Bug 15225 - Failed to get sid token when winbind calls samba-gpupdate
Status: NEEDINFO
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-11-05 20:07 UTC by Peter Carlson
Modified: 2023-04-28 13:21 UTC

Attachments
configs from file server (1.50 KB, text/plain)
2022-11-05 20:07 UTC, Peter Carlson
config from addc (446 bytes, text/plain)
2022-11-05 20:07 UTC, Peter Carlson
Description Peter Carlson 2022-11-05 20:07:15 UTC
Created attachment 17628
configs from file server

Tested on Ubuntu 22.04 using Samba built from the master branch, setting a user GPO.

winbindd_gpupdate.c:136 (gpupdate_user_init) calls samba-gpupdate.
This generates the error below:
/usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-33300784-995546578-3414580312-1107 -> getpwuid(2001107) failed, is nsswitch configured?
[2022/10/31 17:19:19.762025,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: Traceback (most recent call last):
[2022/10/31 17:19:19.762088,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:   File "/usr/sbin/samba-gpupdate", line 136, in <module>
[2022/10/31 17:19:19.762107,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:     apply_gp(lp, creds, store, gp_extensions, username,
[2022/10/31 17:19:19.762113,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 437, in apply_gp
[2022/10/31 17:19:19.762172,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:     gpos = get_gpo_list(dc_hostname, creds, lp, username)
[2022/10/31 17:19:19.762187,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 373, in get_gpo_list
[2022/10/31 17:19:19.762246,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate:     gpos = ads.get_gpo_list(username.split('\\')[-1])
[2022/10/31 17:19:19.762267,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: RuntimeError: Failed to get sid token for 'peter'(CN=Peter Carlson,CN=Users,DC=carlson,DC=lab): The specified account does not exist.
[2022/10/31 17:19:19.811877,  0] ../../source3/winbindd/winbindd_gpupdate.c:187(gpupdate_cmd_done)
  gpupdate_cmd_done: gpupdate failed with exit status 1

However, the user can log in using ssh, and running samba-gpupdate --target=User -U peter does not generate the error.

CARLSON\peter@fs1:~$ id
uid=2001107(CARLSON\peter) gid=2000513(CARLSON\domain users) groups=2000513(CARLSON\domain users),10000(BUILTIN\administrators),10001(BUILTIN\users),2000512(CARLSON\domain admins),2000572(CARLSON\denied rodc password replication group),2001107(CARLSON\peter),2001108(CARLSON\linux admins)

The error is happening in libgpo/pygpo.c on line 457.

The ADDC is running on Ubuntu 22.04, git branch master.
The file server is running the same.

Config files are attached.
Comment 1 Peter Carlson 2022-11-05 20:07:38 UTC
Created attachment 17629
config from addc
Comment 2 Peter Carlson 2022-11-20 20:55:08 UTC
Digging a bit deeper, the actual error occurs here:

gpo_ldap.c:693, at this:

        status = ADS_ERROR_NT(create_local_nt_token(mem_ctx,
                                          &object_sid, false,
                                          num_token_sids, token_sids, &new_token));
Comment 3 Peter Carlson 2022-11-20 21:55:22 UTC
Some further digging:

source3/auth/token_util.c:562

                pass = getpwuid_alloc(tmp_ctx, uid);
and pass is null

This is the error in the log:
  /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-33300784-995546578-3414580312-1107 -> getpwuid(2001107) failed, is nsswitch configured?

root@fs1:~/samba.git# wbinfo -s S-1-5-21-33300784-995546578-3414580312-1107
CARLSON\peter 1

Here is my nsswitch:

    root@fs1:~/samba.git# cat /etc/nsswitch.conf
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         files systemd winbind
    group:          files systemd winbind
    shadow:         files
    gshadow:        files

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis
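
A triage helper for the log and nsswitch.conf quoted in this thread, added here as an example and not part of the original report or of Samba's code: it separates samba-gpupdate's stderr from the winbindd header lines, extracts the SID and uid that getpwuid() failed on, and repeats that lookup in the current process. The sample log and nsswitch text are constructed from the lines quoted above, and the function names are hypothetical.

```python
import pwd
import re

# Constructed sample, trimmed from the log quoted in the report: winbindd
# writes a header line before each line of the child's stderr.
SAMPLE_LOG = """\
/usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-33300784-995546578-3414580312-1107 -> getpwuid(2001107) failed, is nsswitch configured?
[2022/10/31 17:19:19.762025,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: Traceback (most recent call last):
[2022/10/31 17:19:19.762267,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: RuntimeError: Failed to get sid token for 'peter'(CN=Peter Carlson,CN=Users,DC=carlson,DC=lab): The specified account does not exist.
[2022/10/31 17:19:19.811877,  0] ../../source3/winbindd/winbindd_gpupdate.c:187(gpupdate_cmd_done)
  gpupdate_cmd_done: gpupdate failed with exit status 1
"""
SAMPLE_NSSWITCH = "# constructed\npasswd:  files systemd winbind\nshadow:  files\n"

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s+\d+\] ")
LOOKUP = re.compile(r"add_local_groups: SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")

def child_stderr(log, prog="/usr/sbin/samba-gpupdate"):
    """Drop winbindd header lines and return only what `prog` wrote."""
    prefix = prog + ": "
    lines = (ln.strip() for ln in log.splitlines() if not HEADER.match(ln))
    return [ln[len(prefix):] for ln in lines if ln.startswith(prefix)]

def failed_lookups(stderr_lines):
    """(SID, uid) pairs for which the child's getpwuid() returned nothing."""
    return [(m.group(1), int(m.group(2)))
            for m in map(LOOKUP.search, stderr_lines) if m]

def nss_sources(nsswitch_text, database="passwd"):
    """Source list for one nsswitch.conf database, comments ignored."""
    for line in nsswitch_text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []

def resolves_here(uid):
    """Account name if getpwuid() succeeds in this process, else None."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

if __name__ == "__main__":
    print("winbind in passwd:", "winbind" in nss_sources(SAMPLE_NSSWITCH))
    for sid, uid in failed_lookups(child_stderr(SAMPLE_LOG)):
        print(sid, uid, "resolves here as", resolves_here(uid))
```

On the affected host, pass the real winbindd log and /etc/nsswitch.conf contents instead of the samples; resolves_here() then reports whether the same uid resolves from the calling environment.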
Comment 4 Samba QA Contact 2023-04-28 03:15:05 UTC
This bug was referenced in samba master:

a8bad5d5b859a2a76ce18919fbe2bf42f8ef7562
ac4726106c6d99794f03591fc0b526d91b947fad
ee04bafc25c7b09e53fe2036c5188531b58526a8
c80affe0f192db9f851b5ed0617586783a02a82d
Comment 5 David Mulder 2023-04-28 13:21:23 UTC
The fix for this bug has landed in master. Peter, could you try this out (either build master, or wait for the release)?