gpoupdate failing on DC / winbind

David Mulder dmulder at
Mon Mar 4 22:15:07 UTC 2019

The getpwuid is happening here:

#0  add_local_groups (result=0x555555c1bf90, is_guest=false) at
#1  0x00007ffff01b403d in create_local_nt_token (mem_ctx=0x555556324830,
user_sid=0x7fffffffd9e0, is_guest=false, num_groupsids=2,
groupsids=0x555555785170) at ../source3/auth/token_util.c:480
#2  0x00007ffff032a36c in ads_get_sid_token (ads=0x555556699210,
mem_ctx=0x555556324830, dn=0x555555f23760 "CN=DMM-TUMBLEWEED,OU=Domain
Controllers,DC=froggy,DC=suse,DC=de", token=0x7fffffffdad0) at
#3  0x00007ffff0327a9c in gp_get_machine_token (ads=0x555556699210,
mem_ctx=0x555556324830, dn=0x555555f23760 "CN=DMM-TUMBLEWEED,OU=Domain
Controllers,DC=froggy,DC=suse,DC=de", token=0x7fffffffdb40) at
#4  0x00007ffff033a3fe in py_ads_get_gpo_list (self=0x7ffff7f6f5d0,
args=0x7fffee399e10, kwds=0x0) at ../libgpo/pygpo.c:421

On 2/27/19 3:09 AM, Kristján Valur Jónsson via samba-technical wrote:
> Hello there.
> After a discussion on the main samba list, Rowland suggested that I mention
> this here.
> I recently updated from 4.7 to 4.8.9 on my three DCs and decided to give
> the new samba_gpoupdate a whirl.
> Well, it failed with an inexplicable error.  Looking at the source, I found
> that the python bindings require some work regarding error handling, and
> that's something I'm undertaking in the tracker.
> However, the real problem was that a low level call to getpwuid(uid) to get
> the password entry for my DCs uid was failing.  (again, the reporting of
> this failure and handling in the source3/auth library is not nice and
> subject to another bug/change)
> I fixed this issue by adding winbind directives into /etc/nsswitch.conf, as
> recommended here:
> (
> and subsequently
> However, Rowland states:  " it is my understanding that it is actually
> recommended to not
> set up the libnss-winbind links on a DC, yet you now seem to be saying
> it is required."
> And indeed, our three DCs had been running fine for three years with
> various generations of samba 4 without having this set up.  I also don't
> recall having come across instructions to do so.
> In fact, this text is in the generic AD-DC set up page: "If you only have a
> small domain (small office, home network) and do not want to follow the
> Samba team's recommendation and use the DC additionally as a file server,
> configure Winbindd before you start setting up shares. For details,
> see Configuring
> Winbindd on a Samba AD DC
> <>."
> In fact, I have left out any idmap directives from smb.conf as
> recommended, but still find that these nss bindings are required for the
> GPO update thingie.
> So, I wanted to draw attention to this.  What is the recommended practice,
> then?
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at
SUSE Linux GmbH
1800 Novell Place
(P)+1 801.861.6571
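
Added example, not part of the original thread or of Samba's code: a Python check for the condition described in the quoted message, namely whether the passwd and group lines of nsswitch.conf list winbind, plus a probe of whether getpwuid() resolves a given uid. The sample file contents and all function names are constructed for illustration.

```python
import pwd
import re

# Constructed samples: nsswitch.conf on a DC before and after adding winbind.
BEFORE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:   compat
group:    compat
hosts:    files dns
"""
AFTER = """\
passwd:   compat winbind   # winbind added
group:    compat [NOTFOUND=continue] winbind
hosts:    files dns
"""

def nss_sources(text, database):
    """Return the ordered source list for one database, or [] if absent."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]              # drop trailing comments
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Bracketed items such as [NOTFOUND=return] are actions, not sources.
            rest = re.sub(r"\[[^\]]*\]", " ", rest)
            return rest.split()
    return []

def missing_winbind(text, databases=("passwd", "group")):
    """List the databases whose source list does not include winbind."""
    return [db for db in databases if "winbind" not in nss_sources(text, db)]

def uid_resolves(uid):
    """True if getpwuid() finds an entry for uid through the NSS stack."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:                              # no source returned an entry
        return False

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "-> databases without winbind:", missing_winbind(text))
```

To check a live system, pass the contents of /etc/nsswitch.conf to missing_winbind() and call uid_resolves() with the uid that the failing lookup used.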
