Bug 56334 - wbinfo on school memberserver fails
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2023-07-18 11:54 CEST by Christina Scheinig
Modified: 2024-01-15 08:32 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
School Customer affected?: Yes
Ticket number: 2023071121000251, 2023071821000103, 2024011221000212


Attachments
script to add the special SID (1.14 KB, text/plain)
2023-11-17 15:17 CET, Christina Scheinig

Description Christina Scheinig univentionstaff 2023-07-18 11:54:09 CEST
Environment:
School replica UCS5.0-4 with memberserver UCS5.0-3/5.0-4

symptom:
School replica:
wbinfo -Y S-1-18-1
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-18-1 to gid

memberserver:
wbinfo -t
checking the trust secret for domain SCHEIN via RPC calls failed
wbcCheckTrustCredentials(SCHEIN): error code was NT_STATUS_INVALID_SID (0xc0000078)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

wbinfo -n Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name Administrator
------------------

The SID S-1-18-1 is not in the idmap.ldb of the school replica.

-----------------
The SID is not found with the filter:
'(&(|(objectClass=sambaSamAccount)(objectClass=sambaGroupMapping))(sambaSID=*))'

so we should add this object during join on the Server, so that there is an entry for this in the idmap.ldb
Comment 1 Christina Scheinig univentionstaff 2023-07-21 13:10:15 CEST
I saw this now in another environment, non school, primary server:

  Unable to convert SID (S-1-18-1) at index 3 in user token to a GID.  Conversion was returned as type 0, full token:
[2023/07/21 12:58:34.429331,  0, pid=25052] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (8):
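
For triage across several servers, the log message quoted in the comment above can be pulled out of an smbd log and counted per SID. This is an added example, not part of the bug thread or the attached script; the sample log is constructed (the placeholder header lines, the second timestamp and pid 25101 are assumptions), and the names given to the S-1-18 SIDs are the standard Windows well-known names.

```python
import re
from collections import Counter

# Well-known SIDs under the S-1-18 authority; neither is a user or group account.
WELL_KNOWN = {
    "S-1-18-1": "Authentication Authority Asserted Identity",
    "S-1-18-2": "Service Asserted Identity",
}

# smbd logs a bracketed header line, then the indented message on the next line.
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s+\d+, pid=(?P<pid>\d+)\]")
FAILED = re.compile(r"Unable to convert SID \((?P<sid>S-[\d-]+)\) at index (?P<idx>\d+) "
                    r"in user token to a GID\.\s+Conversion was returned as type (?P<type>\d+)")

# Constructed sample: message text as quoted in the report; the first and third
# header lines (timestamps, pid 25101, source location placeholders) are made up.
SAMPLE = """\
[2023/07/21 12:58:34.429000,  0, pid=25052] <file>:<line>(<function>)
  Unable to convert SID (S-1-18-1) at index 3 in user token to a GID.  Conversion was returned as type 0, full token:
[2023/07/21 12:58:34.429331,  0, pid=25052] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (8):
[2023/07/21 13:02:10.000000,  0, pid=25101] <file>:<line>(<function>)
  Unable to convert SID (S-1-18-1) at index 3 in user token to a GID.  Conversion was returned as type 0, full token:
"""

def failed_conversions(lines):
    """Yield (timestamp, pid, sid, token_index, returned_type) per failed SID-to-GID mapping."""
    ts = pid = None
    for line in lines:
        header = HEADER.match(line)
        if header:
            ts, pid = header["ts"], header["pid"]
        else:
            hit = FAILED.search(line)
            if hit:
                yield ts, pid, hit["sid"], int(hit["idx"]), int(hit["type"])

def summarize(lines):
    """Map each unmapped SID to (count, affected pids, well-known name or None)."""
    hits = list(failed_conversions(lines))
    counts = Counter(sid for _, _, sid, _, _ in hits)
    return {sid: (n, sorted({p for _, p, s, _, _ in hits if s == sid}), WELL_KNOWN.get(sid))
            for sid, n in counts.items()}

if __name__ == "__main__":
    for sid, (count, pids, name) in summarize(SAMPLE.splitlines()).items():
        print(f"{sid} ({name or 'no well-known name'}): {count} failures, smbd pids {pids}")
```
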
Comment 2 Christina Scheinig univentionstaff 2023-07-25 09:34:57 CEST
Ticket 2023071821000103 is a non memberserver, non school environment
Comment 3 Christina Scheinig univentionstaff 2023-11-17 15:17:52 CET
Created attachment 11145
script to add the special SID
Comment 4 Arvid Requate univentionstaff 2024-01-12 15:37:51 CET
Please note the extended version of the script in Bug 56886 Comment 2.