On a UCS Memberserver the lookup of Posix GIDs for SIDs does not work for BUILTIN groups:

root@member13:~# wbinfo --sid-to-gid S-1-5-32-546
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-546 to gid

It should work though. The account is present in OpenLDAP, so the idmap_nss plugin should be able to find it:

root@member13:~# univention-ldapsearch -LLL sambasid=S-1-5-32-546 gidnumber
dn: cn=Guests,cn=Builtin,dc=ar41i1,dc=qa
gidNumber: 5053
Some debug output for this:

root@member13:~# net rpc testjoin
Join to 'AR41I1' is OK
root@member13:~# lsb_release -a
No LSB modules are available.
Distributor ID: Univention
Description: Univention Corporate Server 4.4-0 errata47 (Blumenthal)
Release: 4.4-0 errata47
Codename: Blumenthal
root@member13:~# dpkg -l samba | grep ^ii
ii samba 2:4.10.1-1A~4.4.0.201904031509 amd64 SMB/CIFS file, print, and login server for Unix
root@member13:~# net cache flush; /etc/init.d/winbind restart
[ ok ] Restarting winbind (via systemctl): winbind.service.
root@member13:~# smbcontrol winbindd debug 10
root@member13:~# tail -f /var/log/samba/log.w* &
[1] 20174
root@member13:~#
==> /var/log/samba/log.wb-AR41I1 <==
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10

==> /var/log/samba/log.wb-BUILTIN <==

==> /var/log/samba/log.wb-MEMBER13 <==
[2015/11/25 02:41:22.659256, 0] ../source3/winbindd/winbindd.c:271(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

==> /var/log/samba/log.winbindd <==
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
[2019/02/27 16:42:03.856288, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:862(winbind_msg_relay_fn)
  winbind_msg_relay_fn: sending message to pid 20171.
[2019/02/27 16:42:03.856388, 10, pid=20153, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm.c:1436(messaging_dgm_send)
  messaging_dgm_send: Sending message to 20171

==> /var/log/samba/log.winbindd-dc-connect <==

==> /var/log/samba/log.winbindd-idmap <==

root@member13:~# wbinfo --sid-to-gid S-1-5-32-546

==> /var/log/samba/log.winbindd <==
[2019/02/27 16:42:52.954449, 6, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:920(new_connection)
  accepted socket 22
[2019/02/27 16:42:52.955047, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:768(process_request_send)
  process_request_send: process_request: request fn INTERFACE_VERSION
[2019/02/27 16:42:52.955084, 3, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
  winbindd_interface_version: [wbinfo (20175)]: request interface version (version = 31)
[2019/02/27 16:42:52.955184, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:854(process_request_written)
  process_request_written: [wbinfo(20175):unknown request]: delivered response to client
[2019/02/27 16:42:52.955560, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:744(process_request_send)
  process_request_send: process_request: Handling async request wbinfo(20175):SIDS_TO_XIDS
[2019/02/27 16:42:52.955602, 3, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_sids_to_xids.c:50(winbindd_sids_to_xids_send)
  sids_to_xids
[2019/02/27 16:42:52.955634, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_sids_to_xids.c:68(winbindd_sids_to_xids_send)
  num_sids: 1
[2019/02/27 16:42:52.955663, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/wb_sids2xids.c:114(wb_sids2xids_send)
  SID 0: S-1-5-32-546
[2019/02/27 16:42:52.955714, 5, pid=20153, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:85(gencache_init)
  Opening cache file at /var/run/samba/gencache.tdb
[2019/02/27 16:42:52.955845, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/wb_lookupsids.c:263(wb_lookupsids_bulk)
  wb_lookupsids_bulk: No bulk setup for SID S-1-5-32-546 with 2 subauths
[2019/02/27 16:42:52.955886, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_util.c:1462(find_lookup_domain_from_sid)
  find_lookup_domain_from_sid: SID [S-1-5-32-546]
[2019/02/27 16:42:52.955958, 1, pid=20153, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
    in: struct wbint_LookupSid
      sid : *
        sid : S-1-5-32-546
[2019/02/27 16:42:52.956113, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:1628(fork_domain_child)
  fork_domain_child called for domain 'BUILTIN'
[2019/02/27 16:42:52.957591, 10, pid=20176, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:1694(fork_domain_child)
  Child process 20176
[2019/02/27 16:42:52.958397, 10, pid=20176, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
  msg_dgm_ref_destructor: refs=0x5617fd142b80
[2019/02/27 16:42:52.959014, 10, pid=20176, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:80(messaging_dgm_ref)
  messaging_dgm_ref: messaging_dgm_init returned Erfolg
[2019/02/27 16:42:52.959218, 10, pid=20176, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:109(messaging_dgm_ref)
  messaging_dgm_ref: unique = 1406167998688456097
[2019/02/27 16:42:52.959266, 5, pid=20176, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:155(make_pdb_method_name)
  Attempting to find a passdb backend to match tdbsam (tdbsam)
[2019/02/27 16:42:52.959296, 5, pid=20176, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:176(make_pdb_method_name)
  Found pdb backend tdbsam
[2019/02/27 16:42:52.959330, 5, pid=20176, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:187(make_pdb_method_name)
  pdb backend tdbsam has a valid init
[2019/02/27 16:42:52.960914, 1, pid=20153, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
    out: struct wbint_LookupSid
      type : *
        type : SID_NAME_ALIAS (4)
      domain : *
        domain : *
          domain : 'BUILTIN'
      name : *
        name : *
          name : 'Guests'
      result : NT_STATUS_OK
[2019/02/27 16:42:52.962039, 1, pid=20153, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
    in: struct wbint_Sids2UnixIDs
      domains : *
        domains: struct lsa_RefDomainList
          count : 0x00000001 (1)
          domains : *
            domains: ARRAY(1)
              domains: struct lsa_DomainInfo
                name: struct lsa_StringLarge
                  length : 0x000e (14)
                  size : 0x0010 (16)
                  string : *
                    string : 'BUILTIN'
                sid : *
                  sid : S-1-5-32
          max_size : 0x00000001 (1)
      ids : *
        ids: struct wbint_TransIDArray
          num_ids : 0x00000001 (1)
          ids: ARRAY(1)
            ids: struct wbint_TransID
              type : ID_TYPE_GID (2)
              domain_index : 0x00000000 (0)
              rid : 0x00000222 (546)
              xid: struct unixid
                id : 0xffffffff (4294967295)
                type : ID_TYPE_GID (2)
[2019/02/27 16:42:52.962409, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:1630(fork_domain_child)
  fork_domain_child called without domain.
[2019/02/27 16:42:52.963868, 10, pid=20177, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:1694(fork_domain_child)
  Child process 20177
[2019/02/27 16:42:52.964831, 10, pid=20177, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
  msg_dgm_ref_destructor: refs=0x5617fd142b80
[2019/02/27 16:42:52.965210, 10, pid=20177, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:80(messaging_dgm_ref)
  messaging_dgm_ref: messaging_dgm_init returned Erfolg
[2019/02/27 16:42:52.965619, 10, pid=20177, effective(0, 0), real(0, 0)] ../../source3/lib/messages_dgm_ref.c:109(messaging_dgm_ref)
  messaging_dgm_ref: unique = 13992256947172106056
[2019/02/27 16:42:52.965883, 5, pid=20177, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:155(make_pdb_method_name)
  Attempting to find a passdb backend to match tdbsam (tdbsam)
[2019/02/27 16:42:52.966119, 5, pid=20177, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:176(make_pdb_method_name)
  Found pdb backend tdbsam
[2019/02/27 16:42:52.966352, 5, pid=20177, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_interface.c:187(make_pdb_method_name)
  pdb backend tdbsam has a valid init
[2019/02/27 16:42:53.050696, 1, pid=20153, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
    out: struct wbint_Sids2UnixIDs
      ids : *
        ids: struct wbint_TransIDArray
          num_ids : 0x00000001 (1)
          ids: ARRAY(1)
            ids: struct wbint_TransID
              type : ID_TYPE_GID (2)
              domain_index : 0x00000000 (0)
              rid : 0x00000222 (546)
              xid: struct unixid
                id : 0xffffffff (4294967295)
                type : ID_TYPE_NOT_SPECIFIED (0)
      result : NT_STATUS_OK
[2019/02/27 16:42:53.052359, 10, pid=20153, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:226(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[IDMAP/SID2XID/S-1-5-32-546] and timeout=[Mi Feb 27 16:44:53 2019 CET] (120 seconds ahead)
[2019/02/27 16:42:53.052749, 10, pid=20153, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:810(process_request_done)
  process_request_done: [wbinfo(20175):SIDS_TO_XIDS]: NT_STATUS_OK
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-546 to gid
An additional point of confusion: There is a difference in behaviour for BUILTIN groups (this bug) and "NT AUTHORITY" groups (Bug #45840): If you ask for a SID from the "NT AUTHORITY" range, e.g. for this one:
===========================================================================
root@member13:~# univention-ldapsearch -LLL sambasid=S-1-5-9 gidNumber
dn: cn=Enterprise Domain Controllers,cn=groups,dc=ar41i1,dc=qa
gidNumber: 5015
===========================================================================
It just quickly allocates one in the '*' range:
===========================================================================
root@member13:~# wbinfo --sid-to-gid S-1-5-9
55005
root@member13:~# univention-ldapsearch -LLL sambasid=S-1-5-9 gidNumber
dn: cn=Enterprise Domain Controllers,cn=groups,dc=ar41i1,dc=qa
gidNumber: 5015

dn: sambaSID=S-1-5-9,cn=idmap,cn=univention,dc=ar41i1,dc=qa
gidNumber: 55005
===========================================================================
But that's the topic of Bug #45840.
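Added example (not part of the original report, and not UCS or Samba code): an offline audit that compares the gidNumber stored in OpenLDAP with what `wbinfo --sid-to-gid` returned for the same SID, separating the failed BUILTIN lookup from the silently allocated GID described in the comments above. The LDIF and wbinfo samples are constructed from the values quoted in this report; the function names and the query that also prints `sambaSID` are assumptions.

```python
import re

# Constructed sample: LDIF in the shape printed by
# `univention-ldapsearch -LLL '(sambaSID=*)' sambaSID gidNumber` (assumed query).
LDIF = """\
dn: cn=Guests,cn=Builtin,dc=ar41i1,dc=qa
sambaSID: S-1-5-32-546
gidNumber: 5053

dn: cn=Enterprise Domain Controllers,cn=groups,dc=ar41i1,dc=qa
sambaSID: S-1-5-9
gidNumber: 5015

dn: sambaSID=S-1-5-9,cn=idmap,cn=univention,dc=ar41i1,dc=qa
sambaSID: S-1-5-9
gidNumber: 55005
"""

# Constructed sample: captured output of `wbinfo --sid-to-gid <SID>` per SID.
WBINFO = {
    "S-1-5-32-546": "failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND\n"
                    "Could not convert sid S-1-5-32-546 to gid\n",
    "S-1-5-9": "55005\n",
}

def posix_gids(ldif):
    """Map sambaSID -> gidNumber of group objects, skipping idmap allocations."""
    gids = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = {k.lower(): v for k, v in
                 (line.split(": ", 1) for line in entry.splitlines() if ": " in line)}
        if "cn=idmap,cn=univention," in attrs.get("dn", "").lower():
            continue  # winbind's own allocation, not the POSIX group
        if "sambasid" in attrs and "gidnumber" in attrs:
            gids[attrs["sambasid"]] = int(attrs["gidnumber"])
    return gids

def classify(ldap_gid, wbinfo_out):
    """Compare the LDAP gidNumber with what wbinfo printed for the same SID."""
    match = re.fullmatch(r"\s*(\d+)\s*", wbinfo_out)
    if match is None:
        return "unmapped"      # lookup failed, as for the BUILTIN SID in this bug
    if int(match.group(1)) == ldap_gid:
        return "consistent"
    return "divergent"         # winbind returned a different GID (Bug #45840 case)

def audit(ldif, wbinfo):
    return {sid: classify(gid, wbinfo.get(sid, ""))
            for sid, gid in posix_gids(ldif).items()}
```

A "divergent" result means the member server and OpenLDAP disagree on the numeric group for one SID, so group ownership and ACL entries evaluated through winbind refer to a different GID than the POSIX group.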
This issue has been filed against UCS 4.4. UCS 4.4 is out of general maintenance and components may have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.