failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Daniele Dario d.dario76 at gmail.com
Wed Jan 25 10:16:15 UTC 2017


On Tue, 2017-01-24 at 17:05 +0000, Rowland Penny wrote:
> On Tue, 24 Jan 2017 17:06:10 +0100
> Daniele Dario <d.dario76 at gmail.com> wrote:
> 
> > 
> > Sorry for being back here.
> > 
> > Does SAMDOM\Domain Admins also need a gidNumber, because I have to set
> > permissions on some folders on member servers? If you look at
> > 
> > https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients
> > 
> > it is stated to do this 
> > 
> > chgrp -R "SAMDOM\Domain Admins" /srv/samba/Printer_drivers/
> > 
> > and it won't work if domain admins don't have a gidNumber.
> 
> You can give Domain Admins a gidNumber, but another problem will pop up.
> If you do give Domain Admins a gidNumber, it will be used instead of
> the xidNumber you will find in idmap.ldb and if you examine that
> record, you will find something like this:
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-512
> cn: S-1-5-21-1768301897-3342589593-1064908849-512
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-512
> type: ID_TYPE_BOTH
> xidNumber: 3000013
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-512
> 
> This makes Domain Admins both a group and a user (type: ID_TYPE_BOTH),
> but if it has a gidNumber, it is only a group (from the Unix point of
> view).
> 
> Why does it have to be both a group and a user ?
> On Windows, groups can own Directories & Files, but on Unix only a
> user can own Directories & Files and Domain Admins needs to own
> Directories & Files in sysvol.
> 
> So you either give Domain Admins a gidNumber and follow the wiki, or
> you allow Domain Admins to own Directories.
> 
> You could also try creating a new group, let's say 'Unix Admins' and
> add this group to 'Domain Admins' and then give the new group a
> gidNumber.
>  
> > 
> > Another thing: do users I added to AD need just a uidNumber, or do I
> > also have to add the gidNumber of Domain Users?
> 
> You only need to add a gidNumber to Domain Users, this will
> automatically be used for the user's gidNumber, you do not need to give
> a user a gidNumber.
> 
> > 
> > And somewhere I saw that when adding uidNumber/gidNumber using
> > ldbmodify there was this in the ldif
> > 
> > add: objectClass
> > objectClass: posixAccount/posixGroup
> > 
> > Is it needed or not? Is there a way to know if I have it or not?
> 
> You most definitely should not have these objectclasses in AD, they are
> both auxiliary classes of 'user' & 'group' and NO Windows tools will
> add them, any Unix tools that rely on these objectclasses are either
> incorrectly set up or broken.
> 
> Rowland
> 

Whoa, now things start getting clear.

Many thanks for the explanations.

Just a side note, wouldn't it be better to add this explanation to the wiki
so people don't get confused? Or is it just me who didn't know it?

Daniele.
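
An added example, not part of the original thread or of Samba: a small audit over LDIF text (for instance saved from ldbsearch runs against sam.ldb and idmap.ldb) that flags the two conditions discussed above, a gidNumber on a SID that idmap.ldb maps as ID_TYPE_BOTH, and posixAccount/posixGroup objectClasses in AD. The function names, the sample DNs and the gidNumber values are assumptions made for illustration.

```python
# Constructed sample LDIF: idmap record shaped like the one in the thread; sam.ldb entries are made up.
SID = "S-1-5-21-1768301897-3342589593-1064908849"
IDMAP_LDIF = f"""# record 1
dn: CN={SID}-512
objectClass: sidMap
objectSid: {SID}-512
type: ID_TYPE_BOTH
xidNumber: 3000013
"""
SAM_LDIF = f"""dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: {SID}-512
gidNumber: 10512

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: {SID}-513
gidNumber: 10513

dn: CN=olduser,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
objectClass: posixAccount
objectSid: {SID}-1104
"""

def parse_ldif(text):  # -> list of {lowercased attribute: [values]} records
    records = []
    # Join folded lines (continuations start with one space), then split on blank lines.
    for block in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):
        rec = {}
        for line in block.split("\n"):
            if line.strip() and not line.startswith("#"):  # skip "# record N" comments
                attr, _, value = line.partition(":")
                rec.setdefault(attr.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def audit(sam_ldif, idmap_ldif):
    """Return (dn, issue) pairs for the two conditions described in the reply above."""
    both = {r["objectsid"][0] for r in parse_ldif(idmap_ldif)
            if "ID_TYPE_BOTH" in r.get("type", []) and "objectsid" in r}
    findings = []
    for r in parse_ldif(sam_ldif):
        dn, sid = r.get("dn", ["?"])[0], r.get("objectsid", [""])[0]
        if "gidnumber" in r and sid in both:  # gidNumber would replace the xidNumber
            findings.append((dn, "gidNumber set on ID_TYPE_BOTH SID"))
        findings += [(dn, f"objectClass {c} present") for c in r.get("objectclass", [])
                     if c.lower() in ("posixaccount", "posixgroup")]
    return findings
```

On the constructed input, Domain Admins is flagged for the gidNumber, olduser for posixAccount, and Domain Users (a plain group with a gidNumber) is not flagged.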



