Bug 7891 - SID->GID resolution broken on Samba member server
SID->GID resolution broken on Samba member server
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
x86 Linux
: P4 critical
: ---
Assigned To: Michael Adam
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2010-12-27 15:15 UTC by Dmitri Zoubkov
Modified: 2014-07-24 21:33 UTC (History)
0 users

See Also:

Original (Samba 3.4.x) config (392 bytes, text/plain)
2010-12-27 15:16 UTC, Dmitri Zoubkov
no flags Details
Current (Samba 3.5.6) config (291 bytes, text/plain)
2010-12-27 15:17 UTC, Dmitri Zoubkov
no flags Details
idmap Log (47.53 KB, text/plain)
2010-12-27 15:23 UTC, Dmitri Zoubkov
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Dmitri Zoubkov 2010-12-27 15:15:36 UTC
After Samba upgrade from 3.4.x (exact version unknown unfortunately) to 3.5.6 winbind fails to resolve domain SIDs properly.

The Setup
PDC: samba-3.5.6-13.1.i586 (Suse Linux) with LDAP backend
Member: samba-3.5.6-71.fc14.i686 (Fedora), firewall stopped, nscd stopped

Steps performed on PDC:
1) previous machine account was deleted

Steps performed on member:
1) nsswitch configured as
passwd:     files [success=return] ldap
shadow:     files [success=return] ldap
group:      files [success=return] ldap
2) smb.conf copied from original (working) 3.4.x setup (s. attachment smb-orig.conf)
3) net rpc join MYDOMAIN
4) net setauthuser xxx
5) started smbd, nmbd, winbindd daemons

In this setup, although "wbinfo -u", "wbinfo -g", "wbinfo -n" was working, "wbinfo -S", resp. "wbinfo -Y" refused to return any GIDs/SIDs. In addition, when connecting from a member workstation (Win XP) to a share on this server all ACL entries was displayed as "Unix User\user" or "Unix Group\group" and modification of those ACLs from the workstation was impossible due to failing SID resolution.

Some research brought up that idmap_nss backend had been introduced as replacement for "winbind trusted domains only = yes", so I made an attempt to turn it on:

1) smb.conf modified to include idmap_nss (s. attachment smb.conf)
2) smbd, nmbd, winbindd stopped
3) all samba caches flushed/deleted
4) smbd, nmbd, winbindd started

After these steps the picture changed: "wbinfo -S" started returning valid UIDs and ACLs on the share showed properly resolved user/group names (but without any domain prefix), however GID resolution was stil broken, i.e. "wbinfo -Y" kept saying "Could not convert" and adding/modifying ACL group entries on the share was still not possible. Winbind logs show that SID lookups for domain groups work but mapping runs into NT_STATUS_MEDIA_WRITE_PROTECTED (I attach idmap log recorded during "wbinfo -Y" and for contrast "wbinfo -S" (that worked).
Comment 1 Dmitri Zoubkov 2010-12-27 15:16:38 UTC
Created attachment 6172 [details]
Original (Samba 3.4.x) config
Comment 2 Dmitri Zoubkov 2010-12-27 15:17:14 UTC
Created attachment 6173 [details]
Current (Samba 3.5.6) config
Comment 3 Dmitri Zoubkov 2010-12-27 15:23:59 UTC
Created attachment 6174 [details]
idmap Log
Comment 4 Dmitri Zoubkov 2011-06-05 21:37:57 UTC
As of samba-3.5.8-76.fc14.i686 (client side, member server) GID resolution in the described environment still doesn't work, the outcome is the same.

Could we expect any action on this issue? All SMB access to Unix domain member machines in our network is on hold because of this.
Comment 5 Dmitri Zoubkov 2011-10-12 19:49:19 UTC
As of release samba-3.5.11-79.fc14.i686 this described setup seems to work.

It would be nice, however, if somebody would have given some feedback on the issue. Also, I couldn't find anything about it in any release notes, though obviously someone have been working on it.
Comment 6 Dmitri Zoubkov 2014-05-06 21:13:28 UTC
In the release samba-3.6.9-168.el6_5.i686 this bug has returned again!

In the very alike setup the behaviour of Samba member server is the same. Only significant difference (except for Samba version) is idmap config (that however should replace the earlier one):

  idmap config * : range = 500-1000000
  idmap config * : backend = nss

wbinfo is still not able resolve SIDs to GIDs, only after previous reverse resolution (GID->SID) it works:

# getent group domain_computers

# wbinfo -Y S-1-5-21-2999139105-897610460-2891332169-515
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2999139105-897610460-2891332169-515 to gid

# wbinfo -G 519

# wbinfo -Y S-1-5-21-2999139105-897610460-2891332169-515
Comment 7 Björn Jacke 2014-07-23 17:34:05 UTC
in your configuration you have a non-writable default backend, which is not supported. if you wanna use nss backend, the define that explicitly for a domain.
Comment 8 Dmitri Zoubkov 2014-07-24 21:33:43 UTC
Björn sorry, what does your comment to do with the actual problem?

I've changed my smb.conf:

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : range = 500-999999

As expected the behavior is still exact like described in my comment #6: no resolution SID->GID unless GID->SID for the same group has been done before.

I tested this in MYDOMAIN on fresh clean installation of CentOS under VMWare with samba-3.6.9-169.el6_5.i686 and reproduced the error every time when winbind cache was cleared.