[Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND
Heather Choi
hceuterpe at gmail.com
Thu Jul 12 19:28:27 MDT 2012
I think you might be missing some stuff in the prior config you had.
The following works for me with Samba 3.6.6 :
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 1000-999999
idmap config MYDOMAIN : base_rid = 0
You need the * entry in there because you need a range for defaults. I
only have a single domain (and yes it's not called "MYDOMAIN":-) ). For
instance, I have log files named:
log.wb-BUILTIN
log.wb-MYDOMAIN
log.wb-HOSTNAME
I do not have the winbind enum groups or users defined in my config
file. The default is no for both. Also, winbind refused to function
properly when I attempted setting the backend for my domain as tdb.
Everywhere I've read, rid is safe for multiple domains and multiple
winbind enabled systems, so long as those ranges are consistent
throughout your winbind systems' config settings, and they have
completely separate ranges. They must not overlap!
Sample output:
[hchoi at HOSTNAME hchoi](30)# wbinfo -i hchoi
hchoi:*:2601:1513::/home/hchoi:/bin/bash
[hchoi at HOSTNAME hchoi](31)# id hchoi
uid=2601(hchoi) gid=1513(domain users) groups=1513(domain
users),...,1000001(BUILTIN\users)
[hchoi at HOSTNAME hchoi](34)# wbinfo -i administrator
administrator:*:1500:1513::/home/administrator:/bin/bash
[hchoi at HOSTNAME hchoi](32)# id administrator
uid=1500(administrator) gid=1513(domain users) groups=1513(domain
users),1520(group policy creator owners),1512(domain
admins),2106(organization management),1519(enterprise
admins),1518(schema
admins),1000001(BUILTIN\users),1000000(BUILTIN\administrators)
My remaining smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.NET
server string = Linux Server
security = ADS
ntlm auth = No
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 1000
max protocol = SMB2
load printers = No
printcap name = /dev/null
disable spoolss = Yes
wins server = 192.168.10.10, 192.168.10.11
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind offline logon = Yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
...
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
Hope this helps..
On 07/12/2012 01:06 PM, Kevin Elliott wrote:
> I read the bugreport that Dale linked and ended up using the workaround listed there.
>
> Changes made to '/etc/samba/smb.conf' follow:
> @@ -28,9 +28,12 @@
> winbind enum users = Yes
> winbind enum groups = Yes
> panic action = /usr/share/samba/panic-action %d
> - idmap config CBJ_NT:backend = rid
> - idmap config CBJ_NT:base_rid = 0
> - idmap config CBJ_NT:range = 10000-65533
> + idmap config * : backend = rid
> + idmap config * : base_rid = 0
> + idmap config * : range = 10000-65533
> idmap config LIBRARY:backend = rid
> idmap config LIBRARY:base_rid = 0
> idmap config LIBRARY:range = 65535-79999
>
> Does anyone have any idea why not explictly specifying the domain fixes this issue?
>
>
>
>
>> -----Original Message-----
>> From: Dale Schroeder [mailto:dale at BriannasSaladDressing.com]
>> Sent: Tuesday, July 10, 2012 11:18
>> To: Kevin Elliott
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 3.6.5, idmap configuration and
>> WBC_ERR_DOMAIN_NOT_FOUND
>>
>> On 07/10/2012 12:56 PM, Kevin Elliott wrote:
>>> Hello all,
>>>
>>> I recently upgraded from Samba 3.5.6 (the version contained
>> in Debian Stable) to Samba 3.6.5 (the version from Debian
>> Backports) in an effort to closer track the current
>> development to try and chase some long standing bugs out.
>>> I think I've resolved one problem but introduced another.
>> I'm getting the "WBC_ERR_DOMAIN_NOT_FOUND" when I try to
>> perform a SID to UID lookup much like so:
>>> city-liza-lnx:/var/log/samba# wbinfo -t checking the trust
>> secret for
>>> domain CBJ_NT via RPC calls succeeded city-liza-lnx:/var/log/samba#
>>> wbinfo -n CBJ_NT+kevin_elliott
>>> S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
>>> city-liza-lnx:/var/log/samba# wbinfo -s
>>> S-1-5-21-505306839-1977890393-20515302-14949
>>> CBJ_NT+kevin_elliott 1
>>> city-liza-lnx:/var/log/samba# wbinfo -S
>>> S-1-5-21-505306839-1977890393-20515302-14949
>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could
>> not convert
>>> sid S-1-5-21-505306839-1977890393-20515302-14949 to uid
>>>
>>>
>>> This looks like it has all the markings of following bugreport:
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679
>>>
>>>
>>>
>>> Before I follow this upstream can someone sanity check my
>> configs for me? I understand that much has changed between
>> 3.5 and 3.6 regarding the idmaping.
>>>
>>> [global]
>>> workgroup = CBJ_NT
>>> realm = CBJ.LOCAL
>>> netbios aliases = CITY-LIZA-L90, CITY-LIZA
>>> server string = External FTP Server
>>> interfaces = 199.58.55.87/22, lo
>>> bind interfaces only = Yes
>>> security = ADS
>>> obey pam restrictions = Yes
>>> passdb backend = tdbsam
>>> password server = 199.58.55.25, 199.58.55.50
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
>> *Retype\snew\sUNIX\spassword:* %n\n .
>>> client NTLMv2 auth = Yes
>>> log level = 10
>>> log file = /var/log/samba/log.%m
>>> max log size = 2500
>>> printcap name = cups
>>> os level = 5
>>> local master = No
>>> domain master = No
>>> wins server = 199.58.55.25
>>> ldap ssl = no
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> panic action = /usr/share/samba/panic-action %d
>>> idmap config CBJ_NT:backend = rid
>>> idmap config CBJ_NT:base_rid = 0
>>> idmap config CBJ_NT:range = 10000-65533
>>> idmap config LIBRARY:backend = rid
>>> idmap config LIBRARY:base_rid = 0
>>> idmap config LIBRARY:range = 65535-79999
>>> winbind separator = +
>>> winbind use default domain = Yes
>>>
>>> [ftp]
>>> comment = FTP directory
>>> path = /var/ftp/pub/
>>> valid users = "@CBJ_NT+domain users"
>>> read only = No
>>> create mask = 0775
>>> directory mask = 0775
>>> hide unreadable = Yes
>>>
>>>
>>>
>>> Thank you for your consideration.
>>>
>> Kevin,
>>
>> With idmap rid, it could also be this one:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=8676
>>
>> This bug has been in every version of 3.6. For me, a reboot
>> of the system usually will fix the problem until the next
>> samba/winbind restart is required; others have not been so fortunate.
>>
>> Dale
>>
>>
More information about the samba
mailing list