Lupe
2012-Jul-25 23:34 UTC
[Samba] Active Directory on OpenIndiana: cannot set group permission
Hello Samba team,
On our Solaris 10u8 system with the exact config, I'm able to set
both Active Directory user and group permissions. On our OpenIndiana
system I'm able to set Active Directory *user* permissions but when I
try to set Active Directory group permission it fails. Here is the
command along with the error:
/usr/bin/chmod
A=everyone@:rxaRc:d:allow,everyone@:raRc:fi:allow,group:DOMAIN_NAME\\testers:rwxpdDaARWcCos:fd:allow
/zvue/datapool/group_testers/fs
Invalid group DOMAIN_NAME\testers specified
System info:
I'm on working "OpenIndiana Development oi_151.1.5 X86" with Samba
Version 3.6.0 and Active Directory Version: 5.2.3790.3959 running on
Windows server 2003. As an experiment I tried the latest Samba version
3.6.6 but got the same results.
From our OpenIndiana system I can see all Active Directory users and
groups,
wbinfo -u output:
DOMAIN_NAME\bob
DOMAIN_NAME\bull
DOMAIN_NAME\frank
(showing a few lines of output)
wbinfo -g output:
DOMAIN_NAME\testers
DOMAIN_NAME\domain users
DOMAIN_NAME\domain guests
(showing a few lines of output)
net getdomainsid output:
SID for local machine <host_name> is:
S-1-5-21-3938218248-254906258-2580095957
SID for domain <domain_name> is: S-1-5-21-714375242-3402532539-2503969851
klist output:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <domain_admin_user>@<DOMAIN_NAME>.COM
Valid starting Expires Service principal
24/07/2012 16:59 25/07/2012 02:59
krbtgt/<DOMAIN_NAME>.COM@<DOMAIN_NAME>.COM
renew until 31/07/2012 16:59
24/07/2012 17:30 25/07/2012 02:59
ldap/<system_id>.<domain_name>.com@<DOMAIN_NAME>.COM
renew until 31/07/2012 16:59
(showing a few lines of output)
testparm output:
Load smb config files from /etc/sfw/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
Processing section "[user_bull]"
WARNING: The optional ':port' in password server = 192.168.1.151:389 is
deprecated
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the
'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = DOMAIN_NAME
realm = DOMAIN_NAME.COM
server string = Storage Server
security = ADS
password server = 192.168.1.151:389
log file = /var/samba/log/log.%m
max log size = 10000
max protocol = SMB2
socket options = SO_KEEPALIVE
load printers = No
printcap cache time = 0
dns proxy = No
wins server = 192.168.1.151
idmap config * : range = 10000-20000
idmap config * : backend = tdb
[user_bull]
comment = user_bull Files
path = "/zvue/datapool/user_bull/fs"
valid users = DOMAIN_NAME\bull
read only = No
acl check permissions = No
acl map full control = No
inherit acls = Yes
ea support = Yes
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = shadow_copy_zfs, dirsort, zfsacl
nfs4: mode = simple
shadow: exclude = "replication_*",
"zpool_backup_auto"
shadow: filesystem = datapool/user_bull/fs
We set the debug level to 10 in /etc/sfw/smb.conf, I'm attaching the
relevant section of /var/samba/log/log.winbindd from both systems
showing group permissions successful(Solaris10u8_nt_status_ok) and
failure (OpenIndiana_nt_status_unsuccessful). I'm also attaching our
/etc/pam.conf, /etc/sfw/smb.conf, /etc/nsswitch.conf, and
/etc/krb5/krb5.conf.
The only difference between the Solaris10u8 and OpenIndiana config files
was in /etc/pam.conf.
OpenIndiana has these additional lines:
# GDM Autologin (explicit because of pam_allow). These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups account required pam_unix_account.so.1
#
# GDM Autologin (explicit because of pam_allow) This needs to be here
# as there is no mechanism for packages to amend pam.conf as they are
# installed.
#
gdm-autologin account sufficient pam_allow.so.1
#
Solaris10u8 has "force check" at end of this line but OpenIndiana does
not.:
other password requisite pam_authtok_check.so.1 force_check
Any pointers would be appreciated. If you need additional info (command
output or file info), please let me know.
