[Samba] Samba 3.5.5. id-map issues with Active Directory
andrew.lyon at gmail.com
Wed Oct 20 02:41:05 MDT 2010
On Tue, Oct 12, 2010 at 4:03 PM, Haven <haven at thehavennet.org.uk> wrote:
> Hi Andrew,
> On 10/12/10 08:26, Andrew Lyon wrote:
>> I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
>> working in rfc2307 mode. wbinfo -u and -g return users and groups, but
>> wbinfo -i <user> fails. Another test I tried is:
>> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
>> sAMAccountName uidNumber gidNumber -P
>> which shows that I have 3 users and 2 groups which have rfc2307
>> attributes; however, mapping is not working: files owned by the mapped
>> uid/gid do not show the username or group when listed, and users are
>> unable to authenticate to the samba server.
>> I've noticed some errors in winbindd log:
>> [2010/10/12 08:24:53.276576, 3]
>> [ 8296]: request interface version
>> [2010/10/12 08:24:53.276748, 3]
>> [ 8296]: request location of privileged pipe
>> [2010/10/12 08:24:53.276975, 3]
>> [2010/10/12 08:24:56.764312, 3]
>> [ 8381]: request interface version
>> [2010/10/12 08:24:56.764473, 3]
>> [ 8381]: request location of privileged pipe
>> [2010/10/12 08:24:56.794828, 3]
>> getpwnam test
>> [2010/10/12 08:24:56.927925, 3]
>> ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
>> [2010/10/12 08:24:56.927999, 2]
>> ad_idmap_cached_connection: Failed to obtain schema details!
> Your errors look different but the symptoms are the same. I've another
> person with the same issue, the link below explains the exact problem I
> A snippet from one of my logs shows the issue:
>> [2010/10/12 12:54:42.931329, 5]
>> Could not convert sid S-1-5-21-4140011924-985775245-1159988818-1608:
>> [2010/10/12 12:54:42.931436, 10] winbindd/winbindd.c:655(wb_request_done)
>> wb_request_done[25718:GETPWNAM]: NT_STATUS_NONE_MAPPED
> If I "wbinfo -S S-1-5-21-4140011924-985775245-1159988818-1608" then I get
> the right UID returned.
> When I type "id" I get "No such user"
> wbinfo -u and -g show all my users and groups fine.
> I've found an odd hack that gets me up and running for a short while, but I'm
> not entirely sure why it's working. I've described it below.
>> > Old broken:
>> > idmap backend = ad
>> > winbind nss info = rfc2307
>> > New working:
>> > idmap uid = 10000-20000
>> > idmap gid = 10000-20000
>> Doesn't that change work around the problem by disabling idmap
>> altogether? It may work, but the mappings will not be consistent if you
>> have multiple samba servers.
> If I replace my standard smb.conf with the changes above and then "net ads
> join" and restart winbind, I can get an ID for any of my users. I only need
> to do this for one user.
> Then I switch back to the original "idmap backend = ad" smb.conf and restart
> winbind again.
> At this point all my user IDs work once again, with the exception of the
> test user that I used, which now has an invalidly cached uid.
> If I "net cache flush" then this breaks the id mapping once again.
> So basically something is screwy and somehow cache files are involved. I'm
> pretty sure it's /var/run/samba/gencache* that is storing this data, but that
> could be a symptom and not the cause. I've not had a chance to start decoding
> cache files and examining their contents yet.
> An alternative option that I've tried is to switch to a rid backend across
> all of our systems. This is obviously going to take some more verification
> and planning before going into effect, but I've included my test rid config
> below in case it is of use to you. The few test cases I've run so far gave
> good results.
> If you manage to get any further then let me know as curiosity has long
> since moved onto frustration :)
>> dos charset = 850
>> workgroup = DOMAIN
>> realm = DOMAIN.NET
>> server string = Samba Server Version %v
>> security = ADS
>> password server = 192.168.1.2, 192.168.1.3, *
>> client NTLMv2 auth = Yes
>> kerberos method = system keytab
>> log level = 10
>> debug timestamp = No
>> disable netbios = Yes
>> name resolve order = host lmhosts
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>> local master = No
>> domain master = No
>> dns proxy = No
>> idmap uid = 9000-9999
>> idmap gid = 9000-9999
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind separator = +
>> winbind use default domain = Yes
>> winbind refresh tickets = Yes
>> winbind offline logon = Yes
>> idmap config DOMAIN : default = yes
>> idmap config DOMAIN : schema_mode = rfc2307
>> #idmap config DOMAIN : backend = ad
>> #idmap config DOMAIN : range = 10000-20000
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 10000 - 20000
>> hosts allow = 127.0.0.1, 192.168.1.0/24
>> hosts deny = 0.0.0.0/0
I've made some progress on this. In order to use rfc2307/sfu id
mapping you must have a writable default idmap backend and an explicit
domain configuration which uses rfc2307/sfu. This has been mentioned
in a bug report back in 2009,
https://bugzilla.samba.org/show_bug.cgi?id=6322, but it appears nothing
further was done to make it clear in the documentation.
Example working config:
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-49999
idmap config DOMAIN : schema_mode = rfc2307
idmap backend = tdb
idmap uid = 50000-99999
idmap gid = 50000-99999
There seems to be a problem with "winbind nss info = rfc2307", but I'm
going to start a new thread about that.
So far I can list users and groups using wbinfo and also get details
for a single user with wbinfo -i. I can su to an AD account, and
setting ownership of files and folders to mapped IDs results in the
AD user/group names being displayed, so mapping does seem to be
working ok, but getent passwd/group does not list AD users and I
cannot login to the system using an AD account, so I think I've still
got some nsswitch/pam issues which I'm going to work on today.
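An added example, not code from this thread or from the Samba project: a small Python lint that applies the two conditions Andrew arrives at (a writable default idmap backend plus an explicit "idmap config DOMAIN : backend = ad" entry in rfc2307/sfu mode) to an smb.conf, and additionally checks that the default range and the per-domain ranges do not overlap, which is the other common way to get inconsistent mappings across servers. The function names and the three sample configs are mine (the samples reproduce the "old broken" and "working" shapes posted above), and treating tdb/tdb2/ldap as the writable backends and accepting both the 3.5-era "idmap backend / idmap uid / idmap gid" syntax and the later "idmap config * : backend/range" syntax are assumptions of this example.

```python
import re

# Assumption for this example: these backends can allocate new IDs and so may
# serve as the default; "ad" and "rid" are read-only/algorithmic and cannot.
WRITABLE_BACKENDS = {"tdb", "tdb2", "ldap"}
POSIX_SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}

_KV_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")
_DOMAIN_KEY_RE = re.compile(r"^idmap config ([^:\s]+)\s*:\s*(\S+)$")
_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_smb_conf(text):
    """Parse [global] (or pre-section) parameters of an smb.conf.

    Returns (params, domains): params maps normalised global keys to values;
    domains maps an idmap domain name ('*' = default) to its
    'idmap config NAME : option' settings. Later entries win, as in smbd.
    """
    params, domains = {}, {}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = _KV_RE.match(line)
        if not m:
            continue
        key = re.sub(r"\s+", " ", m.group(1).strip()).lower()
        value = m.group(2).strip()
        dm = _DOMAIN_KEY_RE.match(key)
        if dm:
            domains.setdefault(dm.group(1).upper(), {})[dm.group(2)] = value
        else:
            params[key] = value
    return params, domains


def parse_range(value):
    """'10000-49999' or '10000 - 49999' -> (10000, 49999); None if malformed."""
    m = _RANGE_RE.match((value or "").strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def default_idmap(params, domains):
    """Resolve the default (allocating) backend and its range, accepting the
    3.5-era 'idmap backend' + 'idmap uid' form and the later 'idmap config *' form."""
    star = domains.get("*", {})
    backend = star.get("backend") or params.get("idmap backend")
    rng = parse_range(star["range"]) if "range" in star else parse_range(params.get("idmap uid"))
    return backend, rng


def check_idmap(text):
    """Lint an smb.conf intended for AD rfc2307/sfu mapping; [] means it passes."""
    params, domains = parse_smb_conf(text)
    findings, ranges = [], []

    backend, rng = default_idmap(params, domains)
    if backend is None:
        findings.append("no default idmap backend ('idmap backend' or 'idmap config * : backend')")
    elif backend.split(":")[0].lower() not in WRITABLE_BACKENDS:
        findings.append(f"default idmap backend '{backend}' is not writable; use tdb/tdb2/ldap")
    if rng is None:
        findings.append("no usable default range ('idmap uid'/'idmap gid' or 'idmap config * : range')")
    else:
        ranges.append(("default", rng))
    if params.get("idmap uid") != params.get("idmap gid"):
        findings.append("'idmap uid' and 'idmap gid' differ; keep them identical")

    ad_domains = [d for d, cfg in domains.items()
                  if d != "*" and cfg.get("backend", "").lower() == "ad"]
    if not ad_domains:
        findings.append("no explicit 'idmap config DOMAIN : backend = ad' entry")
    for dom in ad_domains:
        cfg = domains[dom]
        mode = cfg.get("schema_mode", "").lower()
        if mode not in POSIX_SCHEMA_MODES:
            findings.append(f"{dom}: schema_mode '{mode or '(unset)'}' is not rfc2307/sfu/sfu20")
        drng = parse_range(cfg.get("range"))
        if drng is None:
            findings.append(f"{dom}: missing or malformed range")
        else:
            ranges.append((dom, drng))

    # Every range must be disjoint from every other, or two SIDs can map to one ID.
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (la, (a0, a1)), (lb, (b0, b1)) = ranges[i], ranges[j]
            if a0 <= b1 and b0 <= a1:
                findings.append(f"ranges of {la} ({a0}-{a1}) and {lb} ({b0}-{b1}) overlap")
    return findings


# Constructed samples: the "old broken" and "working" shapes from the thread,
# plus a variant whose tdb range collides with the AD range.
BROKEN_CONF = """[global]
   workgroup = DOMAIN
   realm = DOMAIN.NET
   security = ADS
   idmap backend = ad
   winbind nss info = rfc2307
"""
WORKING_CONF = """[global]
   workgroup = DOMAIN
   realm = DOMAIN.NET
   security = ADS
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : range = 10000-49999
   idmap config DOMAIN : schema_mode = rfc2307
   idmap backend = tdb
   idmap uid = 50000-99999
   idmap gid = 50000-99999
"""
OVERLAP_CONF = WORKING_CONF.replace("50000-99999", "20000-60000")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF), ("overlap", OVERLAP_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run it against the real file with `check_idmap(open("/etc/samba/smb.conf").read())`; an empty list is a pass. The lint does not talk to AD, so it says nothing about whether the uidNumber/gidNumber attributes are actually populated; that is what the `net ads search` query earlier in the thread is for.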