samba - Oct 2006 - could not read attribute 'msSFU30UidNumber'

Hi, 

I'm using samba 3.0.23c, and having a bit of trouble getting it to play nice
with my active directory. I'm using Windows Small Business Server 2003 with 
the SFU 3.5 NIS server/schema extensions installed. I have samba configured 
to use ad as the idmap backend, and sfu for nss info. 

When running getent passwd, only a few active directory users show up, and I 
get lots of errors like this in my winbind log: 

[2006/10/20 15:33:49, 1] sam/idmap_ad.c:ad_idmap_get_id_from_sid(309)
 ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 
'msSFU30UidNumber'
[2006/10/20 15:33:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85) 
error getting user id for sid S-1-5-21-1020778807-1917943211-1564386419-1158
[2006/10/20 15:33:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(711)
 could not lookup domain user TestUser 

wbinfo -u prints out all my users
wbinfo -g prints out all my groups
getent group prints out all my groups and their unix IDs
getent -r username seems to get the correct user group unix ids for all the 
users, even the ones that don't see to be able to have their SID converted 
to a UID. 

Anyone have any ideas? 

The most relevant section of my smb.conf is 

encrypt passwords = yes
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  idmap backend = ad
  winbind enum users = yes
  winbind enum groups = yes
  winbind nss info = sfu
  winbind use default domain = yes
  winbind separator = # 

Let me know what other information I can provide if I've left something 
relevant out. 

Thanks, 

Josh

I cranked up the debug level of winbindd, so I have a bit more info on this. 
Should I file a bug on this? I'm pretty sure I'm not doing anything
wrong.
Here's the winbindd log from running wbinfo -S SID with the debug level set 
to 10. 

[2006/10/24 11:37:14, 6] nsswitch/winbindd.c:new_connection(601)
 accepted socket 17
[2006/10/24 11:37:14, 10] nsswitch/winbindd.c:process_request(287)
 process_request: request fn INTERFACE_VERSION
[2006/10/24 11:37:14, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(474)
 [    0]: request interface version
[2006/10/24 11:37:14, 10] nsswitch/winbindd.c:process_request(287)
 process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/10/24 11:37:14, 3] 
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(507)
 [    0]: request location of privileged pipe
[2006/10/24 11:37:14, 6] nsswitch/winbindd.c:new_connection(601)
 accepted socket 18
[2006/10/24 11:37:14, 10] nsswitch/winbindd.c:process_request(287)
 process_request: request fn SID_TO_UID
[2006/10/24 11:37:14, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_uid(153)
 [    0]: sid to uid S-1-5-21-1080779907-1917946211-1564786409-1362
[2006/10/24 11:37:14, 10] sam/idmap_util.c:idmap_sid_to_uid(70)
 idmap_sid_to_uid: sid = [S-1-5-21-1080779907-1917946211-1564786409-1362]
[2006/10/24 11:37:14, 10] sam/idmap_tdb.c:db_get_id_from_sid(277)
 db_get_id_from_sid
[2006/10/24 11:37:14, 10] sam/idmap_tdb.c:internal_get_id_from_sid(183)
 internal_get_id_from_sid: fetching record 
S-1-5-21-1080779907-1917946211-1564786409-1362 of type 0x1
[2006/10/24 11:37:14, 10] sam/idmap_tdb.c:internal_get_id_from_sid(187)
 internal_get_id_from_sid: record 
S-1-5-21-1080779907-1917946211-1564786409-1362 not found
[2006/10/24 11:37:14, 10] sam/idmap_util.c:idmap_sid_to_uid(70)
 idmap_sid_to_uid: sid = [S-1-5-21-1080779907-1917946211-1564786409-1362]
[2006/10/24 11:37:14, 10] sam/idmap_tdb.c:db_get_id_from_sid(277)
 db_get_id_from_sid
[2006/10/24 11:37:14, 10] sam/idmap_tdb.c:internal_get_id_from_sid(183)
 internal_get_id_from_sid: fetching record 
S-1-5-21-1080779907-1917946211-1564786409-1362 of type 0x1
[2006/10/24 11:37:14, 10] sam/idmap_tdb.c:internal_get_id_from_sid(187)
 internal_get_id_from_sid: record 
S-1-5-21-1080779907-1917946211-1564786409-1362 not found
[2006/10/24 11:37:14, 10] 
nsswitch/winbindd_util.c:find_lookup_domain_from_sid(665)
 find_lookup_domain_from_sid(S-1-5-21-1080779907-1917946211-1564786409-1362)
[2006/10/24 11:37:14, 10] 
nsswitch/winbindd_util.c:find_lookup_domain_from_sid(675)
 calling find_our_domain
[2006/10/24 11:37:14, 10] 
nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
 Retrieving response for pid 29815
[2006/10/24 11:37:14, 10] 
nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
 Retrieving response for pid 29820
[2006/10/24 11:37:14, 5] nsswitch/winbindd_async.c:idmap_sid2uid_recv(232)
 sid2uid returned an error
[2006/10/24 11:37:14, 10] 
nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
 Retrieving response for pid 29820
[2006/10/24 11:37:14, 5] nsswitch/winbindd_async.c:idmap_sid2uid_recv(232)
 sid2uid returned an error
[2006/10/24 11:37:14, 5] nsswitch/winbindd_async.c:sid2uid_alloc_recv(1228)
 Could not allocate uid
[2006/10/24 11:37:14, 5] nsswitch/winbindd_sid.c:sid2uid_recv(188)
 Could not convert sid S-1-5-21-1080779907-1917946211-1564786409-1362 

