failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Rowland Penny repenny241155 at gmail.com
Tue Jan 24 17:05:51 UTC 2017


On Tue, 24 Jan 2017 17:06:10 +0100
Daniele Dario <d.dario76 at gmail.com> wrote:

> 
> Sorry for being back here.
> 
> Do SAMDOM\Domain Admins also need a gidNumber, if I have to set
> permissions on some folders on member servers? If you look at 
> 
> https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients
> 
> it is stated to do this 
> 
> chgrp -R "SAMDOM\Domain Admins" /srv/samba/Printer_drivers/
> 
> and it won't work if domain admins don't have a gidNumber.

You can give Domain Admins a gidNumber, but another problem will pop up.
If you do give Domain Admins a gidNumber, it will be used instead of
the xidNumber you will find in idmap.ldb and if you examine that
record, you will find something like this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-512
cn: S-1-5-21-1768301897-3342589593-1064908849-512
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-512
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-512

This makes Domain Admins both a group and a user (type: ID_TYPE_BOTH),
but if it has a gidNumber, it is only a group (from the Unix point of
view).

Why does it have to be both a group and a user?
On Windows, groups can own Directories & Files, but on Unix only a
user can own Directories & Files and Domain Admins needs to own
Directories & Files in sysvol.

So you either give Domain Admins a gidNumber and follow the wiki, or
you allow Domain Admins to own Directories.

You could also try creating a new group, let's say 'Unix Admins', and
add this group to 'Domain Admins' and then give the new group a
gidNumber.
 
> 
> Other thing, users I added to AD need just uidNumber or do I have to
> add also gidNumber of Domain Users?

You only need to add a gidNumber to Domain Users; this will
automatically be used for the user's gidNumber, you do not need to give
a user a gidNumber.

> 
> And somewhere I saw that when adding uidNumber/gidNumber using
> ldbmodify there was this in the ldif
> 
> add: objectClass
> objectClass: posixAccount/posixGroup
> 
> Is it needed or not? Is there a way to know if I have it or not?

You most definitely should not have these objectClasses in AD, they are
both auxiliary classes of 'user' & 'group' and NO Windows tools will
add them; any Unix tools that rely on these objectClasses are either
incorrectly set up or broken.

Rowland
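
As an added example (not from this thread or from Samba itself), a small Python checker that applies the rules Rowland states above to two LDIF records in the shape ldbsearch prints: the group's AD entry (constructed here, with an assumed dn) and the idmap.ldb record quoted in the mail. It reports which Unix id wins, whether the group can still own files, and flags the posixAccount/posixGroup objectClasses.

```python
# Constructed sample: the group's AD entry (dn assumed; SID taken from the mail).
SAM_LDIF = """\
# record 1
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
cn: Domain Admins
objectClass: top
objectClass: group
objectSid: S-1-5-21-1768301897-3342589593-1064908849-512
"""

# The idmap.ldb record exactly as quoted in the mail.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-512
cn: S-1-5-21-1768301897-3342589593-1064908849-512
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-512
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-512
"""


def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}, skipping '#' comment
    lines and joining folded continuation lines (those starting with a space)."""
    rec, last = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith(" ") and last:
            rec[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        rec.setdefault(attr, []).append(value.lstrip())
        last = attr
    return rec


def unix_mapping(ad_entry, idmap_entry):
    """Return (unix_id, kind, warnings). Per the mail: an explicit gidNumber on
    the AD object wins and makes it a group only; otherwise the xidNumber from
    idmap.ldb is used, and ID_TYPE_BOTH lets the group also act as a Unix user."""
    if ad_entry["objectSid"] != idmap_entry["objectSid"]:
        raise ValueError("idmap.ldb record does not belong to this AD object")
    warnings = [f"{cls} present: no Windows tool adds it, remove it"
                for cls in ("posixAccount", "posixGroup")
                if cls in ad_entry.get("objectClass", [])]
    if "gidNumber" in ad_entry:
        return int(ad_entry["gidNumber"][0]), "group only", warnings
    kind = "group and user" if idmap_entry["type"][0] == "ID_TYPE_BOTH" else "group only"
    return int(idmap_entry["xidNumber"][0]), kind, warnings


def can_own_files(ad_entry, idmap_entry):
    """True only while the mapping still makes the group a Unix user as well."""
    return unix_mapping(ad_entry, idmap_entry)[1] == "group and user"
```

Feed it the real output of ldbsearch against sam.ldb and idmap.ldb to see which case a given group is in before running the wiki's chgrp step.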


