Bug 15225 - Failed to get sid token when winbind calls samba-gpupdate
Summary: Failed to get sid token when winbind calls samba-gpupdate
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-05 20:07 UTC by Peter Carlson
Modified: 2022-11-20 21:55 UTC (History)
0 users

See Also:


Attachments
configs from file server (1.50 KB, text/plain)
2022-11-05 20:07 UTC, Peter Carlson
no flags Details
config from addc (446 bytes, text/plain)
2022-11-05 20:07 UTC, Peter Carlson
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Carlson 2022-11-05 20:07:15 UTC
Created attachment 17628 [details]
configs from file server

tested on ubuntu 22.04 using samba built from master branch
setting a user gpo

winbindd_gpupdate.c:136(gpupdate_user_init), calls samba-gpupdate
this generates the below error:
/usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-33300784-995546578-3414580312-1107 -> getpwuid(2001107) failed, is nsswitch configured?
[2022/10/31 17:19:19.762025,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: Traceback (most recent call last):
[2022/10/31 17:19:19.762088,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:   File "/usr/sbin/samba-gpupdate", line 136, in <module>
[2022/10/31 17:19:19.762107,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:     apply_gp(lp, creds, store, gp_extensions, username,
[2022/10/31 17:19:19.762113,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 437, in apply_gp
[2022/10/31 17:19:19.762172,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:     gpos = get_gpo_list(dc_hostname, creds, lp, username)
[2022/10/31 17:19:19.762187,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 373, in get_gpo_list
[2022/10/31 17:19:19.762246,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:     gpos = ads.get_gpo_list(username.split('\\')[-1])
[2022/10/31 17:19:19.762267,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: RuntimeError: Failed to get sid token for 'peter'(CN=Peter Carlson,CN=Users,DC=carlson,DC=lab): The specified account does not exist.
[2022/10/31 17:19:19.811877,  0] ../../source3/winbindd/winbindd_gpupdate.c:187(gpupdate_cmd_done)
  gpupdate_cmd_done: gpupdate failed with exit status 1

However the user can login using ssh, and running samba-gpupdate --target=User -U peter does not generate the error

CARLSON\peter@fs1:~$ id
uid=2001107(CARLSON\peter) gid=2000513(CARLSON\domain users) groups=2000513(CARLSON\domain users),10000(BUILTIN\administrators),10001(BUILTIN\users),2000512(CARLSON\domain admins),2000572(CARLSON\denied rodc password replication group),2001107(CARLSON\peter),2001108(CARLSON\linux admins)

the error is happening in libgpo/pygpo.c on line 457

The ADDC is running on ubuntu 22.04 git branch master
the fileserver is running the same

config files are attached
Comment 1 Peter Carlson 2022-11-05 20:07:38 UTC
Created attachment 17629 [details]
config from addc
Comment 2 Peter Carlson 2022-11-20 20:55:08 UTC
digging a bit deeper, the actual error occurs here:

gpo_ldap.c : 693 at this:

        status = ADS_ERROR_NT(create_local_nt_token(mem_ctx,
                                          &object_sid, false,
                                          num_token_sids, token_sids, &new_token));
Comment 3 Peter Carlson 2022-11-20 21:55:22 UTC
some further digging:

source3/auth/token_util.c:562

                pass = getpwuid_alloc(tmp_ctx, uid);
and pass is null

This is the error in the log:
  /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-33300784-995546578-3414580312-1107 -> getpwuid(2001107) failed, is nsswitch configured?

root@fs1:~/samba.git# wbinfo -s S-1-5-21-33300784-995546578-3414580312-1107
CARLSON\peter 1

Here is my nsswitch:

    root@fs1:~/samba.git# cat /etc/nsswitch.conf
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         files systemd winbind
    group:          files systemd winbind
    shadow:         files
    gshadow:        files

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis