[Samba] SID_TO_UID not working

Victor Mataré matare at lih.rwth-aachen.de
Thu Dec 6 10:48:40 MST 2012 

Hello everyone,

I use winbind against a Samba DC for nsswich, and on one client it works 
perfectly (Samba 3.5.15 on all systems). On another client, everything works 
except SID_TO_UID (i.e. wbinfo -i, -S ... which breaks directory listings, 
too). I've now tried to narrow down the problem in a level 10 log, but I need 
some help interpreting. In log.winbindd, I see the following when running 
wbinfo -S S-1-5-21-555555555-5555555555-5555555555-3032 (SID changed):

===========================================================
[2012/12/06 17:43:12.841393,  3] 
winbindd/winbindd_sid_to_uid.c:47(winbindd_sid_to_uid_send)
  sid to uid S-1-5-21-555555555-5555555555-5555555555-3032
[2012/12/06 17:43:12.841517, 10] lib/gencache.c:334(gencache_get_data_blob)
  Cache entry with key = 
IDMAP/SID2UID/S-1-5-21-555555555-5555555555-5555555555-3032 couldn't be found
[2012/12/06 17:43:12.841564, 10] 
winbindd/winbindd_util.c:843(find_lookup_domain_from_sid)
  find_lookup_domain_from_sid(S-1-5-21-555555555-5555555555-5555555555-3032)
[2012/12/06 17:43:12.841605, 10] 
winbindd/winbindd_util.c:853(find_lookup_domain_from_sid)
  calling find_our_domain
[2012/12/06 17:43:12.841679, 10] 
winbindd/winbindd_cache.c:4805(wcache_fetch_ndr)
  Entry has timed out
[2012/12/06 17:43:12.852143,  5] 
winbindd/winbindd_sid_to_uid.c:90(winbindd_sid_to_uid_recv)
  Could not convert sid S-1-5-21-555555555-5555555555-5555555555-3032: 
NT_STATUS_NONE_MAPPED
[2012/12/06 17:43:12.852201, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[10630:SID_TO_UID]: NT_STATUS_NONE_MAPPED
===========================================================

wbinfo -S then yields:
Could not convert sid S-1-5-21-555555555-5555555555-5555555555-3032 to uid

Now I'm not sure what "Entry has timed out" means. This occurs even when I do 
"net cache flush" before. In the meantime, /var/log/samba/log.wb-SGI looks 
like the request is correctly answered by the server. The request comes in:

===========================================================
[2012/12/06 17:43:12.841812, 10] 
winbindd/winbindd_dual.c:62(child_read_request)
  Need to read 28 extra bytes
[2012/12/06 17:43:12.841921,  4] 
winbindd/winbindd_dual.c:1528(fork_domain_child)
  child daemon request 63
[2012/12/06 17:43:12.841956, 10] 
winbindd/winbindd_dual.c:485(child_process_request)
  child_process_request: request fn NDRCMD
[2012/12/06 17:43:12.841986, 10] 
winbindd/winbindd_dual_ndr.c:263(winbindd_dual_ndrcmd)
  winbindd_dual_ndrcmd: Running command WBINT_LOOKUPSID (SGI)
[2012/12/06 17:43:12.842034,  1] 
../librpc/ndr/ndr.c:251(ndr_print_function_debug)
       wbint_LookupSid: struct wbint_LookupSid
          in: struct wbint_LookupSid
              sid                      : *
                  sid                      : 
S-1-5-21-555555555-5555555555-5555555555-3032
===========================================================

... Then there's a lot of parsing and other noise, until we return with the 
correct answer:

===========================================================
[2012/12/06 17:43:12.850133, 10] 
rpc_client/cli_lsarpc.c:191(rpccli_lsa_lookup_sids_noalloc)
  LSA_LOOKUPSIDS returned 'NT_STATUS_OK', mapped count = 1'
[2012/12/06 17:43:12.850170,  5] 
winbindd/winbindd_rpc.c:373(msrpc_sid_to_name)
  Mapped sid to [SGI]\[matare]
[2012/12/06 17:43:12.850205, 10] 
winbindd/winbindd_cache.c:555(refresh_sequence_number)
  refresh_sequence_number: SGI time ok
[2012/12/06 17:43:12.850234, 10] 
winbindd/winbindd_cache.c:600(refresh_sequence_number)
  refresh_sequence_number: SGI seq number is now 1354812192
[2012/12/06 17:43:12.850375, 10] 
winbindd/winbindd_cache.c:969(wcache_save_sid_to_name)
  wcache_save_sid_to_name: S-1-5-21-555555555-5555555555-5555555555-3032 -> 
matare (NT_STATUS_OK)
[2012/12/06 17:43:12.850410,  1] 
../librpc/ndr/ndr.c:251(ndr_print_function_debug)
       wbint_LookupSid: struct wbint_LookupSid
          out: struct wbint_LookupSid
              type                     : *
                  type                     : SID_NAME_USER (1)
              domain                   : *
                  domain                   : *
                      domain                   : 'SGI'
              name                     : *
                  name                     : *
                      name                     : 'matare'
              result                   : NT_STATUS_OK
===========================================================

Note the times, which show that the mapping is retrieved from the DC by the 
child process before the parent returns NT_STATUS_NONE_MAPPED. I find this 
really confusing and frankly, I'm out of ideas where to look. Please, if you 
have any idea let me know. Maybe I'm looking entirely in the wrong 
direction...

Thanks,
Victor

More information about the samba mailing list