[Samba] Re: Winbind syslog errors and Domain Local Groups

(private) HKS hks.private at gmail.com
Fri Jul 11 19:56:02 GMT 2008


A few more tidbits...

My winbind logs have this complaint for each of the domain local groups:
[2008/07/11 14:40:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
  could not lookup membership for group sid <munged-sid> in domain
DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
[2008/07/11 14:40:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
  could not lookup domain group dnsadmins

wbinfo doesn't have any difficulty with converting name -> SID -> gid
-> SID, but if I run wbinfo -r on a user that's a member of one of the
groups, that group doesn't show up.

So, at the moment, it appears that winbind just can't grab membership
for these domain local groups. I found this reported a few other
places on the 'net, but it doesn't seem that a resolution has ever
been reached.

-HKS


On Fri, Jul 11, 2008 at 1:13 PM, (private) HKS <hks.private at gmail.com> wrote:
> Any ideas?
> -HKS
>
> On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS <hks.private at gmail.com> wrote:
>> Hello all.
>>
>> I'm relatively new to Samba, and haven't been able to track down a
>> solution to this particular problem.
>>
>> I use Samba/Winbind to authenticate FreeBSD machines against a
>> Windows 2003 Active Directory. That all works fine. The problem is
>> that groups in the AD of type "Security Group - Domain Local" are
>> causing winbindd a lot of grief. Every time the winbindd daemon is
>> accessed, it spews syslog messages like these for every Domain
>> Local group in the AD:
>>
>> --------------------
>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>> group dhcp users
>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>> group dhcp administrators
>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>> group dnsadmins
>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>> group debugger users
>> ---------------------
>>
>> All non-local groups show up just fine in the BSD system. Local
>> groups do not show up in a getent group.
>>
>> All groups, including the local ones, show up when I run wbinfo -g.
>> Running wbinfo -n <localgroup> comes back with a SID:
>> $ wbinfo -n dnsadmins
>> <munged-SID> Local Group (4)
>>
>> This SID is trackable back to a gid:
>> $ sudo wbinfo --sid-to-gid <munged-SID>
>> 11105
>>
>> Why, then, are these groups not actually getting populated? Can anyone
>> shed some light on this?
>>
>> -HKS
>>
>
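An added example, not part of the original thread: a small parser that pairs each winbindd debug header with its message text and counts which groups fail lookup and which NT status codes appear. It accepts both the syslog-prefixed form and the raw log form quoted above. The sample input is constructed from the lines in this thread with mail wrapping undone, and the function names are illustrative.

```python
import re
from collections import Counter

# Optional syslog prefix, e.g. "Jul  7 16:36:15 testbox winbindd[50492]: "
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\swinbindd\[\d+\]:\s?")
# Samba debug header: "[2008/07/07 16:36:15, 0] file.c:function(line)"
HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*(?P<level>\d+)\]\s+\S+:(?P<func>\w+)\(\d+\)")
GROUP_FAIL = re.compile(r"could not lookup domain group (?P<group>.+)$")
STATUS = re.compile(r"\(error: (?P<status>NT_STATUS_\w+)\)")

def parse_entries(text):
    """Yield (level, function, message); continuation lines are joined."""
    entry = None
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw)
        m = HEADER.match(line)
        if m:
            if entry:
                yield entry[0], entry[1], " ".join(entry[2])
            entry = (int(m["level"]), m["func"], [])
        elif entry and line.strip():
            entry[2].append(line.strip())
    if entry:
        yield entry[0], entry[1], " ".join(entry[2])

def summarize(text):
    """Return (failed group name -> count, NT status -> count)."""
    groups, statuses = Counter(), Counter()
    for _level, _func, msg in parse_entries(text):
        g = GROUP_FAIL.search(msg)
        if g:
            groups[g["group"]] += 1
        s = STATUS.search(msg)
        if s:
            statuses[s["status"]] += 1
    return groups, statuses

# Constructed sample: log lines from this thread, mail wrapping undone.
SAMPLE = """\
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain group dhcp users
[2008/07/11 14:40:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
  could not lookup membership for group sid <munged-sid> in domain
DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
[2008/07/11 14:40:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
  could not lookup domain group dnsadmins
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
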

