Frederik
2006-Oct-17 10:23 UTC
[Samba] winbind: wbinfo -g sees "domain users", getent group does not
I have configured winbind on a Linux file server, connecting to a Samba PDC. When I run wbinfo -g, I can see the group "domain users". On the other hand, when I run getent group, I do not see this group. Apart from a few other groups, all groups are visible in both wbinfo -g and getent group.

When running for the first time wbinfo -u, getent passwd and wbinfo -g, I got the results almost instantaneous, but getent group is very slow, and the first time seems to time out (actually the first and second time take 1m10s, and none of the domain groups are shown. After the third try, the groups are shown, but a few are missing).

Concerning the missing groups, this is in winbind logs:

[2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(562)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(571)
  get_sam_group_entries: Returned 9 local groups
[2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(562)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(571)
  get_sam_group_entries: Returned 0 local groups
[2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
  write failed on sock 21, pid 10925: Broken pipe
[2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [10925]: request interface version
[2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
  write failed on sock 22, pid 10925: Broken pipe
[2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [10926]: request interface version
[2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
  write failed on sock 21, pid 10926: Broken pipe
[2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [10926]: request interface version
[2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
  write failed on sock 23, pid 10926: Broken pipe
[2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [10927]: request interface version
[2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [10927]: request location of privileged pipe
[2006/10/17 14:08:48, 3] nsswitch/winbindd_group.c:winbindd_setgrent(431)
  [10927]: setgrent
[2006/10/17 14:08:48, 3] nsswitch/winbindd_group.c:winbindd_getgrent(619)
  [10927]: getgrent
[2006/10/17 14:08:48, 1] nsswitch/winbindd_group.c:fill_grent_mem(134)
  could not lookup membership for group rid S-1-5-21-2127695773-367946666-646806464-513 in domain SECGEN (error: NT_STATUS_UNSUCCESSFUL)
[2006/10/17 14:08:48, 0] nsswitch/winbindd_group.c:winbindd_getgrent(790)
  could not lookup domain group domain users

Another problem which happens fairly often, and probably is the cause of the slowness:

[2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
[2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
[2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
[2006/10/17 14:06:44, 1] nsswitch/winbindd_group.c:fill_grent_mem(134)
  could not lookup membership for group rid S-1-5-21-2127695773-367946666-646806464-1185 in domain SECGEN (error: NT_STATUS_UNSUCCESSFUL)

What could make that wbinfo -g sees all groups, while getent groups misses a few of them? What makes getent group so slow? I guess I should not need to install nscd on the file server?

There are about 400 users and 200 groups. So the PDC is also Samba with OpenLDAP as database back-end. The version of Samba used (on both PDC and on the file server with winbind) is 3.0.14a from Debian Sarge.
-- Frederik
Stefan Schmitz
2006-Oct-17 17:30 UTC
[Samba] winbind: wbinfo -g sees "domain users", getent group does not
Hi Frederik,

I think it's the winbind separator parameter in smb.conf. Did you define it as backslash in smb.conf so the samba server interprets this as linefeed like this:

ERROR: the 'winbind separator' parameter must be a single character.
        winbind separator = security = user

If you want the backslash to be your winbind separator just leave the parameter out of your smb.conf, so samba will use the default.

Loaded services file OK.
        winbind separator = \

Kind regards
Stefan

Frederik wrote:
> I have configured winbind on a Linux file server, connecting to a
> Samba PDC. When I run wbinfo -g, I can see the group "domain users".
> On the other hand, when I run getent group, I do not see this group.
> Apart from a few other groups, all groups are visible in both wbinfo
> -g and getent group.
>
> When running for the first time wbinfo -u, getent passwd and wbinfo
> -g, I got the results almost instantaneous, but getent group is very
> slow, and the first time seems to time out (actually the first and
> second time take 1m10s, and none of the domain groups are shown. After
> the third try, the groups are shown, but a few are missing).
>
> Concerning the missing groups, this is in winbind logs:
>
> [2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(562)
>   get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
> [2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(571)
>   get_sam_group_entries: Returned 9 local groups
> [2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(562)
>   get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
> [2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(571)
>   get_sam_group_entries: Returned 0 local groups
> [2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
>   write failed on sock 21, pid 10925: Broken pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [10925]: request interface version
> [2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
>   write failed on sock 22, pid 10925: Broken pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [10926]: request interface version
> [2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
>   write failed on sock 21, pid 10926: Broken pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [10926]: request interface version
> [2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
>   write failed on sock 23, pid 10926: Broken pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [10927]: request interface version
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
>   [10927]: request location of privileged pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_group.c:winbindd_setgrent(431)
>   [10927]: setgrent
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_group.c:winbindd_getgrent(619)
>   [10927]: getgrent
> [2006/10/17 14:08:48, 1] nsswitch/winbindd_group.c:fill_grent_mem(134)
>   could not lookup membership for group rid S-1-5-21-2127695773-367946666-646806464-513 in domain SECGEN (error: NT_STATUS_UNSUCCESSFUL)
> [2006/10/17 14:08:48, 0] nsswitch/winbindd_group.c:winbindd_getgrent(790)
>   could not lookup domain group domain users
>
> Another problem which happens fairly often, and probably is the cause
> of the slowness:
>
> [2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> [2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> [2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> [2006/10/17 14:06:44, 1] nsswitch/winbindd_group.c:fill_grent_mem(134)
>   could not lookup membership for group rid S-1-5-21-2127695773-367946666-646806464-1185 in domain SECGEN (error: NT_STATUS_UNSUCCESSFUL)
>
> What could make that wbinfo -g sees all groups, while getent groups
> misses a few of them? What makes getent group so slow? I guess I
> should not need to install nscd on the file server?
>
> There are about 400 users and 200 groups. So the PDC is also Samba
> with OpenLDAP as database back-end. The version of Samba used (on both
> PDC and on the file server with winbind) is 3.0.14a from Debian
> Sarge.
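
The failure mode described in the reply above, as an added example that is not part of the original thread or of Samba's own code: a small Python check that joins backslash-continued lines, following the smb.conf(5) rule that a line ending in a backslash continues on the next line, and flags a 'winbind separator' value that is not a single character. The sample configurations and the function names are constructed for illustration, and the parsing is simplified to the [global] section.

```python
import re

# Constructed smb.conf fragments (not from the original post).
SAMPLE_BAD = "[global]\n   workgroup = SECGEN\n   winbind separator = \\\n   security = user\n"
SAMPLE_GOOD = "[global]\n   workgroup = SECGEN\n   security = user\n"

def logical_lines(text):
    """Join physical lines: a line ending in a backslash continues on the next."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        yield ("".join(buf) + line.lstrip()) if buf else line
        buf = []
    if buf:
        yield "".join(buf)

def parse_global(text):
    """Return {parameter name without spaces, lower-cased: value} for [global]."""
    params, section = {}, None
    for line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_winbind_separator(text):
    """Return (ok, message) for the 'winbind separator' setting (hypothetical helper)."""
    value = parse_global(text).get("winbindseparator")
    if value is None:
        return True, "not set; Samba uses its default"
    if len(value) != 1:
        hint = " (a following parameter was swallowed)" if "=" in value else ""
        return False, f"must be a single character, parsed as {value!r}{hint}"
    return True, f"separator is {value!r}"

if __name__ == "__main__":
    for label, conf in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_winbind_separator(conf))
```

In the bad sample the continuation also swallows the next line, so "security = user" never takes effect as its own parameter, which is why the check reports it alongside the separator error.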