gpoupdate failing on DC / winbind
dmulder at suse.com
Mon Mar 4 21:57:28 UTC 2019
I assume you're seeing this error?
SID S-1-5-21-1626400996-3162595019-4279514073-1108 -> getpwuid(3000007)
Traceback (most recent call last):
File "/usr/sbin/samba_gpoupdate", line 177, in <module>
apply_gp(lp, creds, test_ldb, logger, store, gp_extensions)
File "/usr/sbin/samba_gpoupdate", line 70, in apply_gp
for gpo_obj in gpos:
TypeError: 'NoneType' object is not iterable
On 2/27/19 3:09 AM, Kristján Valur Jónsson via samba-technical wrote:
> Hello there.
> After a discussion on the main samba list, Rowland suggested that I mention
> this here.
> I recently updated from 4.7 to 4.8.9 on my three DCs and decided to give
> the new samba_gpoupdate a whirl.
> Well, it failed with an inexplicaple error. Looking at the source, I found
> that the python bindings require some work regarding error handling, and
> that's something I'm undertaking in the tracker.
> However, the real problem was that a low level call to getpwuid(uid) to get
> the password entry for my DCs uid was failing. (again, the reporting of
> this failure and handling in the source3/auth library is not nice and
> subject to another bug/change)
> I fixed this issue by adding winbind directives into /etc/nsswitch.conf, as
> recommended here:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC (
> and subsequently https://wiki.samba.org/index.php/Libnss_winbind_Links)
> However, Rowland states: " it is my understanding that it is actually
> recommended to not
> set up the libnss-winbind links on a DC, yet you now seem to be saying
> it is required."
> And indeed, our three DCs had been running fine for three years with
> various generations of samba 4 without having this set up. I also don't
> recall having come across instructions to do so.
> In fact, this text is in the generic AD-DC set up page: "If you only have a
> small domain (small office, home network) and do not want to follow the
> Samba team's recommendation and use the DC additionally as a file server,
> configure Winbindd before you start setting up shares. For details,
> see Configuring
> Winbindd on a Samba AD DC
> In fact, I have left out any idmap directives from smb.conf as
> recommentded, but still find that this nss bindings are required for the
> GPO update thingie.
> So, I wanted to draw attention to this. What is the recommended practice,
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH
1800 Novell Place
More information about the samba-technical