[Samba] How can I confirm that idmap_ad is being used?
Kai Lanz
lanz at stanford.edu
Tue May 17 14:55:26 MDT 2011
Hi Daniel,
On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:
> Have a look at:
>
> log.winbindd-idmap
I've looked at that file; it's empty. (Not a single entry.) I run my
tests with "winbindd -n -d 10 -D".
> Also have a look at:
> https://bugzilla.samba.org/show_bug.cgi?id=6322
Now, this is interesting! The problem Edgar Holleis describes sounds
exactly like the one I am facing. See my
post to the Samba mailing list, "Winbindd can't convert between SIDs
and uid/gid". Edgar said:
> Winbind correctly resolves:
> User-Name->SID (wbinfo -n), Group-Name->SID (wbinfo -s)
> What doesn't work:
> SID->UID (wbinfo -S), UID->SID (wbinfo -U),
> SID->GID (wbinfo -Y), GID->UID (wbinfo -G)
(Except, "wbinfo -s" is SID->User-name, the reverse of "wbinfo -n",
not Group-Name->SID as Edgar wrote...)
That's the same pattern of success and failure I get in my wbinfo tests.
So, how does one go from Edgar's bug report, with 4 failing wbinfo
queries, to your comment, "wbinfo resolves
everything correctly"? I'm running samba-3.5.8 on OpenSolaris.
Following Michael Adam's example, I tried the following in my smb.conf:

    idmap backend = tdb
    idmap uid = 50000 - 99999
    idmap gid = 50000 - 99999

    idmap config SU : backend = ad
    idmap config SU : schema_mode = rfc2307
    idmap config SU : range = 10000 - 29999
    idmap config WIN : backend = ad
    idmap config WIN : schema_mode = rfc2307
    idmap config WIN : range = 30000 - 49999

Note the disjoint ranges for each domain. I still get the same
failures with wbinfo S, U, G, and Y. It seems I'm
still missing something, since our wbinfo doesn't "resolve everything
correctly". Is nsswitch.conf important,
perhaps? It doesn't seem to make any difference whether I add
"winbind" to the passwd and group lines or
not. Is that expected?
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Kai Lanz
> Sent: Tuesday, May 17, 2011 02:56
> To: samba at lists.samba.org
> Subject: [Samba] How can I confirm that idmap_ad is being used?
>
>
> How can I confirm that idmap_ad is being called?
>
> I've configured Samba with --with-shared-modules=idmap_ad, built and
> installed it; the file ad.so is now present in
> /usr/local/samba/lib/idmap/ as expected. I then added the following
> to smb.conf:
>
> idmap backend = tdb
> idmap uid = 65536 - 999999
> idmap gid = 65536 - 999999
>
> idmap config SU : backend = ad
> idmap config SU : schema_mode = rfc2307
> idmap config SU : range = 1 - 65535
> idmap config WIN : backend = ad
> idmap config WIN : schema_mode = rfc2307
> idmap config WIN : range = 1 - 65535
>
> Now I fire up winbindd with debug-level = 10, and issue some queries
> via wbinfo. Some requests work as expected, some fail, but when I
> look in log.winbindd I never see any reference to idmap.c or
> idmap_ad.c. I'd like to confirm that this module is being used.
>
> I went so far as to deliberately break the smb.conf by specifying
>
> idmap config SU range = 1 -
>
> which I expected to produce an error from idmap_ad_initialize(),
> "invalid filter range". But that message is never logged; instead I
> see only errors from winbindd_util.c, add_trusted_domain():
>
> [2011/05/16 16:57:11.442318, 1] winbindd/winbindd_util.c:204(add_trusted_domain)
>   invalid range syntax in idmap config SU: 1 -
>
> Have I missed out on some crucial bit of configuration that's
> required to enable idmap_ad?
>
> --
> Kai Lanz Stanford University School of Earth Sciences
>
--
Kai Lanz
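
Added example, not part of the original message and not Samba code: a small check run over the `idmap` range lines of the two smb.conf snippets quoted above. It flags malformed `range` values and ranges that overlap between domains or with the default `idmap uid`/`idmap gid` allocation. The function names are hypothetical, the broken line is constructed (written with the colon form), and flagging every overlap is an assumption that follows the message's note about disjoint ranges.

```python
import re
from itertools import combinations

# Matches "idmap uid|gid = A - B" and "idmap config DOM : range = A - B".
LINE = re.compile(
    r"^\s*idmap\s+(?:(uid|gid)|config\s+(\S+)\s*:\s*range)\s*=\s*(.*)$", re.I)
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_ranges(conf_text):
    """Return ({name: (low, high)}, [errors]) for the idmap range lines."""
    ranges, errors = {}, []
    for raw in conf_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # backend/schema_mode lines, comments, everything else
        name = f"default {m.group(1).lower()}" if m.group(1) else m.group(2)
        value = m.group(3).strip()
        r = RANGE.match(value)
        if not r or int(r.group(1)) > int(r.group(2)):
            errors.append(f"{name}: invalid range {value!r}")
            continue
        ranges[name] = (int(r.group(1)), int(r.group(2)))
    return ranges, errors

def overlaps(ranges):
    """Return name pairs whose ranges intersect (uid vs gid is not compared)."""
    found = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if {a, b} == {"default uid", "default gid"}:
            continue  # uids and gids are separate number spaces
        if alo <= bhi and blo <= ahi:
            found.append((a, b))
    return found

# The two configurations quoted in the message, plus a constructed broken line.
FIRST_CONF = """idmap uid = 65536 - 999999
idmap gid = 65536 - 999999
idmap config SU : range = 1 - 65535
idmap config WIN : range = 1 - 65535"""
SECOND_CONF = """idmap uid = 50000 - 99999
idmap gid = 50000 - 99999
idmap config SU : range = 10000 - 29999
idmap config WIN : range = 30000 - 49999"""
BROKEN_CONF = "idmap config SU : range = 1 -"  # constructed, colon form

if __name__ == "__main__":
    for label, conf in [("first", FIRST_CONF), ("second", SECOND_CONF), ("broken", BROKEN_CONF)]:
        ranges, errors = parse_ranges(conf)
        print(label, "errors:", errors, "overlaps:", overlaps(ranges))
```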