 

> Hi,  
> 
> I'm using samba 3.0.23c, and having a bit of trouble getting it to play
> nice with my active directory. I'm using Windows Small Business Server 
> 2003 with the SFU 3.5 NIS server/schema extensions installed. I have samba 
> configured to use ad as the idmap backend, and sfu for nss info.  
> 
> When running getent passwd, only a few active directory users show up, and 
> I get lots of errors like this in my winbind log:  
> 
> [2006/10/20 15:33:49, 1] sam/idmap_ad.c:ad_idmap_get_id_from_sid(309)
> ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 
> 'msSFU30UidNumber'
> [2006/10/20 15:33:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85) 
> error getting user id for sid 
> S-1-5-21-1020778807-1917943211-1564386419-1158
> [2006/10/20 15:33:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(711)
> could not lookup domain user TestUser  
> 
> wbinfo -u prints out all my users
> wbinfo -g prints out all my groups
> getent group prints out all my groups and their unix IDs
> getent -r username seems to get the correct user group unix ids for all 
> the users, even the ones that don't see to be able to have their SID 
> converted to a UID.  
> 
> Anyone have any ideas?  
> 
> The most relevant section of my smb.conf is  
> 
> encrypt passwords = yes
>  idmap uid = 10000-20000
>  idmap gid = 10000-20000
>  idmap backend = ad
>  winbind enum users = yes
>  winbind enum groups = yes
>  winbind nss info = sfu
>  winbind use default domain = yes
>  winbind separator = #  
>

> 
> wbinfo -u prints out all my users
> wbinfo -g prints out all my groups
> getent group prints out all my groups and their unix IDs
> getent -r username seems to get the correct user group unix ids for all 
> the users, even the ones that don't see to be able to have their SID 
> converted to a UID.  
> 
In case anyone is interested, I finally figured out what was wrong. It 
wasn't samba, but some active directory permissions. I guess when you 
install SFU on small business server, the SFU attributes of users in the 
SBSUsers OU are not readable to authenticated users. The other attributes 
were, which is why i was able to get some user info, but not do the SID to 
user id conversion. Also the main top level users container (cn=Users) did 
have the SFU attributes as readable--these were the users that were showing 
up for me when running "getent passwd".