
> > group_sid :
> > S-1-5-21-2829196831-3808893492-1696772578-513
> > result : NT_STATUS_OK
> > [2017/01/12 09:40:43.829830, 10, pid=1506, effective(0, 0), real(0,
> > 0),
> > class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
> > SID 0: S-1-5-21-2829196831-3808893492-1696772578-1105 [2017/01/12
> > 09:40:43.829911, 10, pid=1506, effective(0, 0), real(0,
> > 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
> > Parsing value for key
> > [IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-1105]:
> > value=[4001001:U] [2017/01/12 09:40:43.829955, 10, pid=1506,
> > effective(0, 0), real(0,
> > 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
> > Parsing value for key
> > [IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-1105]:
> > id=[4001001], endptr=[:U] [2017/01/12 09:40:43.830002, 10, pid=1506,
> > effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd_util.c:1036(find_lookup_domain_from_sid)
> >
> > find_lookup_domain_from_sid(S-1-5-21-2829196831-3808893492-1696772578-513)
> > [2017/01/12 09:40:43.830038, 10, pid=1506, effective(0, 0), real(0,
> > 0),
> > class=winbind] ../source3/winbindd/winbindd_util.c:1046(find_lookup_domain_from_sid)
> > calling find_our_domain [2017/01/12 09:40:43.830071, 1, pid=1506,
> > effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_LookupSid: struct wbint_LookupSid in: struct wbint_LookupSid
> > sid : *
> > sid :
> > S-1-5-21-2829196831-3808893492-1696772578-513
> > [2017/01/12 09:40:43.830182, 1, pid=1506, effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_LookupSid: struct wbint_LookupSid
> > out: struct wbint_LookupSid
> > type : *
> > type : SID_NAME_DOM_GRP (2)
> > domain : *
> > domain : *
> > domain : 'SAMDOM'
> > name : *
> > name : *
> > name : 'Domain Users'
> > result : NT_STATUS_OK
> > [2017/01/12 09:40:43.830404, 10, pid=1506, effective(0, 0), real(0,
> > 0),
> > class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
> > SID 0: S-1-5-21-2829196831-3808893492-1696772578-513 [2017/01/12
> > 09:40:43.830468, 10, pid=1506, effective(0, 0), real(0, 0),
> > class=tdb] ../source3/lib/gencache.c:326(gencache_set_data_blob)
> > Adding cache entry with
> > key=[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-513] and
> > timeout=[Thu Jan 1 01:00:00 AM 1970 CET] (-1484210443 seconds in the
> > past) [2017/01/12 09:40:43.830548, 10, pid=1506, effective(0, 0),
> > real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd_util.c:1036(find_lookup_domain_from_sid)
> >
> > find_lookup_domain_from_sid(S-1-5-21-2829196831-3808893492-1696772578-513)
> > [2017/01/12 09:40:43.830582, 10, pid=1506, effective(0, 0), real(0,
> > 0),
> > class=winbind] ../source3/winbindd/winbindd_util.c:1046(find_lookup_domain_from_sid)
> > calling find_our_domain [2017/01/12 09:40:43.830615, 1, pid=1506,
> > effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_LookupSids: struct wbint_LookupSids in: struct wbint_LookupSids
> > sids : *
> > sids: struct lsa_SidArray
> > num_sids : 0x00000001 (1)
> > sids : *
> > sids: ARRAY(1)
> > sids: struct lsa_SidPtr
> > sid : *
> > sid :
> > S-1-5-21-2829196831-3808893492-1696772578-513
> > [2017/01/12 09:40:43.830797, 1, pid=1506, effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_LookupSids: struct wbint_LookupSids
> > out: struct wbint_LookupSids
> > domains : *
> > domains: struct lsa_RefDomainList
> > count : 0x00000001 (1)
> > domains : *
> > domains: ARRAY(1)
> > domains: struct lsa_DomainInfo
> > name: struct lsa_StringLarge
> > length :
> > 0x000c (12)
> > size :
> > 0x000e (14)
> > string : *
> > string :
> > 'SAMDOM'
> > sid : *
> > sid :
> > S-1-5-21-2829196831-3808893492-1696772578
> > max_size : 0x00000020 (32)
> > names : *
> > names: struct lsa_TransNameArray
> > count : 0x00000001 (1)
> > names : *
> > names: ARRAY(1)
> > names: struct lsa_TranslatedName
> > sid_type :
> > SID_NAME_DOM_GRP (2)
> > name: struct lsa_String
> > length :
> > 0x0018 (24)
> > size :
> > 0x0018 (24)
> > string : *
> > string :
> > 'Domain Users'
> > sid_index :
> > 0x00000000 (0)
> > result : NT_STATUS_OK
> > [2017/01/12 09:40:43.831155, 1, pid=1506, effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> > in: struct wbint_Sids2UnixIDs
> > domains : *
> > domains: struct lsa_RefDomainList
> > count : 0x00000001 (1)
> > domains : *
> > domains: ARRAY(1)
> > domains: struct lsa_DomainInfo
> > name: struct lsa_StringLarge
> > length :
> > 0x000c (12)
> > size :
> > 0x000e (14)
> > string : *
> > string :
> > 'SAMDOM'
> > sid : *
> > sid :
> > S-1-5-21-2829196831-3808893492-1696772578
> > max_size : 0x00000001 (1)
> > ids : *
> > ids: struct wbint_TransIDArray
> > num_ids : 0x00000001 (1)
> > ids: ARRAY(1)
> > ids: struct wbint_TransID
> > type : ID_TYPE_GID
> > (2) domain_index : 0x00000000 (0)
> > rid : 0x00000201
> > (513)
> > xid: struct unixid
> > id :
> > 0xffffffff (4294967295)
> > type :
> > ID_TYPE_GID (2)
> > [2017/01/12 09:40:43.833824, 1, pid=1506, effective(0, 0), real(0,
> > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> > out: struct wbint_Sids2UnixIDs
> > ids : *
> > ids: struct wbint_TransIDArray
> > num_ids : 0x00000001 (1)
> > ids: ARRAY(1)
> > ids: struct wbint_TransID
> > type : ID_TYPE_GID
> > (2) domain_index : 0x00000000 (0)
> > rid : 0x00000201
> > (513)
> > xid: struct unixid
> > id :
> > 0xffffffff (4294967295)
> > type :
> > ID_TYPE_NOT_SPECIFIED (0)
> > result : NT_STATUS_OK
> > [2017/01/12 09:40:43.833902, 10, pid=1506, effective(0, 0), real(0,
> > 0), class=tdb] ../source3/lib/gencache.c:326(gencache_set_data_blob)
> > Adding cache entry with
> > key=[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-513] and
> > timeout=[Thu Jan 12 09:42:43 AM 2017 CET] (120 seconds ahead)
> > [2017/01/12 09:40:43.833937, 5, pid=1506, effective(0, 0), real(0,
> > 0),
> > class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> > Could not convert sid S-1-5-21-2829196831-3808893492-1696772578-1105:
> > NT_STATUS_NONE_MAPPED [2017/01/12 09:40:43.833949, 10, pid=1506,
> > effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:795(wb_request_done)
> > wb_request_done[1584:GETPWNAM]: NT_STATUS_NONE_MAPPED [2017/01/12
> > 09:40:43.833975, 10, pid=1506, effective(0, 0), real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> > winbind_client_response_written[1584:GETPWNAM]: delivered response to
> > client [2017/01/12 09:40:43.835011, 6, pid=1506, effective(0, 0),
> > real(0, 0),
> > class=winbind] ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> > closing socket 33, client exited
> >
> > As far as I can see from the logs, the problem is not that "user1" is
> > not found but that it failed to convert the SID to a UID, and googling
> > I found some posts that point to wrong id mapping ranges. Could that be
> > my problem, or am I doing something else wrong?
> >
> > Best regards,
> > Daniele.
> >
> >
>
> Did you miss this on the 'Idmap config ad' wiki page:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> I am referring to the big fat warning ;-)
>
> This:
>
> [root at addc:~]# getent passwd user1
> SAMDOM\user1:*:4001001:100::/home/SAMDOM/user1:/bin/bash
>
> Specifically '100' tells me you haven't given Domain Users a gidNumber
> attribute, you need to add a gidNumber and it needs to be between
> '10000-4999999' and not already in use as a gidNumber.
>
> Also, you are quite correct, this isn't the right place to ask this
> type of question; can you please use the Samba mailing list in
> future ;-)
>
> Rowland
>
In fact I read it but later on I totally forgot about it :-(
Just to be sure, which users/groups must have uidNumber/gidNumber set?
All those that I can retrieve using wbinfo -u/-g that are part of the
domain?
[root at addc:~]# wbinfo -g
SAMDOM\cert publishers
SAMDOM\ras and ias servers
SAMDOM\allowed rodc password replication group
SAMDOM\denied rodc password replication group
SAMDOM\dnsadmins
SAMDOM\enterprise read-only domain controllers
SAMDOM\domain admins
SAMDOM\domain users
SAMDOM\domain guests
SAMDOM\domain computers
SAMDOM\domain controllers
SAMDOM\schema admins
SAMDOM\enterprise admins
SAMDOM\group policy creator owners
SAMDOM\read-only domain controllers
SAMDOM\dnsupdateproxy
SAMDOM\group1
SAMDOM\group2
[root at addc:~]# wbinfo -u
SAMDOM\administrator
SAMDOM\krbtgt
SAMDOM\guest
SAMDOM\user1
SAMDOM\user2
A huge thanks,
Daniele.
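The two rules Rowland points at (the `*` and `SAMDOM` idmap ranges must not overlap, and with the `ad` backend every user's primary group, normally Domain Users, needs a gidNumber inside the domain range) can be checked offline before the member server is put into service. The script below is an added example written for this thread; it is not Samba project code and not something either poster ran. It parses the `idmap config` lines of an smb.conf fragment modelled on the one in the thread, checks the ranges, and then checks constructed user and group records shaped like the ones created with `samba-tool` above (Domain Users deliberately has no gidNumber, as in the thread). The "fixed" group list uses 4000000 as a constructed, free gidNumber inside the SAMDOM range; the thread does not give the value actually chosen.

```python
"""Offline sanity checks for a Samba domain member's idmap configuration.

Added example, not Samba project code.  It parses the ``idmap config`` lines
of an smb.conf, verifies the ranges do not overlap, and then checks constructed
user/group records against the rules the ``ad`` backend enforces: every user
needs a uidNumber inside the domain range, and the user's primary group needs a
gidNumber inside that range that is not shared with another group.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment modelled on the domain-member config in the thread.
SMB_CONF = """\
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.LOC
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-4999999
"""

# "idmap config <domain> : <option> = <value>"; whitespace around ':' is optional.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg.setdefault(domain.upper(), {})[option.lower()] = value
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'low-high' into (low, high), rejecting inverted ranges."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range {value!r}")
    return low, high


def check_ranges(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Report a missing '*' default, domains without a range, and overlaps."""
    problems: List[str] = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain defined")
    ranges: Dict[str, Tuple[int, int]] = {}
    for domain, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"domain {domain}: no range configured")
            continue
        ranges[domain] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


@dataclass
class User:
    name: str
    uid_number: Optional[int]
    primary_group: str  # AD primary group; Domain Users unless changed


@dataclass
class Group:
    name: str
    gid_number: Optional[int]


def check_accounts(cfg: Dict[str, Dict[str, str]], domain: str,
                   users: List[User], groups: List[Group]) -> List[str]:
    """Report accounts the 'ad' backend could not map to a uid/gid pair."""
    low, high = parse_range(cfg[domain.upper()]["range"])
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for g in groups:  # a gidNumber must not be reused by another group
        if g.gid_number is not None:
            if g.gid_number in seen:
                problems.append(f"gidNumber {g.gid_number} used by both {seen[g.gid_number]} and {g.name}")
            seen[g.gid_number] = g.name
    by_name = {g.name.lower(): g for g in groups}
    for u in users:
        if u.uid_number is None:
            problems.append(f"{u.name}: no uidNumber")
        elif not low <= u.uid_number <= high:
            problems.append(f"{u.name}: uidNumber {u.uid_number} outside {low}-{high}")
        g = by_name.get(u.primary_group.lower())
        if g is None or g.gid_number is None:
            problems.append(f"{u.name}: primary group {u.primary_group!r} has no gidNumber")
        elif not low <= g.gid_number <= high:
            problems.append(f"{u.name}: primary group {u.primary_group!r} gidNumber {g.gid_number} outside {low}-{high}")
    return problems


# Constructed directory contents matching the thread: the test groups carry a
# gidNumber, the built-in Domain Users group (every user's primary group) does not.
GROUPS = [Group("Domain Users", None), Group("group1", 4000100), Group("group2", 4000101)]
USERS = [User("user1", 4001001, "Domain Users"), User("user2", 4001002, "Domain Users")]


def demo() -> List[str]:
    cfg = parse_idmap_config(SMB_CONF)
    return check_ranges(cfg) + check_accounts(cfg, "SAMDOM", USERS, GROUPS)


if __name__ == "__main__":
    for p in demo():
        print("PROBLEM:", p)
    # Assumed fix: give Domain Users a free gidNumber inside the SAMDOM range
    # (4000000 is a constructed value, not taken from the thread).
    fixed = [Group("Domain Users", 4000000)] + GROUPS[1:]
    print("after fix:", check_accounts(parse_idmap_config(SMB_CONF), "SAMDOM", USERS, fixed))
```

Run as-is it reports that user1 and user2 both have a primary group without a gidNumber, which is the state the DC's `getent passwd user1` output (gid 100) and the member's `NT_STATUS_NONE_MAPPED` log line reflect; with Domain Users given a gidNumber in range the account check comes back empty. In a real deployment the records would be pulled from AD (for example with `samba-tool user show` / `samba-tool group show`, or an LDAP search for uidNumber and gidNumber) and fed into `check_accounts` instead of the constructed lists.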