[Samba] wbinfo -i -> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Rowland Penny rowlandpenny241155 at gmail.com
Sun Nov 22 11:41:00 UTC 2015


On 22/11/15 10:01, Andrey Repin wrote:
> Greetings, Jeff Dickens!
>
>> Created a new thread because I screwed up and top-posted.
>
>> So I am still stuck.  For reference here is the smb.conf on the member
>> server:
>> root@florence:~# more /etc/samba/smb.conf
>> [global]
>>         netbios name = FLORENCE
>>         security = ADS
>>         workgroup = IOL
>>         realm = IOL.SEAMANPAPER.COM
>>         log file = /var/log/samba/%m.log
>>         log level = 1
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         winbind refresh tickets = yes
>>         winbind trusted domains only = no
>>         winbind use default domain = yes
>>         winbind enum users  = yes
>>         winbind enum groups = yes
>>         # idmap config used for your domain.
>>         # Choose one of the following backends fitting to your
>>         # requirements and add the corresponding configuration.
>>         # idmap config ad
>>         #  - idmap config rid
>>         #  - idmap config autorid
>>          idmap config *:backend = tdb
>>          idmap config *:range = 2000-9999
>>          idmap config IOL:backend = ad
>>          idmap config IOL:schema_mode = rfc2307
>>          idmap config IOL:range = 1000000-9999999
> Here's part of the problem. It appears to me the NSS link was first set up
> with a range under 3kk, with builtin and local UIDs/GIDs going over 3kk.
> By changing the range post factum, you've trodden on the reserved range.
>
>>          winbind nss info = rfc2307
>
>> [home]
>>          path=/home/
>>          read only = No
>
>> I increased the range because it seems like the DC is using IDs above
>> 1,000,000.
> You should use the same range the domain was provisioned with. Or NSS
> initialized with.
> If you are migrating the domain from Samba3, it may become rather complicated
> to figure out the right range.
>
>> This is on the DC:
>> root@athens:~# wbinfo -u
>> administrator
>> test1
>> krbtgt
>> guest
>> root@athens:~# wbinfo -i administrator
>> administrator:*:0:100::/home/IOL/administrator:/bin/false
>> root@athens:~# wbinfo -i test1
>> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
>> root@athens:~#
> Note the artificially low UID and GID numbers. That doesn't look like the NSS
> is in play.

This is on the DC; unless 'Domain Users' is given a gidNumber, this is 
what you get, and winbind will also *not* work on a domain member.

>
> Also, to your previous example of 'wbinfo -i "domain users"'...
>
> # wbinfo --group-info 'domain users'
> domain users:x:513:
>
> (The point being, 'domain users' is not a user, and -i only looks for users.)
>

You need to give 'Domain Users' a gidNumber if you want to use the 
winbind 'ad' backend on a domain member.

Rowland




