[Samba] idmap_nss: Default domain not being used

Patrick Rynhart prynhart at gmail.com
Tue Jan 1 01:02:12 GMT 2008


I have an existing PDC which I am attempting to move across to a new
server.  On the new server, I'm having trouble with idmap (using an LDAP
backend) and trusted domains.  The smb.conf file is the same on both
servers.  My idmap & winbind parameters are as follows:

ldap idmap suffix = ou=idmap
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-29000
idmap gid = 10000-29000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

On the new box, 'wbinfo -t' succeeds and I can list users and groups on
the foreign domain using 'wbinfo -u' and 'wbinfo -g'.  'net rpc trustdom
list' lists the trusted domain.

Comparing the winbind debug logs of the existing and new PDC, I have
discovered that the crucial difference appears to be the following line
(which is missing on the new PDC):

"SID S-1-5-21-15318837-110984162-118601546-6958 is being handled by
default domain"

On the new server I get:
------------------------

[ 3008]: lookupsid S-1-5-21-15318837-110984162-118601546-6958
refresh_sequence_number: IIST time ok
refresh_sequence_number: IIST seq number is now 60700
centry_expired: Key U/S-1-5-21-15318837-110984162-118601546-6958 for
domain IIST is good.
wcache_fetch: returning entry
U/S-1-5-21-15318837-110984162-118601546-6958 for domain IIST
query_user: [Cached] - cached info for domain IIST status: NT_STATUS_OK
Storing response for pid 3030, len 3240
Destroying timed event 99b8b28 "async_request_timeout"
Retrieving response for pid 3030
timed_events_timeout: 215/946559
Added timed event "async_request_timeout": 99b8b28
timed_events_timeout: 215/946536
child daemon request 48
process_request: request fn DUAL_SID2UID
[ 3008]: sid to uid S-1-5-21-15318837-110984162-118601546-6958
idmap_sid_to_uid: sid = [S-1-5-21-15318837-110984162-118601546-6958]
Query backends to map sids->ids
Could not find idmap backend for SID
S-1-5-21-15318837-110984162-118601546-6958Adding cache entry with key =
IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958; value =
1198915597/IDMAP/NEGATIVE and timeout = Sat Dec 29 21:06:37 2007
 (120 seconds ahead)
sid [S-1-5-21-15318837-110984162-118601546-6958] not mapped to an uid
[2,1,2683630]
Storing response for pid 3021, len 3240
Destroying timed event 99b8b28 "async_request_timeout"
Retrieving response for pid 3021
sid2uid returned an error
Could not query uid for user IIST\prynhart

On the existing (working) server I get:
---------------------------------------

idmap_sid_to_uid: sid = [S-1-5-21-15318837-110984162-118601546-6958]
Cache entry with key =
IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958 couldn't be found
Query backends to map sids->ids
SID S-1-5-21-15318837-110984162-118601546-6958 is being handled by
default domain
Query ids from domain default domain
Filter:
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-15318837-110984162-118601546-6958))]
smbldap_search_ext: base => [ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz],
filter =>
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-15318837-110984162-118601546-6958))],
scope => [2]
NO SIDs found
Search of the id pool (filter: (objectClass=sambaUnixIdPool))
smbldap_search_ext: base => [ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz],
filter => [(objectClass=sambaUnixIdPool)], scope => [2]
Try to atomically increment the id (10734 -> 10735)
smbldap_modify: dn => [ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz]
Setting mapping: S-1-5-21-15318837-110984162-118601546-6958 <-> UID 10734
smbldap_make_mod: adding attribute |uidNumber| value |10734|
smbldap_make_mod: adding attribute |sambaSID| value
|S-1-5-21-15318837-110984162-118601546-6958|
Set DN
sambaSID=S-1-5-21-15318837-110984162-118601546-6958,ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz
(S-1-5-21-15318837-110984162-118601546-6958 -> 10734)
smbldap_add: dn =>
[sambaSID=S-1-5-21-15318837-110984162-118601546-6958,ou=idmap,dc=ist,dc=massey,dc=ac,dc=nz]
ldap_set_mapping: Successfully created mapping from
S-1-5-21-15318837-110984162-118601546-6958 to 10734 [uidNumber]
Adding cache entry with key =
IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958; value =
1199090322/IDMAP/UID/10734 and timeout = Mon Dec 31 21:38:42 2007
 (900 seconds ahead)

And the authentication succeeds.

net getlocalsid gives the correct SID on the new server.

Could anyone please advise/assist?

Thank you,

Patrick
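The two log excerpts above diverge right after "Query backends to map sids->ids": the working PDC reports the SID as handled by the default domain and allocates a UID from the LDAP id pool, while the new PDC finds no backend willing to claim the SID and stores a negative cache entry that suppresses retries for its timeout window. The following script is an added example (not code from the post or from Samba) that turns that comparison into a repeatable check: it parses the `idmap uid`/`idmap gid` ranges from smb.conf text, classifies a winbind debug excerpt by which of those two paths it took, and verifies that any allocated UID falls inside the configured range. The log and config samples are constructed from the lines quoted in the post (wrapped lines re-joined); the function names and the exact message strings being matched are assumptions based on the post's output.

```python
import re

# Constructed sample: the idmap parameters quoted from the post's smb.conf.
SMB_CONF = """\
ldap idmap suffix = ou=idmap
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-29000
idmap gid = 10000-29000
winbind use default domain = yes
"""

# Constructed excerpts modelled on the two winbind debug logs in the post
# (lines wrapped in the post have been re-joined onto single lines).
LOG_NEW_SERVER = """\
idmap_sid_to_uid: sid = [S-1-5-21-15318837-110984162-118601546-6958]
Query backends to map sids->ids
Could not find idmap backend for SID S-1-5-21-15318837-110984162-118601546-6958
Adding cache entry with key = IDMAP/SID/S-1-5-21-15318837-110984162-118601546-6958; value = 1198915597/IDMAP/NEGATIVE and timeout = Sat Dec 29 21:06:37 2007
sid [S-1-5-21-15318837-110984162-118601546-6958] not mapped to an uid
"""

LOG_OLD_SERVER = """\
idmap_sid_to_uid: sid = [S-1-5-21-15318837-110984162-118601546-6958]
Query backends to map sids->ids
SID S-1-5-21-15318837-110984162-118601546-6958 is being handled by default domain
Setting mapping: S-1-5-21-15318837-110984162-118601546-6958 <-> UID 10734
ldap_set_mapping: Successfully created mapping from S-1-5-21-15318837-110984162-118601546-6958 to 10734 [uidNumber]
"""

# Message patterns are assumptions taken from the output quoted in the post.
RANGE_RE = re.compile(r"^\s*idmap (uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.M)
LOOKUP_RE = re.compile(r"idmap_sid_to_uid: sid = \[(S-1-[\d-]+)\]")
MAPPING_RE = re.compile(r"Setting mapping: (S-1-[\d-]+) <-> UID (\d+)")


def parse_idmap_ranges(conf: str) -> dict:
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} parsed from smb.conf text."""
    return {kind: (int(lo), int(hi)) for kind, lo, hi in RANGE_RE.findall(conf)}


def ldap_idmap_filter(sid: str) -> str:
    """The LDAP search filter the working server issues to look up one SID."""
    return f"(&(objectClass=sambaIdmapEntry)(sambaSID={sid}))"


def analyze_sid_resolution(log: str) -> dict:
    """Classify a single sid->uid attempt from a winbind debug log excerpt."""
    lookup = LOOKUP_RE.search(log)
    mapping = MAPPING_RE.search(log)
    return {
        "sid": lookup.group(1) if lookup else None,
        "handled_by_default_domain": "is being handled by default domain" in log,
        "backend_missing": "Could not find idmap backend for SID" in log,
        "negative_cache": "/IDMAP/NEGATIVE" in log,
        "uid": int(mapping.group(2)) if mapping else None,
    }


def diagnose(conf: str, log: str) -> list:
    """Combine the configured ranges with the log outcome into findings."""
    ranges = parse_idmap_ranges(conf)
    result = analyze_sid_resolution(log)
    findings = []
    if result["backend_missing"]:
        msg = f"no idmap backend claimed {result['sid']}"
        if result["negative_cache"]:
            msg += "; a negative cache entry will suppress retries until it expires"
        findings.append(msg)
    if result["uid"] is not None:
        lo, hi = ranges["uid"]
        where = "inside" if lo <= result["uid"] <= hi else "OUTSIDE"
        findings.append(
            f"{result['sid']} mapped to UID {result['uid']} {where} idmap uid {lo}-{hi}"
        )
    return findings


if __name__ == "__main__":
    for label, log in (("new server", LOG_NEW_SERVER), ("existing server", LOG_OLD_SERVER)):
        print(f"== {label} ==")
        for line in diagnose(SMB_CONF, log):
            print("  ", line)
```

Running it against a real `log.winbindd` capture means replacing the constructed excerpts with the relevant lines; the range check is the part worth keeping in a deployment checklist, since a UID allocated outside `idmap uid` would indicate the wrong backend or pool answered the request.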


