Univention Bugzilla – Bug 49310
lookup of Posix GIDs for SIDs does not work for BUILTIN groups on memberserver
Last modified: 2019-04-18 13:06:38 CEST
On a UCS Memberserver the lookup of Posix GIDs for SIDs does not work for BUILTIN groups:

root@member13:~# wbinfo --sid-to-gid S-1-5-32-546
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-546 to gid

It should work though. The account is present in OpenLDAP, so the idmap_nss plugin should be able to find it:

root@member13:~# univention-ldapsearch -LLL sambasid=S-1-5-32-546 gidnumber
dn: cn=Guests,cn=Builtin,dc=ar41i1,dc=qa
gidNumber: 5053
Some debug output for this:

root@member13:~# net rpc testjoin
Join to 'AR41I1' is OK
root@member13:~# lsb_release -a
No LSB modules are available.
Distributor ID: Univention
Description: Univention Corporate Server 4.4-0 errata47 (Blumenthal)
Release: 4.4-0 errata47
Codename: Blumenthal
root@member13:~# dpkg -l samba | grep ^ii
ii samba 2:4.10.1-1A~4.4.0.201904031509 amd64 SMB/CIFS file, print, and login server for Unix
root@member13:~# net cache flush; /etc/init.d/winbind restart
[ ok ] Restarting winbind (via systemctl): winbind.service.
root@member13:~# smbcontrol winbindd debug 10
root@member13:~# tail -f /var/log/samba/log.w* &
[1] 20174
root@member13:~# ==> /var/log/samba/log.wb-AR41I1 <==
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10

==> /var/log/samba/log.wb-BUILTIN <==

==> /var/log/samba/log.wb-MEMBER13 <==
[2015/11/25 02:41:22.659256, 0] ../source3/winbindd/winbindd.c:271(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

==> /var/log/samba/log.winbindd <==
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
[2019/02/27 16:42:03.856288, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:862(winbind_msg_relay_fn)
  winbind_msg_relay_fn: sending message to pid 20171.
[2019/02/27 16:42:03.856388, 10, pid=20153, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm.c:1436(messaging_dgm_send)
  messaging_dgm_send: Sending message to 20171

==> /var/log/samba/log.winbindd-dc-connect <==

==> /var/log/samba/log.winbindd-idmap <==

root@member13:~# wbinfo --sid-to-gid S-1-5-32-546

==> /var/log/samba/log.winbindd <==
[2019/02/27 16:42:52.954449, 6, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:920(new_connection)
  accepted socket 22
[2019/02/27 16:42:52.955047, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:768(process_request_send)
  process_request_send: process_request: request fn INTERFACE_VERSION
[2019/02/27 16:42:52.955084, 3, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
  winbindd_interface_version: [wbinfo (20175)]: request interface version (version = 31)
[2019/02/27 16:42:52.955184, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:854(process_request_written)
  process_request_written: [wbinfo(20175):unknown request]: delivered response to client
[2019/02/27 16:42:52.955560, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:744(process_request_send)
  process_request_send: process_request: Handling async request wbinfo(20175):SIDS_TO_XIDS
[2019/02/27 16:42:52.955602, 3, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_sids_to_xids.c:50(winbindd_sids_to_xids_send)
  sids_to_xids
[2019/02/27 16:42:52.955634, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_sids_to_xids.c:68(winbindd_sids_to_xids_send)
  num_sids: 1
[2019/02/27 16:42:52.955663, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/wb_sids2xids.c:114(wb_sids2xids_send)
  SID 0: S-1-5-32-546
[2019/02/27 16:42:52.955714, 5, pid=20153, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:85(gencache_init)
  Opening cache file at /var/run/samba/gencache.tdb
[2019/02/27 16:42:52.955845, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/wb_lookupsids.c:263(wb_lookupsids_bulk)
  wb_lookupsids_bulk: No bulk setup for SID S-1-5-32-546 with 2 subauths
[2019/02/27 16:42:52.955886, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_util.c:1462(find_lookup_domain_from_sid)
  find_lookup_domain_from_sid: SID [S-1-5-32-546]
[2019/02/27 16:42:52.955958, 1, pid=20153, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
      in: struct wbint_LookupSid
          sid : *
              sid : S-1-5-32-546
[2019/02/27 16:42:52.956113, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:1628(fork_domain_child)
  fork_domain_child called for domain 'BUILTIN'
[2019/02/27 16:42:52.957591, 10, pid=20176, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:1694(fork_domain_child)
  Child process 20176
[2019/02/27 16:42:52.958397, 10, pid=20176, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
  msg_dgm_ref_destructor: refs=0x5617fd142b80
[2019/02/27 16:42:52.959014, 10, pid=20176, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:80(messaging_dgm_ref)
  messaging_dgm_ref: messaging_dgm_init returned Erfolg
[2019/02/27 16:42:52.959218, 10, pid=20176, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:109(messaging_dgm_ref)
  messaging_dgm_ref: unique = 1406167998688456097
[2019/02/27 16:42:52.959266, 5, pid=20176, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:155(make_pdb_method_name)
  Attempting to find a passdb backend to match tdbsam (tdbsam)
[2019/02/27 16:42:52.959296, 5, pid=20176, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:176(make_pdb_method_name)
  Found pdb backend tdbsam
[2019/02/27 16:42:52.959330, 5, pid=20176, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:187(make_pdb_method_name)
  pdb backend tdbsam has a valid init
[2019/02/27 16:42:52.960914, 1, pid=20153, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
      out: struct wbint_LookupSid
          type : *
              type : SID_NAME_ALIAS (4)
          domain : *
              domain : *
                  domain : 'BUILTIN'
          name : *
              name : *
                  name : 'Guests'
          result : NT_STATUS_OK
[2019/02/27 16:42:52.962039, 1, pid=20153, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
      in: struct wbint_Sids2UnixIDs
          domains : *
              domains: struct lsa_RefDomainList
                  count : 0x00000001 (1)
                  domains : *
                      domains: ARRAY(1)
                          domains: struct lsa_DomainInfo
                              name: struct lsa_StringLarge
                                  length : 0x000e (14)
                                  size : 0x0010 (16)
                                  string : *
                                      string : 'BUILTIN'
                              sid : *
                                  sid : S-1-5-32
                  max_size : 0x00000001 (1)
          ids : *
              ids: struct wbint_TransIDArray
                  num_ids : 0x00000001 (1)
                  ids: ARRAY(1)
                      ids: struct wbint_TransID
                          type : ID_TYPE_GID (2)
                          domain_index : 0x00000000 (0)
                          rid : 0x00000222 (546)
                          xid: struct unixid
                              id : 0xffffffff (4294967295)
                              type : ID_TYPE_GID (2)
[2019/02/27 16:42:52.962409, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:1630(fork_domain_child)
  fork_domain_child called without domain.
[2019/02/27 16:42:52.963868, 10, pid=20177, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:1694(fork_domain_child)
  Child process 20177
[2019/02/27 16:42:52.964831, 10, pid=20177, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
  msg_dgm_ref_destructor: refs=0x5617fd142b80
[2019/02/27 16:42:52.965210, 10, pid=20177, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:80(messaging_dgm_ref)
  messaging_dgm_ref: messaging_dgm_init returned Erfolg
[2019/02/27 16:42:52.965619, 10, pid=20177, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:109(messaging_dgm_ref)
  messaging_dgm_ref: unique = 13992256947172106056
[2019/02/27 16:42:52.965883, 5, pid=20177, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:155(make_pdb_method_name)
  Attempting to find a passdb backend to match tdbsam (tdbsam)
[2019/02/27 16:42:52.966119, 5, pid=20177, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:176(make_pdb_method_name)
  Found pdb backend tdbsam
[2019/02/27 16:42:52.966352, 5, pid=20177, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:187(make_pdb_method_name)
  pdb backend tdbsam has a valid init
[2019/02/27 16:42:53.050696, 1, pid=20153, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
      out: struct wbint_Sids2UnixIDs
          ids : *
              ids: struct wbint_TransIDArray
                  num_ids : 0x00000001 (1)
                  ids: ARRAY(1)
                      ids: struct wbint_TransID
                          type : ID_TYPE_GID (2)
                          domain_index : 0x00000000 (0)
                          rid : 0x00000222 (546)
                          xid: struct unixid
                              id : 0xffffffff (4294967295)
                              type : ID_TYPE_NOT_SPECIFIED (0)
          result : NT_STATUS_OK
[2019/02/27 16:42:53.052359, 10, pid=20153, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:226(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[IDMAP/SID2XID/S-1-5-32-546] and timeout=[Mi Feb 27 16:44:53 2019 CET] (120 seconds ahead)
[2019/02/27 16:42:53.052749, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:810(process_request_done)
  process_request_done: [wbinfo(20175):SIDS_TO_XIDS]: NT_STATUS_OK
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-546 to gid
An additional point of confusion: There is a difference in behaviour for BUILTIN groups (this bug) and "NT AUTHORITY" groups (Bug #45840): If you ask for a SID from the "NT AUTHORITY" range, e.g. for this one:
===========================================================================
root@member13:~# univention-ldapsearch -LLL sambasid=S-1-5-9 gidNumber
dn: cn=Enterprise Domain Controllers,cn=groups,dc=ar41i1,dc=qa
gidNumber: 5015
===========================================================================
It just quickly allocates one in the '*' range:
===========================================================================
root@member13:~# wbinfo --sid-to-gid S-1-5-9
55005
root@member13:~# univention-ldapsearch -LLL sambasid=S-1-5-9 gidNumber
dn: cn=Enterprise Domain Controllers,cn=groups,dc=ar41i1,dc=qa
gidNumber: 5015

dn: sambaSID=S-1-5-9,cn=idmap,cn=univention,dc=ar41i1,dc=qa
gidNumber: 55005
===========================================================================
But that's the topic of Bug #45840.
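
A consistency check for the two behaviours described in this report, as an added example that is not part of the original bug report or of UCS: it compares the gidNumber on the LDAP group object with the GID winbind answers for the same SID. The function names and verdict strings are assumptions; the sample outputs are taken from the sessions quoted above.

```shell
#!/bin/sh
# Added example: compare the gidNumber on the LDAP group object with the GID
# winbind returns for the same SID. Function names and verdicts are assumptions.

# Read `univention-ldapsearch -LLL sambasid=<SID> gidNumber` output on stdin and
# print the group object's gidNumber, skipping idmap entries winbind allocated.
ldap_gid() {
    awk '
        /^dn: /        { idmap = ($0 ~ /^dn: sambaSID=.*,cn=idmap,/) }
        /^gidNumber: / { if (!idmap) { print $2; exit } }
    '
}

# Read `wbinfo --sid-to-gid <SID>` output on stdin; print the GID only if the
# first line is a bare number (an error message yields nothing).
winbind_gid() {
    awk 'NR == 1 && /^[0-9]+$/ { print; exit }'
}

# check_mapping SID LDAP_OUTPUT WBINFO_OUTPUT -> prints one verdict line
check_mapping() {
    sid=$1
    want=$(printf '%s\n' "$2" | ldap_gid)
    got=$(printf '%s\n' "$3" | winbind_gid)
    if [ -z "$want" ]; then
        echo "$sid NO_LDAP_GID"
    elif [ -z "$got" ]; then
        echo "$sid UNMAPPED ldap=$want"
    elif [ "$got" != "$want" ]; then
        echo "$sid MISMATCH ldap=$want winbind=$got"
    else
        echo "$sid OK gid=$want"
    fi
}

# Sample outputs taken from the sessions in this report.
BUILTIN_LDAP='dn: cn=Guests,cn=Builtin,dc=ar41i1,dc=qa
gidNumber: 5053'
BUILTIN_WB='failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-546 to gid'
NTAUTH_LDAP='dn: cn=Enterprise Domain Controllers,cn=groups,dc=ar41i1,dc=qa
gidNumber: 5015

dn: sambaSID=S-1-5-9,cn=idmap,cn=univention,dc=ar41i1,dc=qa
gidNumber: 55005'

check_mapping S-1-5-32-546 "$BUILTIN_LDAP" "$BUILTIN_WB"   # this bug
check_mapping S-1-5-9 "$NTAUTH_LDAP" "55005"               # Bug #45840
```

On a live member server the second and third arguments would be `"$(univention-ldapsearch -LLL "sambasid=$sid" gidNumber)"` and `"$(wbinfo --sid-to-gid "$sid" 2>&1)"`.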