Bug 7406 - Winbind cannot seem to retreive trusted domain SIDs
Summary: Winbind cannot seem to retreive trusted domain SIDs
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.5.2
Hardware: Sparc Solaris
: P3 major
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-05-04 03:45 UTC by Philip Drapeau
Modified: 2013-02-18 13:29 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Philip Drapeau 2010-05-04 03:45:48 UTC
Samba 3.5.2 was built under Solaris 10 sparc.  I compiled using gcc and the latest libs for ldap/kerberos/etc from blastwave (stuff got horribly broken when I tried using Sun Studio to compile even though the compile succeeded).

Either way, here is some excerpts from the winbind log. Any help with figuring out what is going on would be appreciated.  This stuff is *NOT* broken under 3.4.7. 

[2010/05/04 02:34:44.540298,  2] winbindd/winbindd_util.c:221(add_trusted_domain)
  Added domain BUILTIN  S-1-5-32
[2010/05/04 02:34:44.541323,  2] winbindd/winbindd_util.c:221(add_trusted_domain)
  Added domain CNS3  S-1-5-21-3477661738-17456881-3314112931
[2010/05/04 02:34:44.542353,  2] winbindd/winbindd_util.c:221(add_trusted_domain)
  Added domain ENVMASTER ENV.GOV.AB.CA S-1-5-21-2022982267-965564276-250757269

Winbind has no problems adding these domains to the trusted domain list. However I notice later on in the log it gets the following:

[2010/05/04 02:34:44.846255,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid (NULL SID) does not start with 'S-'.
[2010/05/04 02:34:44.846465,  0] winbindd/winbindd_util.c:325(trustdom_recv)
  Got invalid trustdom response

and than proceeds to loop and tries to list the trusted domains again (it does this several times). It seems to me like the directory is returning a null SID in attempts to resolve any of the trusted domains, however it did not do this before under 3.4.7. Any input into this issue would be appreciated, thanks!
Comment 1 Philip Drapeau 2010-05-04 22:38:35 UTC
I can also add that when I set winbind rpc only = yes it *DOES* get the SIDs of the trusted domains and properly enumerate them.  However when attempting to retrieve groups/users from a trusted domain which is not running in mixed mode, it fails to do so via RPC.  

The domain the samba server is on, is however running in mixed mode.
Comment 2 Philip Drapeau 2010-05-05 10:30:43 UTC
I suppose I should further clarify, when I cranked up the debug level from 9 to 10, I noticed it is getting the SIDs for trusted domains, its just not attempting to contact the domain controllers (so group/user resolution does not work in trusted domains).
Comment 3 Karolin Seeger 2010-05-27 05:39:36 UTC
Could you provide all winbind log files (level 10), please?

Comment 4 Björn Jacke 2012-04-20 19:20:58 UTC
no reply since two years, so close this for now. please reopen with level 10 log files if you still have the problem with the latest release. Thanks!