[Samba] Samba 3.5.5. id-map issues with Active Directory
Andrew Lyon
andrew.lyon at gmail.com
Wed Oct 20 02:41:05 MDT 2010
On Tue, Oct 12, 2010 at 4:03 PM, Haven <haven at thehavennet.org.uk> wrote:
> Hi Andrew,
>
> On 10/12/10 08:26, Andrew Lyon wrote:
>>
>> I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
>> working in rfc2307 mode, wbinfo -u and -g return users and groups, but
>> wbinfo -i <user> fails. Another test I tried is:
>>
>> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
>> sAMAccountName uidNumber gidNumber -P
>>
>> Which shows that I have 3 users and 2 groups which have rfc2307
>> attributes, however mapping is not working, files owned by the mapped
>> uid/gid do not show the username or group when listed, and users are
>> unable to authenticate to the samba server.
>>
>> I've noticed some errors in winbindd log:
>>
>> [2010/10/12 08:24:53.276576, 3]
>> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>> [ 8296]: request interface version
>> [2010/10/12 08:24:53.276748, 3]
>> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>> [ 8296]: request location of privileged pipe
>> [2010/10/12 08:24:53.276975, 3]
>> winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
>> list_users
>> [2010/10/12 08:24:56.764312, 3]
>> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>> [ 8381]: request interface version
>> [2010/10/12 08:24:56.764473, 3]
>> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>> [ 8381]: request location of privileged pipe
>> [2010/10/12 08:24:56.794828, 3]
>> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>> getpwnam test
>> [2010/10/12 08:24:56.927925, 3]
>> libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
>> ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
>> [2010/10/12 08:24:56.927999, 2]
>> winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
>> ad_idmap_cached_connection: Failed to obtain schema details!
>
> Your errors look different but the symptoms are the same. I've another
> person with the same issue, the link below explains the exact problem I
> have:
>
> http://www.spinics.net/lists/samba/msg92328.html
>
> A snippet from one of my logs shows the issue:
>>
>> [2010/10/12 12:54:42.931329, 5]
>> winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
>> Could not convert sid S-1-5-21-4140011924-985775245-1159988818-1608:
>> NT_STATUS_NONE_MAPPED
>> [2010/10/12 12:54:42.931436, 10] winbindd/winbindd.c:655(wb_request_done)
>> wb_request_done[25718:GETPWNAM]: NT_STATUS_NONE_MAPPED
>
> If I "wbinfo -S S-1-5-21-4140011924-985775245-1159988818-1608" then I get
> the right UID returned.
>
> When I type "id" I get "No such user"
>
> wbinfo -u and -g show all my users and groups fine.
>
> I've found an odd hack that gets me up and running for a short while but I'm
> not entirely sure why it's working, I've described it below.
>
>> > Old broken:
>> >
>> > idmap backend = ad
>> > winbind nss info = rfc2307
>> >
>> > New working:
>> >
>> > idmap uid = 10000-20000
>> > idmap gid = 10000-20000
>> >
>> Doesn't that change work around the problem by disabling idmap
>> altogether? It may work but the mappings will not be consistent if you
>> have multiple samba servers.
>
> If I replace my standard smb.conf with the changes above and then "net ads
> join" and restart winbind I can get an id for any of my users. I only need
> to do this for one user.
>
> Then I switch back to the original "idmap backend = ad" smb.conf and restart
> winbind again.
>
> At this point all my user ids work once again with the exception of the
> test user that I used which now has an invalidly cached uid.
>
> If I "net cache flush" then this breaks the id mapping once again.
>
> So basically something is screwy and somehow cache files are involved, I'm
> pretty sure it's /var/run/samba/gencache* that is storing this data but that
> could be a symptom and not the cause. I've not had a chance to start decoding
> cache files and examining their contents yet.
>
> An alternative option that I've tried is to switch to an rid back end across
> all of our systems, this is obviously going to take some more verification
> and planning before going into effect but I've included my test rid config
> below in-case it is of use to you. The few test cases I've run so far gave
> good results.
>
> If you manage to get any further then let me know as curiosity has long
> since moved onto frustration :)
>
>> [global]
>> dos charset = 850
>> workgroup = DOMAIN
>> realm = DOMAIN.NET
>> server string = Samba Server Version %v
>> security = ADS
>> password server = 192.168.1.2, 192.168.1.3, *
>> client NTLMv2 auth = Yes
>> kerberos method = system keytab
>> log level = 10
>> debug timestamp = No
>> disable netbios = Yes
>> name resolve order = host lmhosts
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>> local master = No
>> domain master = No
>> dns proxy = No
>> idmap uid = 9000-9999
>> idmap gid = 9000-9999
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind separator = +
>> winbind use default domain = Yes
>> winbind refresh tickets = Yes
>> winbind offline logon = Yes
>>
>> idmap config DOMAIN : default = yes
>> idmap config DOMAIN : schema_mode = rfc2307
>> #idmap config DOMAIN : backend = ad
>> #idmap config DOMAIN : range = 10000-20000
>>
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 10000 - 20000
>>
>> hosts allow = 127.0.0.1, 192.168.1.0/24
>> hosts deny = 0.0.0.0/0
>
> Regards
>
> Simon
>
Hi,
I've made some progress on this. In order to use rfc2307/sfu id
mapping you must have a writable default idmap backend and an explicit
domain configuration which uses rfc2307/sfu; this was mentioned
in a bug report back in 2009
(https://bugzilla.samba.org/show_bug.cgi?id=6322) but it appears nothing
further was done to make it clear in the documentation.
Example working config:
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-49999
idmap config DOMAIN : schema_mode = rfc2307
idmap backend = tdb
idmap uid = 50000-99999
idmap gid = 50000-99999
There seems to be a problem with winbind nss info = rfc2307 but I'm
going to start a new thread about that.
So far I can list users and groups using wbinfo and also get details
for a single user with wbinfo -i, I can su to an AD account and
setting ownership of files and folders to mapped ids results in the
AD user/group names being displayed so mapping does seem to be
working ok, but getent passwd/group does not list AD users and I
cannot login to the system using an AD account, so I think I've still
got some nsswitch/pam issues which I'm going to work on today.
Andy
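An added example, not part of the thread and not Samba's own code: a small checker that encodes the rule Andy arrives at above (an ad/rfc2307 mapping needs a per-domain "idmap config DOMAIN : backend = ad" block plus a writable default backend such as tdb, each with its own range) and runs it over smb.conf fragments. The sample configs are constructed from the fragments quoted in the thread, not copied from a real host; the set of backends treated as writable (tdb, tdb2, ldap; idmap_ad and idmap_rid are read-only), the treatment of overlapping ranges as an error, and the handling of the later "idmap config * : ..." default form are the example's own assumptions and go slightly beyond the 3.5 syntax the thread uses. Samba's parameter-name comparison ignores case and whitespace, which is why keys are normalised before lookup.

```python
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# idmap_ad and idmap_rid only look up or compute ids; they cannot allocate
# new ones, so the *default* backend must be one of these writable backends
# (assumption made by this example; see lead-in).
WRITABLE_BACKENDS = {"tdb", "tdb2", "ldap"}

_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
_DOMAIN_KEY_RE = re.compile(r"^idmapconfig(.+?):([a-z0-9_]+)$")


def _normalise_key(key: str) -> str:
    """Samba compares parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'name = value' lines, '#'/';' comments."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            sections[current][_normalise_key(name)] = value.strip()
    return sections


def parse_range(value: Optional[str]) -> Optional[Range]:
    """'10000-20000' or '10000 - 20000' -> (10000, 20000); anything else -> None."""
    if value is None:
        return None
    m = _RANGE_RE.match(value.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def _overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(text: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap layout follows the rule."""
    g = parse_smb_conf(text)["global"]
    findings: List[str] = []

    # Per-domain 'idmap config DOM : option = value' settings, keyed by domain.
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in g.items():
        m = _DOMAIN_KEY_RE.match(key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value.strip().lower()

    # Default backend/range: 'idmap config * : ...' (Samba 3.6+) or the legacy
    # 'idmap backend' + 'idmap uid'/'idmap gid' used in the thread ('idmap backend'
    # itself defaults to tdb when unset).
    star = domains.pop("*", {})
    default_backend = star.get("backend") or g.get("idmapbackend", "tdb").split(":")[0].strip().lower()
    if star:
        default_range = parse_range(star.get("range"))
    else:
        spans = [r for r in (parse_range(g.get("idmapuid")), parse_range(g.get("idmapgid"))) if r]
        # uid and gid are separate namespaces; their union is the default's span.
        default_range = (min(r[0] for r in spans), max(r[1] for r in spans)) if spans else None

    if default_backend not in WRITABLE_BACKENDS:
        findings.append(f"default idmap backend '{default_backend}' is read-only; "
                        "use a writable one (e.g. tdb) and put ad/rid in a per-domain block")
    if default_backend in ("ad", "rid") and not domains:
        findings.append("no per-domain 'idmap config DOMAIN : backend' block; "
                        "ad/rid must be configured per domain, not as the default")
    if default_range is None:
        findings.append("default backend has no usable range ('idmap uid'/'idmap gid' or 'idmap config * : range')")

    ranges: List[Tuple[str, Range]] = [("default", default_range)] if default_range else []
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"idmap config {dom}: no backend set")
        r = parse_range(opts.get("range"))
        if r is None:
            findings.append(f"idmap config {dom}: missing or malformed range")
        else:
            ranges.append((dom, r))

    # Each backend needs a disjoint range; an overlap makes id ownership ambiguous.
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (n1, r1), (n2, r2) = ranges[i], ranges[j]
            if _overlaps(r1, r2):
                findings.append(f"range overlap: {n1} {r1[0]}-{r1[1]} vs {n2} {r2[0]}-{r2[1]}")
    return findings


# Constructed from the fragments quoted in the thread (not taken from a real host).
BROKEN_CONF = """
[global]
   workgroup = DOMAIN
   security = ADS
   idmap backend = ad
   winbind nss info = rfc2307
"""

WORKING_CONF = """
[global]
   workgroup = DOMAIN
   security = ADS
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : range = 10000-49999
   idmap config DOMAIN : schema_mode = rfc2307
   idmap backend = tdb
   idmap uid = 50000-99999
   idmap gid = 50000-99999
"""

# Same layout, but the default range pushed down into the AD range.
OVERLAP_CONF = WORKING_CONF.replace("50000-99999", "40000-99999")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF), ("overlap", OVERLAP_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`; the "broken" fragment reports a read-only default and a missing per-domain block, the "working" fragment passes, and the "overlap" variant is flagged even though both blocks are otherwise well formed. It is a static sanity check only; it does not replace `testparm` or the runtime tests (`wbinfo -i`, `getent passwd`) discussed above.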