Winbind syslog errors and Domain Local Groups

by (private) HKS

Hello all.

I'm relatively new to Samba, and haven't been able to track down a
solution to this particular problem.

I use Samba/Winbind to authenticate FreeBSD machines against a
Windows 2003 Active Directory. That all works fine. The problem is
that groups in the AD of type "Security Group - Domain Local" are
causing winbindd a lot of grief. Every time the winbindd daemon is
accessed, it spews syslog messages like these for every Domain
Local group in the AD:

--------------------
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
group dhcp users
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
group dhcp administrators
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
group dnsadmins
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
group debugger users
---------------------

All non-local groups show up just fine in the BSD system. Local
groups do not show up in a getent group.

All groups, including the local ones, show up when I run wbinfo -g.
Running wbinfo -n <localgroup> comes back with a SID:
$ wbinfo -n dnsadmins
<munged-SID> Local Group (4)

This SID is trackable back to a gid:
$ sudo wbinfo --sid-to-gid <munged-SID>
11105

Why, then, are these groups not actually getting populated? Can anyone
shed some light on this?

-HKS
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: Winbind syslog errors and Domain Local Groups

by (private) HKS

Any ideas?
-HKS

On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS <hks.private@...> wrote:

> Hello all.
>
> I'm relatively new to Samba, and haven't been able to track down a
> solution to this particular problem.
>
> I use Samba/Winbind to authenticate FreeBSD machines against a
> Windows 2003 Active Directory. That all works fine. The problem is
> that groups in the AD of type "Security Group - Domain Local" are
> causing winbindd a lot of grief. Every time the winbindd daemon is
> accessed, it spews syslog messages like these for every Domain
> Local group in the AD:
>
> --------------------
> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
> group dhcp users
> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
> group dhcp administrators
> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
> group dnsadmins
> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
> group debugger users
> ---------------------
>
> All non-local groups show up just fine in the BSD system. Local
> groups do not show up in a getent group.
>
> All groups, including the local ones, show up when I run wbinfo -g.
> Running wbinfo -n <localgroup> comes back with a SID:
> $ wbinfo -n dnsadmins
> <munged-SID> Local Group (4)
>
> This SID is trackable back to a gid:
> $ sudo wbinfo --sid-to-gid <munged-SID>
> 11105
>
> Why, then, are these groups not actually getting populated? Can anyone
> shed some light on this?
>
> -HKS
>

Re: Winbind syslog errors and Domain Local Groups

by (private) HKS

A few more tidbits...

My winbind logs have this complaint for each of the domain local groups:
[2008/07/11 14:40:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
  could not lookup membership for group sid <munged-sid> in domain
DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
[2008/07/11 14:40:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
  could not lookup domain group dnsadmins

wbinfo doesn't have any difficulty with converting name -> SID -> gid
-> SID, but if I run wbinfo -r on a user that's a member of one of the
groups, that group doesn't show up.

So, at the moment, it appears that winbind just can't grab membership
for these domain local groups. I found this reported a few other
places on the 'net, but it doesn't seem that a resolution has ever
been reached.

-HKS


On Fri, Jul 11, 2008 at 1:13 PM, (private) HKS <hks.private@...> wrote:

> Any ideas?
> -HKS
>
> On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS <hks.private@...> wrote:
>> Hello all.
>>
>> I'm relatively new to Samba, and haven't been able to track down a
>> solution to this particular problem.
>>
>> I use Samba/Winbind to authenticate FreeBSD machines against a
>> Windows 2003 Active Directory. That all works fine. The problem is
>> that groups in the AD of type "Security Group - Domain Local" are
>> causing winbindd a lot of grief. Every time the winbindd daemon is
>> accessed, it spews syslog messages like these for every Domain
>> Local group in the AD:
>>
>> --------------------
>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>> group dhcp users
>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>> group dhcp administrators
>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>> group dnsadmins
>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>> group debugger users
>> ---------------------
>>
>> All non-local groups show up just fine in the BSD system. Local
>> groups do not show up in a getent group.
>>
>> All groups, including the local ones, show up when I run wbinfo -g.
>> Running wbinfo -n <localgroup> comes back with a SID:
>> $ wbinfo -n dnsadmins
>> <munged-SID> Local Group (4)
>>
>> This SID is trackable back to a gid:
>> $ sudo wbinfo --sid-to-gid <munged-SID>
>> 11105
>>
>> Why, then, are these groups not actually getting populated? Can anyone
>> shed some light on this?
>>
>> -HKS
>>
>

Re: Winbind syslog errors and Domain Local Groups

by (private) HKS

I was finally able to correct these errors by enabling Kerberos
and changing the security model from domain to ads, but now
I've run into the same problem reported here:
http://www.usenet-forums.com/samba/394092-re-samba-accessing-member-server-prompts-credentials.html

After about 5 minutes of uptime the winbind service throws
several errors into syslog and nothing referencing it will work
correctly until I restart it. The processes are still running.

Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0]
nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:
[2008/07/15 17:57:26, 0]
nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jul 15 17:57:26 testbox winbindd[994]:
async_request_timeout_handler: child pid 992 is not responding.
Closing connection to it.
Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:
  async_request_timeout_handler: child pid 992 is not responding.
Closing connection to it.

This is Samba 3.0.30 and Kerberos 5 running on FreeBSD 7.0.

Can anyone help me out here?

-HKS



On Fri, Jul 11, 2008 at 3:56 PM, (private) HKS <hks.private@...> wrote:

> A few more tidbits...
>
> My winbind logs have this complaint for each of the domain local groups:
> [2008/07/11 14:40:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
>  could not lookup membership for group sid <munged-sid> in domain
> DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
> [2008/07/11 14:40:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>  could not lookup domain group dnsadmins
>
> wbinfo doesn't have any difficulty with converting name -> SID -> gid
> -> SID, but if I run wbinfo -r on a user that's a member of one of the
> groups, that group doesn't show up.
>
> So, at the moment, it appears that winbind just can't grab membership
> for these domain local groups. I found this reported a few other
> places on the 'net, but it doesn't seem that a resolution has ever
> been reached.
>
> -HKS
>
>
> On Fri, Jul 11, 2008 at 1:13 PM, (private) HKS <hks.private@...> wrote:
>> Any ideas?
>> -HKS
>>
>> On Mon, Jul 7, 2008 at 5:01 PM, (private) HKS <hks.private@...> wrote:
>>> Hello all.
>>>
>>> I'm relatively new to Samba, and haven't been able to track down a
>>> solution to this particular problem.
>>>
>>> I use Samba/Winbind to authenticate FreeBSD machines against a
>>> Windows 2003 Active Directory. That all works fine. The problem is
>>> that groups in the AD of type "Security Group - Domain Local" are
>>> causing winbindd a lot of grief. Every time the winbindd daemon is
>>> accessed, it spews syslog messages like these for every Domain
>>> Local group in the AD:
>>>
>>> --------------------
>>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>>> group dhcp users
>>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>>> group dhcp administrators
>>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>>> group dnsadmins
>>> Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
>>> nsswitch/winbindd_group.c:winbindd_getgrent(1110)
>>> Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
>>> group debugger users
>>> ---------------------
>>>
>>> All non-local groups show up just fine in the BSD system. Local
>>> groups do not show up in a getent group.
>>>
>>> All groups, including the local ones, show up when I run wbinfo -g.
>>> Running wbinfo -n <localgroup> comes back with a SID:
>>> $ wbinfo -n dnsadmins
>>> <munged-SID> Local Group (4)
>>>
>>> This SID is trackable back to a gid:
>>> $ sudo wbinfo --sid-to-gid <munged-SID>
>>> 11105
>>>
>>> Why, then, are these groups not actually getting populated? Can anyone
>>> shed some light on this?
>>>
>>> -HKS
>>>
>>
>

Re: Re: Winbind syslog errors and Domain Local Groups

by Jeremy Allison

On Tue, Jul 15, 2008 at 06:12:41PM -0400, (private) HKS wrote:

> I was finally able to correct these errors by enabling Kerberos
> and changing the security model from domain to ads, but now
> I've run into the same problem reported here:
> http://www.usenet-forums.com/samba/394092-re-samba-accessing-member-server-prompts-credentials.html
>
> After about 5 minutes of uptime the winbind service throws
> several errors into syslog and nothing referencing it will work
> correctly until I restart it. The processes are still running.
>
> Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0]
> nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
> Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:
> [2008/07/15 17:57:26, 0]
> nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
> Jul 15 17:57:26 testbox winbindd[994]:
> async_request_timeout_handler: child pid 992 is not responding.
> Closing connection to it.
> Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:
>   async_request_timeout_handler: child pid 992 is not responding.
> Closing connection to it.
>
> This is Samba 3.0.30 and Kerberos 5 running on FreeBSD 7.0.
>
> Can anyone help me out here?

Known bug that was explicitly fixed in 3.0.31.

Jeremy.
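
The winbindd messages quoted in this thread each consist of a debug header followed by a message line, sometimes wrapped in a syslog prefix and repeated under the kernel facility. The following is an added example, not code from the thread's participants or from Samba: it pairs headers with messages and summarizes unresolved groups, NT status codes and unresponsive child pids. The sample lines are the thread's excerpts with mail line-wrapping undone, and the function names are illustrative.

```python
import re
from collections import Counter

# Optional syslog wrapper (including the doubled "kernel:" form), then the
# Samba debug header: [timestamp, level] source.c:function(line)
SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s.*?winbindd\[\d+\]:\s?")
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)$")
GROUP = re.compile(r"could not lookup domain group (.+)$")
STATUS = re.compile(r"\(error: (NT_STATUS_\w+)\)")
CHILD = re.compile(r"child pid (\d+) is not responding")

# Constructed sample: the thread's excerpts with mail line-wrapping undone.
SAMPLE = """\
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain group dhcp users
[2008/07/11 14:40:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
  could not lookup membership for group sid <munged-sid> in domain DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
[2008/07/11 14:40:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(1110)
  could not lookup domain group dnsadmins
Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]: [2008/07/15 17:57:26, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
Jul 15 17:57:26 testbox winbindd[994]:   async_request_timeout_handler: child pid 992 is not responding. Closing connection to it.
Jul 15 17:57:26 testbox kernel: Jul 15 17:57:26 testbox winbindd[994]:   async_request_timeout_handler: child pid 992 is not responding. Closing connection to it.
""".splitlines()

def parse_events(lines):
    """Attach each message line to the debug header that precedes it."""
    events, prev = [], None
    for raw in lines:
        text = SYSLOG.sub("", raw).strip()
        if not text or text == prev:  # skip blanks and kernel-facility repeats
            continue
        prev = text
        if m := HEADER.match(text):
            events.append({"ts": m[1], "level": int(m[2]), "func": m[4], "msg": ""})
        elif events:
            events[-1]["msg"] = (events[-1]["msg"] + " " + text).strip()
    return events

def summarize(events):
    """Count unresolved groups and NT status codes; collect hung child pids."""
    groups, statuses, children = Counter(), Counter(), set()
    for ev in events:
        groups.update(GROUP.findall(ev["msg"]))
        statuses.update(STATUS.findall(ev["msg"]))
        children.update(int(p) for p in CHILD.findall(ev["msg"]))
    return {"groups": dict(groups), "statuses": dict(statuses), "hung_children": sorted(children)}
```

Calling `summarize(parse_events(SAMPLE))` gives one dictionary per log, which makes it easy to compare the set of failing groups before and after a configuration or version change.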