To: cygwin AT cygwin DOT com
From: Orion Poplawski
Subject: Re: mkpasswd with domain gives The security database is corrupted error - SOLVED
Date: Fri, 10 Aug 2012 16:53:27 +0000 (UTC)
References: <20120810144844 DOT GH7317 AT calimero DOT vinschen DOT de>

Corinna Vinschen writes:
>
> On Aug 9 22:37, Orion Poplawski wrote:
> > Fresh install of cygwin 1.7.16 on Windows Server 2008 R2. Trying to add my
> > domain users to /etc/passwd, but when I run mkpasswd I get (somewhat obfuscated):
> >
> > $ mkpasswd -l -d CO-RA
> > SYSTEM:*:18:544:,S-1-5-18::
> > LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
> > NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
> > Administrators:*:544:544:,S-1-5-32-544::
> > TrustedInstaller:*:4294967294:4294967294:U-NT SERVICE\TrustedInstaller,S-*::
> > Administrator:unused:500:513:U-FONT3\Administrator,S-*
> > Guest:unused:501:513:U-FONT3\Guest,S-*:/home/Guest:/bin/bash
> > sgeadmin:unused:1000:513:U-FONT3\sgeadmin,S-*:/home/sgeadmin:/bin/bash
> > mkpasswd (374): [2247] The security database is corrupted.
> >
> > That message led me to trying to check the status to the secedit.sdb database
> > with esentutl but that checks out okay.
>
> The error message is a result of an error returned from a simple call to
> the Windows function NetUserEnum. I have no idea what's causing this.
>
> Corinna
>

Thanks, figured it out. It was a problem with the user/group database on our
samba PDC. First clue is that I didn't get the error without the -d option,
indicating a domain issue rather than local issue. Next clue came from tshark
which showed a STATUS_INTERNAL_DB_CORRUPTION error being sent in response to a
groupforuser command. Then bumping up the debug level for the smbd process for
that host to level 3 I got:

[2012/08/10 10:42:26.852922, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
  api_rpcTNP: rpc command: SAMR_GETGROUPSFORUSER
[2012/08/10 10:42:26.859341, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: nobody
[2012/08/10 10:42:26.862206, 3] passdb/pdb_ldap.c:5197(ldapsam_gid_to_sid)
  ERROR: Got 0 entries for gid 99, expected one
[2012/08/10 10:42:26.862492, 3] passdb/lookup_sid.c:1754(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for nobody
[2012/08/10 10:42:26.866774, 3] passdb/pdb_ldap.c:3039(ldapsam_enum_group_memberships)
  primary group of [nobody] not found

And indeed I had a user called 'nobody' with no corresponding group in the ldap
database. Removing that user fixed the issue.

- Orion
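Added example (not part of the original message): a small Python parser for level-3 smbd log output like that quoted above, which pairs each "Entry found for user" record with a following failed gid lookup to list accounts whose primary group is missing. The function names and the "alice" record are constructed for illustration, and it assumes the log comes from a single smbd process so records are not interleaved.

```python
import re

# smbd debug header: "[timestamp, level] file:line(function)"; the message is on the next line(s).
HEADER = re.compile(r"^\[[^,\]]+,\s*\d+\]\s+\S+?:\d+\((?P<func>\w+)\)")
USER = re.compile(r"Entry found for user: (\S+)")
GID_MISS = re.compile(r"Got 0 entries for gid (\d+)")
NO_PRIMARY = re.compile(r"primary group of \[([^\]]+)\] not found")

def records(text):
    """Yield (function, message) pairs, joining each header with its message lines."""
    func, msg = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if func is not None:
                yield func, " ".join(msg)
            func, msg = m.group("func"), []
        elif func is not None and line.strip():
            msg.append(line.strip())
    if func is not None:
        yield func, " ".join(msg)

def orphaned_primary_groups(text):
    """Map user -> set of gids that smbd could not resolve to a group."""
    findings, current = {}, None
    for _func, msg in records(text):
        if (m := USER.search(msg)):
            current = m.group(1)          # lookups that follow belong to this user
        elif (m := GID_MISS.search(msg)) and current:
            findings.setdefault(current, set()).add(int(m.group(1)))
        elif (m := NO_PRIMARY.search(msg)):
            findings.setdefault(m.group(1), set())
    return findings

# First record is constructed (a healthy user); the rest are the log lines quoted in the post.
SAMPLE = """\
[2012/08/10 10:42:26.100000,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: alice
[2012/08/10 10:42:26.859341,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: nobody
[2012/08/10 10:42:26.862206,  3] passdb/pdb_ldap.c:5197(ldapsam_gid_to_sid)
  ERROR: Got 0 entries for gid 99, expected one
[2012/08/10 10:42:26.862492,  3] passdb/lookup_sid.c:1754(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for nobody
[2012/08/10 10:42:26.866774,  3] passdb/pdb_ldap.c:3039(ldapsam_enum_group_memberships)
  primary group of [nobody] not found
"""

if __name__ == "__main__":
    print(orphaned_primary_groups(SAMPLE))
```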