Thank for your time,
Lupe
-------------- next part --------------
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
# /etc/nsswitch.conf:
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of
"inet" transports.
passwd: files winbind
group: files winbind
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system
will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
-------------- next part --------------
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# GDM Autologin (explicit because of pam_allow). These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups account required pam_unix_account.so.1
#
# GDM Autologin (explicit because of pam_allow) This needs to be here
# as there is no mechanism for packages to amend pam.conf as they are
# installed.
#
gdm-autologin account sufficient pam_allow.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
-------------- next part --------------
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
"testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings
====================================[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = DOMAIN_NAME
# server string is the equivalent of the NT Description field
server string = Storage Server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = ads
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = no
# you may wish to override the location of the printcap file
; printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
; printcap name = lpstat
# disable reloading of printcap, as we don't support printing anyway
printcap cache time = 0
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
; printing = cups
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/samba/log/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 10000
log level = 1
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
password server = 192.168.1.151:389
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
realm = domain_name.com
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
passdb backend = tdbsam
# winbind
idmap config * : range = 10000-20000
;winbind enum users = yes
;winbind enum groups = yes
winbind nested groups = yes
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/sfw/lib/smb.conf.%m
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS
Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.1.151
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null
-s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
socket options = SO_KEEPALIVE
;use kerberos keytab = yes
max protocol = SMB2
#============================ Share Definitions
=============================;[homes]
; comment = Home Directories
; browseable = no
; writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/sfw/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
;[printers]
; comment = All Printers
; path = /var/spool/samba
; browseable = no
;# Set public = yes to allow user 'guest account' to print
; guest ok = no
; writable = no
; printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in
fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
[user_bull]
comment = user_bull Files
path = "/zvue/datapool/user_bull/fs"
vfs objects = shadow_copy_zfs dirsort zfsacl
shadow: filesystem = datapool/user_bull/fs
shadow: exclude = "replication_*", "zpool_backup_auto"
nfs4: mode = simple
acl check permissions = no
nt acl support = yes
inherit acls = yes
acl map full control = no
ea support = yes
store dos attributes = yes
map archive = no
map readonly = no
map system = no
writable = yes
follow symlinks = yes
printable = no
valid users = "DOMAIN_NAME\bull"
admin users =
-------------- next part --------------
[libdefaults]
default_realm = DOMAIN_NAME.COM
dns_lookup_kdc = true
dns_lookup_realm = true
verify_ap_req_nofail = false
[realms]
DOMAIN_NAME.COM = {
kdc = 192.168.1.151:88
admin_server = 192.168.1.151:88
default_domain = domain_name.com
}
[domain_realm]
.domain_name.com = DOMAIN_NAME.COM
domain_name.com = DOMAIN_NAME.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
-------------- next part --------------
[2012/07/25 14:06:25.511415, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_QueryGroupList: struct wbint_QueryGroupList
out: struct wbint_QueryGroupList
groups : *
groups: struct wbint_Principals
num_principals : 0
principals: ARRAY(0)
result : NT_STATUS_OK
[2012/07/25 14:06:25.511657, 10]
winbindd/winbindd_list_groups.c:128(winbindd_list_groups_
done)
Domain BUILTIN returned 0 groups
[2012/07/25 14:06:25.519500, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_QueryGroupList: struct wbint_QueryGroupList
out: struct wbint_QueryGroupList
groups : *
groups: struct wbint_Principals
num_principals : 20
principals: ARRAY(20)
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1000
type : SID_NAME_DOM_GRP (2)
name : *
name : 'IIS_WPG'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1003
type : SID_NAME_DOM_GRP (2)
name : *
name : 'WINS
Users'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-515
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Computers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-516
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Controllers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-518
