Re: [Samba] winbind sometimes does not resolve sid to a name
On Thu, Dec 2, 2010 at 3:13 PM, Shirish Pargaonkar wrote:
> On Tue, Nov 16, 2010 at 10:19 AM, Shirish Pargaonkar
> wrote:
>> On Sat, Nov 13, 2010 at 5:34 PM, Michael Wood wrote:
>>> On 14 November 2010 01:16, Shirish Pargaonkar
>>> wrote:
>>>> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam wrote:
>>>>> Hi Shirish,
>>>>>
>>>>> Shirish Pargaonkar wrote:
>>>>>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison wrote:
>>>>>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
>>>>>> >> Sometimes a group sid does not get resolved to its name.
>>>>>> >>
>>>>>> >> Is this a settings problem? Looks like winbind daemon
>>>>>> >> went dormant for a while and then woke up?
>>>>>> >> I am using interface wbcLookupSid provided by the
>>>>>> >> library libwbclient.so for resolving sids to names.
>>>>>> >>
>>>>>> >> These are the winbind related parameters in
>>>>>> >> /etc/samba/smb.conf
>>>>>> >
>>>>>> > Not enough information for useful debugging. What
>>>>>> > do the winbindd logs say ?
>>>>>> >
>>>>>>
>>>>>> ps -eaf | grep winbind
>>>>>> root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>>>> root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>>>> root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>>>>
>>>>>> Cleared /var/log/samba/winbindd.log just before issuing
>>>>>> command getcifsacl which could not resolve the group SID
>>>>>>
>>>>>> winbindd.log attached.
>>>>>
>>>>> not really. :-)
>>>>>
>>>>> Cheers - Michael
>>>>
>>>> Michael, not sure what is implied. The log is not sufficient?
>>>
>>> No, the mailing list (sometimes) strips attachments. There was no log
>>> file attached to your e-mail when I received it.
>>>
>>>> I see two error messages in the log.
>>>>
>>>> [2010/11/08 14:32:56, 5] winbindd/winbindd_async.c:lookupsid_recv2(138)
>>>> lookupsid (forest root) returned an error
>>>> [2010/11/08 14:32:56, 5] winbindd/winbindd_sid.c:lookupsid_recv(61)
>>>> lookupsid returned an error
>>>
>>> --
>>> Michael Wood
>>>
>>
>> Hope this attachment sticks.
>>
>> Regards,
>>
>> Shirish
>>
>
> I see one more type error while using winbind,
> wbcSidToUid returns error 7 but wbcSidToGid succeeds.
>
> /tmp/getcifsacl /mnt/smb_d/Makefile
> REVISION:0x1
> CONTROL:0x9404
> OWNER:BUILTIN\Administrators
> GROUP:CIFSTESTDOM\Domain Users
> ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x1
> ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1
> ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE
> ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL
>
> # cat /var/log/messages
>
> cifs.upcall: Owner wbcStringToSid: S-1-5-32-544, rc: 0
> cifs.upcall: Owner wbcSidToUid: S-1-5-32-544, uid: 0, rc: 7
> cifs.upcall: Group wbcStringToSid:
> S-1-5-21-2849063682-2007077719-983662776-513, rc: 0
> cifs.upcall: Group wbcSidToGid:
> S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0
>
> Error winbindd.log file is as follows:
> sid2uid_lookupsid_recv: Sid S-1-5-32-544 is not a user or a computer.
>
>
> I changed Owner of the file on the server to
> OWNER:CIFSTESTDOM\Domain Users
> but the same error during wbcSidToUid
>
> [2010/12/02 14:36:20, 5] winbindd/winbindd_sid.c:sid2uid_lookupsid_recv(192)
> sid2uid_lookupsid_recv: Sid
> S-1-5-21-2849063682-2007077719-983662776-513 is not a user or a
> computer.
>
> [2010/12/02 14:36:20, 7]
> winbindd/winbindd_idmap.c:winbindd_sid2gid_async(363)
> winbindd_sid2gid_async: Resolving
> S-1-5-21-2849063682-2007077719-983662776-513 to a gid
>
> If I change Owner to OWNER:CIFSTESTDOM\Administrator, then it works
>
> /tmp/getcifsacl /mnt/smb_d/Makefile
> REVISION:0x1
> CONTROL:0x9404
> OWNER:CIFSTESTDOM\Administrator
> GROUP:CIFSTESTDOM\Domain Users
> ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x1
> ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1
> ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE
> ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL
> cifstest6:/usr/src/linux.ssp.cifs.09092010.l/cifs-2.6 # cat /var/log/messages
>
> cifs.upcall: Owner wbcStringToSid:
> S-1-5-21-2849063682-2007077719-983662776-500, rc: 0
> cifs.upcall: Owner wbcSidToUid:
> S-1-5-21-2849063682-2007077719-983662776-500, uid: 1, rc: 0
> cifs.upcall: Group wbcStringToSid:
> S-1-5-21-2849063682-2007077719-983662776-513, rc: 0
> cifs.upcall: Group wbcSidToGid:
> S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0
>
> Is this the expected behaviour, some sids can_not/will_not be mapped
> such as this
> Owner BUILTIN\Administrators.
>
> Regards,
>
> Shirish
>

One more observation. winbind, for some IDs, can't/doesn't look up names,
for some it does.

# wbinfo -s S-1-5-21-2849063682-2007077719-983662776-513
Could not lookup sid S-1-5-21-2849063682-2007077719-983662776-513

# wbinfo -s S-1-5-21-2849063682-2007077719-983662776-513
CIFSTESTDOM#Domain Users 2

# /tmp/getcifsacl /mnt/smb_f/Makefile2
REVISION:0x1
CONTROL:0x9004
OWNER:BUILTIN\Administrators
GROUP:CIFSTESTDOM\Domain Users
ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/D
Re: [Samba] winbind sometimes does not resolve sid to a name
On Tue, Nov 16, 2010 at 10:19 AM, Shirish Pargaonkar wrote:
> On Sat, Nov 13, 2010 at 5:34 PM, Michael Wood wrote:
>> On 14 November 2010 01:16, Shirish Pargaonkar
>> wrote:
>>> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam wrote:
>>>> Hi Shirish,
>>>>
>>>> Shirish Pargaonkar wrote:
>>>>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison wrote:
>>>>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
>>>>> >> Sometimes a group sid does not get resolved to its name.
>>>>> >>
>>>>> >> Is this a settings problem? Looks like winbind daemon
>>>>> >> went dormant for a while and then woke up?
>>>>> >> I am using interface wbcLookupSid provided by the
>>>>> >> library libwbclient.so for resolving sids to names.
>>>>> >>
>>>>> >> These are the winbind related parameters in
>>>>> >> /etc/samba/smb.conf
>>>>> >
>>>>> > Not enough information for useful debugging. What
>>>>> > do the winbindd logs say ?
>>>>> >
>>>>>
>>>>> ps -eaf | grep winbind
>>>>> root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>>> root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>>> root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>>>
>>>>> Cleared /var/log/samba/winbindd.log just before issuing
>>>>> command getcifsacl which could not resolve the group SID
>>>>>
>>>>> winbindd.log attached.
>>>>
>>>> not really. :-)
>>>>
>>>> Cheers - Michael
>>>
>>> Michael, not sure what is implied. The log is not sufficient?
>>
>> No, the mailing list (sometimes) strips attachments. There was no log
>> file attached to your e-mail when I received it.
>>
>>> I see two error messages in the log.
>>>
>>> [2010/11/08 14:32:56, 5] winbindd/winbindd_async.c:lookupsid_recv2(138)
>>> lookupsid (forest root) returned an error
>>> [2010/11/08 14:32:56, 5] winbindd/winbindd_sid.c:lookupsid_recv(61)
>>> lookupsid returned an error
>>
>> --
>> Michael Wood
>>
>
> Hope this attachment sticks.
>
> Regards,
>
> Shirish
>

I see one more type error while using winbind,
wbcSidToUid returns error 7 but wbcSidToGid succeeds.

/tmp/getcifsacl /mnt/smb_d/Makefile
REVISION:0x1
CONTROL:0x9404
OWNER:BUILTIN\Administrators
GROUP:CIFSTESTDOM\Domain Users
ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x1
ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1
ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE
ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL

# cat /var/log/messages

cifs.upcall: Owner wbcStringToSid: S-1-5-32-544, rc: 0
cifs.upcall: Owner wbcSidToUid: S-1-5-32-544, uid: 0, rc: 7
cifs.upcall: Group wbcStringToSid: S-1-5-21-2849063682-2007077719-983662776-513, rc: 0
cifs.upcall: Group wbcSidToGid: S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0

Error winbindd.log file is as follows:
sid2uid_lookupsid_recv: Sid S-1-5-32-544 is not a user or a computer.

I changed Owner of the file on the server to
OWNER:CIFSTESTDOM\Domain Users
but the same error during wbcSidToUid

[2010/12/02 14:36:20, 5] winbindd/winbindd_sid.c:sid2uid_lookupsid_recv(192)
sid2uid_lookupsid_recv: Sid S-1-5-21-2849063682-2007077719-983662776-513 is not a user or a computer.

[2010/12/02 14:36:20, 7] winbindd/winbindd_idmap.c:winbindd_sid2gid_async(363)
winbindd_sid2gid_async: Resolving S-1-5-21-2849063682-2007077719-983662776-513 to a gid

If I change Owner to OWNER:CIFSTESTDOM\Administrator, then it works

/tmp/getcifsacl /mnt/smb_d/Makefile
REVISION:0x1
CONTROL:0x9404
OWNER:CIFSTESTDOM\Administrator
GROUP:CIFSTESTDOM\Domain Users
ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x1
ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1
ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE
ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL

cifstest6:/usr/src/linux.ssp.cifs.09092010.l/cifs-2.6 # cat /var/log/messages

cifs.upcall: Owner wbcStringToSid: S-1-5-21-2849063682-2007077719-983662776-500, rc: 0
cifs.upcall: Owner wbcSidToUid: S-1-5-21-2849063682-2007077719-983662776-500, uid: 1, rc: 0
cifs.upcall: Group wbcStringToSid: S-1-5-21-2849063682-2007077719-983662776-513, rc: 0
cifs.upcall: Group wbcSidToGid: S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0

Is this the expected behaviour, some sids can_not/will_not be mapped
such as this Owner BUILTIN\Administrators.

Regards,

Shirish

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
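As an added example (not code from the thread or from Samba), the Python below parses the cifs.upcall lines quoted in the message above and separates wbcSidToUid failures on SIDs that the thread's getcifsacl output shows to be a group or a BUILTIN alias from failures that need winbindd.log to explain. The RID table, the function names and the last sample line are assumptions made for this example.

```python
import re

# First five lines are copied from the /var/log/messages excerpts in the thread;
# the last line (RID 1105) is constructed to exercise the "unknown" branch.
SAMPLE_LOG = """\
cifs.upcall: Owner wbcStringToSid: S-1-5-32-544, rc: 0
cifs.upcall: Owner wbcSidToUid: S-1-5-32-544, uid: 0, rc: 7
cifs.upcall: Group wbcStringToSid: S-1-5-21-2849063682-2007077719-983662776-513, rc: 0
cifs.upcall: Group wbcSidToGid: S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0
cifs.upcall: Owner wbcSidToUid: S-1-5-21-2849063682-2007077719-983662776-500, uid: 1, rc: 0
cifs.upcall: Owner wbcSidToUid: S-1-5-21-2849063682-2007077719-983662776-1105, uid: 0, rc: 7
"""

LINE_RE = re.compile(
    r"cifs\.upcall: (?P<role>Owner|Group) (?P<call>wbcSidTo[UG]id): "
    r"(?P<sid>S-[\d-]+), [ug]id: (?P<id>\d+), rc: (?P<rc>\d+)"
)

# Only the two domain RIDs the thread resolves by name:
# 500 = Administrator (a user), 513 = Domain Users (a group).
KNOWN_DOMAIN_RIDS = {500: "user", 513: "group"}


def parse_sid(text):
    """Split 'S-R-A-S1-...-Sn' into (revision, authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % text)
    revision, authority, *subauths = (int(p) for p in parts[1:])
    return revision, authority, subauths


def sid_kind(text):
    """Return 'alias', 'user', 'group' or 'unknown' from the SID's structure."""
    _, authority, subauths = parse_sid(text)
    if authority == 5 and subauths[0] == 32:
        return "alias"  # S-1-5-32-*: BUILTIN domain, e.g. 544 = Administrators
    if authority == 5 and subauths[0] == 21 and len(subauths) == 5:
        return KNOWN_DOMAIN_RIDS.get(subauths[-1], "unknown")
    return "unknown"


def audit(log_text):
    """List failed SID-to-id calls with a likely explanation for each."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or int(m["rc"]) == 0:
            continue  # not a mapping call, or the mapping succeeded
        kind = sid_kind(m["sid"])
        if m["call"] == "wbcSidToUid" and kind in ("alias", "group"):
            reason = "not a user SID"      # matches winbindd's own log message
        else:
            reason = "check winbindd.log"  # e.g. an intermittent lookup failure
        # The uid/gid printed next to a non-zero rc is not a mapping result,
        # so it is deliberately left out of the finding.
        findings.append((m["call"], m["sid"], int(m["rc"]), kind, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
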
Re: [Samba] winbind sometimes does not resolve sid to a name
On Sat, Nov 13, 2010 at 5:34 PM, Michael Wood wrote:
> On 14 November 2010 01:16, Shirish Pargaonkar
> wrote:
>> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam wrote:
>>> Hi Shirish,
>>>
>>> Shirish Pargaonkar wrote:
>>>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison wrote:
>>>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
>>>> >> Sometimes a group sid does not get resolved to its name.
>>>> >>
>>>> >> Is this a settings problem? Looks like winbind daemon
>>>> >> went dormant for a while and then woke up?
>>>> >> I am using interface wbcLookupSid provided by the
>>>> >> library libwbclient.so for resolving sids to names.
>>>> >>
>>>> >> These are the winbind related parameters in
>>>> >> /etc/samba/smb.conf
>>>> >
>>>> > Not enough information for useful debugging. What
>>>> > do the winbindd logs say ?
>>>> >
>>>>
>>>> ps -eaf | grep winbind
>>>> root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>> root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>> root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>>
>>>> Cleared /var/log/samba/winbindd.log just before issuing
>>>> command getcifsacl which could not resolve the group SID
>>>>
>>>> winbindd.log attached.
>>>
>>> not really. :-)
>>>
>>> Cheers - Michael
>>
>> Michael, not sure what is implied. The log is not sufficient?
>
> No, the mailing list (sometimes) strips attachments. There was no log
> file attached to your e-mail when I received it.
>
>> I see two error messages in the log.
>>
>> [2010/11/08 14:32:56, 5] winbindd/winbindd_async.c:lookupsid_recv2(138)
>> lookupsid (forest root) returned an error
>> [2010/11/08 14:32:56, 5] winbindd/winbindd_sid.c:lookupsid_recv(61)
>> lookupsid returned an error
>
> --
> Michael Wood
>

Hope this attachment sticks.

Regards,

Shirish
Re: [Samba] winbind sometimes does not resolve sid to a name
On 14 November 2010 01:16, Shirish Pargaonkar wrote:
> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam wrote:
>> Hi Shirish,
>>
>> Shirish Pargaonkar wrote:
>>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison wrote:
>>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
>>> >> Sometimes a group sid does not get resolved to its name.
>>> >>
>>> >> Is this a settings problem? Looks like winbind daemon
>>> >> went dormant for a while and then woke up?
>>> >> I am using interface wbcLookupSid provided by the
>>> >> library libwbclient.so for resolving sids to names.
>>> >>
>>> >> These are the winbind related parameters in
>>> >> /etc/samba/smb.conf
>>> >
>>> > Not enough information for useful debugging. What
>>> > do the winbindd logs say ?
>>> >
>>>
>>> ps -eaf | grep winbind
>>> root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>> root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>> root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>>
>>> Cleared /var/log/samba/winbindd.log just before issuing
>>> command getcifsacl which could not resolve the group SID
>>>
>>> winbindd.log attached.
>>
>> not really. :-)
>>
>> Cheers - Michael
>
> Michael, not sure what is implied. The log is not sufficient?

No, the mailing list (sometimes) strips attachments. There was no log
file attached to your e-mail when I received it.

> I see two error messages in the log.
>
> [2010/11/08 14:32:56, 5] winbindd/winbindd_async.c:lookupsid_recv2(138)
> lookupsid (forest root) returned an error
> [2010/11/08 14:32:56, 5] winbindd/winbindd_sid.c:lookupsid_recv(61)
> lookupsid returned an error

--
Michael Wood
Re: [Samba] winbind sometimes does not resolve sid to a name
On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam wrote:
> Hi Shirish,
>
> Shirish Pargaonkar wrote:
>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison wrote:
>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
>> >> Sometimes a group sid does not get resolved to its name.
>> >>
>> >> Is this a settings problem? Looks like winbind daemon
>> >> went dormant for a while and then woke up?
>> >> I am using interface wbcLookupSid provided by the
>> >> library libwbclient.so for resolving sids to names.
>> >>
>> >> These are the winbind related parameters in
>> >> /etc/samba/smb.conf
>> >
>> > Not enough information for useful debugging. What
>> > do the winbindd logs say ?
>> >
>>
>> ps -eaf | grep winbind
>> root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>> root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>> root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>>
>> Cleared /var/log/samba/winbindd.log just before issuing
>> command getcifsacl which could not resolve the group SID
>>
>> winbindd.log attached.
>
> not really. :-)
>
> Cheers - Michael

Michael, not sure what is implied. The log is not sufficient?

I see two error messages in the log.

[2010/11/08 14:32:56, 5] winbindd/winbindd_async.c:lookupsid_recv2(138)
lookupsid (forest root) returned an error
[2010/11/08 14:32:56, 5] winbindd/winbindd_sid.c:lookupsid_recv(61)
lookupsid returned an error
Re: [Samba] winbind sometimes does not resolve sid to a name
Hi Shirish,

Shirish Pargaonkar wrote:
> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison wrote:
> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
> >> Sometimes a group sid does not get resolved to its name.
> >>
> >> Is this a settings problem? Looks like winbind daemon
> >> went dormant for a while and then woke up?
> >> I am using interface wbcLookupSid provided by the
> >> library libwbclient.so for resolving sids to names.
> >>
> >> These are the winbind related parameters in
> >> /etc/samba/smb.conf
> >
> > Not enough information for useful debugging. What
> > do the winbindd logs say ?
> >
>
> ps -eaf | grep winbind
> root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
> root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
> root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
>
> Cleared /var/log/samba/winbindd.log just before issuing
> command getcifsacl which could not resolve the group SID
>
> winbindd.log attached.

not really. :-)

Cheers - Michael
Re: [Samba] winbind sometimes does not resolve sid to a name
On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison wrote:
> On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
>> Sometimes a group sid does not get resolved to its name.
>>
>> Is this a settings problem? Looks like winbind daemon
>> went dormant for a while and then woke up?
>> I am using interface wbcLookupSid provided by the
>> library libwbclient.so for resolving sids to names.
>>
>> These are the winbind related parameters in
>> /etc/samba/smb.conf
>
> Not enough information for useful debugging. What
> do the winbindd logs say ?
>

ps -eaf | grep winbind
root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D
root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D

Cleared /var/log/samba/winbindd.log just before issuing
command getcifsacl which could not resolve the group SID

winbindd.log attached.
Re: [Samba] winbind sometimes does not resolve sid to a name
On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote:
> Sometimes a group sid does not get resolved to its name.
>
> Is this a settings problem? Looks like winbind daemon
> went dormant for a while and then woke up?
> I am using interface wbcLookupSid provided by the
> library libwbclient.so for resolving sids to names.
>
> These are the winbind related parameters in
> /etc/samba/smb.conf

Not enough information for useful debugging. What
do the winbindd logs say ?
[Samba] winbind sometimes does not resolve sid to a name
Sometimes a group sid does not get resolved to its name.

Is this a settings problem? Looks like winbind daemon
went dormant for a while and then woke up?
I am using interface wbcLookupSid provided by the
library libwbclient.so for resolving sids to names.

These are the winbind related parameters in
/etc/samba/smb.conf

[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = \
#
# use uids from 1 to 2 for domain users
idmap uid = 1-2
# use gids from 1 to 2 for domain groups
idmap gid = 1-2
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile
Mon Nov 8 11:03:43 CST 2010
Revision: 0x1
Type: 0x9404
Owner: BUILTIN\Administrators
Group: CIFSTESTDOM\Domain Users
ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1
ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE
ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL

cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile
Mon Nov 8 11:08:59 CST 2010
Revision: 0x1
Type: 0x9404
Owner: BUILTIN\Administrators
Group: CIFSTESTDOM\Domain Users
ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1
ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE
ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL

cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile
Mon Nov 8 11:09:08 CST 2010
Revision: 0x1
Type: 0x9404
Owner: BUILTIN\Administrators
Group: CIFSTESTDOM\Domain Users
ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1
ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE
ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL

cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile
Mon Nov 8 11:23:38 CST 2010
Revision: 0x1
Type: 0x9404
Owner: BUILTIN\Administrators
Group: CIFSTESTDOM\Domain Users
ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1
ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE
ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL

cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile
Mon Nov 8 12:59:07 CST 2010
Revision: 0x1
Type: 0x9404
Owner: BUILTIN\Administrators
Group: S-1-5-21-2849063682-2007077719-983662776-513 <-
ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1
ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE
ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL

cifstest6:/tmp # date;/tmp/getcifsacl /mnt/smb_c/Makefile
Mon Nov 8 13:06:43 CST 2010
Revision: 0x1
Type: 0x9404
Owner: BUILTIN\Administrators
Group: CIFSTESTDOM\Domain Users
ACE: CIFSTESTDOM\Administrator: Allowed/ 0x0/ 0x1700a1
ACE: BUILTIN\Performance Log Users: Allowed/ 0x0/ CHANGE
ACE: CIFSTESTDOM\stevef: Allowed/ 0x0/ FULL