[Samba] Samba 3.5.5. id-map issues with Active Directory
Haven
haven at thehavennet.org.uk
Tue Oct 12 09:03:14 MDT 2010
Hi Andrew,
On 10/12/10 08:26, Andrew Lyon wrote:
> I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
> working in rfc2307 mode: wbinfo -u and -g return users and groups, but
> wbinfo -i <user> fails. Another test I tried is:
>
> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
> sAMAccountName uidNumber gidNumber -P
>
> Which shows that I have 3 users and 2 groups which have rfc2307
> attributes, however mapping is not working, files owned by the mapped
> uid/gid do not show the username or group when listed, and users are
> unable to authenticate to the samba server.
>
> I've noticed some errors in the winbindd log:
>
> [2010/10/12 08:24:53.276576, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 8296]: request interface version
> [2010/10/12 08:24:53.276748, 3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
> [ 8296]: request location of privileged pipe
> [2010/10/12 08:24:53.276975, 3]
> winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
> list_users
> [2010/10/12 08:24:56.764312, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 8381]: request interface version
> [2010/10/12 08:24:56.764473, 3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
> [ 8381]: request location of privileged pipe
> [2010/10/12 08:24:56.794828, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam test
> [2010/10/12 08:24:56.927925, 3]
> libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
> ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
> [2010/10/12 08:24:56.927999, 2]
> winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
> ad_idmap_cached_connection: Failed to obtain schema details!
Your errors look different but the symptoms are the same. I've
found another person with the same issue; the link below explains the
exact problem I have:
http://www.spinics.net/lists/samba/msg92328.html
A snippet from one of my logs shows the issue:
> [2010/10/12 12:54:42.931329, 5]
> winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
> Could not convert sid
> S-1-5-21-4140011924-985775245-1159988818-1608: NT_STATUS_NONE_MAPPED
> [2010/10/12 12:54:42.931436, 10]
> winbindd/winbindd.c:655(wb_request_done)
> wb_request_done[25718:GETPWNAM]: NT_STATUS_NONE_MAPPED
If I "wbinfo -S S-1-5-21-4140011924-985775245-1159988818-1608" then
I get the right UID returned.
When I type "id" I get "No such user"
wbinfo -u and -g show all my users and groups fine.
I've found an odd hack that gets me up and running for a short while,
but I'm not entirely sure why it's working; I've described it below.
> > Old broken:
> >
> > idmap backend = ad
> > winbind nss info = rfc2307
> >
> > New working:
> >
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> >
> Doesn't that change work around the problem by disabling idmap
> altogether? It may work, but the mappings will not be consistent if you
> have multiple samba servers.
If I replace my standard smb.conf with the changes above and then
"net ads join" and restart winbind I can get an id for any of my
users. I only need to do this for one user.
Then I switch back to the original "idmap backend = ad" smb.conf and
restart winbind again.
At this point all my user IDs work once again, with the exception of
the test user that I used, which now has an invalidly cached uid.
If I "net cache flush" then this breaks the id mapping once again.
So basically something is screwy and somehow cache files are
involved. I'm pretty sure it's /var/run/samba/gencache* that is
storing this data, but that could be a symptom and not the cause.
I've not had a chance to start decoding the cache files and examining
their contents yet.
An alternative option that I've tried is to switch to an rid backend
across all of our systems. This is obviously going to take some
more verification and planning before going into effect, but I've
included my test rid config below in case it is of use to you. The
few test cases I've run so far gave good results.
If you manage to get any further then let me know as curiosity has
long since moved onto frustration :)
> [global]
> dos charset = 850
> workgroup = DOMAIN
> realm = DOMAIN.NET
> server string = Samba Server Version %v
> security = ADS
> password server = 192.168.1.2, 192.168.1.3, *
> client NTLMv2 auth = Yes
> kerberos method = system keytab
> log level = 10
> debug timestamp = No
> disable netbios = Yes
> name resolve order = host lmhosts
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = No
> domain master = No
> dns proxy = No
> idmap uid = 9000-9999
> idmap gid = 9000-9999
> template homedir = /home/%U
> template shell = /bin/bash
> winbind separator = +
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
>
> idmap config DOMAIN : default = yes
> idmap config DOMAIN : schema_mode = rfc2307
> #idmap config DOMAIN : backend = ad
> #idmap config DOMAIN : range = 10000-20000
>
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000 - 20000
>
> hosts allow = 127.0.0.1, 192.168.1.0/24
> hosts deny = 0.0.0.0/0
Regards
Simon
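The point Andrew raises about consistency, and the rid backend Simon is evaluating, both come down to how a SID is turned into a uid/gid. The following is an added example, not code from the thread or from Samba: it models the deterministic idmap_rid rule documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID), contrasts it with a simplified model of the old allocating "idmap uid = LOW-HIGH" behaviour that hands out IDs in first-seen order, and pulls the two failure signatures quoted above (STATUS_SOME_UNMAPPED and NT_STATUS_NONE_MAPPED) out of winbindd log text. The domain SID is taken from the quoted log, the range from the posted config, and base_rid is assumed to be the default of 0; the sample log is constructed from the quoted lines, re-joined as winbindd writes them.

```python
import re

# Assumptions: domain SID from the quoted winbindd log, range from the
# posted 'idmap config DOMAIN : range = 10000 - 20000', base_rid at the
# idmap_rid default of 0.
DOMAIN_SID = "S-1-5-21-4140011924-985775245-1159988818"
RANGE_LOW, RANGE_HIGH = 10000, 20000
BASE_RID = 0

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or None if it is not one."""
    m = SID_RE.match(sid)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def rid_to_xid(sid, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID,
               domain_sid=DOMAIN_SID):
    """Deterministic idmap_rid mapping: ID = RID - BASE_RID + LOW (idmap_rid(8)).

    Returns None where winbind would report NT_STATUS_NONE_MAPPED: the SID
    is not from the configured domain, or the computed ID is outside the
    range. Because the rule depends only on the SID and the config, every
    server with the same config produces the same ID.
    """
    parts = split_sid(sid)
    if parts is None or parts[0] != domain_sid:
        return None
    rid = parts[1]
    if rid < base_rid:
        return None
    xid = rid - base_rid + low
    if not low <= xid <= high:
        return None
    return xid


def allocating_backend(lookup_order, low=RANGE_LOW):
    """Simplified model of the legacy 'idmap uid = LOW-HIGH' (tdb) behaviour:
    a server hands out the next free ID in the order it first sees a SID,
    so two servers that meet the same users in a different order disagree
    on who owns which files."""
    table, next_id = {}, low
    for sid in lookup_order:
        if sid not in table:
            table[sid] = next_id
            next_id += 1
    return table


LOG_UNMAPPED_RE = re.compile(
    r"Could not convert sid (S-1-5-21-[\d-]+): (NT_STATUS_\w+)")
LOG_SCHEMA_RE = re.compile(r"ads_check_posix_schema_mapping: failed (\S+)")


def triage_log(text):
    """Extract the two failure signatures seen in the thread from winbindd log text."""
    return {
        "unmapped": LOG_UNMAPPED_RE.findall(text),
        "schema_failures": LOG_SCHEMA_RE.findall(text),
    }


# Constructed sample: the lines quoted in the thread, re-joined onto
# single lines as winbindd writes them.
SAMPLE_LOG = """\
[2010/10/12 08:24:56.927925, 3] libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
  ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
[2010/10/12 12:54:42.931329, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-4140011924-985775245-1159988818-1608: NT_STATUS_NONE_MAPPED
"""

if __name__ == "__main__":
    for sid, status in triage_log(SAMPLE_LOG)["unmapped"]:
        print(sid, status, "-> rid backend would give", rid_to_xid(sid))
    user_a, user_b = DOMAIN_SID + "-1608", DOMAIN_SID + "-1609"
    # Server A meets user_a first, server B meets user_b first.
    srv_a = allocating_backend([user_a, user_b])
    srv_b = allocating_backend([user_b, user_a])
    print("allocating backend agrees across servers:", srv_a == srv_b)
    print("rid backend agrees across servers:",
          rid_to_xid(user_a) == rid_to_xid(user_a))
```

The SID from the quoted log maps to uid 11608 under the posted rid range; narrowing the range to 10000-11000 makes the same SID unmappable, which is the NT_STATUS_NONE_MAPPED case the log shows. The rid backend ignores uidNumber/gidNumber in AD entirely, so switching to it changes every existing ownership unless the ranges are chosen so that the new IDs coincide with the old ones; that is the verification step Simon refers to.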