"wbinfo -i" search returns an error with a two domain Samba configuration
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- samba3x-winbind
- samba-winbind-3.6
Issue
- Attempting to get user info using wbinfo fails with the following error:
[root@server ~]# wbinfo --verbose -i DOMAIN+username
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DOMAIN+username
- Also, "getent -s winbind passwd" returns nothing.
Resolution
- Add the following lines to the [global] section of the /etc/samba/smb.conf file:
idmap config * : backend = tdb
idmap config * : range = 1000-9999
- Restart the winbind service.
# service winbind restart
Root Cause
An AD server has BUILTIN domains, and the default "*" 'tdb' backend and range are needed to map the users that are not covered by the other mapped domains. Without this default backend and range, a mapping error still occurs even when the user being mapped does not fall within that range.
Diagnostic Steps
- The following two commands successfully return a list of users.
# wbinfo -u
# wbinfo -g
- The user-info option for wbinfo returns an error even though user "DOMAIN+username" was listed with the "-u" option.
# wbinfo -i DOMAIN+username
"failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DOMAIN+username"
- From the sosreport, review the '/etc/krb5.conf', '/etc/samba/smb.conf', '/sos_commands/samba/testparm_-s_-v' and '/sos_commands/samba/wbinfo_-u' files.
- Turn on debugging for winbindd and samba, attempt "wbinfo -i username" again and look at the '/var/log/samba/log.winbindd-idmap' file for errors such as the following.
[<date> <time>, 1, pid=<pid>] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[<date> <time>, 10, pid=<pid>] winbindd/idmap_util.c:187(idmap_sid_to_uid)
idmap_backends_sid_to_unixid failed: NT_STATUS_NONE_MAPPED
- The /etc/samba/smb.conf file shows that the "rid" backend is being used for the id mapping of a two domain trust and enumeration is enabled.
/etc/samba/smb.conf
workgroup = DOMAIN
realm = REALM.COM
security = ads
template shell = /bin/false
winbind use default domain = false
winbind offline logon = true
winbind separator = +
idmap backend = tdb
#idmap uid = 1000-9999
#idmap gid = 1000-9999
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = no
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000-199999
idmap config TRUSTED:backend = rid
idmap config TRUSTED:range = 210000-299999
- There is no default backend in the smb.conf file, so check the testparm file to see whether a default range ('*') exists. In this case it does not.
$ less sos_commands/samba/testparm_-s_-v | grep idmap
WARNING: The "idmap backend" option is deprecated
ldap idmap suffix =
idmap backend = tdb
idmap cache time = 604800
idmap negative cache time = 120
idmap uid =
idmap gid =
idmap config DOMAIN:range = 210000-299999
idmap config DOMAIN:backend = rid
idmap config TRUSTED:range = 10000-199999
idmap config TRUSTED:backend = rid
idmap config * : backend = tdb
- Consult the 'idmap_rid' man page for the correct format of the range that goes with "idmap config * : backend = tdb".
$ man idmap_rid
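As an added example (not part of the original article or of Samba), the following Python script automates the testparm check from the diagnostic steps: it reports every "idmap config" domain, including the default "*", that has no range. It also flags overlapping ranges, which goes beyond the case in this article; the function names are hypothetical and the sample input is the idmap output quoted above.

```python
import re

# Matches "idmap config <DOMAIN> : <option> = <value>", with or without spaces around ":".
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

# idmap lines copied from the testparm output shown in this article.
TESTPARM_SAMPLE = """\
idmap backend = tdb
idmap uid =
idmap gid =
idmap config DOMAIN:range = 210000-299999
idmap config DOMAIN:backend = rid
idmap config TRUSTED:range = 10000-199999
idmap config TRUSTED:backend = rid
idmap config * : backend = tdb
"""

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}} for each idmap config domain."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)  # lines commented out with # or ; never match
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if opt == "range" and re.fullmatch(r"\d+\s*-\s*\d+", val):
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        elif opt != "range":
            entry[opt] = val
    return domains

def check_idmap(text):
    """Return a list of problems; an empty list means every domain, including "*", has a range."""
    domains = parse_idmap(text)
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain defined")
    for dom in sorted(domains):
        if "range" not in domains[dom]:
            problems.append(f"idmap range not specified for domain {dom}")
    ranged = sorted((cfg["range"], dom) for dom, cfg in domains.items() if "range" in cfg)
    for ((_, hi1), d1), ((lo2, _), d2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:
            problems.append(f"idmap ranges for {d1} and {d2} overlap")
    return problems

if __name__ == "__main__":
    for problem in check_idmap(TESTPARM_SAMPLE):
        print(problem)
```

To check a live system instead of the embedded sample, pass the text of "testparm -s -v" output or of /etc/samba/smb.conf to check_idmap().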