[Samba] wbinfo -u error

Kacper Wirski kacper.wirski at gmail.com
Wed Jan 10 12:35:50 UTC 2018


After updating to 4.7.4 on my DCs I see some strange, though non-critical
(I think), behaviour.

I've noticed that:

sometimes running the command

wbinfo -u

doesn't list any of the users; in the log I see this:

../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_NCA_S_PROTO_ERROR received from host dc3!
rids_to_names: failed to lookup sids: NT_STATUS_RPC_PROTOCOL_ERROR

running wbinfo -g works fine

samba-tool user list works fine

converting via wbinfo sid to uid, or uid to sid, or sid to name works
fine even when the error above occurs.

After restarting samba, wbinfo -u works fine for a random period of time.

When the error above occurs the AD DC works fine (I think), that is: users are
able to authenticate, and I see in the logs that "sid-to-name" are resolved


        netbios name = DC3
        realm = MYDOMAIN.COM
        server services = -nbt -dns
        workgroup = SAMDOM
        server role = active directory domain controller
        comment =
        allow dns updates = secure
        idmap_ldb:use rfc2307 = yes

        log level = 1 auth_audit:3 auth_json_audit:3 winbind:4 smb:3
        log file = /var/log/samba.log.%m
        logging = syslog@3
        max log size = 500
#below is used because of freeradius which uses ntlm_auth
        lanman auth = no
        ntlm auth = yes
        raw NTLMv2 auth = yes

        template homedir = /home/%U@%D
        template shell = /bin/bash

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        tls enabled = yes
        tls keyfile = /usr/local/samba/private/tls/dc3.key.pem
        tls certfile = /usr/local/samba/private/tls/dc3.cert.pem
        tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem

        path = /usr/local/samba/var/locks/sysvol/mydomain.com/scripts
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No

One thing that slightly bothers me is that sometimes users seemingly take
longer to authenticate and there are problems with GPO processing. For
example, when I run "gpupdate" on a Windows client I get random errors that
policy XYZ couldn't be processed. When I run "getfacl" on said policy, and
check the ACL from the Windows perspective, I see absolutely nothing out of order
(no difference from other policies that are processed without issue). I
have no idea if this is at all connected, or if it is connected with my
different question.
Comments/help appreciated.

