[Samba] Using idmap_rid backend, cannot browse home directory from XP

Thu Apr 14 16:00:13 GMT 2005

On Thursday 14 April 2005 09:45, Scott E. Smith wrote:
> Samba version is 3.0.10 on Gentoo linux. I am trying
> to use idmap_rid backend in a Windows AD environment,
> the Linux PC acting only as a domain member. I am
> using idmap_rid because I need UID/GID predictability.
> I can log in to console correctly, and it shows the
> right user and the "Domain Users" as the group.
>
> When I use default winbind TDB, I can browse the home
> directory from an XP PC.
>
> When using idmap_rid, and I try to browse to a home
> directory from a Windows XP PC, the user/password
> dialog pops up. When I enter the DOMAIN\user +
> password, the box merely pops up again, and this is
> what I see in log.winbind on the Samba domain member:

You have set the UID and GID range to 100000 to 10000000.
This is the range that all RIDs must fit into. Below is a predictable failure 
to allocate a UID of hex 513 because it is out of range.

Does that make sense? Change the IDMAP UID and IDMAP GID ranges to start at 
1000 and it should work.

- John T.

>
> [2005/04/14 10:11:15, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [11340]: request interface version
> [2005/04/14 10:11:15, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
>   [11340]: request location of privileged pipe
> [2005/04/14 10:11:15, 3]
> nsswitch/winbindd_misc.c:winbindd_ping(238)
>   [11340]: ping
> [2005/04/14 10:11:15, 3]
> nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(465)
>   [11340]: pam auth crap domain: DOMAIN1 user: ssmith
> [2005/04/14 10:11:15, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [11340]: request interface version
> [2005/04/14 10:11:15, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
>   [11340]: request location of privileged pipe
> [2005/04/14 10:11:15, 3]
> nsswitch/winbindd_user.c:winbindd_getpwnam(126)
>   [11340]: getpwnam domain1\ssmith
> [2005/04/14 10:11:15, 3]
> lib/charcnv.c:convert_string_allocate(576)
> ) convert_string_allocate: Conversion error: Illegal
> multibyte sequence(µ
> [2005/04/14 10:11:15, 3]
> nsswitch/winbindd_group.c:winbindd_getgroups(1003)
>   [11340]: getgroups DOMAIN1\ssmith
> [2005/04/14 10:11:15, 0]
> sam/idmap_rid.c:rid_idmap_get_id_from_sid(461)
>   rid_idmap_get_id_from_sid: no suitable range
> available for sid:
> S-1-5-21-1844237615-1644491937-725345543-513
>
>
> When I execute 'id', the following is logged in
> log.winbind:
>
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [11343]: request interface version
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
>   [11343]: request location of privileged pipe
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_user.c:winbindd_getpwuid(225)
>   [11343]: getpwuid 112830
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_ads.c:sequence_number(792)
>   ads: fetch sequence_number for DOMAIN1
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(576)
> ) convert_string_allocate: Conversion error: Illegal
> multibyte sequence(µ
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_user.c:winbindd_getpwuid(225)
>   [11343]: getpwuid 112830
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
>   sid_to_name [rpc]
> S-1-5-21-725345543-1677128483-839522115-12830 for
> domain DOMAIN1
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_group.c:winbindd_getgrgid(348)
>   [11343]: getgrgid 100513
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;`&#9618;`&#9618;`&#9618;{&#9618;&#9472;&#9618;`&#9618;&#947
>2;&#9618;) [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;`&#9618;`&#9618;{&#9618;&#9472;&#9618;`&#9618;&#9472;&#9618
>;) [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;`&#9618;{&#9618;&#9472;&#9618;`&#9618;&#9472;&#9618;)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;{&#9618;&#9472;&#9618;`&#9618;&#9472;&#9618;)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;&#9472;&#9618;`&#9618;&#9472;&#9618;)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(&#9618;&#9472;&#9618;)
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_ads.c:query_user(391)
>   ads: query_user
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_group.c:winbindd_getgrgid(348)
>   [11343]: getgrgid 100513
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;`&#9618;`&#9618;`&#9618;{&#9618;&#9472;&#9618;`&#9618;&#947
>2;&#9618;) [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;`&#9618;`&#9618;{&#9618;&#9472;&#9618;`&#9618;&#9472;&#9618
>;) [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;`&#9618;{&#9618;&#9472;&#9618;`&#9618;&#9472;&#9618;)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;{&#9618;&#9472;&#9618;`&#9618;&#9472;&#9618;)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte
> sequence(&#9618;&#9472;&#9618;`&#9618;&#9472;&#9618;)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(&#9618;&#9472;&#9618;)
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_ads.c:query_user(437)
>   ads query_user gave ssmith
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_group.c:winbindd_getgrgid(348)
>   [11343]: getgrgid 100513
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
>   sid_to_name [rpc]
> S-1-5-21-725345543-1677128483-839522115-513 for domain
> DOMAIN1
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(&#9565;lXl&#9565;l)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(&#9565;l)
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_ads.c:dn_lookup(339)
>   ads: dn_lookup
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_ads.c:lookup_groupmem(777)
>   ads lookup_groupmem for
> sid=S-1-5-21-725345543-1677128483-839522115-513
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(Éá)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(á)
> [2005/04/14 10:15:46, 3]
> nsswitch/winbindd_group.c:winbindd_getgrgid(348)
>   [11343]: getgrgid 100513
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(&#9565;lXl&#9565;l)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(&#9565;l)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(Éá)
> [2005/04/14 10:15:46, 3]
> lib/charcnv.c:convert_string_allocate(567)
>   convert_string_allocate: Conversion error:
> Incomplete multibyte sequence(á)
>
>
> /etc/samba/smb.conf contains:
>
> [global]
>    workgroup = DOMAIN1
>    server string =
>    realm = DOMAIN1.COM
>    log file = /var/log/samba3/log.%m
>    max log size = 50
>    log level = 3
>    map to guest = never
>    security = ADS
>    allow trusted domains = no
>    password server = *
>    encrypt passwords = yes
>    smb passwd file = /etc/samba/private/smbpasswd
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind nested groups = yes
>    template homedir = /export/home/%D/%U
>    template shell = /bin/bash
>    socket options = TCP_NODELAY SO_RCVBUF=16384
> SO_SNDBUF=16384
>    preferred master = no
>    idmap uid = 100000-10000000
>    idmap gid = 100000-10000000
>    idmap backend = idmap_rid:DOMAIN1=100000-10000000
>    wins server = 10.1.129.25
>    dns proxy = no
> [homes]
>    comment = Home Directories
>    browseable = no
>    writable = yes
>
>
> Thanks in advance for any help!
>
> /Scott

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.