Bug 8896 - Problem resolving GID to name
Summary: Problem resolving GID to name
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.6.4
Hardware: All Linux
: P5 major
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-04-25 20:54 UTC by Michael Letzgus-Koppmann
Modified: 2014-07-23 12:40 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Letzgus-Koppmann 2012-04-25 20:54:43 UTC 
Group defines by the domain controller:

SID: S-1-5-21-283016044-3387516373-1648638545-513
Name: domänen-benutzer


OK:
>wbinfo -s S-1-5-21-283016044-3387516373-1648638545-513
AD\domänen-benutzer 2

OK:
>wbinfo -Y S-1-5-21-283016044-3387516373-1648638545-513
100513

not OK:
>wbinfo -G 100513
S-1-5-21-1492033937-915934465-2153502558-513

Should be (at least I think so):
S-1-5-21-283016044-3387516373-1648638545-513


But:
>wbinfo -Y S-1-5-21-1492033937-915934465-2153502558-513
100513


not OK:
>wbinfo --gid-info 100513
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 100513


and consequently not OK:

>ls -la
drwx------ 2 mletzgus2 100513 4096 Apr 25 22:30 mletzgus2

(should resolve to group name...)


smb.conf:
[global]
    netbios name = uche-pc1-ml
    server string = uche-pc1-ml

    interfaces = lo eth0
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    hosts allow = 129.70.70.0/24 129.70.172.0/23 127.0.0.1/8

    realm = ad.uni-bielefeld.de
    workgroup = ad
    security = ads
    template shell = /bin/bash
    template homedir = /home/%D/%U

    winbind use default domain = yes
    winbind refresh tickets = yes

    winbind offline logon = true

    winbind enum users = no
    winbind enum groups = no

    allow trusted domains = No

    idmap config *: backend = rid
    idmap config *: range = 100000-1000000

    wins server = 129.70.4.79 129.70.4.80 129.70.4.106

    time server = yes
    unix charset = utf8

    load printers = no

    syslog only = yes

    min protocol = NT1

    create mask = 0600
    directory mask = 0700


[homes]
    Valid Users = @AD\uche-pc1
    read only = no
    browseable = Yes



What's wrong here? Is it a kind of numeric problem because of my high RID-offset?
Comment 1 Michael Letzgus-Koppmann 2012-04-26 10:56:55 UTC 
Maybe this is related to Bug 6605?
Comment 2 Björn Jacke 2014-07-23 12:40:57 UTC 
two things:

1) "idmap config *: backend = rid" is not valid. default backend has to be allocatable. current man page also mentions that.

2) the group information retrieval of samba includes group memberships, which is not always allowed for winbind. only authenticated users can get that information for themselves. You might be lucky to get the ID resolution if you set "winbind expand groups = 0" and/or if you use "net setauthuser ...". The authuser one has to be considred more as a hack and should not be required. For Client machines everything should be okay anyways...