[Samba] AD-DC samba_gpoupdate failing

Rowland Penny rpenny at samba.org
Tue Feb 26 13:47:16 UTC 2019

On Tue, 26 Feb 2019 13:34:32 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> Ok, I've analyzed this and found that the cause is a call to
> getpwuid(uid) with the uid being that of the domain controller.
> "wbinfo --uid-info=3000074" works and returns information, but this
> library function fails.
> This is then propagated upwards as a memory error, because it is being
> called from getpwuid_alloc() which is a talloc variant. The API
> doesn't allow us to distinguish either form of error.
> Later, there is this code (in libgpo)
> new_token = create_local_nt_token(mem_ctx, &object_sid, false,
>   num_token_sids, token_sids);
> where the failure of create_local_nt_token() is simply assumed to be a
> memory failure.  This pretty much destroys any finesse in lower level
> error handling...
> Now, the reason getpwuid was failing was that the nsswitch.conf
> wasn't set up on the DCs.  I fixed it and it works.  But I've been
> running these DCs for three years without it.  There is also no
> indication anywhere that it is not correctly set up.
> I wonder if it is possible to enhance such diagnosis.
> 1) output a warning (failure of getpwuid is currently a DEBUG macro)
> 2) fix error handling.  Will do some tests.

Kristjan, it is my understanding that it is actually recommended to not
set up the libnss-winbind links on a DC, yet you now seem to be saying
it is required.

I think this would be better discussed on the samba-technical mailing
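
The distinction the quoted analysis says is lost, a uid with no passwd entry versus a real failure such as out-of-memory, can be checked from C with getpwuid_r(). This is an added example, not part of the thread and not Samba code; the enum and function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names for this example; not Samba identifiers. */
enum lookup_status { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_ERROR };

/* Map a getpwuid_r() return code to a status. POSIX: 0 with a NULL result
 * means "no entry"; getpwuid_r(3) notes some systems return ENOENT/ESRCH. */
enum lookup_status classify(int rc, int have_result)
{
    if (rc == 0)
        return have_result ? LOOKUP_FOUND : LOOKUP_NOT_FOUND;
    if (rc == ENOENT || rc == ESRCH)
        return LOOKUP_NOT_FOUND;
    return LOOKUP_ERROR;             /* ENOMEM, EIO, EMFILE, ... */
}

/* Resolve uid through NSS, copying the user name into name[0..len). */
enum lookup_status lookup_uid(uid_t uid, char *name, size_t len)
{
    size_t buflen = 1024;
    char *buf = NULL, *tmp;
    struct passwd pw, *res = NULL;
    int rc;
    do {
        tmp = realloc(buf, buflen);
        if (tmp == NULL) { free(buf); return LOOKUP_ERROR; }
        buf = tmp;
        rc = getpwuid_r(uid, &pw, buf, buflen, &res);
        buflen *= 2;                 /* on ERANGE, retry with a larger buffer */
    } while (rc == ERANGE && buflen <= (1u << 20));
    enum lookup_status st = classify(rc, res != NULL);
    if (st == LOOKUP_FOUND && len > 0)
        snprintf(name, len, "%s", res->pw_name);
    free(buf);
    return st;
}

int main(int argc, char **argv)
{
    static const char *label[] = { "found", "no passwd entry", "lookup error" };
    uid_t uid = (argc > 1) ? (uid_t)strtoul(argv[1], NULL, 10) : 0;
    char name[256] = "";
    enum lookup_status st = lookup_uid(uid, name, sizeof(name));
    printf("uid %lu: %s %s\n", (unsigned long)uid, label[st], name);
    return st == LOOKUP_ERROR;
}
```

Run it with a uid as the argument, for example the 3000074 from the thread, to see which of the three cases the host's NSS configuration produces.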

