"wbinfo -i" search returns an error with a two domain Samba configuration


Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • samba3x-winbind
  • samba-winbind-3.6

Issue

  • Attempting to get user info using wbinfo fails with the following error.
[root@server ~]# wbinfo --verbose -i DOMAIN+username
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DOMAIN+username
  • Also, "getent -s winbind passwd" returns nothing.

Resolution

  • Add the following lines to the [global] section of the /etc/samba/smb.conf file.
idmap config * : backend = tdb
idmap config * : range = 1000-9999
  • Restart the winbind service.
# service winbind restart

Root Cause

An AD server also carries the BUILTIN domain, whose accounts and well-known SIDs do not belong to any of the explicitly mapped domains, so the default "*" 'tdb' backend and range are needed to map them. Without that default backend, winbind still fails the lookup with a mapping error even though the user being looked up falls outside the default range and belongs to one of the explicitly configured domains.

Diagnostic Steps

  • The following two commands successfully return a list of users.
# wbinfo -u
# wbinfo -g
  • The user-info option for wbinfo returns an error even though user "DOMAIN+username" was listed with the "-u" option.
# wbinfo -i DOMAIN+username
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DOMAIN+username
  • From the sosreport, review the '/etc/krb5.conf', '/etc/samba/smb.conf', '/sos_commands/samba/testparm_-s_-v' and '/sos_commands/samba/wbinfo_-u' files.

  • Turn on debugging for winbindd and samba, attempt "wbinfo -i username" again and look at the '/var/log/samba/log.winbindd-idmap' file for errors such as the following.

[<date> <time>,  1, pid=<pid>] winbindd/idmap.c:201(idmap_init_domain)
  idmap range not specified for domain *
[<date> <time>, 10, pid=<pid>] winbindd/idmap_util.c:187(idmap_sid_to_uid)
  idmap_backends_sid_to_unixid failed: NT_STATUS_NONE_MAPPED
  • The /etc/samba/smb.conf file shows that the "rid" backend is being used for the id mapping of a two-domain trust and that enumeration is enabled.
/etc/samba/smb.conf
   workgroup = DOMAIN
   realm = REALM.COM
   security = ads
   template shell = /bin/false
   winbind use default domain = false
   winbind offline logon = true
   winbind separator = +
   idmap backend = tdb
   #idmap uid = 1000-9999
   #idmap gid = 1000-9999
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = no

   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 10000-199999
   idmap config TRUSTED:backend = rid
   idmap config TRUSTED:range = 210000-299999
  • We didn't see a default backend in the smb.conf file, but check the testparm file to see whether a default range ('*') exists; in this case it does not.
$ less sos_commands/samba/testparm_-s_-v | grep idmap
WARNING: The "idmap backend" option is deprecated
    ldap idmap suffix = 
    idmap backend = tdb
    idmap cache time = 604800
    idmap negative cache time = 120
    idmap uid = 
    idmap gid = 
    idmap config DOMAIN:range = 210000-299999
    idmap config DOMAIN:backend = rid
    idmap config TRUSTED:range = 10000-199999
    idmap config TRUSTED:backend = rid
    idmap config * : backend = tdb
  • Consult the 'idmap_rid' man page for the correct format of the default "idmap config * : backend = tdb" entry and its range.
$ man idmap_rid
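The testparm review above can be automated. The following shell check is an added example, not part of the Red Hat article or of Samba: it parses "testparm -s -v" style output, reports when the default "*" domain lacks a backend or a range, and flags idmap ranges that overlap. The sample input is constructed to mirror the testparm listing above; the function name check_idmap is an assumption.

```shell
# Added example (not from the article): check testparm output for the idmap problem
# described above. "*" needs both a backend and a range, and no ranges may overlap.

# Constructed sample modelled on the article's testparm listing: "*" has a
# backend but no range, which is the failing case.
SAMPLE_TESTPARM='
    idmap backend = tdb
    idmap config DOMAIN:range = 210000-299999
    idmap config DOMAIN:backend = rid
    idmap config TRUSTED:range = 10000-199999
    idmap config TRUSTED:backend = rid
    idmap config * : backend = tdb
'
# check_idmap: reads testparm-style output on stdin and prints one finding per
# line. Exit 0 when "*" has a backend and a range and no ranges overlap, else 1.
check_idmap() {
    awk '
        # lines of the form "idmap config <dom> : <key> = <value>" (spaces around ":" optional)
        /^[ \t]*idmap[ \t]+config[ \t]+/ {
            s = $0; sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", s)
            n = index(s, ":"); m = index(s, "=")
            if (n == 0 || m == 0 || m < n) next
            dom = substr(s, 1, n - 1);         sub(/[ \t]+$/, "", dom)
            key = substr(s, n + 1, m - n - 1); gsub(/[ \t]/, "", key)
            val = substr(s, m + 1);            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "backend") backend[dom] = val
            if (key == "range") { gsub(/[ \t]/, "", val); range[dom] = val }
        }
        END {
            bad = 0
            if (!("*" in backend)) { print "MISSING: idmap config * : backend"; bad = 1 }
            if (!("*" in range))   { print "MISSING: idmap config * : range"; bad = 1 }
            # pairwise overlap test over every domain that declares a range
            for (a in range) for (b in range) if (a < b) {
                split(range[a], ra, "-"); split(range[b], rb, "-")
                if (ra[1] + 0 <= rb[2] + 0 && rb[1] + 0 <= ra[2] + 0) {
                    print "OVERLAP: " a " (" range[a] ") and " b " (" range[b] ")"; bad = 1
                }
            }
            exit bad
        }'
}

# Run the check on the sample; adding the Resolution line "idmap config * : range = 1000-9999" makes it pass.
if printf '%s\n' "$SAMPLE_TESTPARM" | check_idmap; then
    echo "idmap configuration looks complete"
else
    echo "idmap configuration needs the default '*' range from the Resolution"
fi
```

On a live system, feed it real output with `testparm -s -v 2>/dev/null | check_idmap`; the sosreport copy can be checked the same way with `check_idmap < sos_commands/samba/testparm_-s_-v`.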

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
