[Samba] Samba 3.5.5. id-map issues with Active Directory

Andrew Lyon andrew.lyon at gmail.com
Wed Oct 20 02:41:05 MDT 2010


On Tue, Oct 12, 2010 at 4:03 PM, Haven <haven at thehavennet.org.uk> wrote:
>  Hi Andrew,
>
> On 10/12/10 08:26, Andrew Lyon wrote:
>>
>> I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
>> working in rfc2307 mode, wbinfo -u and -g return users and groups, but
>> wbinfo -i <user> fails; another test I tried is:
>>
>> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
>> sAMAccountName uidNumber gidNumber -P
>>
>> Which shows that I have 3 users and 2 groups which have rfc2307
>> attributes, however mapping is not working, files owned by the mapped
>> uid/gid do not show the username or group when listed, and users are
>> unable to authenticate to the samba server.
>>
>> I've noticed some errors in winbindd log:
>>
>> [2010/10/12 08:24:53.276576,  3]
>> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>>   [ 8296]: request interface version
>> [2010/10/12 08:24:53.276748,  3]
>> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>>   [ 8296]: request location of privileged pipe
>> [2010/10/12 08:24:53.276975,  3]
>> winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
>>   list_users
>> [2010/10/12 08:24:56.764312,  3]
>> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>>   [ 8381]: request interface version
>> [2010/10/12 08:24:56.764473,  3]
>> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>>   [ 8381]: request location of privileged pipe
>> [2010/10/12 08:24:56.794828,  3]
>> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>>   getpwnam test
>> [2010/10/12 08:24:56.927925,  3]
>> libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
>>   ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
>> [2010/10/12 08:24:56.927999,  2]
>> winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
>>   ad_idmap_cached_connection: Failed to obtain schema details!
>
> Your errors look different but the symptoms are the same. I've another
> person with the same issue, the link below explains the exact problem I
> have:
>
> http://www.spinics.net/lists/samba/msg92328.html
>
> A snippet from one of my logs shows the issue:
>>
>> [2010/10/12 12:54:42.931329,  5]
>> winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
>>  Could not convert sid S-1-5-21-4140011924-985775245-1159988818-1608:
>> NT_STATUS_NONE_MAPPED
>> [2010/10/12 12:54:42.931436, 10] winbindd/winbindd.c:655(wb_request_done)
>>  wb_request_done[25718:GETPWNAM]: NT_STATUS_NONE_MAPPED
>
> If I "wbinfo -S S-1-5-21-4140011924-985775245-1159988818-1608" then I get
> the right UID returned.
>
> When I type "id" I get "No such user"
>
> wbinfo -u and -g show all my users and groups fine.
>
> I've found an odd hack that gets me up and running for a short while but I'm
> not entirely sure why it's working, I've described it below.
>
>> >  Old broken:
>> >
>> >          idmap backend = ad
>> >          winbind nss info = rfc2307
>> >
>> >  New working:
>> >
>> >          idmap uid = 10000-20000
>> >          idmap gid = 10000-20000
>> >
>> Doesn't that change work around the problem by disabling idmap
>> altogether? It may work, but the mappings will not be consistent if you
>> have multiple samba servers.
>
> If I replace my standard smb.conf with the changes above and then "net ads
> join" and restart winbind I can get an id for any of my users. I only need
> to do this for one user.
>
> Then I switch back to the original "idmap backend = ad" smb.conf and restart
> winbind again.
>
> At this point all my user IDs work once again with the exception of the
> test user that I used, which now has an invalidly cached uid.
>
> If I "net cache flush" then this breaks the id mapping once again.
>
> So basically something is screwy and somehow cache files are involved. I'm
> pretty sure it's /var/run/samba/gencache* that is storing this data, but that
> could be a symptom and not the cause. I've not had a chance to start decoding
> cache files and examining their contents yet.
>
> An alternative option that I've tried is to switch to a rid backend across
> all of our systems. This is obviously going to take some more verification
> and planning before going into effect, but I've included my test rid config
> below in case it is of use to you. The few test cases I've run so far gave
> good results.
>
> If you manage to get any further then let me know as curiosity has long
> since moved onto frustration :)
>
>> [global]
>>        dos charset = 850
>>        workgroup = DOMAIN
>>        realm = DOMAIN.NET
>>        server string = Samba Server Version %v
>>        security = ADS
>>        password server = 192.168.1.2, 192.168.1.3, *
>>        client NTLMv2 auth = Yes
>>        kerberos method = system keytab
>>        log level = 10
>>        debug timestamp = No
>>        disable netbios = Yes
>>        name resolve order = host lmhosts
>>        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>> SO_RCVBUF=8192 SO_SNDBUF=8192
>>        local master = No
>>        domain master = No
>>        dns proxy = No
>>        idmap uid = 9000-9999
>>        idmap gid = 9000-9999
>>        template homedir = /home/%U
>>        template shell = /bin/bash
>>        winbind separator = +
>>        winbind use default domain = Yes
>>        winbind refresh tickets = Yes
>>        winbind offline logon = Yes
>>
>>        idmap config DOMAIN : default = yes
>>        idmap config DOMAIN : schema_mode = rfc2307
>>        #idmap config DOMAIN : backend = ad
>>        #idmap config DOMAIN : range = 10000-20000
>>
>>        idmap config DOMAIN : backend  = rid
>>        idmap config DOMAIN : range = 10000 - 20000
>>
>>        hosts allow = 127.0.0.1, 192.168.1.0/24
>>        hosts deny = 0.0.0.0/0
>
> Regards
>
> Simon
>

Hi,

I've made some progress on this. In order to use rfc2307/sfu id
mapping you must have a writable default idmap backend and an explicit
domain configuration which uses rfc2307/sfu. This has been mentioned
in a bug report back in 2009
(https://bugzilla.samba.org/show_bug.cgi?id=6322) but it appears nothing
further was done to make it clear in the documentation.

Example working config:

idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-49999
idmap config DOMAIN : schema_mode = rfc2307

idmap backend = tdb
idmap uid = 50000-99999
idmap gid = 50000-99999

There seems to be a problem with winbind nss info = rfc2307 but I'm
going to start a new thread about that.

So far I can list users and groups using wbinfo and also get details
for a single user with wbinfo -i. I can su to an AD account, and
setting ownership of files and folders to mapped IDs results in the
AD user/group names being displayed, so mapping does seem to be
working ok, but getent passwd/group does not list AD users and I
cannot login to the system using an AD account, so I think I've still
got some nsswitch/pam issues which I'm going to work on today.

Andy
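An added example, not code from this thread or from the Samba project: a small Python checker for the rule Andy states above, that ad/rfc2307 mapping needs a writable default backend (such as tdb) plus an explicit domain block, and that the domain's range must not collide with the default range. The smb.conf fragment is constructed, modelled on the working config above; the handling of `idmap config DOMAIN : key` lines is an assumption about the layout, not Samba's own parser.

```python
import re

# Constructed smb.conf fragment modelled on the working layout in the thread.
WORKING_CONF = """[global]
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 10000-49999
    idmap config DOMAIN : schema_mode = rfc2307
    idmap backend = tdb
    idmap uid = 50000-99999
    idmap gid = 50000-99999
"""
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_RE = re.compile(r"^idmap config (\S+)\s*:\s*(\S+)$")

def parse_idmap(text):
    """Split idmap settings into per-domain dicts and the global defaults."""
    domains, defaults = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":   # skip blanks, comments, section headers
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        m = DOMAIN_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
        elif key.startswith("idmap "):
            defaults[key] = value
    return domains, defaults

def parse_range(value):
    m = RANGE_RE.match((value or "").strip())   # accepts '10000 - 20000' too
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_idmap(text):
    """Problems against the rule in the thread: ad/rfc2307 mapping needs a writable
    default backend (e.g. tdb) plus an explicit domain block with its own range."""
    domains, defaults = parse_idmap(text)
    default_backend = defaults.get("idmap backend")
    default_range = parse_range(defaults.get("idmap uid"))
    problems = []
    if default_backend == "ad":            # ad is read-only: it cannot be the default
        problems.append("'idmap backend = ad' as the default; use tdb plus a domain block")
    for name, cfg in domains.items():
        if cfg.get("backend") == "ad" and default_backend in (None, "ad"):
            problems.append(f"{name}: ad backend but no writable default backend")
        rng = parse_range(cfg.get("range"))
        if rng and default_range and rng[0] <= default_range[1] and default_range[0] <= rng[1]:
            problems.append(f"{name}: range {rng} overlaps default range {default_range}")
    return problems
```

Run it against a real smb.conf by passing the file contents to `check_idmap`; an empty list means the layout matches the rule from the bug report.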
