Shirish Pargaonkar
2010-Nov-08 19:21 UTC
[Samba] winbind sometimes does not resolve sid to a name
Sometimes a group sid does not get resolved to its name. Is this a settings problem? Looks like winbind deamon went dormant for a while and then woke up? I am using interface wbcLookupSid provided by the library libwbclient.so for resolving sids to names. These are the winbind related parameters in /etc/samba/smb.conf [global] # separate domain and username with '\', like DOMAIN\username winbind separator = \ # # use uids from 10000 to 20000 for domain users idmap uid = 10000-20000 # use gids from 10000 to 20000 for domain groups idmap gid = 10000-20000 # allow enumeration of winbind users and groups winbind enum users = yes winbind enum groups = yes winbind use default domain = yes cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile Mon Nov 8 11:03:43 CST 2010 Revision: 0x1 Type: 0x9404 Owner: BUILTIN\Administrators Group: CIFSTESTDOM\Domain Users ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1 ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile Mon Nov 8 11:08:59 CST 2010 Revision: 0x1 Type: 0x9404 Owner: BUILTIN\Administrators Group: CIFSTESTDOM\Domain Users ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1 ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile Mon Nov 8 11:09:08 CST 2010 Revision: 0x1 Type: 0x9404 Owner: BUILTIN\Administrators Group: CIFSTESTDOM\Domain Users ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1 ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile Mon Nov 8 11:23:38 CST 2010 Revision: 0x1 Type: 0x9404 Owner: BUILTIN\Administrators Group: CIFSTESTDOM\Domain Users ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1 ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile Mon Nov 8 12:59:07 CST 2010 Revision: 0x1 Type: 0x9404 Owner: BUILTIN\Administrators Group: S-1-5-21-2849063682-2007077719-983662776-513 <------------- ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1 ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile Mon Nov 8 13:06:43 CST 2010 Revision: 0x1 Type: 0x9404 Owner: BUILTIN\Administrators Group: CIFSTESTDOM\Domain Users ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1 ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL
Jeremy Allison
2010-Nov-08 19:47 UTC
[Samba] winbind sometimes does not resolve sid to a name
On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:> Sometimes a group sid does not get resolved to its name. > > Is this a settings problem? Looks like winbind deamon > went dormant for a while and then woke up? > I am using interface wbcLookupSid provided by the > library libwbclient.so for resolving sids to names. > > These are the winbind related parameters in > /etc/samba/smb.confNot enough information for useful debugging. What do the winbindd logs say ?
Shirish Pargaonkar
2010-Nov-08 20:59 UTC
[Samba] winbind sometimes does not resolve sid to a name
On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison <jra at samba.org> wrote:> On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote: >> Sometimes a group sid does not get resolved to its name. >> >> Is this a settings problem? ?Looks like winbind deamon >> went dormant for a while and then woke up? >> I am using interface wbcLookupSid provided by the >> library libwbclient.so for resolving sids to names. >> >> These are the winbind related parameters in >> /etc/samba/smb.conf > > Not enough information for useful debugging. What > do the winbindd logs say ? >ps -eaf | grep winbind root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D Cleared /var/log/samba/winbindd.log just before issueing command getcifsacl which could not resolve the group SID winbindd.log attached.
Michael Adam
2010-Nov-13 22:52 UTC
[Samba] winbind sometimes does not resolve sid to a name
Hi Shirish, Shirish Pargaonkar wrote:> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison <jra at samba.org> wrote: > > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote: > >> Sometimes a group sid does not get resolved to its name. > >> > >> Is this a settings problem? ?Looks like winbind deamon > >> went dormant for a while and then woke up? > >> I am using interface wbcLookupSid provided by the > >> library libwbclient.so for resolving sids to names. > >> > >> These are the winbind related parameters in > >> /etc/samba/smb.conf > > > > Not enough information for useful debugging. What > > do the winbindd logs say ? > > > > ps -eaf | grep winbind > root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D > root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D > root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D > > Cleared /var/log/samba/winbindd.log just before issueing > command getcifsacl which could not resolve the group SID > > winbindd.log attached.not really. :-) Cheers - Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 206 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20101113/967da2ae/attachment.pgp>
