[Samba] Winbindd can't convert between SIDs and uid/gid
Kai Lanz
lanz at stanford.edu
Fri May 13 14:40:04 MDT 2011
Samba 3.5.8 on OpenSolaris (SunOS 5.11) Intel platform; gcc 4.2.3;
built with "configure --with-winbind --with-krb5 --with-ldap --with-ads"
Samba is joined to our Windows-2008 AD domain. Pretty much everything works,
except that winbindd can't convert between SIDs and uid/gid:
1. wbinfo -r WIN\\lanz
(Returns nothing -- no output)
First I obtain my SID from "wbinfo -n WIN\\lanz", then:
2. wbinfo -S <my_SID>
Could not convert <my_SID> to uid
3. wbinfo -U 2104 <-- That's my correct Unix numerical uid
Could not convert uid 2104 to sid
4. wbinfo -G 37 <-- That's my correct Unix numerical gid
Could not convert gid 37 to sid
First I obtain my group SID on another machine, then:
5. wbinfo -Y <my_group_SID>
Could not convert sid <my_group_SID> to gid
These tests were all done with caching disabled on winbindd (-n option).
Note that nscd is NOT running (no daemon, service is disabled).
Here's the stuff I've tried that works:
Forward/reverse DNS
kinit/klist
getent
nslookup -query=SRV _ldap._tcp.dc._msdcs.su.win.stanford.edu
nmblookup
smbclient -L sestestns1 (from another machine, with anonymous login)
net ads testjoin
wbinfo -t
wbinfo -g
wbinfo -u
wbinfo --all-domains
wbinfo --user-sids
wbinfo -n WIN\\lanz
wbinfo -s <my_SID>
wbinfo --name-to-sid <group_name>
wbinfo -D SU
Mounting a directory shared by Samba using Kerberos authentication (had to
increase NGROUPS_MAX before this would work)
I'm hoping someone can suggest where the problem is likely to be, given these
examples of what works and what doesn't.
I ran "wbinfo -G 37" with winbindd debug level set to 10; here's the end of
the log entries I got:
[2011/05/12 11:11:49.492068, 10] winbindd/winbindd.c:593(process_request)
  process_request: Handling async request 22838:GID_TO_SID
[2011/05/12 11:11:49.492094, 3] winbindd/winbindd_gid_to_sid.c:46(winbindd_gid_to_sid_send)
  gid_to_sid 37
[2011/05/12 11:11:49.492136, 10] winbindd/winbindd_dual.c:1309(fork_domain_child)
  fork_domain_child called without domain.
[2011/05/12 11:11:49.493161, 10] winbindd/winbindd_dual.c:1342(fork_domain_child)
  Child process 22839
[2011/05/12 11:11:49.495592, 5] winbindd/winbindd_gid_to_sid.c:82(winbindd_gid_to_sid_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2011/05/12 11:11:49.495627, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[22838:GID_TO_SID]: NT_STATUS_NONE_MAPPED
I'm suspicious of the "fork_domain_child called without domain." Also, where
did it get the idea to convert S-0-0?
Excerpt from our smb.conf [global] section:
workgroup = SU
realm = SU.WIN.STANFORD.EDU
client ntlmv2 auth = yes
allow trusted domains = yes
lanman auth = Yes
client lanman auth = Yes
client plaintext auth = Yes
preferred master = Auto
password server = sudc0.su.win.stanford.edu
netbios name = sestestns1
wins server = 171.64.7.155 171.64.7.177
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = no
local master = no
dns proxy = Yes
name resolve order = lmhosts wins bcast host
interfaces = e1000g0
client schannel = No
security = ads
passdb backend = smbpasswd
domain master = auto
idmap backend =
idmap uid = 65001-65500
idmap gid = 210000-310000
--
Kai Lanz Stanford University School of Earth Sciences
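
Added example, not part of the original post and not Samba code: a small parser for the winbindd debug-log layout quoted above that pairs each "Handling async request" entry with its wb_request_done status and lists the functions logged in between. The function names are hypothetical, the sample is taken from the quoted log, and the trace attribution assumes only one request is in flight, as in a single wbinfo test.

```python
import re

# Log lines quoted from the post; the first header is left split across two
# lines, as a mail client might wrap it, to exercise the rejoin step below.
SAMPLE_LOG = """\
[2011/05/12 11:11:49.492068, 10] winbindd/winbindd.c:
593(process_request)
  process_request: Handling async request 22838:GID_TO_SID
[2011/05/12 11:11:49.492094,  3] winbindd/winbindd_gid_to_sid.c:46(winbindd_gid_to_sid_send)
  gid_to_sid 37
[2011/05/12 11:11:49.492136, 10] winbindd/winbindd_dual.c:1309(fork_domain_child)
  fork_domain_child called without domain.
[2011/05/12 11:11:49.495592,  5] winbindd/winbindd_gid_to_sid.c:82(winbindd_gid_to_sid_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2011/05/12 11:11:49.495627, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[22838:GID_TO_SID]: NT_STATUS_NONE_MAPPED
"""
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)\s*$")
START = re.compile(r"Handling async request (\d+):(\w+)")
DONE = re.compile(r"wb_request_done\[(\d+):(\w+)\]: (\w+)")

def parse_entries(text):
    """Return [level, function, message] for each debug entry."""
    text = re.sub(r"(\]\s+\S+:)\n(\d+\()", r"\1\2", text)  # undo mail wrapping
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([int(m.group(2)), m.group(5), ""])
        elif entries and line.strip():  # message line belongs to last header
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return entries

def summarize_requests(text):
    """Map (pid, request) -> {"status", "trace"}; assumes one request in flight."""
    requests, current = {}, None
    for _level, func, msg in parse_entries(text):
        if m := START.search(msg):
            current = (int(m.group(1)), m.group(2))
            requests[current] = {"status": None, "trace": []}
        if current is not None:
            requests[current]["trace"].append((func, msg))
        if m := DONE.search(msg):
            key = (int(m.group(1)), m.group(2))
            requests.setdefault(key, {"status": None, "trace": []})["status"] = m.group(3)
            current = None
    return requests

def failed_requests(text):
    """Requests that finished with anything other than NT_STATUS_OK."""
    return {k: v for k, v in summarize_requests(text).items()
            if v["status"] not in (None, "NT_STATUS_OK")}
```

Running failed_requests() over a full level-10 log gives one line of context per failing wbinfo call instead of a scroll through the raw output.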