[Samba] AD-DC samba_gpoupdate failing
rpenny at samba.org
Tue Feb 26 13:47:16 UTC 2019
On Tue, 26 Feb 2019 13:34:32 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:
> Ok, I've analyzed this and found that the cause is a call to
> getpwuid(uid) with the uid being that of the domain controller.
> "wbinfo --uid-info=3000074" works and returns information, but this
> library function fails.
> This is then propagated upwards as a memory error, because it is being
> called from getpwuid_alloc() which is a talloc variant. the api
> doesn't allow us to distinguish either form of error.
> Later, there is this code (in libgpo)
> new_token = create_local_nt_token(mem_ctx, &object_sid, false,
> num_token_sids, token_sids);
> where the failure of create_local_nt_token() is simply assumed to be a
> memory failure. This pretty much destroys any finess in lower level
> error handling...
> Now, the reason getpwuid was failing was that the nsswitch.conf
> wasn't set up on the DCs. I fixed it and it works. But I"ve been
> running these DCs for three years without it. There is also no
> indication anywhere that it is not correctly set up.
> I wonder if it is possible to enhance such diagnosis.
> 1) ouput a warning (failur of getpwuid is currently a DEBUG macro)
> 2) fix error handling. Will do some tests.
Kristjan, it is my understanding that it is actually recommended to not
set up the libnss-winbind links on a DC, yet you now seem to be saying
it is required.
I think this would be better discussed on the samba-technical mailing
More information about the samba