Shirish Pargaonkar
2010-Nov-13 23:16 UTC
[Samba] winbind sometimes does not resolve sid to a name
On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam <obnox at samba.org> wrote:> Hi Shirish, > > Shirish Pargaonkar wrote: >> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison <jra at samba.org> wrote: >> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote: >> >> Sometimes a group sid does not get resolved to its name. >> >> >> >> Is this a settings problem? ?Looks like winbind deamon >> >> went dormant for a while and then woke up? >> >> I am using interface wbcLookupSid provided by the >> >> library libwbclient.so for resolving sids to names. >> >> >> >> These are the winbind related parameters in >> >> /etc/samba/smb.conf >> > >> > Not enough information for useful debugging. What >> > do the winbindd logs say ? >> > >> >> ps -eaf | grep winbind >> root ? ? 20085 ? ? 1 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >> root ? ? 20086 20085 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >> root ? ? 20089 20085 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >> >> Cleared /var/log/samba/winbindd.log just before issueing >> command getcifsacl which could not resolve the group SID >> >> winbindd.log attached. > > not really. :-) > > Cheers - MichaelMichael, not sure what is implied. The log is not sufficient? I see two error messages in the log. [2010/11/08 14:32:56, 5] winbindd/winbindd_async.c:lookupsid_recv2(138) lookupsid (forest root) returned an error [2010/11/08 14:32:56, 5] winbindd/winbindd_sid.c:lookupsid_recv(61) lookupsid returned an error
Michael Wood
2010-Nov-13 23:34 UTC
[Samba] winbind sometimes does not resolve sid to a name
On 14 November 2010 01:16, Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam <obnox at samba.org> wrote: >> Hi Shirish, >> >> Shirish Pargaonkar wrote: >>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison <jra at samba.org> wrote: >>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote: >>> >> Sometimes a group sid does not get resolved to its name. >>> >> >>> >> Is this a settings problem? Looks like winbind deamon >>> >> went dormant for a while and then woke up? >>> >> I am using interface wbcLookupSid provided by the >>> >> library libwbclient.so for resolving sids to names. >>> >> >>> >> These are the winbind related parameters in >>> >> /etc/samba/smb.conf >>> > >>> > Not enough information for useful debugging. What >>> > do the winbindd logs say ? >>> > >>> >>> ps -eaf | grep winbind >>> root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D >>> root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D >>> root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D >>> >>> Cleared /var/log/samba/winbindd.log just before issueing >>> command getcifsacl which could not resolve the group SID >>> >>> winbindd.log attached. >> >> not really. :-) >> >> Cheers - Michael > > Michael, not sure what is implied. The log is not sufficient?No, the mailing list (sometimes) strips attachments. There was no log file attached to your e-mail when I received it.> I see two error messages in the log. > > [2010/11/08 14:32:56, 5] winbindd/winbindd_async.c:lookupsid_recv2(138) > lookupsid (forest root) returned an error > [2010/11/08 14:32:56, 5] winbindd/winbindd_sid.c:lookupsid_recv(61) > lookupsid returned an error-- Michael Wood <esiotrot at gmail.com>
Shirish Pargaonkar
2010-Nov-16 16:19 UTC
[Samba] winbind sometimes does not resolve sid to a name
On Sat, Nov 13, 2010 at 5:34 PM, Michael Wood <esiotrot at gmail.com> wrote:> On 14 November 2010 01:16, Shirish Pargaonkar > <shirishpargaonkar at gmail.com> wrote: >> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam <obnox at samba.org> wrote: >>> Hi Shirish, >>> >>> Shirish Pargaonkar wrote: >>>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison <jra at samba.org> wrote: >>>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote: >>>> >> Sometimes a group sid does not get resolved to its name. >>>> >> >>>> >> Is this a settings problem? ?Looks like winbind deamon >>>> >> went dormant for a while and then woke up? >>>> >> I am using interface wbcLookupSid provided by the >>>> >> library libwbclient.so for resolving sids to names. >>>> >> >>>> >> These are the winbind related parameters in >>>> >> /etc/samba/smb.conf >>>> > >>>> > Not enough information for useful debugging. What >>>> > do the winbindd logs say ? >>>> > >>>> >>>> ps -eaf | grep winbind >>>> root ? ? 20085 ? ? 1 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >>>> root ? ? 20086 20085 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >>>> root ? ? 20089 20085 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >>>> >>>> Cleared /var/log/samba/winbindd.log just before issueing >>>> command getcifsacl which could not resolve the group SID >>>> >>>> winbindd.log attached. >>> >>> not really. :-) >>> >>> Cheers - Michael >> >> Michael, not sure what is implied. ?The log is not sufficient? > > No, the mailing list (sometimes) strips attachments. ?There was no log > file attached to your e-mail when I received it. > >> I see two error messages in the log. >> >> [2010/11/08 14:32:56, ?5] winbindd/winbindd_async.c:lookupsid_recv2(138) >> ?lookupsid (forest root) returned an error >> [2010/11/08 14:32:56, ?5] winbindd/winbindd_sid.c:lookupsid_recv(61) >> ?lookupsid returned an error > > -- > Michael Wood <esiotrot at gmail.com> >Hope this attachment sticks. Regards, Shirish
