Bug 13814 - idmap range lookup failure not logged
Summary: idmap range lookup failure not logged
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.8.3
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-28 09:19 UTC by Kristján Jónsson (dead mail address)
Modified: 2019-02-28 09:19 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kristján Jónsson (dead mail address) 2019-02-28 09:19:34 UTC 
I just spent half the afternoon debugging problems with the ad idemapping.
I had imported the uid range from our IPA server but was having failure mapping user names.
"getent passwd SAMDOM\\user1" would fail silently.
"wbinfo -n SAMDOM\\user1" would return the sid,
"wbinfo -i SAMDOM\\user1" would return failure:  
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user RVX\user1

I tried increasing the log level for samba, restarting winbind a number of times, "net cache flush", "net cache list", and so on.  Nothing useful appeard in any of the samba log.winbind* or log.wb-* files.

In the end, I discovered that the range I had put for the SAMDOM domain in smb.com was wrong, and some uids were falling outside this range.  But there was _nothing_ in the logs, or the net cache, or otherwise, that pointed me in this direction.  the net cache was filled with -1 entries where lookup had failed.

So, the bug here, is that it should be _at least_ a warning log when during ID mapping, having gotten a successful SID, that an uid is not found because a corresponding range is not found.  After all, the domain has already been determined, and so the correct range should be found, but an uid falls outside the range and nothing is logged.