gpoupdate failing on DC / winbind

David Mulder dmulder at
Mon Mar 4 21:57:28 UTC 2019

I assume you're seeing this error?

SID S-1-5-21-1626400996-3162595019-4279514073-1108 -> getpwuid(3000007)
Traceback (most recent call last):
  File "/usr/sbin/samba_gpoupdate", line 177, in <module>
    apply_gp(lp, creds, test_ldb, logger, store, gp_extensions)
  File "/usr/sbin/samba_gpoupdate", line 70, in apply_gp
    for gpo_obj in gpos:
TypeError: 'NoneType' object is not iterable

On 2/27/19 3:09 AM, Kristján Valur Jónsson via samba-technical wrote:
> Hello there.
> After a discussion on the main samba list, Rowland suggested that I mention
> this here.
> I recently updated from 4.7 to 4.8.9 on my three DCs and decided to give
> the new samba_gpoupdate a whirl.
> Well, it failed with an inexplicaple error.  Looking at the source, I found
> that the python bindings require some work regarding error handling, and
> that's something I'm undertaking in the tracker.
> However, the real problem was that a low level call to getpwuid(uid) to get
> the password entry for my DCs uid was failing.  (again, the reporting of
> this failure and handling in the source3/auth library is not nice and
> subject to another bug/change)
> I fixed this issue by adding winbind directives into /etc/nsswitch.conf, as
> recommended here:
> (
> and subsequently
> However, Rowland states:  " it is my understanding that it is actually
> recommended to not
> set up the libnss-winbind links on a DC, yet you now seem to be saying
> it is required."
> And indeed, our three DCs had been running fine for three years with
> various generations of samba 4 without having this set up.  I also don't
> recall having come across instructions to do so.
> In fact, this text is in the generic AD-DC set up page: "If you only have a
> small domain (small office, home network) and do not want to follow the
> Samba team's recommendation and use the DC additionally as a file server,
> configure Winbindd before you start setting up shares. For details,
> see Configuring
> Winbindd on a Samba AD DC
> <>."
> In fact, I have left out any idmap directives from smb.conf as
> recommentded, but still find that this nss bindings are required for the
> GPO update thingie.
> So, I wanted to draw attention to this.  What is the recommended practice,
> then?
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at
SUSE Linux GmbH
1800 Novell Place
(P)+1 801.861.6571

More information about the samba-technical mailing list