[Samba] Samba 4.2.10 AD DC not resolving user groups anymore

Sébastien Le Ray sebastien-samba at orniz.org
Sat Apr 16 14:00:50 UTC 2016


Hi list,

I just upgraded an AD DC from 4.1.17 to 4.2.10 (using the jessie package).
wbinfo -r someuser now fails randomly (well, not THAT randomly; I guess it
depends on group membership).

$ wbinfo -r oneuser
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user oneuser

$ wbinfo -r anotheruser
[list of GIDs]

wbinfo -u & wbinfo -g return no error
wbinfo -i oneuser & wbinfo -i anotheruser work fine

I suspect that there is a relation with the switch to regular winbind to
do resolution; maybe some built-in groups are mismapped, but I don't know
how to reset these.

I raised the log level for winbind. For wbinfo -r oneuser I get

[2016/04/16 15:58:12.516222,  3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
   [28825]: request interface version (version = 27)
[2016/04/16 15:58:12.516290,  3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
   [28825]: request location of privileged pipe
[2016/04/16 15:58:12.516354,  3] ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
   getgroups oneuser
[2016/04/16 15:58:12.518716,  3] ../source3/winbindd/winbindd_util.c:1119(lookup_usergroups_cached)
   : lookup_usergroups_cached
[2016/04/16 15:58:12.540592,  5] ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
   Could not convert sid S-1-5-21-1602783663-1404646826-877247859-1055: NT_STATUS_INTERNAL_DB_CORRUPTION

wbinfo -r anotheruser got

[2016/04/16 15:59:13.261262,  3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
   [28832]: request interface version (version = 27)
[2016/04/16 15:59:13.261330,  3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
   [28832]: request location of privileged pipe
[2016/04/16 15:59:13.261401,  3] ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
   getgroups anotheruser
[2016/04/16 15:59:13.263659,  3] ../source3/winbindd/winbindd_util.c:1119(lookup_usergroups_cached)
   : lookup_usergroups_cached


Is there a way to force winbind to rebuild its internal database?

For reference here is the smb.conf

[global]
         workgroup = SOMEDOMAIN.LAN
         realm = ad.somedomain.lan
         netbios name = SECOND-DC
         server role = active directory domain controller

         idmap config *:backend = tdb
         idmap config *:range = 3000000-3001000
         idmap config SOMEDOMAIN.LAN:backend = ad
         idmap config SOMEDOMAINLAN:schema_mode = rfc2307
         idmap config SOMEDOMAIN.LAN:range = 100-40000

         idmap_ldb:use rfc2307 = yes

         log level = 5

         # Avoid complaints about CUPS refusing connection
         printing = bsd
         printcap name = /dev/null

         max log size = 102400


[netlogon]
         path = /var/lib/samba/sysvol/ad.somedomain.lan/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
# Make sysvolreset happy
         inherit acls = true
         dos filemode = true
         force unknown acl user = true
         acl_xattr:ignore system acls = yes



Regards
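
Added example, not part of the original post and not Samba's own tooling: a small Python parser for winbindd log excerpts like the ones quoted above. It rejoins mail-wrapped records and pairs each "Could not convert sid" failure with the preceding getgroups request, so the failing SID and its RID can be examined on their own. The sample log is constructed from lines quoted in the post, the function names are hypothetical, and pairing by most recent request assumes lookups are not interleaved.

```python
import re

# Constructed sample in the shape of the post's winbindd log, mail wrapping included.
SAMPLE_LOG = """\
[2016/04/16 15:58:12.516354,  3]
../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
   getgroups oneuser
[2016/04/16 15:58:12.540592,  5]
../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
   Could not convert sid S-1-5-21-1602783663-1404646826-877247859-1055:
NT_STATUS_INTERNAL_DB_CORRUPTION
[2016/04/16 15:59:13.261401,  3]
../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
   getgroups anotheruser
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]")
REQUEST = re.compile(r"\(winbindd_getgroups_send\)\s+getgroups (\S+)")
FAILURE = re.compile(r"Could not convert sid (S-\d+(?:-\d+)+):\s*(NT_STATUS_\w+)")

def records(text):
    """Yield (timestamp, body) per log record, rejoining wrapped lines."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(" ".join(parts).split())
            stamp, parts = m.group(1), [line[m.end():]]
        elif stamp:
            parts.append(line)
    if stamp:
        yield stamp, " ".join(" ".join(parts).split())

def failed_group_lookups(text):
    """Pair each SID conversion failure with the preceding getgroups request."""
    # Assumption: requests are not interleaved, so the last user seen owns the failure.
    user, out = None, []
    for stamp, body in records(text):
        req, fail = REQUEST.search(body), FAILURE.search(body)
        if req:
            user = req.group(1)
        elif fail:
            sid = fail.group(1)
            out.append({"time": stamp, "user": user, "sid": sid,
                        "rid": int(sid.rsplit("-", 1)[1]), "status": fail.group(2)})
    return out

print(failed_group_lookups(SAMPLE_LOG))
```

Each reported SID can then be checked individually with wbinfo -s (SID to name) and wbinfo -Y (SID to GID).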


