gpoupdate failing on DC / winbind

Kristján Valur Jónsson kristjan at rvx.is
Tue Mar 5 09:03:13 UTC 2019


Right, but that error is bogus.  I have a pull request that addresses that
and other things (https://gitlab.com/samba-team/samba/merge_requests/271).
But the real problem lies deeper (and isn't even reported properly, I'll be
making another PR for that).  It's that ultimately the code does a getpwuid
for the DC's uid.

The code is messy to someone not familiar with it; it is unclear to me why
a posix call is needed at this point since all the information has already
been gleaned, or could be gleaned, from AD directly.

On Mon, 4 Mar 2019 at 21:58, David Mulder via samba-technical <
samba-technical at lists.samba.org> wrote:

> I assume you're seeing this error?
>
> SID S-1-5-21-1626400996-3162595019-4279514073-1108 -> getpwuid(3000007) failed
> Traceback (most recent call last):
>   File "/usr/sbin/samba_gpoupdate", line 177, in <module>
>     apply_gp(lp, creds, test_ldb, logger, store, gp_extensions)
>   File "/usr/sbin/samba_gpoupdate", line 70, in apply_gp
>     for gpo_obj in gpos:
> TypeError: 'NoneType' object is not iterable
>
> On 2/27/19 3:09 AM, Kristján Valur Jónsson via samba-technical wrote:
> > Hello there.
> > After a discussion on the main samba list, Rowland suggested that I mention
> > this here.
> >
> > I recently updated from 4.7 to 4.8.9 on my three DCs and decided to give
> > the new samba_gpoupdate a whirl.
> > Well, it failed with an inexplicable error.  Looking at the source, I found
> > that the python bindings require some work regarding error handling, and
> > that's something I'm undertaking in the tracker.
> >
> > However, the real problem was that a low level call to getpwuid(uid) to get
> > the password entry for my DC's uid was failing.  (again, the reporting of
> > this failure and handling in the source3/auth library is not nice and
> > subject to another bug/change)
> >
> > I fixed this issue by adding winbind directives into /etc/nsswitch.conf, as
> > recommended here:
> > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> > (and subsequently https://wiki.samba.org/index.php/Libnss_winbind_Links)
> >
> > However, Rowland states:  " it is my understanding that it is actually
> > recommended to not
> > set up the libnss-winbind links on a DC, yet you now seem to be saying
> > it is required."
> >
> > And indeed, our three DCs had been running fine for three years with
> > various generations of samba 4 without having this set up.  I also don't
> > recall having come across instructions to do so.
> > In fact, this text is in the generic AD-DC set up page: "If you only have a
> > small domain (small office, home network) and do not want to follow the
> > Samba team's recommendation and use the DC additionally as a file server,
> > configure Winbindd before you start setting up shares. For details,
> > see Configuring Winbindd on a Samba AD DC
> > <https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC>."
> >
> > In fact, I have left out any idmap directives from smb.conf as
> > recommended, but still find that these nss bindings are required for the
> > GPO update thingie.
> >
> > So, I wanted to draw attention to this.  What is the recommended practice,
> > then?
> >
> --
> David Mulder
> SUSE Labs Software Engineer - Samba
> dmulder at suse.com
> SUSE Linux GmbH
> 1800 Novell Place
> (P)+1 801.861.6571
>
>
>
>

-- 
Kv,
Kristján Valur Jónsson, RVX
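
The lookup failure discussed in this thread, as an added example that is not part of the original messages or of Samba's code: it checks whether winbind is listed as an NSS source for passwd and group, and wraps getpwuid() so a missing entry is reported instead of surfacing later as an unrelated error. The two nsswitch.conf samples and the function names are constructed for illustration.

```python
import pwd
import re

# Constructed sample files (not taken from the thread).
NSSWITCH_FILES_ONLY = """\
# /etc/nsswitch.conf on a DC without the libnss_winbind links
passwd:     files systemd
group:      files systemd
hosts:      files dns
"""
NSSWITCH_WITH_WINBIND = """\
passwd:     files winbind   # AD accounts resolvable via NSS
group:      files [NOTFOUND=continue] winbind
hosts:      files dns
"""

def parse_nsswitch(text):
    """Return {database: [sources]}; comments and [STATUS=action] items dropped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # remove action brackets
        table[db.strip()] = rest.split()
    return table

def winbind_status(text, databases=("passwd", "group")):
    """Report, per database, whether winbind is one of the NSS sources."""
    table = parse_nsswitch(text)
    return {db: "winbind" in table.get(db, []) for db in databases}

def lookup_uid(uid):
    """getpwuid() wrapper: account name, or None when NSS has no entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

if __name__ == "__main__":
    for label, text in (("files only", NSSWITCH_FILES_ONLY),
                        ("with winbind", NSSWITCH_WITH_WINBIND)):
        print(label, winbind_status(text))
    # 3000007 is the uid from the error quoted in the thread.
    print("getpwuid(3000007) ->", lookup_uid(3000007))
```

On a real host, pass the contents of /etc/nsswitch.conf to winbind_status() and the uid from the error message to lookup_uid().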