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Schema
Admins'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-519
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Enterprise
Admins'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-517
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Cert
Publishers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-512
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Admins'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-513
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Users'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-514
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Guests'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-520
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Group Policy
Creator Owners'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-553
type : SID_NAME_DOM_GRP (2)
name : *
name : 'RAS and IAS
Servers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1105
type : SID_NAME_DOM_GRP (2)
name : *
name : 'DnsAdmins'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1106
type : SID_NAME_DOM_GRP (2)
name : *
name :
'DnsUpdateProxy'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1135
type : SID_NAME_DOM_GRP (2)
name : *
name : 'testers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1165
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Var Users'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1167
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Var
Administrators'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1171
type : SID_NAME_DOM_GRP (2)
name : *
name :
'VA_APPLICATION'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1194
type : SID_NAME_DOM_GRP (2)
name : *
name : 'bsmith'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1197
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Var
Applications'
result : NT_STATUS_OK
[2012/07/25 14:06:25.523256, 10]
winbindd/winbindd_list_groups.c:128(winbindd_list_groups_
done)
Domain DOMAIN_NAME returned 20 groups
[2012/07/25 14:06:25.523446, 10] winbindd/winbindd.c:677(wb_request_done)
wb_request_done[19519:LIST_GROUPS]: NT_STATUS_OK
[2012/07/25 14:06:25.523616, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
winbind_client_response_written[19519:LIST_GROUPS]: delivered response to
client
[2012/07/25 14:06:25.524075, 6]
winbindd/winbindd.c:840(winbind_client_request_read)
closing socket 28, client exited
[2012/07/25 14:06:36.609102, 6] winbindd/winbindd.c:792(new_connection)
accepted socket 28
[2012/07/25 14:06:36.609349, 10] winbindd/winbindd.c:642(process_request)
process_request: request fn INTERFACE_VERSION
[2012/07/25 14:06:36.609421, 3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
[19592]: request interface version
[2012/07/25 14:06:36.609523, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
winbind_client_response_written[19592:INTERFACE_VERSION]: delivered response
to client
[2012/07/25 14:06:36.609662, 10] winbindd/winbindd.c:642(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/07/25 14:06:36.609716, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[19592]: request location of privileged pipe
[2012/07/25 14:06:36.609820, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
winbind_client_response_written[19592:WINBINDD_PRIV_PIPE_DIR]: delivered
response to cli
ent
[2012/07/25 14:06:36.609963, 10] winbindd/winbindd.c:615(process_request)
process_request: Handling async request 19592:LIST_USERS
[2012/07/25 14:06:36.610021, 3]
winbindd/winbindd_list_users.c:58(winbindd_list_users_sen
d)
list_users
[2012/07/25 14:06:36.610075, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_QueryUserList: struct wbint_QueryUserList
in: struct wbint_QueryUserList
[2012/07/25 14:06:36.610167, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_QueryUserList: struct wbint_QueryUserList
in: struct wbint_QueryUserList
[2012/07/25 14:06:36.610251, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_QueryUserList: struct wbint_QueryUserList
in: struct wbint_QueryUserList
[2012/07/25 14:06:36.610351, 10]
winbindd/winbindd_cache.c:4807(wcache_fetch_ndr)
Entry has timed out
[snip]
[2012/07/25 14:06:55.415407, 10] winbindd/winbindd.c:615(process_request)
process_request: Handling async request 19778:GETGRNAM
[2012/07/25 14:06:55.415494, 3]
winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
getgrnam DOMAIN_NAME\testers
[2012/07/25 14:06:55.415593, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'DOMAIN_NAME'
name : *
name : 'TESTERS'
flags : 0x00000000 (0)
[2012/07/25 14:06:55.472159, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_DOM_GRP (2)
sid : *
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
result : NT_STATUS_OK
[2012/07/25 14:06:55.472498, 10]
winbindd/winbindd_util.c:795(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-1-5-21-714375242-3402532539-2503969851-1135)
[2012/07/25 14:06:55.472575, 10]
winbindd/winbindd_util.c:805(find_lookup_domain_from_sid)
calling find_our_domain
[2012/07/25 14:06:55.472642, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
in: struct wbint_LookupSid
sid : *
