[Samba] Problems resolving most users with winbind and AD/SFU

Steve steveb333 at gmail.com
Thu Jun 25 03:01:20 GMT 2009 

Hello all,

I'm having a problem with Winbind resolving some users from AD on a W2KSP4 
server running SFU 3.5 [8.0.1969.1].  All users and groups in the AD domain 
have been assigned UIDs and GIDs via SFU.  The Linux fileserver is running 
CentOS 5.3 with Samba 3.0.33-3.7.el5.  The fileserver has been joined to the 
domain using authconfig with proper modifications made to nsswitch and pam.  
My smb.conf is attached below.

wbinfo -u will show all users.  What I'm seeing is that out of the 90 or so 
users, only 6 will respond to id or winbind -i requests.  The rest respond 
with "no such user" or similar.  The following error appears in 
my /var/log/samba/winbindd-idmap.log file when an attempt is made to resolve 
one of these users:

[2009/06/23 13:59:13, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
  [11577]: sid to uid S-1-5-21-1060284298-861567501-682003330-1277
[2009/06/23 13:59:13, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID

An additional symptom is as such, where wbinfo -n works for all users, but 
only a few can be resolved with wbinfo -S:

# wbinfo -n user1
S-1-5-21-1060284298-861567501-682003330-1241 User (1)
# wbinfo -S S-1-5-21-1060284298-861567501-682003330-1241
2241
# wbinfo -n user2
S-1-5-21-1060284298-861567501-682003330-1260 User (1)
# wbinfo -S S-1-5-21-1060284298-861567501-682003330-1260
Could not convert sid S-1-5-21-1060284298-861567501-682003330-1260 to uid

This problem directly affects attempts to 'xcopy /o' files from Windows to the 
Linux file server, or in the following example an attempt to use subinacl to 
set ownership of a file on the fileserver to one of the users who will not 
resolve:

[2009/06/24 16:38:27, 3] smbd/posix_acls.c:unpack_nt_owners(966)
  unpack_nt_owners: unable to validate owner sid for
S-1-5-21-1060284298-861567501-682003330-1260
[2009/06/24 16:38:27, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(2207) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED

This type of error also appears when I use subinacl to set group permissions 
on files owned by a user who does respond to id or wbinfo -i.  I've added the 
BUILTIN groups using net sam createbuiltingroup example_group -w MYDOM:

[2009/06/24 16:51:22, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 50000 -> S-1-5-32-544
[2009/06/24 16:51:22, 3] smbd/posix_acls.c:unpack_nt_owners(966)
  unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
[2009/06/24 16:51:22, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(2207) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED

I've searched high and low, and found several also complaining about winbind 
resolving only a subset of users.  None of the suggestions or fixes have 
affected my situation.  I'm not running nscd.  I've stopped winbind, 
deleted /etc/samba/secrets.tdb, deleted /var/cache/samba/*.tdb, rejoined the 
domain and restarted winbind.  I swapped schema_mode from sfu to rfc2307 and 
back.  Nothing helps.  The same 6 users resolve, but the others will not.  
Frankly I'm stumped, but feel I'm so close to the answer.  I'm hoping someone 
can suggest something that might work here.

smb.conf
--------
[global]
   security = ads
   auth methods = winbind guest sam
   realm = MYDOM.DOMAIN.NET
   netbios name = FILESERVE1
   workgroup = MYDOM
   use kerberos keytab = true
   password server = 192.168.1.23
   encrypt passwords = yes
   server string = Samba 3.0.33-3.7.el5

# winbind configuration
   winbind refresh tickets = true
   winbind nested groups = yes
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   winbind nss info = sfu
   winbind separator = +
   winbind cache time = 0
   idmap domains = MYDOM
   idmap config MYDOM:backend = ad
   idmap config MYDOM:default = yes
   idmap config MYDOM:range = 200-49999
   idmap config MYDOM:schema_mode = sfu
   idmap alloc backend = tdb
   idmap alloc config:range = 50000-99999

   invalid users = root bin daemon lp sys tty

   log file = /var/log/samba/log.%m
   log level = 3 printdrivers: 0 lanman: 0 smb: 1 rpc_parse: 0 rpc_srv: 0
rpc_cli: 0 passdb: 1 sam: 0 auth: 5 winbind: 5 vfs: 0 idmap: 0 quota: 0 acls:
0 locking: 0 msdfs: 0 dmapi: 0
   max log size = 1024

   wins server = 192.168.1.23
   wins support = no

   socket options = TCP_NODELAY

[printers]
   printable = no

[Public]
   path = /data/Public
   comment = Public data
   read only = no
   browseable = yes
   dos filemode = yes
   inherit permissions = Yes
   inherit acls = Yes
   ea support = yes
   map acl inherit = yes
   store dos attributes = yes
   nfs4: mode = simple
   nfs4: acedup = merge


Thanks for bearing with me,
Steve

More information about the samba mailing list