[Samba] winbind: wbinfo -g sees "domain users", getent group does not

Tue Oct 17 10:23:22 GMT 2006

I have configured winbind on a Linux file server, connecting to a
Samba PDC. When I run wbinfo -g, I can see the group "domain users".
On the other hand, when I run getent group, I do not see this group.
Apart from a few other groups, all groups are visibile in both wbinfo
-g and getent group.

When running for the first time wbinfo -u, getent passwd and wbinfo
-g, I got the results almost instantaneous, but getent group is very
slow, and the first time seems to time out (actually the first and
second time take 1m10s, and none of the domain groups are shown. After
the third try, the groups are shown, but a few are missing).

Concerning the missing groups, this is in winbind logs:

[2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(562)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(571)
  get_sam_group_entries: Returned 9 local groups
[2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(562)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(571)
  get_sam_group_entries: Returned 0 local groups
[2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
  write failed on sock 21, pid 10925: Broken pipe
[2006/10/17 14:08:48, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [10925]: request interface version
[2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
  write failed on sock 22, pid 10925: Broken pipe
[2006/10/17 14:08:48, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [10926]: request interface version
[2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
  write failed on sock 21, pid 10926: Broken pipe
[2006/10/17 14:08:48, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [10926]: request interface version
[2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
  write failed on sock 23, pid 10926: Broken pipe
[2006/10/17 14:08:48, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [10927]: request interface version
[2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [10927]: request location of privileged pipe
[2006/10/17 14:08:48, 3] nsswitch/winbindd_group.c:winbindd_setgrent(431)
  [10927]: setgrent
[2006/10/17 14:08:48, 3] nsswitch/winbindd_group.c:winbindd_getgrent(619)
  [10927]: getgrent
[2006/10/17 14:08:48, 1] nsswitch/winbindd_group.c:fill_grent_mem(134)
  could not lookup membership for group rid
S-1-5-21-2127695773-367946666-646806464-513 in domain SECGEN (error:
NT_STATUS_UNSUCCESSFUL)
[2006/10/17 14:08:48, 0] nsswitch/winbindd_group.c:winbindd_getgrent(790)
  could not lookup domain group domain users

Another problem which happens fairly often, adn probably is the cause
of the slowness:

[2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call timed out: server
did not respond after 10000 milliseconds
[2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call timed out: server
did not respond after 10000 milliseconds
[2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call timed out: server
did not respond after 10000 milliseconds
[2006/10/17 14:06:44, 1] nsswitch/winbindd_group.c:fill_grent_mem(134)
  could not lookup membership for group rid
S-1-5-21-2127695773-367946666-646806464-1185 in domain SECGEN (error:
NT_STATUS_UNSUCCESSFUL)

What could make that wbinfo -g sees all groups, while getent groups
misses a few of them? What makes getent group so slow? I guess I
should not need to install nscd on the file server?

there are about 400 users and 200 groups. So the PDC is also Samba
with OpenLDAP as database back-end. The version of Samba used (on both
PDC and ont the file server with winbind) is 3.0.14a from Debian
Sarge.
-- 
Frederik