Bug 7003 - winbindd does not resolve trusted domain users
Summary: winbindd does not resolve trusted domain users
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.4.3
Hardware: x86 Linux
: P3 major
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Reported: 2009-12-21 04:44 UTC by Tom Patzig (mail address dead)
Modified: 2018-12-09 19:00 UTC (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Tom Patzig (mail address dead) 2009-12-21 04:44:13 UTC
All users from the joined domain are resolved and mapped fine.

Requesting/resolving a user from a trusted domain fails with this log message:

[2009/12/21 11:34:14,  5] winbindd/winbindd_async.c:296(lookupname_recv2)
  lookup_name returned an error
[2009/12/21 11:34:14,  5] winbindd/winbindd_user.c:497(getpwnam_name2sid_recv)
  Could not lookup name for user EXT\nue.ftpuser.svc

The strange thing is, that all users from the trusted domain EXT are listed fine with `wbinfo --domain EXT -u`, but the request for single users fails with the above msg.

BTW, the trusted domain EXT is always marked as "offline" with `wbinfo --online-status`. After `wbinfo --domain EXT -u` this domain is set to "online", but still no success in resolving users.

Dont know if that matters, I'm using "idmap backend = hash" to map uid and guid.
Comment 1 Michael Adam 2009-12-22 18:08:45 UTC
could you please post your complete smb.conf?
Thanks - Michael
Comment 2 Tom Patzig (mail address dead) 2010-01-04 09:52:09 UTC
The global section of my smb.conf (all other sections default):

        workgroup = GFK
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        realm = GFK.COM
        preferred master = no
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        allow trusted domains = yes
        winbind refresh tickets = yes
        winbind nss info = hash
        idmap backend = hash
        idmap uid = 1000-4000000000
        idmap gid = 1000-4000000000
        log level = auth:10 winbind:10

        wins support = no
        invalid users = root
Comment 3 Michael Adam 2010-01-07 16:03:00 UTC
Could you please add the output of the command "net rpc trustdom list" here?
Comment 4 Tom Patzig (mail address dead) 2010-01-11 02:24:37 UTC
Just calling "net rpc trustdom list" tries to find the next DC of one of the trusted domains, therefore the netlogon always fails.

Calling "net -S windc1.gfk.com -U nue.ftpuser.svc rpc trustdom list" works:
Enter nue.ftpuser.svc's password:

Trusted domains list:

IHAGF              S-1-5-21-1942423493-1059656558-1998214792
INTOMAR            S-1-5-21-823518204-1659004503-725345543
CRW                S-1-5-21-3031078713-886512649-1698080345
GFKA               S-1-5-21-343818398-1482476501-682003330
UK                 S-1-5-21-1680198136-2588557851-305613390

Trusting domains list:

EXT                S-1-5-21-1328376081-1279679187-339368940
IHAGF              S-1-5-21-1328376081-1279679187-339368940
INTOMAR            S-1-5-21-1328376081-1279679187-339368940
CRW                S-1-5-21-1328376081-1279679187-339368940
GFKA               S-1-5-21-1328376081-1279679187-339368940
UK                 S-1-5-21-1328376081-1279679187-339368940
Comment 5 Tom Patzig (mail address dead) 2010-01-21 10:51:43 UTC
I'm wondering why this EXT domain is only listed in "trusting domains list" and not like the other domains in both sections.
But `wbinfo --trusted-domains` also lists the domain EXT.
Any ideas?
Comment 6 Björn Jacke 2018-12-09 19:00:26 UTC
that idmap config is invalid and especially bad with a trusted domain szenario. I've seen that  current releases with a correct idmap config work fine.