[Samba] Winbindd can't convert between SIDs and uid/gid

Kai Lanz lanz at stanford.edu
Fri May 13 14:40:04 MDT 2011


Samba 3.5.8 on OpenSolaris (SunOS 5.11) Intel platform; gcc 4.2.3;
built with "configure --with-winbind --with-krb5 --with-ldap --with-ads"

Samba is joined to our Windows-2008 AD domain. Pretty much everything works,
except that winbindd can't convert between SIDs and uid/gid:

1. wbinfo -r WIN\\lanz
(Returns nothing -- no output)

First I obtain my SID from "wbinfo -n WIN\\lanz", then:

2. wbinfo -S <my_SID>
Could not convert <my_SID> to uid

3. wbinfo -U 2104     <-- That's my correct Unix numerical uid
Could not convert uid 2104 to sid

4. wbinfo -G 37       <-- That's my correct Unix numerical gid
Could not convert gid 37 to sid

First I obtain my group SID on another machine, then:

5. wbinfo -Y <my_group_SID>
Could not convert sid <my_group_SID> to gid

These tests were all done with caching disabled on winbindd (-n option).
Note that nscd is NOT running (no daemon, service is disabled).

Here's the stuff I've tried that works:

Forward/reverse DNS
kinit/klist
getent
nslookup -query=SRV _ldap._tcp.dc._msdcs.su.win.stanford.edu
nmblookup
smbclient -L sestestns1 (from another machine, with anonymous login)
net ads testjoin
wbinfo -t
wbinfo -g
wbinfo -u
wbinfo --all-domains
wbinfo --user-sids
wbinfo -n WIN\\lanz
wbinfo -s <my_SID>
wbinfo --name-to-sid <group_name>
wbinfo -D SU
Mounting a directory shared by Samba using Kerberos authentication (had to
    increase NGROUPS_MAX before this would work)

I'm hoping someone can suggest where the problem is likely to be, given these
examples of what works and what doesn't.

I ran "wbinfo -G 37" with winbindd debug level set to 10; here's the end of
the log entries I got:

[2011/05/12 11:11:49.492068, 10] winbindd/winbindd.c:593(process_request)
   process_request: Handling async request 22838:GID_TO_SID
[2011/05/12 11:11:49.492094,  3] winbindd/winbindd_gid_to_sid.c:46(winbindd_gid_to_sid_send)
   gid_to_sid 37
[2011/05/12 11:11:49.492136, 10] winbindd/winbindd_dual.c:1309(fork_domain_child)
   fork_domain_child called without domain.
[2011/05/12 11:11:49.493161, 10] winbindd/winbindd_dual.c:1342(fork_domain_child)
   Child process 22839
[2011/05/12 11:11:49.495592,  5] winbindd/winbindd_gid_to_sid.c:82(winbindd_gid_to_sid_recv)
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2011/05/12 11:11:49.495627, 10] winbindd/winbindd.c:655(wb_request_done)
   wb_request_done[22838:GID_TO_SID]: NT_STATUS_NONE_MAPPED

I'm suspicious of the "fork_domain_child called without domain." Also, where
did it get the idea to convert S-0-0?

Excerpt from our smb.conf [global] section:

    workgroup = SU
    realm = SU.WIN.STANFORD.EDU
    client ntlmv2 auth = yes
    allow trusted domains = yes
    lanman auth = Yes
    client lanman auth = Yes
    client plaintext auth = Yes
    preferred master = Auto
    password server = sudc0.su.win.stanford.edu
    netbios name = sestestns1
    wins server = 171.64.7.155 171.64.7.177
    winbind enum groups = yes
    winbind enum users = yes
    winbind nested groups = no
    local master = no
    dns proxy = Yes
    name resolve order = lmhosts wins bcast host
    interfaces = e1000g0
    client schannel = No
    security = ads
    passdb backend = smbpasswd
    domain master = auto
    idmap backend =
    idmap uid = 65001-65500
    idmap gid = 210000-310000

-- 
Kai Lanz    Stanford University    School of Earth Sciences


