Bug 7003 - winbindd does not resolve trusted domain users
Summary: winbindd does not resolve trusted domain users
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Winbind
Version: 3.4.3
Hardware: x86 Linux
: P3 major
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2009-12-21 04:44 UTC by Tom Patzig (mail address dead)
Modified: 2018-12-09 19:00 UTC
Description Tom Patzig (mail address dead) 2009-12-21 04:44:13 UTC
All users from the joined domain are resolved and mapped fine.

Requesting/resolving a user from a trusted domain fails with this log message:

[2009/12/21 11:34:14,  5] winbindd/winbindd_async.c:296(lookupname_recv2)
  lookup_name returned an error
[2009/12/21 11:34:14,  5] winbindd/winbindd_user.c:497(getpwnam_name2sid_recv)
  Could not lookup name for user EXT\nue.ftpuser.svc

The strange thing is that all users from the trusted domain EXT are listed fine with `wbinfo --domain EXT -u`, but the request for single users fails with the above message.

BTW, the trusted domain EXT is always marked as "offline" with `wbinfo --online-status`. After `wbinfo --domain EXT -u` this domain is set to "online", but still no success in resolving users.

Don't know if that matters; I'm using "idmap backend = hash" to map uid and gid.
Comment 1 Michael Adam 2009-12-22 18:08:45 UTC
Hi,
could you please post your complete smb.conf?
Thanks - Michael
Comment 2 Tom Patzig (mail address dead) 2010-01-04 09:52:09 UTC
The global section of my smb.conf (all other sections default):

[global]
        workgroup = GFK
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        realm = GFK.COM
        preferred master = no
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        allow trusted domains = yes
        winbind refresh tickets = yes
        winbind nss info = hash
        idmap backend = hash
        idmap uid = 1000-4000000000
        idmap gid = 1000-4000000000
        log level = auth:10 winbind:10

        wins support = no
        invalid users = root
Comment 3 Michael Adam 2010-01-07 16:03:00 UTC
Could you please add the output of the command "net rpc trustdom list" here?
Comment 4 Tom Patzig (mail address dead) 2010-01-11 02:24:37 UTC
Just calling "net rpc trustdom list" tries to find the next DC of one of the trusted domains, so the netlogon always fails.

Calling "net -S windc1.gfk.com -U nue.ftpuser.svc rpc trustdom list" works:
Enter nue.ftpuser.svc's password:

Trusted domains list:

IHAGF              S-1-5-21-1942423493-1059656558-1998214792
INTOMAR            S-1-5-21-823518204-1659004503-725345543
CRW                S-1-5-21-3031078713-886512649-1698080345
GFKA               S-1-5-21-343818398-1482476501-682003330
UK                 S-1-5-21-1680198136-2588557851-305613390

Trusting domains list:

EXT                S-1-5-21-1328376081-1279679187-339368940
IHAGF              S-1-5-21-1328376081-1279679187-339368940
INTOMAR            S-1-5-21-1328376081-1279679187-339368940
CRW                S-1-5-21-1328376081-1279679187-339368940
GFKA               S-1-5-21-1328376081-1279679187-339368940
UK                 S-1-5-21-1328376081-1279679187-339368940
Comment 5 Tom Patzig (mail address dead) 2010-01-21 10:51:43 UTC
I'm wondering why this EXT domain is only listed in "trusting domains list" and not like the other domains in both sections.
But `wbinfo --trusted-domains` also lists the domain EXT.
Any ideas?
Comment 6 Björn Jacke 2018-12-09 19:00:26 UTC
That idmap config is invalid and especially bad with a trusted domain scenario. I've seen that current releases with a correct idmap config work fine.
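The comment above only states that the posted idmap config is invalid. As an added example (not part of the bug report and not Samba's own code), the checker below parses the [global] section of an smb.conf, flags the pre-3.6 idmap parameters that current releases no longer accept, a missing default (`*`) backend or range (the one that serves trusted domains such as EXT), and overlapping id ranges. It runs over the idmap lines posted in Comment 2 beside a constructed replacement in the current "idmap config" syntax; the tdb/rid backends and the ranges in that replacement are assumptions chosen for the example, not a recommendation from the thread.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines of the [global] section posted in Comment 2 (pre-3.6 syntax).
POSTED_CONF = """[global]
        idmap backend = hash
        idmap uid = 1000-4000000000
        idmap gid = 1000-4000000000
"""
# Constructed replacement in the "idmap config" syntax of current Samba: a default (*) backend
# that also serves trusted domains and BUILTIN, plus a separate, non-overlapping range for GFK.
CURRENT_CONF = """[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config GFK : backend = rid
        idmap config GFK : range = 10000-999999
"""
# Parameters of the old idmap syntax (deprecated in 3.6) that current Samba releases no longer accept.
LEGACY_PARAMS = {"idmap backend", "idmap uid", "idmap gid", "idmap alloc backend"}

def parse_global(text):
    # Return the [global] parameters as a dict; keys are lower-cased with "name : subkey" spacing.
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def check_idmap(params):
    # Return a list of findings; an empty list means the idmap setup looks consistent.
    findings = [f"legacy parameter no longer understood: '{k}'" for k in sorted(params) if k in LEGACY_PARAMS]
    if "idmap config * : backend" not in params:
        findings.append("missing 'idmap config * : backend' (serves trusted domains and BUILTIN)")
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and r:
            ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    if "*" not in ranges:
        findings.append("missing 'idmap config * : range'")
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"id ranges of '{a}' and '{b}' overlap")
    return findings
```

Running `check_idmap(parse_global(POSTED_CONF))` reports the three legacy parameters plus the missing default backend and range, while the constructed replacement yields no findings.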