[Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

Javier Conti javier.conti at gmail.com
Mon May 14 09:48:09 MDT 2012


Dear list,

upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
to 3.6.3. I was successfully using idmap_ad to authenticate users but
after the upgrade it stopped working and users are not seen by the OS.
Obviously the users I want to see on the Linux server have all RFC2307
attributes populated and are seen by all other SLES11 SP1 servers.

I checked everything (I know) from the Samba point of view, and it almost
seems ok, but "wbinfo -i" fails as follows:

  # wbinfo -i myuser
  failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
  Could not get info for user myuser

Using the same user, for example, I can do:

  # wbinfo -n myuser
  S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
  # wbinfo -n "Domain Users"
  S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)

  # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
  MYDOMAIN\myuser 1
  # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
  MYDOMAIN\Domain Users

  # net -Uadminuser user info myuser |head
  Enter adminuser's password:
  domain users
  [...]
  # net -Uadminuser ads user  |grep myuser
  Enter adminuser's password:
  myuser

Obviously, id(1) and getent(1) fail. What I get is:

[2012/05/14 16:50:47.958484,  6] winbindd/winbindd.c:792(new_connection)
  accepted socket 25
[2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
  process_request: request fn INTERFACE_VERSION
[2012/05/14 16:50:47.958644,  3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 5756]: request interface version
[2012/05/14 16:50:47.958705, 10] winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:INTERFACE_VERSION]: delivered response to client
[2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/05/14 16:50:47.958808,  3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 5756]: request location of privileged pipe
[2012/05/14 16:50:47.958870, 10] winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2012/05/14 16:50:47.958939,  6] winbindd/winbindd.c:792(new_connection)
  accepted socket 26
[2012/05/14 16:50:47.958995,  6] winbindd/winbindd.c:840(winbind_client_request_read)
  closing socket 25, client exited
[2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
  process_request: Handling async request 5756:GETPWNAM
[2012/05/14 16:50:47.959097,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam myuser
[2012/05/14 16:50:47.959135,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          in: struct wbint_LookupName
              domain                   : *
                  domain                   : 'MYDOMAIN'
              name                     : *
                  name                     : 'MYUSER'
              flags                    : 0x00000008 (8)
[2012/05/14 16:50:47.959276,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          out: struct wbint_LookupName
              type                     : *
                  type                     : SID_NAME_USER (1)
              sid                      : *
                  sid                      : S-1-5-21-828208052-1092558876-1846952604-22794
              result                   : NT_STATUS_OK
[2012/05/14 16:50:47.959404,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_QueryUser: struct wbint_QueryUser
          in: struct wbint_QueryUser
              sid                      : *
                  sid                      : S-1-5-21-828208052-1092558876-1846952604-22794
[2012/05/14 16:50:47.959499,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_QueryUser: struct wbint_QueryUser
          out: struct wbint_QueryUser
              info                     : *
                  info: struct wbint_userinfo
                      acct_name                : *
                          acct_name                : 'myuser'
                      full_name                : *
                          full_name                : 'Lastname Firstname'
                      homedir                  : *
                          homedir                  : '/home/myuser'
                      shell                    : *
                          shell                    : '/bin/bash'
                      primary_gid              : 0x0000000000002710 (10000)
                      user_sid                 : S-1-5-21-828208052-1092558876-1846952604-22794
                      group_sid                : S-1-5-21-828208052-1092558876-1846952604-513
              result                   : NT_STATUS_OK
[2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 10106
[2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found -1
[2012/05/14 16:50:47.959763,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
[2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
  wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
[2012/05/14 16:50:47.959843, 10] winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:GETPWNAM]: delivered response to client
[2012/05/14 16:50:47.959937,  6] winbindd/winbindd.c:840(winbind_client_request_read)
  closing socket 26, client exited

Although I tried many changes to the config, according to some hints found
on the web, this is what I was using with Samba 3.4.3:

  [global]
    workgroup = MYDOMAIN
    realm = MYREALM
    security = ADS

    log level = 10

    passdb backend = tdbsam
    idmap backend = idmap_ad
    idmap uid = 64000 - 64999
    idmap gid = 64000 - 64999

    idmap config MYDOMAIN : default = yes
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 1000-50000
    idmap config MYDOMAIN : schema_mode = rfc2307

    winbind use default domain = yes
    winbind nss info = rfc2307
    winbind offline logon = yes
    winbind refresh tickets = yes

    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    template homedir = /home/%D/%U
    template shell = /bin/bash

    kerberos method         = secrets and keytab
    dedicated keytab file   = /etc/krb5.keytab

Any hints on what has changed with Samba 3.6.3 and/or what to
change to adapt the configuration to 3.6.3 (if necessary)?

Thanks, Javier
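
Added example, not part of the original post: a small parser for the winbindd debug log format shown above that rejoins mail-wrapped records and reports, for each getpwnam request that failed, which idmap cache lookup (sid2uid or sid2gid) returned -1. The function names and the reading of -1 as "no mapping" are assumptions made for this illustration.

```python
import re

# Constructed sample: GETPWNAM records from the post's log, mail-wrapped as posted.
SAMPLE_LOG = """\
[2012/05/14 16:50:47.959097,  3]
winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam myuser
[2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 10106
[2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found -1
[2012/05/14 16:50:47.959763,  5]
winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid
S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
"""

HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s*\d+\]\s*(.*)$")

def records(text):
    """Yield (location, message) per record, rejoining wrapped lines."""
    loc, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if loc is not None:
                yield loc, " ".join(body)
            loc, body = m.group(1), []
        elif loc == "":  # header was wrapped: location is on this line
            loc = line.strip()
        elif loc is not None:
            body.append(line.strip())
    if loc is not None:
        yield loc, " ".join(body)

def failed_lookups(text):
    """Return one dict per getpwnam request that ended with an unmapped SID."""
    out, cur = [], {}
    for _loc, msg in records(text):
        if m := re.match(r"getpwnam (\S+)", msg):
            cur = {"user": m.group(1)}
        elif m := re.search(r"idmap_cache_find_sid2(uid|gid) found (-?\d+)", msg):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"Could not convert sid (\S+): (\w+)", msg):
            cur.update(sid=m.group(1), status=m.group(2))
            # Assumption: a cached value of -1 means "no mapping", as in the log above.
            cur["unmapped"] = [k for k in ("uid", "gid") if cur.get(k) == -1]
            out.append(cur)
            cur = {}
    return out
```

On the sample, `failed_lookups(SAMPLE_LOG)` returns a single entry for `myuser` with `uid` 10106, `gid` -1 and `unmapped` set to `["gid"]`.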