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
[2012/07/25 14:06:55.474197, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
out: struct wbint_LookupSid
type : *
type : SID_NAME_DOM_GRP (2)
domain : *
domain : *
domain : 'DOMAIN_NAME'
name : *
name : *
name : 'testers'
result : NT_STATUS_OK
[2012/07/25 14:06:55.474492, 10]
winbindd/winbindd_util.c:795(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-1-5-21-714375242-3402532539-2503969851-1135)
[2012/07/25 14:06:55.474548, 10]
winbindd/winbindd_util.c:805(find_lookup_domain_from_sid)
calling find_our_domain
[2012/07/25 14:06:55.474592, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
in: struct wbint_LookupSid
sid : *
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
[2012/07/25 14:06:55.474727, 10]
winbindd/winbindd_cache.c:4807(wcache_fetch_ndr)
Entry has timed out
[2012/07/25 14:06:55.475932, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
out: struct wbint_LookupSid
type : *
type : SID_NAME_DOM_GRP (2)
domain : *
domain : *
domain : 'DOMAIN_NAME'
name : *
name : *
name : 'testers'
result : NT_STATUS_OK
[2012/07/25 14:06:55.476205, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_Sid2Gid: struct wbint_Sid2Gid
in: struct wbint_Sid2Gid
dom_name : NULL
sid : *
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
[2012/07/25 14:06:55.487968, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_Sid2Gid: struct wbint_Sid2Gid
out: struct wbint_Sid2Gid
gid : *
gid : 0x0000000000002717 (10007)
result : NT_STATUS_OK
[2012/07/25 14:06:55.488153, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupGroupMembers: struct wbint_LookupGroupMembers
in: struct wbint_LookupGroupMembers
sid : *
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
type : SID_NAME_DOM_GRP (2)
[2012/07/25 14:06:55.492298, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupGroupMembers: struct wbint_LookupGroupMembers
out: struct wbint_LookupGroupMembers
members : *
members: struct wbint_Principals
num_principals : 1
principals: ARRAY(1)
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1123
type : SID_NAME_USER (1)
name : *
name :
'DOMAIN_NAME\venus'
result : NT_STATUS_OK
[2012/07/25 14:06:55.492808, 10] winbindd/winbindd.c:677(wb_request_done)
wb_request_done[19778:GETGRNAM]: NT_STATUS_OK
[2012/07/25 14:06:55.492934, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
winbind_client_response_written[19778:GETGRNAM]: delivered response to client
[2012/07/25 14:06:55.566024, 6]
winbindd/winbindd.c:840(winbind_client_request_read)
closing socket 31, client exited
-------------- next part --------------
[2012/07/25 14:00:25.866573, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_QueryGroupList: struct wbint_QueryGroupList
out: struct wbint_QueryGroupList
groups : *
groups: struct wbint_Principals
num_principals : 0
principals: ARRAY(0)
result : NT_STATUS_OK
[2012/07/25 14:00:25.866704, 10]
winbindd/winbindd_list_groups.c:128(winbindd_list_groups_done)
Domain BUILTIN returned 0 groups
[2012/07/25 14:00:25.868616, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_QueryGroupList: struct wbint_QueryGroupList
out: struct wbint_QueryGroupList
groups : *
groups: struct wbint_Principals
num_principals : 20
principals: ARRAY(20)
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1000
type : SID_NAME_DOM_GRP (2)
name : *
name : 'IIS_WPG'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1003
type : SID_NAME_DOM_GRP (2)
name : *
name : 'WINS
Users'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-515
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Computers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-516
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Controllers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-518
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Schema
Admins'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-519
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Enterprise
Admins'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-517
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Cert
Publishers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-512
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Admins'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-513
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Users'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-514
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Domain
Guests'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-520
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Group Policy
Creator Owners'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-553
type : SID_NAME_DOM_GRP (2)
name : *
name : 'RAS and IAS
Servers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1105
type : SID_NAME_DOM_GRP (2)
name : *
name : 'DnsAdmins'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1106
type : SID_NAME_DOM_GRP (2)
name : *
name :
'DnsUpdateProxy'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
type : SID_NAME_DOM_GRP (2)
name : *
name : 'testers'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-250
3969851-1165
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Var Users'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1167
