[Samba] AD-DC samba_gpoupdate failing
Kristján Valur Jónsson
kristjan at rvx.is
Fri Mar 1 13:30:57 UTC 2019
So, I did, subject " gpoupdate failing on DC / winbind", but so far no
On Tue, 26 Feb 2019 at 13:48, Rowland Penny via samba <samba at lists.samba.org>
> On Tue, 26 Feb 2019 13:34:32 +0000
> Kristján Valur Jónsson <kristjan at rvx.is> wrote:
> > Ok, I've analyzed this and found that the cause is a call to
> > getpwuid(uid) with the uid being that of the domain controller.
> > "wbinfo --uid-info=3000074" works and returns information, but this
> > library function fails.
> > This is then propagated upwards as a memory error, because it is being
> > called from getpwuid_alloc() which is a talloc variant. the api
> > doesn't allow us to distinguish either form of error.
> > Later, there is this code (in libgpo)
> > new_token = create_local_nt_token(mem_ctx, &object_sid, false,
> > num_token_sids, token_sids);
> > ADS_ERROR_HAVE_NO_MEMORY(new_token);
> > where the failure of create_local_nt_token() is simply assumed to be a
> > memory failure. This pretty much destroys any finess in lower level
> > error handling...
> > Now, the reason getpwuid was failing was that the nsswitch.conf
> > wasn't set up on the DCs. I fixed it and it works. But I"ve been
> > running these DCs for three years without it. There is also no
> > indication anywhere that it is not correctly set up.
> > I wonder if it is possible to enhance such diagnosis.
> > 1) ouput a warning (failur of getpwuid is currently a DEBUG macro)
> > 2) fix error handling. Will do some tests.
> Kristjan, it is my understanding that it is actually recommended to not
> set up the libnss-winbind links on a DC, yet you now seem to be saying
> it is required.
> I think this would be better discussed on the samba-technical mailing
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Kristján Valur Jónsson, RVX
More information about the samba