Bug 8896 - Problem resolving GID to name
Status: RESOLVED WORKSFORME
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.4
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assigned To: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Blocks:

Reported: 2012-04-25 20:54 UTC by Michael Letzgus
Modified: 2014-07-23 12:40 UTC (History)
Description Michael Letzgus 2012-04-25 20:54:43 UTC
Group defined by the domain controller:

SID: S-1-5-21-283016044-3387516373-1648638545-513
Name: domänen-benutzer


OK:
>wbinfo -s S-1-5-21-283016044-3387516373-1648638545-513
AD\domänen-benutzer 2

OK:
>wbinfo -Y S-1-5-21-283016044-3387516373-1648638545-513
100513

not OK:
>wbinfo -G 100513
S-1-5-21-1492033937-915934465-2153502558-513

Should be (at least I think so):
S-1-5-21-283016044-3387516373-1648638545-513


But:
>wbinfo -Y S-1-5-21-1492033937-915934465-2153502558-513
100513


not OK:
>wbinfo --gid-info 100513
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 100513


and consequently not OK:

>ls -la
drwx------ 2 mletzgus2 100513 4096 Apr 25 22:30 mletzgus2

(should resolve to group name...)


smb.conf:
[global]
    netbios name = uche-pc1-ml
    server string = uche-pc1-ml

    interfaces = lo eth0
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    hosts allow = 129.70.70.0/24 129.70.172.0/23 127.0.0.1/8

    realm = ad.uni-bielefeld.de
    workgroup = ad
    security = ads
    template shell = /bin/bash
    template homedir = /home/%D/%U

    winbind use default domain = yes
    winbind refresh tickets = yes

    winbind offline logon = true

    winbind enum users = no
    winbind enum groups = no

    allow trusted domains = No

    idmap config *: backend = rid
    idmap config *: range = 100000-1000000

    wins server = 129.70.4.79 129.70.4.80 129.70.4.106

    time server = yes
    unix charset = utf8

    load printers = no

    syslog only = yes

    min protocol = NT1

    create mask = 0600
    directory mask = 0700


[homes]
    Valid Users = @AD\uche-pc1
    read only = no
    browseable = Yes



What's wrong here? Is it a kind of numeric problem because of my high RID-offset?
Comment 1 Michael Letzgus 2012-04-26 10:56:55 UTC
Maybe this is related to Bug 6605?
Comment 2 Björn Jacke 2014-07-23 12:40:57 UTC
Two things:

1) "idmap config *: backend = rid" is not valid. The default backend has to be allocatable. The current man page also mentions that.

2) The group information retrieval of Samba includes group memberships, which is not always allowed for winbind. Only authenticated users can get that information for themselves. You might be lucky to get the ID resolution if you set "winbind expand groups = 0" and/or if you use "net setauthuser ...". The authuser one has to be considered more as a hack and should not be required. For client machines everything should be okay anyways...
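
The configuration check from comment 2 together with the RID arithmetic behind the reported wbinfo output, as an added example that is not part of the bug thread or of Samba's code: it flags "rid" as the backend of the default "*" domain and applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) to both SIDs from the report. The function names, the trimmed config sample and base_rid = 0 are assumptions made for illustration.

```python
import re

# Constructed sample: only the idmap-related lines of the smb.conf in the report.
REPORTED_CONF = """\
[global]
    workgroup = ad
    idmap config *: backend = rid
    idmap config *: range = 100000-1000000
"""

# "idmap config <domain> : <option> = <value>", with optional spaces around ':'.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains


def lint_idmap(conf):
    """Flag the setting comment 2 calls invalid: rid as the default ('*') backend."""
    findings = []
    for dom, opts in parse_idmap(conf).items():
        if dom == "*" and opts.get("backend", "").lower() == "rid":
            findings.append("default domain '*' uses backend 'rid', "
                            "which cannot allocate IDs")
    return findings


def rid_to_id(sid, low, base_rid=0):
    """idmap_rid formula: only the last SID component (the RID) enters the result."""
    rid = int(sid.rsplit("-", 1)[1])
    return rid - base_rid + low


if __name__ == "__main__":
    low = int(parse_idmap(REPORTED_CONF)["*"]["range"].split("-")[0])
    for sid in ("S-1-5-21-283016044-3387516373-1648638545-513",
                "S-1-5-21-1492033937-915934465-2153502558-513"):
        print(sid, "->", rid_to_id(sid, low))
    print(lint_idmap(REPORTED_CONF))
```

Both SIDs come out as the same GID because the formula ignores the domain part of the SID, which matches the two "wbinfo -Y" results in the description.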