[Samba] idmap_nss: Default domain not being used
Patrick Rynhart
prynhart at gmail.com
Tue Jan 1 01:02:12 GMT 2008
I have an existing PDC which I am attempting to move across to a new
server. On the new server, I'm having trouble with idmap (using an LDAP
backend) and trusted domains. The smb.conf file is the same on both
servers. My idmap & winbind parameters are as follows:
ldap idmap suffix = ou=idmap
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-29000
idmap gid = 10000-29000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
On the new box, 'wbinfo -t' succeeds and I can list users and groups on
the foreign domain using 'wbinfo -u' and 'wbinfo -g'. 'net rpc trustdom
list' lists the trusted domain.
Comparing the winbind debug logs of the existing and new PDC, I have
discovered that the crucial difference appears to be the following line
(which is missing on the new PDC):
"SID S-1-5-21-15318837-110984162-118601546-6958 is being handled by
default domain"
On the new server I get:
------------------------
[ 3008]: lookupsid S-1-5-21-15318837-110984162-118601546-6958
refresh_sequence_number: IIST time ok
refresh_sequence_number: IIST seq number is now 60700
centry_expired: Key U/S-1-5-21-15318837-110984162-118601546-6958 for
domain IIST is good.
wcache_fetch: returning entry
U/S-1-5-21-15318837-110984162-118601546-6958 for domain IIST
query_user: [Cached] - cached info for domain IIST status: NT_STATUS_OK
Storing response for pid 3030, len 3240
Destroying timed event 99b8b28 "async_request_timeout"
Retrieving response for pid 3030
timed_events_timeout: 215/946559
Added timed event "async_request_timeout": 99b8b28
timed_events_timeout: 215/946536
child daemon request 48
process_request: request fn DUAL_SID2UID
[ 3008]: sid to uid S-1-5-21-15318837-110984162-118601546-6958
idmap_sid_to_uid: sid = [S-1-5-21-15318837-110984162-118601546-6958]
Query backends to map sids->ids
Could not find idmap backend for SID
S-1-5-21-15318837-110984162-118601546-6958Adding cache entry with key =
IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958; value =
1198915597/IDMAP/NEGATIVE and timeout = Sat Dec 29 21:06:37 2007
(120 seconds ahead)
sid [S-1-5-21-15318837-110984162-118601546-6958] not mapped to an uid
[2,1,2683630]
Storing response for pid 3021, len 3240
Destroying timed event 99b8b28 "async_request_timeout"
Retrieving response for pid 3021
sid2uid returned an error
Could not query uid for user IIST\prynhart
On the existing (working) server I get:
---------------------------------------
idmap_sid_to_uid: sid = [S-1-5-21-15318837-110984162-118601546-6958]
Cache entry with key =
IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958 couldn't be found
Query backends to map sids->ids
SID S-1-5-21-15318837-110984162-118601546-6958 is being handled by
default domain
Query ids from domain default domain
Filter:
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-15318837-110984162-118601546-6958))]
smbldap_search_ext: base => [ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz],
filter =>
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-15318837-110984162-118601546-6958))],
scope => [2]
NO SIDs found
Search of the id pool (filter: (objectClass=sambaUnixIdPool))
smbldap_search_ext: base => [ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz],
filter => [(objectClass=sambaUnixIdPool)], scope => [2]
Try to atomically increment the id (10734 -> 10735)
smbldap_modify: dn => [ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz]
Setting mapping: S-1-5-21-15318837-110984162-118601546-6958 <-> UID 10734
smbldap_make_mod: adding attribute |uidNumber| value |10734|
smbldap_make_mod: adding attribute |sambaSID| value
|S-1-5-21-15318837-110984162-118601546-6958|
Set DN
sambaSID=S-1-5-21-15318837-110984162-118601546-6958,ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz
(S-1-5-21-15318837-110984162-118601546-6958 -> 10734)
smbldap_add: dn =>
[sambaSID=S-1-5-21-15318837-110984162-118601546-6958,ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz]
ldap_set_mapping: Successfully created mapping from
S-1-5-21-15318837-110984162-118601546-6958 to 10734 [uidNumber]
Adding cache entry with key =
IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958; value =
1199090322/IDMAP/UID/10734 and timeout = Mon Dec 31 21:38:42 2007
(900 seconds ahead)
And the authentication succeeds.
net getlocalsid gives the correct SID on the new server.
Could anyone please advise/assist?
Thank you,
Patrick
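As an added example (not part of the post above), the following Python script pulls the three decisive winbindd log lines out of a debug log for one SID, so the two servers can be compared mechanically rather than by eye: whether the "default domain" claimed the SID, whether every backend declined it ("Could not find idmap backend"), and what was written to the IDMAP cache (a NEGATIVE entry versus a UID/GID mapping and its TTL). The log text embedded below is constructed to match the shape of the output quoted in the post; the regexes and the function names are this example's own.

```python
import re
from typing import Dict

# Constructed sample lines, shaped like the winbindd debug output quoted in the post:
# the new server (no backend claims the SID, a NEGATIVE entry is cached) and the
# old server (the default domain claims it and allocates uid 10734 from the LDAP pool).
NEW_SERVER_LOG = """\
idmap_sid_to_uid: sid = [S-1-5-21-15318837-110984162-118601546-6958]
Query backends to map sids->ids
Could not find idmap backend for SID S-1-5-21-15318837-110984162-118601546-6958
Adding cache entry with key = IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958; value = 1198915597/IDMAP/NEGATIVE and timeout = Sat Dec 29 21:06:37 2007 (120 seconds ahead)
sid [S-1-5-21-15318837-110984162-118601546-6958] not mapped to an uid
"""
OLD_SERVER_LOG = """\
idmap_sid_to_uid: sid = [S-1-5-21-15318837-110984162-118601546-6958]
Query backends to map sids->ids
SID S-1-5-21-15318837-110984162-118601546-6958 is being handled by default domain
ldap_set_mapping: Successfully created mapping from S-1-5-21-15318837-110984162-118601546-6958 to 10734 [uidNumber]
Adding cache entry with key = IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958; value = 1199090322/IDMAP/UID/10734 and timeout = Mon Dec 31 21:38:42 2007 (900 seconds ahead)
"""

SID = r"S-1-5-21-\d+-\d+-\d+-\d+"
DEFAULT_DOMAIN_RE = re.compile(rf"SID (?P<sid>{SID}) is being handled by default domain")
NO_BACKEND_RE = re.compile(rf"Could not find idmap backend for SID\s*(?P<sid>{SID})")
CACHE_RE = re.compile(
    rf"IDMAP/SID/(?P<sid>{SID}); value = \d+/IDMAP/(?P<val>NEGATIVE|UID/\d+|GID/\d+)"
    r" and timeout = .*\((?P<ttl>\d+) seconds ahead\)"
)

def diagnose_sid(log: str, sid: str) -> Dict[str, object]:
    """Summarise what winbindd did with one SID: did the default domain claim it,
    did every backend decline it, and what (if anything) went into the idmap cache."""
    result: Dict[str, object] = {"default_domain": False, "no_backend": False,
                                 "cached": None, "ttl": None, "uid": None}
    for line in log.splitlines():
        if (m := DEFAULT_DOMAIN_RE.search(line)) and m["sid"] == sid:
            result["default_domain"] = True
        elif (m := NO_BACKEND_RE.search(line)) and m["sid"] == sid:
            result["no_backend"] = True
        elif (m := CACHE_RE.search(line)) and m["sid"] == sid:
            result["cached"], result["ttl"] = m["val"], int(m["ttl"])
            if m["val"].startswith("UID/"):
                result["uid"] = int(m["val"][4:])
    return result

def explain(result: Dict[str, object]) -> str:
    """One-line verdict that is easy to compare between two servers' logs."""
    if result["no_backend"] and result["cached"] == "NEGATIVE":
        return f"no idmap backend claimed the SID; NEGATIVE cached for {result['ttl']}s"
    if result["default_domain"] and result["uid"] is not None:
        return f"default domain allocated uid {result['uid']}"
    return "no idmap decision found for this SID"
```

A NEGATIVE entry is held for the cache timeout shown in the log (120 seconds here), so after changing idmap configuration, flush the winbindd cache or wait that long before re-testing, or the old verdict will be served from cache.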