Kevin Wilson
2005-Aug-24 21:56 UTC
[Samba] wbinfo can not convert User names and Group name to S ID
Yep. We are dealing with once perfectly fine working 3.0.9 servers to erratic and weird behaved ones. We believe this is due to changes made my MS in http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx but thus far have not been able to confirm. Commands like: net rpc join -S PDC -U <Admin> now return "no suitable server found" even though that is the same command used when we setup the darn thing and it worked then. Bottom line is our samba member machines didn't change but "security updates" to our PDC, master browser, etc. were done last week and that is when the problems started. Use of wbinfo is very erratic, most of the time the users and groups list won't pull down. The -m option doesn't report the primary domain we belong to, etc. After a service restart or a machine reboot nobody can access the shares then after some magical period of time (an hour) you check and then you can access them but sometimes you can't. Usually I restart winbind and wait then I can sometimes get into the shares after the second attempt. -----Original Message----- From: Todor Genov [mailto:tgenov@gmail.com] Sent: Wednesday, August 24, 2005 11:21 AM To: samba@lists.samba.org Subject: [Samba] wbinfo can not convert User names and Group name to SID Hi there, I've been fighting with winbind for over 4 hours now and read every related article I found on google to no avail. A server of mine rebooted due to power outage today and a perfectly running winbind + AD setup, wbinfo can now no longer convert user names or group names to SID or vica versa. The weird part is that the built-in groups work just fine. [root@ncmfw samba]# wbinfo -n "BUILTIN/System Operators" S-1-5-32-549 Well-known Group (5) [root@ncmfw samba]# wbinfo -n Engineers Could not lookup name Engineers [root@ncmfw samba]# getent group |grep Engineers Engineers:x:10018: [root@ncmfw samba]# wbinfo -G 10018 S-1-5-21-3139104342-3182081393-1008461833-2114 [root@ncmfw samba]# wbinfo -s S-1-5-21-3139104342-3182081393-1008461833-2114 Could not lookup sid S-1-5-21-3139104342-3182081393-1008461833-2114 After I upgraded samba to 3.0.10 everything seemed to work for a while, however after I restarted winbind - the problems started again. Now user-to-SID and vica versa works fine, but group-to-SID still does not. Has anybody experience a similar problem ? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Gerald (Jerry) Carter
2005-Aug-25 13:32 UTC
[Samba] wbinfo can not convert User names and Group name to S ID
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Wilson wrote:> Yep. We are dealing with once perfectly fine working 3.0.9 > servers to erratic and weird behaved ones. We believe this > is due to changes made my MS > in http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx > but thus far have not been able to confirm. > > Commands like: net rpc join -S PDC -U <Admin> > > now return "no suitable server found" even though that is > the same command used when we setup the darn thing and it > worked then.You you test 3.0.20 just for kicks? There have been several hotfix compatibility issues we've had to work around already. I'm downloading these hotfixes now and will try to test things out tomorrow. cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDDcgsIR7qMdg1EfYRAl+zAKCPdJtnDatrtIszgohDy32nqeOdBACgqtBH JhJlb3WftN5VuFYMlDNKv6g=MmXy -----END PGP SIGNATURE-----
Kevin Wilson
2005-Aug-25 16:05 UTC
[Samba] wbinfo can not convert User names and Group name to S ID
Nah, we haven't updated our samba installations because they are production servers and we have no confirmation that the latest and greatest will fix the problem. In a nutshell we get the following: a power down or service restart doesn't automatically reacquire the domain membership. you cannot use the join syntax using PDC I outlined before, you must specify the DC to use. wbinfo -u & -g will immediately following joining the domain. getent passwd & group usually works if the above does but I have a working server with lists that were updated when the getent commands didn't pull the lists properly...go figure? wbinfo -m doesn't report the primary domain even though you just joined it. wbinfo -t fails intermittently. initially you can't access the shares then sometimes (after a 1/2 hour or so) you can but not always. -----Original Message----- From: Gerald (Jerry) Carter [mailto:jerry@samba.org] Sent: Thursday, August 25, 2005 8:31 AM To: Kevin Wilson Cc: samba@lists.samba.org Subject: Re: [Samba] wbinfo can not convert User names and Group name to S ID -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Wilson wrote:> Yep. We are dealing with once perfectly fine working 3.0.9 > servers to erratic and weird behaved ones. We believe this > is due to changes made my MS > in http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx > but thus far have not been able to confirm. > > Commands like: net rpc join -S PDC -U <Admin> > > now return "no suitable server found" even though that is > the same command used when we setup the darn thing and it > worked then.You you test 3.0.20 just for kicks? There have been several hotfix compatibility issues we've had to work around already. I'm downloading these hotfixes now and will try to test things out tomorrow. cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDDcgsIR7qMdg1EfYRAl+zAKCPdJtnDatrtIszgohDy32nqeOdBACgqtBH JhJlb3WftN5VuFYMlDNKv6g=MmXy -----END PGP SIGNATURE-----