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Var
Administrators'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1171
type : SID_NAME_DOM_GRP (2)
name : *
name :
'VA_APPLICATION'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1194
type : SID_NAME_DOM_GRP (2)
name : *
name : 'bsmith'
principals: struct wbint_Principal
sid :
S-1-5-21-714375242-3402532539-2503969851-1197
type : SID_NAME_DOM_GRP (2)
name : *
name : 'Var
Applications'
result : NT_STATUS_OK
[2012/07/25 14:00:25.870383, 10]
winbindd/winbindd_list_groups.c:128(winbindd_list_groups_done)
Domain DOMAIN_NAME returned 20 groups
[2012/07/25 14:00:25.870469, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_QueryGroupList: struct wbint_QueryGroupList
out: struct wbint_QueryGroupList
groups : *
groups: struct wbint_Principals
num_principals : 0
principals: ARRAY(0)
result : NT_STATUS_NO_MEMORY
[2012/07/25 14:00:25.870592, 10]
winbindd/winbindd_list_groups.c:128(winbindd_list_groups_done)
Domain STORAGE returned 0 groups
[2012/07/25 14:00:25.870622, 10]
winbindd/winbindd_list_groups.c:134(winbindd_list_groups_done)
list_groups for domain STORAGE failed
[2012/07/25 14:00:25.870701, 10] winbindd/winbindd.c:677(wb_request_done)
wb_request_done[998:LIST_GROUPS]: NT_STATUS_OK
[2012/07/25 14:00:25.870773, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
winbind_client_response_written[998:LIST_GROUPS]: delivered response to client
[2012/07/25 14:00:25.870990, 6]
winbindd/winbindd.c:840(winbind_client_request_read)
closing socket 27, client exited
[2012/07/25 14:00:25.912989, 6] winbindd/winbindd.c:792(new_connection)
accepted socket 27
[2012/07/25 14:00:25.913130, 10] winbindd/winbindd.c:642(process_request)
process_request: request fn INTERFACE_VERSION
[2012/07/25 14:00:25.913165, 3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
[ 999]: request interface version
[2012/07/25 14:00:25.913226, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
winbind_client_response_written[999:INTERFACE_VERSION]: delivered response to
client
[2012/07/25 14:00:25.913291, 10] winbindd/winbindd.c:642(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/07/25 14:00:25.913322, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[ 999]: request location of privileged pipe
[2012/07/25 14:00:25.913394, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
winbind_client_response_written[999:WINBINDD_PRIV_PIPE_DIR]: delivered
response to client
[snip]
[2012/07/25 14:00:37.149706, 10] winbindd/winbindd.c:615(process_request)
process_request: Handling async request 1198:GETGRNAM
[2012/07/25 14:00:37.149744, 3]
winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
getgrnam DOMAIN_NAME\testers
[2012/07/25 14:00:37.149787, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'DOMAIN_NAME'
name : *
name : 'TESTERS'
flags : 0x00000000 (0)
[2012/07/25 14:00:37.155253, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_DOM_GRP (2)
sid : *
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
result : NT_STATUS_OK
[2012/07/25 14:00:37.155413, 10]
winbindd/winbindd_util.c:795(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-1-5-21-714375242-3402532539-2503969851-1135)
[2012/07/25 14:00:37.155452, 10]
winbindd/winbindd_util.c:805(find_lookup_domain_from_sid)
calling find_our_domain
[2012/07/25 14:00:37.155487, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
in: struct wbint_LookupSid
sid : *
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
[2012/07/25 14:00:37.156382, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
out: struct wbint_LookupSid
type : *
type : SID_NAME_DOM_GRP (2)
domain : *
domain : *
domain : 'DOMAIN_NAME'
name : *
name : *
name : 'testers'
result : NT_STATUS_OK
[2012/07/25 14:00:37.156604, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
idmap_cache_find_sid2gid found 10009
[2012/07/25 14:00:37.156662, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupGroupMembers: struct wbint_LookupGroupMembers
in: struct wbint_LookupGroupMembers
sid : *
sid :
S-1-5-21-714375242-3402532539-2503969851-1135
type : SID_NAME_DOM_GRP (2)
[2012/07/25 14:00:37.179647, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupGroupMembers: struct wbint_LookupGroupMembers
out: struct wbint_LookupGroupMembers
members : *
members: struct wbint_Principals
num_principals : 0
principals: ARRAY(0)
result : NT_STATUS_UNSUCCESSFUL
[2012/07/25 14:00:37.179811, 5]
winbindd/winbindd_getgrnam.c:146(winbindd_getgrnam_recv)
Could not convert sid S-1-5-21-714375242-3402532539-2503969851-1135:
NT_STATUS_UNSUCCESSFUL
[2012/07/25 14:00:37.179851, 10] winbindd/winbindd.c:677(wb_request_done)
wb_request_done[1198:GETGRNAM]: NT_STATUS_UNSUCCESSFUL
[2012/07/25 14:00:37.179917, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
winbind_client_response_written[1198:GETGRNAM]: delivered response to client
[2012/07/25 14:00:37.180029, 6]
winbindd/winbindd.c:840(winbind_client_request_read)
closing socket 32, client exited
[2012/07/25 14:00:37.181006, 6]
winbindd/winbindd.c:840(winbind_client_request_read)
closing socket 30, client exited
Apparently Analagous Threads
Wisdom of the Ancients
