[Samba] Member server winbind issue

Franz Gansberger franz.gansberger at boku.ac.at
Tue Jun 26 10:33:04 UTC 2018


Hi All,

sorry for reopening this thread.
Since I'm still at the same point - with special circumstances - could
this be Debian-Release-related?

In detail: 
On Debian 8.11, Samba Version 4.5.16 from Louis' repository, wbinfo
-g, wbinfo -u and getent group AD\\groupname is working - getent passwd
AD\\username returns nothing but

[2018/06/26 12:26:12.721628,  5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-0-0: NT_STATUS_INVALID_PARAMETER

If I just update the same machine to Debian 9.4, using the same
smb.conf, same samba version from Louis' repository, all is working. 


Had this as only solution on two different machines.

Thanks for reading - Kind regards
Franz

 



2017-07-23 15:42 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sun, 23 Jul 2017 14:13:52 +0200
> mathias dufresne <infractory at gmail.com> wrote:
>
> > winbind nss info = rfc2307
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config AD:backend = ad
> > idmap config AD:schema_mode = rfc2307
> > idmap config AD:range = 8000-99999999
> >
> > I see two differences: ranges and spaces around ":" but I don't expect
> > these spaces are mandatory.
>
> No, not mandatory, just easier to read and Samba will ignore the spaces.
>
> > Both group and user have uidNumber and gidNumber declared in AD,
> > inside the range defined by "idmap config AD:range = 8000-99999999"
> > dc02:~# ldbsearch -H $sam cn="domain users" dn objectclass gidNumber
> > # record 1
> > dn: CN=Domain Users,CN=Users,DC=ad,DC=domain,DC=tld
> > objectClass: top
> > objectClass: group
> > gidNumber: 20000002
> >
> > So, here again, it seems to be OK.
>
> Everything looks okay.
>
> >
> > And I'm still completely puzzled.
>
> Just a thought, does the libnss_winbind package match the rest of the
> Samba packages ?
>

Yes, all the very same:

# dpkg -l | egrep 'winbind|samba'
ii libnss-winbind:amd64 2:4.5.8+dfsg-2+deb9u1+b1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.5.8+dfsg-2+deb9u1+b1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.5.8+dfsg-2+deb9u1+b1 amd64 Samba winbind client library
ii python-samba 2:4.5.8+dfsg-2+deb9u1+b1 amd64 Python bindings for Samba
ii samba 2:4.5.8+dfsg-2+deb9u1+b1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.8+dfsg-2+deb9u1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.8+dfsg-2+deb9u1+b1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.8+dfsg-2+deb9u1+b1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.8+dfsg-2+deb9u1+b1 amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.8+dfsg-2+deb9u1+b1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.5.8+dfsg-2+deb9u1+b1 amd64 service to resolve user and group information from Windows NT servers

This is unfiltered result, so that should be all packages related to Samba.

> >
> > DC are 4.6.5, I'll try to upgrade Samba client to some 4.6 too. I
> > don't really expect this to change anything.
>
> You will then need to use the 'new' idmap config settings.
>
> >
> > DC were provisioned without RFC2307. I set it up yesterday using
> > https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Verifying_the_Domain_Controller_and_Active_Directory_Setup
> > So I've added the following line in DCs smb.conf:
> > idmap_ldb:use rfc2307 = yes
> >
> > after I followed "Installing the NIS Extensions" paragraph (with
> > mainly copy/paste).
> >
> > After these changes by DC side I was able to manage Unix attributes
> > with ADUC from some Windows client, which seems to mean the changes
> > were correct.
>
> If everything is correct, then it should work, what does running
> 'pam-auth-update' show ?
>

Here is a copy from 'pam-auth-update':

PAM profiles to enable:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy

There are only these 3 options.

Could it come from DC config? The smb.conf seems to be correct and I tried
the same on two different systems with different versions of Samba so
perhaps the issue is not from client. But as DC's smb.conf is even smaller
than the one for client, except if there was also changes in smb.conf
regarding rfc2307 and 4.6.x, I would not bet on a DC side issue.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba



