[Samba] Winbind syslog errors and Domain Local Groups - Samba

This is a discussion on [Samba] Winbind syslog errors and Domain Local Groups - Samba ; Hello all. I'm relatively new to Samba, and haven't been able to track down a solution to this particular problem. I use Samba/Winbind to authenticate FreeBSD machines against a Windows 2003 Active Directory. That all works fine. The problem is ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: [Samba] Winbind syslog errors and Domain Local Groups

  1. [Samba] Winbind syslog errors and Domain Local Groups

    Hello all.

    I'm relatively new to Samba, and haven't been able to track down a
    solution to this particular problem.

    I use Samba/Winbind to authenticate FreeBSD machines against a
    Windows 2003 Active Directory. That all works fine. The problem is
    that groups in the AD of type "Security Group - Domain Local" are
    causing winbindd a lot of grief. Every time the winbindd daemon is
    accessed, it spews syslog messages like these for every Domain
    Local group in the AD:

    --------------------
    Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    group dhcp users
    Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    group dhcp administrators
    Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    group dnsadmins
    Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    group debugger users
    ---------------------

    All non-local groups show up just fine in the BSD system. Local
    groups do not show up in a getent group.

    All groups, including the local ones, show up when I run wbinfo -g.
    Running wbinfo -n comes back with a SID:
    $ wbinfo -n dnsadmins
    Local Group (4)

    This SID is trackable back to a gid:
    $ sudo wbinfo --sid-to-gid
    11105

    Why, then, are these groups not actually getting populated? Can anyone
    shed some light on this?

    -HKS
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. [Samba] Re: Winbind syslog errors and Domain Local Groups

    Any ideas?
    -HKS

    On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS wrote:
    > Hello all.
    >
    > I'm relatively new to Samba, and haven't been able to track down a
    > solution to this particular problem.
    >
    > I use Samba/Winbind to authenticate FreeBSD machines against a
    > Windows 2003 Active Directory. That all works fine. The problem is
    > that groups in the AD of type "Security Group - Domain Local" are
    > causing winbindd a lot of grief. Every time the winbindd daemon is
    > accessed, it spews syslog messages like these for every Domain
    > Local group in the AD:
    >
    > --------------------
    > Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    > nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    > Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    > group dhcp users
    > Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    > nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    > Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    > group dhcp administrators
    > Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    > nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    > Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    > group dnsadmins
    > Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    > nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    > Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    > group debugger users
    > ---------------------
    >
    > All non-local groups show up just fine in the BSD system. Local
    > groups do not show up in a getent group.
    >
    > All groups, including the local ones, show up when I run wbinfo -g.
    > Running wbinfo -n comes back with a SID:
    > $ wbinfo -n dnsadmins
    > Local Group (4)
    >
    > This SID is trackable back to a gid:
    > $ sudo wbinfo --sid-to-gid
    > 11105
    >
    > Why, then, are these groups not actually getting populated? Can anyone
    > shed some light on this?
    >
    > -HKS
    >

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  3. [Samba] Re: Winbind syslog errors and Domain Local Groups

    A few more tidbits...

    My winbind logs have this complaint for each of the domain local groups:
    [2008/07/11 14:40:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
    could not lookup membership for group sid in domain
    DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
    [2008/07/11 14:40:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    could not lookup domain group dnsadmins

    wbinfo doesn't have any difficulty with converting name -> SID -> gid
    -> SID, but if I run wbinfo -r on a user that's a member of one of the
    groups, that group doesn't show up.

    So, at the moment, it appears that winbind just can't grab membership
    for these domain local groups. I found this reported a few other
    places on the 'net, but it doesn't seem that a resolution has ever
    been reached.

    -HKS


    On Fri, Jul 11, 2008 at 1:13 PM, (private) HKS wrote:
    > Any ideas?
    > -HKS
    >
    > On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS wrote:
    >> Hello all.
    >>
    >> I'm relatively new to Samba, and haven't been able to track down a
    >> solution to this particular problem.
    >>
    >> I use Samba/Winbind to authenticate FreeBSD machines against a
    >> Windows 2003 Active Directory. That all works fine. The problem is
    >> that groups in the AD of type "Security Group - Domain Local" are
    >> causing winbindd a lot of grief. Every time the winbindd daemon is
    >> accessed, it spews syslog messages like these for every Domain
    >> Local group in the AD:
    >>
    >> --------------------
    >> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    >> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    >> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    >> group dhcp users
    >> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    >> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    >> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    >> group dhcp administrators
    >> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    >> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    >> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    >> group dnsadmins
    >> Jul 7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
    >> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
    >> Jul 7 16:36:15 testbox winbindd[50492]: could not lookup domain
    >> group debugger users
    >> ---------------------
    >>
    >> All non-local groups show up just fine in the BSD system. Local
    >> groups do not show up in a getent group.
    >>
    >> All groups, including the local ones, show up when I run wbinfo -g.
    >> Running wbinfo -n comes back with a SID:
    >> $ wbinfo -n dnsadmins
    >> Local Group (4)
    >>
    >> This SID is trackable back to a gid:
    >> $ sudo wbinfo --sid-to-gid
    >> 11105
    >>
    >> Why, then, are these groups not actually getting populated? Can anyone
    >> shed some light on this?
    >>
    >> -HKS
    >>

    >

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

+ Reply to Thread