[Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

Heather Choi hceuterpe at gmail.com
Thu Jul 12 19:28:27 MDT 2012


I think you might be missing some stuff in the prior config you had.
The following works for me with Samba 3.6.6:

    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 1000-999999
    idmap config MYDOMAIN : base_rid = 0

You need the * entry in there because you need a range for defaults.  I 
only have a single domain (and yes it's not called "MYDOMAIN":-) ). For 
instance, I have log files named:
   log.wb-BUILTIN
   log.wb-MYDOMAIN
   log.wb-HOSTNAME

I do not have the winbind enum groups or users defined in my config 
file.  The default is no for both.  Also, winbind refused to function 
properly when I attempted setting  the backend for my domain as tdb.  
Everywhere I've read, rid is safe for multiple domains and multiple 
winbind enabled systems, so long as those ranges are consistent 
throughout your winbind systems' config settings, and they have 
completely separate ranges.  They must not overlap!

Sample output:

    [hchoi@HOSTNAME hchoi](30)# wbinfo -i hchoi
    hchoi:*:2601:1513::/home/hchoi:/bin/bash

    [hchoi@HOSTNAME hchoi](31)# id hchoi
    uid=2601(hchoi) gid=1513(domain users) groups=1513(domain users),...,1000001(BUILTIN\users)

    [hchoi@HOSTNAME hchoi](34)# wbinfo -i administrator
    administrator:*:1500:1513::/home/administrator:/bin/bash

    [hchoi@HOSTNAME hchoi](32)# id administrator
    uid=1500(administrator) gid=1513(domain users) groups=1513(domain users),1520(group policy creator owners),1512(domain admins),2106(organization management),1519(enterprise admins),1518(schema admins),1000001(BUILTIN\users),1000000(BUILTIN\administrators)

My remaining smb.conf:
[global]
     workgroup = MYDOMAIN
     realm = MYDOMAIN.NET
     server string = Linux Server
     security = ADS
     ntlm auth = No
     kerberos method = secrets and keytab
     log file = /var/log/samba/log.%m
     max log size = 1000
     max protocol = SMB2
     load printers = No
     printcap name = /dev/null
     disable spoolss = Yes
     wins server = 192.168.10.10, 192.168.10.11
     template homedir = /home/%U
     template shell = /bin/bash
     winbind use default domain = Yes
     winbind offline logon = Yes

[netlogon]
     comment = Network Logon Service
     path = /var/lib/samba/netlogon
     guest ok = Yes
...

krb5.conf:
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = MYDOMAIN.NET
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

[domain_realm]
  .mydomain.net = MYDOMAIN.NET
  mydomain.net = MYDOMAIN.NET


Hope this helps..

On 07/12/2012 01:06 PM, Kevin Elliott wrote:
> I read the bugreport that Dale linked and ended up using the workaround listed there.
>
> Changes made to '/etc/samba/smb.conf' follow:
>    @@ -28,9 +28,12 @@
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         panic action = /usr/share/samba/panic-action %d
>    -    idmap config CBJ_NT:backend = rid
>    -    idmap config CBJ_NT:base_rid = 0
>    -    idmap config CBJ_NT:range = 10000-65533
>    +    idmap config * : backend = rid
>    +    idmap config * : base_rid = 0
>    +    idmap config * : range = 10000-65533
>         idmap config LIBRARY:backend = rid
>         idmap config LIBRARY:base_rid = 0
>         idmap config LIBRARY:range = 65535-79999
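Review bot: the three '+' lines move the rid backend onto 'idmap config *', which makes rid the mapping for every domain without a section of its own rather than for CBJ_NT only, so with 'base_rid = 0' equal RIDs from different unconfigured domains can land on the same ID in 10000-65533. Consider keeping the explicit 'idmap config CBJ_NT' lines and adding a separate default instead, such as 'idmap config * : backend = tdb' with a range that overlaps neither 10000-65533 nor 65535-79999, as in the configuration at the top of this message. If the wildcard stays as a workaround, a comment above it naming the bug report would make it easier to revert, and the new lines use '* : ' spacing where the LIBRARY lines use 'LIBRARY:', which is worth making uniform.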
>
> Does anyone have any idea why not explicitly specifying the domain fixes this issue?
>
>
>
>
>> -----Original Message-----
>> From: Dale Schroeder [mailto:dale at BriannasSaladDressing.com]
>> Sent: Tuesday, July 10, 2012 11:18
>> To: Kevin Elliott
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 3.6.5, idmap configuration and
>> WBC_ERR_DOMAIN_NOT_FOUND
>>
>> On 07/10/2012 12:56 PM, Kevin Elliott wrote:
>>> Hello all,
>>>
>>> I recently upgraded from Samba 3.5.6 (the version contained in Debian
>>> Stable) to Samba 3.6.5 (the version from Debian Backports) in an effort
>>> to closer track the current development to try and chase some long
>>> standing bugs out.
>>> I think I've resolved one problem but introduced another. I'm getting
>>> the "WBC_ERR_DOMAIN_NOT_FOUND" when I try to perform a SID to UID lookup
>>> much like so:
>>> city-liza-lnx:/var/log/samba# wbinfo -t
>>> checking the trust secret for domain CBJ_NT via RPC calls succeeded
>>> city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
>>> S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
>>> city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
>>> CBJ_NT+kevin_elliott 1
>>> city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid
>>>
>>>
>>> This looks like it has all the markings of following bugreport:
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679
>>>
>>>
>>>
>>> Before I follow this upstream can someone sanity check my configs for
>>> me? I understand that much has changed between 3.5 and 3.6 regarding
>>> the idmapping.
>>>
>>> [global]
>>>           workgroup = CBJ_NT
>>>           realm = CBJ.LOCAL
>>>           netbios aliases = CITY-LIZA-L90, CITY-LIZA
>>>           server string = External FTP Server
>>>           interfaces = 199.58.55.87/22, lo
>>>           bind interfaces only = Yes
>>>           security = ADS
>>>           obey pam restrictions = Yes
>>>           passdb backend = tdbsam
>>>           password server = 199.58.55.25, 199.58.55.50
>>>           passwd program = /usr/bin/passwd %u
>>>           passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>>>           client NTLMv2 auth = Yes
>>>           log level = 10
>>>           log file = /var/log/samba/log.%m
>>>           max log size = 2500
>>>           printcap name = cups
>>>           os level = 5
>>>           local master = No
>>>           domain master = No
>>>           wins server = 199.58.55.25
>>>           ldap ssl = no
>>>           winbind enum users = Yes
>>>           winbind enum groups = Yes
>>>           panic action = /usr/share/samba/panic-action %d
>>>           idmap config CBJ_NT:backend = rid
>>>           idmap config CBJ_NT:base_rid = 0
>>>           idmap config CBJ_NT:range = 10000-65533
>>>           idmap config LIBRARY:backend = rid
>>>           idmap config LIBRARY:base_rid = 0
>>>           idmap config LIBRARY:range = 65535-79999
>>>           winbind separator = +
>>>           winbind use default domain = Yes
>>>
>>> [ftp]
>>>           comment = FTP directory
>>>           path = /var/ftp/pub/
>>>           valid users = "@CBJ_NT+domain users"
>>>           read only = No
>>>           create mask = 0775
>>>           directory mask = 0775
>>>           hide unreadable = Yes
>>>
>>>
>>>
>>> Thank you for your consideration.
>>>
>> Kevin,
>>
>> With idmap rid, it could also be this one:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=8676
>>
>> This bug has been in every version of 3.6.  For me, a reboot
>> of the system usually will fix the problem until the next
>> samba/winbind restart is required; others have not been so fortunate.
>>
>> Dale
>>
>>
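
The default-range and no-overlap rules from the message above, as an added example that is not part of the original thread or of Samba: a Python check that parses 'idmap config' lines, flags a missing '*' range or overlapping ranges, and applies the idmap_rid formula (ID = RID - base_rid + low end of range). The function names and the sample SID are assumptions made for illustration; RID 513 (Domain Users) maps to 1513, matching the gid in the sample output.

```python
import re
from itertools import combinations

# 'idmap config DOMAIN : option = value', with or without spaces around ':'
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(opts):
    lo, hi = (int(x) for x in opts["range"].split("-"))
    return lo, hi

def check(domains):
    """List problems: missing default (*) range, overlapping ranges."""
    problems = []
    if "range" not in domains.get("*", {}):
        problems.append("no default range: add 'idmap config * : range = ...'")
    ranged = [(d, id_range(o)) for d, o in domains.items() if "range" in o]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems

def rid_to_id(sid, opts):
    """idmap_rid formula: ID = RID - base_rid + low end; None if out of range."""
    lo, hi = id_range(opts)
    unix_id = int(sid.rsplit("-", 1)[1]) - int(opts.get("base_rid", 0)) + lo
    return unix_id if lo <= unix_id <= hi else None

# Constructed sample: the working idmap lines from this thread; the SID is made up.
WORKING = """
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 1000-999999
idmap config MYDOMAIN : base_rid = 0
"""

if __name__ == "__main__":
    conf = parse_idmap(WORKING)
    print(check(conf) or "ok", rid_to_id("S-1-5-21-1-2-3-513", conf["MYDOMAIN"]))
```

Run against the idmap lines of the original CBJ_NT/LIBRARY configuration, check() reports only the missing default range; those two ranges do not overlap.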