Shirish Pargaonkar
2010-Dec-02 21:13 UTC
[Samba] winbind sometimes does not resolve sid to a name
On Tue, Nov 16, 2010 at 10:19 AM, Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:> On Sat, Nov 13, 2010 at 5:34 PM, Michael Wood <esiotrot at gmail.com> wrote: >> On 14 November 2010 01:16, Shirish Pargaonkar >> <shirishpargaonkar at gmail.com> wrote: >>> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam <obnox at samba.org> wrote: >>>> Hi Shirish, >>>> >>>> Shirish Pargaonkar wrote: >>>>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison <jra at samba.org> wrote: >>>>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote: >>>>> >> Sometimes a group sid does not get resolved to its name. >>>>> >> >>>>> >> Is this a settings problem? ?Looks like winbind deamon >>>>> >> went dormant for a while and then woke up? >>>>> >> I am using interface wbcLookupSid provided by the >>>>> >> library libwbclient.so for resolving sids to names. >>>>> >> >>>>> >> These are the winbind related parameters in >>>>> >> /etc/samba/smb.conf >>>>> > >>>>> > Not enough information for useful debugging. What >>>>> > do the winbindd logs say ? >>>>> > >>>>> >>>>> ps -eaf | grep winbind >>>>> root ? ? 20085 ? ? 1 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >>>>> root ? ? 20086 20085 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >>>>> root ? ? 20089 20085 ?0 14:03 ? ? ? ? ?00:00:00 /usr/sbin/winbindd -D >>>>> >>>>> Cleared /var/log/samba/winbindd.log just before issueing >>>>> command getcifsacl which could not resolve the group SID >>>>> >>>>> winbindd.log attached. >>>> >>>> not really. :-) >>>> >>>> Cheers - Michael >>> >>> Michael, not sure what is implied. ?The log is not sufficient? >> >> No, the mailing list (sometimes) strips attachments. ?There was no log >> file attached to your e-mail when I received it. >> >>> I see two error messages in the log. >>> >>> [2010/11/08 14:32:56, ?5] winbindd/winbindd_async.c:lookupsid_recv2(138) >>> ?lookupsid (forest root) returned an error >>> [2010/11/08 14:32:56, ?5] winbindd/winbindd_sid.c:lookupsid_recv(61) >>> ?lookupsid returned an error >> >> -- >> Michael Wood <esiotrot at gmail.com> >> > > Hope this attachment sticks. > > Regards, > > Shirish >I see one more type error while using winbind, wbcSidToUid returns error 7 but wbcSidToGid succeeds. /tmp/getcifsacl /mnt/smb_d/Makefile REVISION:0x1 CONTROL:0x9404 OWNER:BUILTIN\Administrators GROUP:CIFSTESTDOM\Domain Users ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x10000 ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1 ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL # cat /var/log/messages cifs.upcall: Owner wbcStringToSid: S-1-5-32-544, rc: 0 cifs.upcall: Owner wbcSidToUid: S-1-5-32-544, uid: 0, rc: 7 cifs.upcall: Group wbcStringToSid: S-1-5-21-2849063682-2007077719-983662776-513, rc: 0 cifs.upcall: Group wbcSidToGid: S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0 Error winbindd.log file is as follows: sid2uid_lookupsid_recv: Sid S-1-5-32-544 is not a user or a computer. I changed Owner of the file on the server to OWNER:CIFSTESTDOM\Domain Users but the same error during wbcSidToUid [2010/12/02 14:36:20, 5] winbindd/winbindd_sid.c:sid2uid_lookupsid_recv(192) sid2uid_lookupsid_recv: Sid S-1-5-21-2849063682-2007077719-983662776-513 is not a user or a computer. [[2010/12/02 14:36:20, 7] winbindd/winbindd_idmap.c:winbindd_sid2gid_async(363) winbindd_sid2gid_async: Resolving S-1-5-21-2849063682-2007077719-983662776-513 to a gid If I change Owner to OWNER:CIFSTESTDOM\Administrator, then it works /tmp/getcifsacl /mnt/smb_d/Makefile REVISION:0x1 CONTROL:0x9404 OWNER:CIFSTESTDOM\Administrator GROUP:CIFSTESTDOM\Domain Users ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x10000 ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1 ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL cifstest6:/usr/src/linux.ssp.cifs.09092010.l/cifs-2.6 # cat /var/log/messages cifs.upcall: Owner wbcStringToSid: S-1-5-21-2849063682-2007077719-983662776-500, rc: 0 cifs.upcall: Owner wbcSidToUid: S-1-5-21-2849063682-2007077719-983662776-500, uid: 10000, rc: 0 cifs.upcall: Group wbcStringToSid: S-1-5-21-2849063682-2007077719-983662776-513, rc: 0 cifs.upcall: Group wbcSidToGid: S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0 Is this the expected behaviour, some sids can_not/will_not be mapped such as this Owner BUILTIN\Administrators. Regads, Shirish