TrueNAS wbc error

Hi,

I have a problem with AD in Scale. The server is added from the domain but not everything works as it should. I can’t see groups from my domain but users can. wbinfo -g gives me this error:

failed to call wbcListGroups: WBC_ERR_INVALID_RESPONSE
Error looking up domain groups.

What could be the problem?
Please help.

That’s unusual. What is the output of testparm -s?

testparm -s
Load smb config files from /etc/smb4.conf
regdb_init: Failed to open registry /var/run/samba-cache/registry.tdb (Permission denied)
Failed to initialize the registry: WERR_ACCESS_DENIED
error initializing registry configuration: SBC_ERR_BADFILE
Error loading services

Okay. sudo testparm -s

Load smb config files from /etc/smb4.conf
lpcfg_do_global_parameter: WARNING: The “syslog only” option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

Global parameters

[global]
allow trusted domains = No
bind interfaces only = Yes
disable spoolss = Yes
dns proxy = No
domain master = No
kerberos method = secrets and keytab
load printers = No
logging = file
max log size = 5120
ntlm auth = ntlmv1-permitted
passdb backend = tdbsam:/var/run/samba-cache/private/passdb.tdb
preferred master = No
printcap name = /dev/null
realm = RADIO.COM.PL
registry shares = Yes
restrict anonymous = 2
security = ADS
server min protocol = NT1
server role = member server
server string = TrueNAS Server
template homedir = /var/empty
template shell = /bin/sh
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind max domain connections = 10
winbind nss info = rfc2307
winbind use default domain = Yes
workgroup = RADIO
idmap config radio : sssd_compat = false
idmap config radio : range = 100000001 - 200000000
idmap config radio : backend = rid
idmap config * : range = 90000001 - 100000000
fruit:zero_file_id = false
fruit:nfs_aces = false
rpc_server:mdssvc = disabled
rpc_daemon:mdssd = disabled
idmap config * : backend = tdb
create mask = 0775
directory mask = 0775

[rerere]
ea support = No
path = /mnt/testrm/rerere
posix locking = No
read only = No
smbd max xattr size = 2097152
vfs objects = streams_xattr shadow_copy_zfs ixnas zfs_core io_uring
tn:vuid =
fruit:time machine max size = 0
fruit:time machine = False
nfs4:chown = True
tn:home = False
tn:path_suffix =
tn:purpose = DEFAULT_SHARE

Right. Filling caches won’t work when the winbind client is failing with an invalid response. Try turning off “use default domain”. Maybe review the winbind logs in /var/log/samba4 for a more verbose error message.

I already have the use default domain option turned off. In log.winbindd I can see:

[2024/07/11 15:56:20.230554, 1] …/…/source3/winbindd/winbindd_getgrnam.c:175(winbindd_getgrnam_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

[2024/07/11 14:52:26.168007, 1] …/…/source3/winbindd/winbindd_getgrnam.c:175(winbindd_getgrnam_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

[2024/07/11 14:40:05.315933, 1] …/…/lib/param/loadparm.c:1909(lpcfg_do_global_parameter)
lpcfg_do_global_parameter: WARNING: The “syslog only” option is deprecated
[2024/07/11 14:40:17.673144, 1] …/…/source3/winbindd/winbindd_dual.c:2049(winbindd_sig_hup_handler)
Reloading services after SIGHUP

Try increasing the log level in Services-SMB to debug and then retry wbinfo -g.

The WBC_ERR_INVALID_RESPONSE error still occurs :(

That wasn’t to fix the problem, but rather so that you could look at logs and see if there are more useful messages.

Ah, OK, sorry, my bad.
In the logs I can see my domain groups, but at the end there is this log, and I guess that’s why it doesn’t work.

Query username ‘x’.
[2024/07/12 14:16:00.116329, 5, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/wb_lookupname.c:52(wb_lookupname_send)
WB command lookupname start.
Search namespace ‘RADTEC-NAS2’ and domain ‘’ for name ‘x’.
[2024/07/12 14:16:00.116356, 1, pid=8101, effective(0, 0), real(0, 0), class=rpc_parse] …/…/librpc/ndr/ndr.c:493(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : ‘’
name : *
name : ‘X’
flags : 0x00000008 (8)
[2024/07/12 14:16:00.130679, 1, pid=8101, effective(0, 0), real(0, 0), class=rpc_parse] …/…/librpc/ndr/ndr.c:493(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USE_NONE (0)
sid : *
sid : S-0-0
result : NT_STATUS_NONE_MAPPED
[2024/07/12 14:16:00.130753, 1, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2024/07/12 14:16:00.130768, 3, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:564(process_request_done)
process_request_done: [nss_winbind(27522):GETPWNAM]: NT_STATUS_NONE_MAPPED
[2024/07/12 14:16:00.130793, 10, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:609(process_request_written)
process_request_written: [nss_winbind(27522):GETPWNAM]: delivered response to client
[2024/07/12 14:16:00.142728, 6, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:725(winbind_client_request_read)
closing socket 23, client exited

wbint_bh_raw_call_send: Got opnum 14 for domain RADIO from cache
[2024/07/12 14:34:12.754532, 1, pid=8101, effective(0, 0), real(0, 0), class=rpc_parse] …/…/librpc/ndr/ndr.c:493(ndr_print_function_debug)
wbint_QueryGroupList: struct wbint_QueryGroupList
out: struct wbint_QueryGroupList
groups : *
groups: struct wbint_Principals
num_principals : 0x00000086 (134)
principals: ARRAY(134)

THERE IS MY DOMAIN GROUPS LIST

          result                   : NT_STATUS_OK

[2024/07/12 14:34:12.757619, 10, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd_list_groups.c:145(winbindd_list_groups_done)
Domain RADIO returned 134 groups
[2024/07/12 14:34:12.757635, 3, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd_list_groups.c:176(winbindd_list_groups_recv)
Winbind external command LIST_GROUPS end.
[2024/07/12 14:34:12.757929, 3, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:564(process_request_done)
process_request_done: [wbinfo(28827):LIST_GROUPS]: NT_STATUS_OK
[2024/07/12 14:34:12.757961, 10, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:609(process_request_written)
process_request_written: [wbinfo(28827):LIST_GROUPS]: delivered response to client
[2024/07/12 14:34:12.758024, 6, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:725(winbind_client_request_read)
closing socket 25, client exited

Now getent group shows me my domain groups but wbinfo still returns an error.

What are the logs you get from the error case? Success logs are not particularly useful.
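One way to separate error-case entries from success entries in a debug-level log.winbindd, shown as an added example that is not part of the original thread: it pairs each `process_request_done` message with its timestamp and keeps the requests that did not end in NT_STATUS_OK. The sample lines are copied from the excerpts quoted in this thread; the function names are hypothetical.

```python
import re

# Header line, e.g. "[2024/07/12 14:16:00.130768, 3, pid=8101, ...] file.c:564(func)"
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+[^\]]*\]")
# Completion message, e.g. "process_request_done: [wbinfo(28827):LIST_GROUPS]: NT_STATUS_OK"
DONE = re.compile(
    r"process_request_done: \[(?P<client>[^\s(]+)\((?P<client_pid>\d+)\):"
    r"(?P<command>\w+)\]: (?P<status>NT_STATUS_\w+)"
)

# Lines copied from the log.winbindd excerpts quoted in this thread.
SAMPLE = """\
[2024/07/12 14:16:00.130753, 1, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2024/07/12 14:16:00.130768, 3, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:564(process_request_done)
process_request_done: [nss_winbind(27522):GETPWNAM]: NT_STATUS_NONE_MAPPED
[2024/07/12 14:34:12.757619, 10, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd_list_groups.c:145(winbindd_list_groups_done)
Domain RADIO returned 134 groups
[2024/07/12 14:34:12.757929, 3, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:564(process_request_done)
process_request_done: [wbinfo(28827):LIST_GROUPS]: NT_STATUS_OK
"""


def request_results(log_text):
    """Pair each process_request_done message with the timestamp of its header line."""
    results, ts = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            ts = header["ts"]  # remember the header; the message follows on the next line
            continue
        done = DONE.search(line)
        if done:
            results.append({"time": ts, **done.groupdict()})
    return results


def failed_requests(results):
    """Keep only requests winbindd answered with something other than NT_STATUS_OK."""
    return [r for r in results if r["status"] != "NT_STATUS_OK"]


if __name__ == "__main__":
    for r in request_results(SAMPLE):
        flag = "ok" if r["status"] == "NT_STATUS_OK" else "FAIL"
        print(f'{r["time"]}  {flag:4}  {r["client"]}({r["client_pid"]})  '
              f'{r["command"]}  {r["status"]}')
```

On these lines the only request that did not complete with NT_STATUS_OK is the GETPWNAM from nss_winbind at 14:16:00; the LIST_GROUPS request from wbinfo at 14:34:12 completed with NT_STATUS_OK.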

The logs above are the logs after I use wbinfo -g. The 2nd answer is part 1 of the log and the first is part 2, with nothing in between. I think the logs below are the error logs. I still do not see domain groups in my Samba permission configuration even though after the command getent group I see my groups. I don’t have username ‘x’ and I think those make the error failed to call wbcListGroups: WBC_ERR_INVALID_RESPONSE
Error looking up domain groups.

Query username ‘x’.
[2024/07/12 14:16:00.116329, 5, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/wb_lookupname.c:52(wb_lookupname_send)
WB command lookupname start.
Search namespace ‘RADTEC-NAS2’ and domain ‘’ for name ‘x’.
[2024/07/12 14:16:00.116356, 1, pid=8101, effective(0, 0), real(0, 0), class=rpc_parse] …/…/librpc/ndr/ndr.c:493(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : ‘’
name : *
name : ‘X’
flags : 0x00000008 (8)
[2024/07/12 14:16:00.130679, 1, pid=8101, effective(0, 0), real(0, 0), class=rpc_parse] …/…/librpc/ndr/ndr.c:493(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USE_NONE (0)
sid : *
sid : S-0-0
result : NT_STATUS_NONE_MAPPED
[2024/07/12 14:16:00.130753, 1, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2024/07/12 14:16:00.130768, 3, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:564(process_request_done)
process_request_done: [nss_winbind(27522):GETPWNAM]: NT_STATUS_NONE_MAPPED
[2024/07/12 14:16:00.130793, 10, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:609(process_request_written)
process_request_written: [nss_winbind(27522):GETPWNAM]: delivered response to client
[2024/07/12 14:16:00.142728, 6, pid=8101, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:725(winbind_client_request_read)
closing socket 23, client exited

Hi.
Do you have any more ideas on how to solve this problem?

I still do not see my domain group in my ACL editor.