On Thu, Dec 2, 2010 at 3:13 PM, Shirish Pargaonkar <[email protected]> wrote: > On Tue, Nov 16, 2010 at 10:19 AM, Shirish Pargaonkar > <[email protected]> wrote: >> On Sat, Nov 13, 2010 at 5:34 PM, Michael Wood <[email protected]> wrote: >>> On 14 November 2010 01:16, Shirish Pargaonkar >>> <[email protected]> wrote: >>>> On Sat, Nov 13, 2010 at 4:52 PM, Michael Adam <[email protected]> wrote: >>>>> Hi Shirish, >>>>> >>>>> Shirish Pargaonkar wrote: >>>>>> On Mon, Nov 8, 2010 at 1:47 PM, Jeremy Allison <[email protected]> wrote: >>>>>> > On Mon, Nov 08, 2010 at 01:21:30PM -0600, Shirish Pargaonkar wrote: >>>>>> >> Sometimes a group sid does not get resolved to its name. >>>>>> >> >>>>>> >> Is this a settings problem? Looks like winbind deamon >>>>>> >> went dormant for a while and then woke up? >>>>>> >> I am using interface wbcLookupSid provided by the >>>>>> >> library libwbclient.so for resolving sids to names. >>>>>> >> >>>>>> >> These are the winbind related parameters in >>>>>> >> /etc/samba/smb.conf >>>>>> > >>>>>> > Not enough information for useful debugging. What >>>>>> > do the winbindd logs say ? >>>>>> > >>>>>> >>>>>> ps -eaf | grep winbind >>>>>> root 20085 1 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D >>>>>> root 20086 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D >>>>>> root 20089 20085 0 14:03 ? 00:00:00 /usr/sbin/winbindd -D >>>>>> >>>>>> Cleared /var/log/samba/winbindd.log just before issueing >>>>>> command getcifsacl which could not resolve the group SID >>>>>> >>>>>> winbindd.log attached. >>>>> >>>>> not really. :-) >>>>> >>>>> Cheers - Michael >>>> >>>> Michael, not sure what is implied. The log is not sufficient? >>> >>> No, the mailing list (sometimes) strips attachments. There was no log >>> file attached to your e-mail when I received it. >>> >>>> I see two error messages in the log. >>>> >>>> [2010/11/08 14:32:56, 5] winbindd/winbindd_async.c:lookupsid_recv2(138) >>>> lookupsid (forest root) returned an error >>>> [2010/11/08 14:32:56, 5] winbindd/winbindd_sid.c:lookupsid_recv(61) >>>> lookupsid returned an error >>> >>> -- >>> Michael Wood <[email protected]> >>> >> >> Hope this attachment sticks. >> >> Regards, >> >> Shirish >> > > I see one more type error while using winbind, > wbcSidToUid returns error 7 but wbcSidToGid succeeds. > > /tmp/getcifsacl /mnt/smb_d/Makefile > REVISION:0x1 > CONTROL:0x9404 > OWNER:BUILTIN\Administrators > GROUP:CIFSTESTDOM\Domain Users > ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x10000 > ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1 > ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE > ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL > > # cat /var/log/messages > > cifs.upcall: Owner wbcStringToSid: S-1-5-32-544, rc: 0 > cifs.upcall: Owner wbcSidToUid: S-1-5-32-544, uid: 0, rc: 7 > cifs.upcall: Group wbcStringToSid: > S-1-5-21-2849063682-2007077719-983662776-513, rc: 0 > cifs.upcall: Group wbcSidToGid: > S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0 > > Error winbindd.log file is as follows: > sid2uid_lookupsid_recv: Sid S-1-5-32-544 is not a user or a computer. > > > I changed Owner of the file on the server to > OWNER:CIFSTESTDOM\Domain Users > but the same error during wbcSidToUid > > [2010/12/02 14:36:20, 5] winbindd/winbindd_sid.c:sid2uid_lookupsid_recv(192) > sid2uid_lookupsid_recv: Sid > S-1-5-21-2849063682-2007077719-983662776-513 is not a user or a > computer. > > [[2010/12/02 14:36:20, 7] > winbindd/winbindd_idmap.c:winbindd_sid2gid_async(363) > winbindd_sid2gid_async: Resolving > S-1-5-21-2849063682-2007077719-983662776-513 to a gid > > If I change Owner to OWNER:CIFSTESTDOM\Administrator, then it works > > /tmp/getcifsacl /mnt/smb_d/Makefile > REVISION:0x1 > CONTROL:0x9404 > OWNER:CIFSTESTDOM\Administrator > GROUP:CIFSTESTDOM\Domain Users > ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/0x10000 > ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1 > ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE > ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL > cifstest6:/usr/src/linux.ssp.cifs.09092010.l/cifs-2.6 # cat /var/log/messages > > cifs.upcall: Owner wbcStringToSid: > S-1-5-21-2849063682-2007077719-983662776-500, rc: 0 > cifs.upcall: Owner wbcSidToUid: > S-1-5-21-2849063682-2007077719-983662776-500, uid: 10000, rc: 0 > cifs.upcall: Group wbcStringToSid: > S-1-5-21-2849063682-2007077719-983662776-513, rc: 0 > cifs.upcall: Group wbcSidToGid: > S-1-5-21-2849063682-2007077719-983662776-513, gid: 10010, rc: 0 > > Is this the expected behaviour, some sids can_not/will_not be mapped > such as this > Owner BUILTIN\Administrators. > > Regads, > > Shirish >
One more observation. winbind, for some IDs, can't/doesn't look up names, for some it does. # wbinfo -s S-1-5-21-2849063682-2007077719-983662776-513 Could not lookup sid S-1-5-21-2849063682-2007077719-983662776-513 # wbinfo -s S-1-5-21-2849063682-2007077719-983662776-513 CIFSTESTDOM#Domain Users 2 # /tmp/getcifsacl /mnt/smb_f/Makefile2 REVISION:0x1 CONTROL:0x9004 OWNER:BUILTIN\Administrators GROUP:CIFSTESTDOM\Domain Users ACL:CIFSTESTDOM\Domain Users:DENIED/0x0/D ACL:CIFSTESTDOM\Administrator:ALLOWED/0x0/0x1700a1 ACL:BUILTIN\Performance Log Users:ALLOWED/0x0/CHANGE ACL:CIFSTESTDOM\stevef:ALLOWED/0x0/FULL # ls -ln /mnt/smb_f/Makefile2 ---------- 1 0 10010 0 Nov 13 13:55 /mnt/smb_f/Makefile2 # wbinfo -s S-1-5-32-544 BUILTIN#Administrators 4 So here, the library libwbclient.so and winbind do_not/can_not lookup SID S-1-5-32-544. They can/do lookup SID S-1-5-21-2849063682-2007077719-983662776-513 but do_not/can_not lookup a name of that SID. They can and do map it though (gid 10010). Both are BUILTIN accounts at the server. wbinfo -s command does eventually resolve SIDs to names but it can take few tries. wbcLookupSid() seems to work always but wbcSidToUid() and wbcSidToGid() do not work for some SIDs and for some SID, work partially. I will open a bug against winbind and log in that bug, all that I posted here. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
