[Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

Michael Adam obnox at samba.org
Tue May 15 15:29:37 MDT 2012


Hi Javier,

Javier Conti wrote:
> Dear list,
> 
> upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
> to 3.6.3. I was successfully using idmap_ad to authenticate users but
> after the upgrade it stopped working and users are not seen by the OS.
> Obviously the users I want to see on the Linux server have all RFC2307
> attributes populated and are seen by all other SLES11 SP1 servers.


> Although I tried many changes to the config, according to some hints found
> on the web, this is what I was using with Samba 3.4.3:
> 
>   [global]
>     workgroup = MYDOMAIN
>     realm = MYREALM
>     security = ADS
> 
>     idmap backend = idmap_ad
>     idmap uid = 64000 - 64999
>     idmap gid = 64000 - 64999
> 
>     idmap config MYDOMAIN : default = yes
>     idmap config MYDOMAIN : backend = ad
>     idmap config MYDOMAIN : range = 1000-50000
>     idmap config MYDOMAIN : schema_mode = rfc2307
> 
>     winbind use default domain = yes
>     winbind nss info = rfc2307
>     winbind offline logon = yes
>     winbind refresh tickets = yes
>     [...] 
> 
> Any hints on what has changed with Samba 3.6.3 and/or what to
> change to adapt the configuration to 3.6.3 (if necessary)?

Some comments:
The above config makes no real sense to me,
neither for 3.4 nor for 3.6:

* The parameter "idmap config DOMAIN : default = yes/no"
  has been removed in samba 3.3. It only existed from
  3.0.25 to 3.2.
  (http://www.samba.org/samba/history/samba-3.3.0.html)

* You are using the backend "ad" (or "idmap_ad" which is
  a deprecated synonym) both in "idmap config MYDOMAIN : backend"
  and in "idmap backend". Both with different ranges.
  This does not seem to make sense to me.

  It is necessary to specify a writable backend for the
  catch all default idmap configuration, e.g. tdb or ldap.

  In 3.6, the "idmap backend" has been replaced by
  "idmap config * : backend", etc.

A valid config for 3.4 would be:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
	workgroup = MYDOMAIN

	idmap backend = tdb
	idmap uid = xxxxx-yyyyy
	idmap gid = xxxxx-yyyyy

	idmap config MYDOMAIN : backend = ad
	idmap config MYDOMAIN : range = 1000-50000
	idmap config MYDOMAIN : schema_mode = rfc2307
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The corresponding for 3.6:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
	workgroup = MYDOMAIN

	idmap config * : backend = tdb
	idmap config * : range = xxxxx-yyyyy

	idmap config MYDOMAIN : backend = ad
	idmap config MYDOMAIN : range = 1000-50000
	idmap config MYDOMAIN : schema_mode = rfc2307
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
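To make the rules above checkable, here is a small lint for the idmap settings of an smb.conf [global] section. It is an added example, not code from Samba or from this thread; the set of "writable" backends and the parsing are assumptions, and the sample section is a constructed, abbreviated copy of the 3.4-era config quoted above.

```python
import re

# Constructed sample: the poster's 3.4-era [global] section, abbreviated.
BROKEN_CONF = """[global]
    workgroup = MYDOMAIN
    idmap backend = idmap_ad
    idmap uid = 64000 - 64999
    idmap config MYDOMAIN : default = yes
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 1000-50000
    idmap config MYDOMAIN : schema_mode = rfc2307
"""

WRITABLE = {"tdb", "tdb2", "ldap"}  # assumption: backends that can allocate new ids


def parse_global(text):
    """Return {key: value} for the [global] section (key case kept, whitespace squeezed)."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, _, val = line.partition("=")
            params[" ".join(key.split())] = val.strip()
    return params


def lint_idmap(params):
    """Apply the rules from the reply; return a list of findings (empty means clean)."""
    low = {k.lower(): v for k, v in params.items()}
    findings = []
    # Pre-3.6 catch-all is 'idmap backend'; 3.6 expects 'idmap config * : backend'.
    catch_all = low.get("idmap config * : backend") or low.get("idmap backend")
    if catch_all is None:
        findings.append("no catch-all idmap backend ('idmap config * : backend') configured")
    elif catch_all.lower().replace("idmap_", "", 1) not in WRITABLE:
        findings.append(f"catch-all backend '{catch_all}' is not writable; use tdb or ldap")
    if catch_all and catch_all.lower().startswith("idmap_"):
        findings.append(f"backend '{catch_all}' is a deprecated synonym for '{catch_all[6:]}'")
    for key, val in params.items():
        m = re.match(r"idmap config (\S+) : (\S+)$", key, re.IGNORECASE)
        if not m or m.group(1) == "*":
            continue
        if m.group(2).lower() == "default":
            findings.append(f"'{key}' was removed in Samba 3.3")
        elif m.group(2).lower() == "backend" and val.lower().startswith("idmap_"):
            findings.append(f"backend '{val}' is a deprecated synonym for '{val[6:]}'")
    return findings
```

Running `lint_idmap(parse_global(BROKEN_CONF))` reports the three problems named in the reply; the 3.6 config above (with a real range in place of xxxxx-yyyyy) passes clean.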

> I checked everything (I know) from the Samba point of view, and it almost
> seems ok, but "wbinfo -i" fails as follows:
> 
>   # wbinfo -i myuser
>   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>   Could not get info for user myuser
> 
> Using the same user, for example, I can do:
> 
>   # wbinfo -n myuser
>   S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
>   # wbinfo -n "Domain Users"
>   S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)
> 
>   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
>   MYDOMAIN\myuser 1
>   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
>   MYDOMAIN\Domain Users
> 
>   # net -Uadminuser user info myuser |head
>   Enter adminuser's password:
>   domain users
>   [...]
>   # net -Uadminuser ads user  |grep myuser
>   Enter adminuser's password:
>   myuser
> 
> Obviously, id(1) and getent(1) fail. What I get is:
> 
> [2012/05/14 16:50:47.958484,  6] winbindd/winbindd.c:792(new_connection)
>   accepted socket 25
> [2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
>   process_request: request fn INTERFACE_VERSION
> [2012/05/14 16:50:47.958644,  3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [ 5756]: request interface version
> [2012/05/14 16:50:47.958705, 10]
> winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:INTERFACE_VERSION]: delivered
> response to client
> [2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/05/14 16:50:47.958808,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [ 5756]: request location of privileged pipe
> [2012/05/14 16:50:47.958870, 10]
> winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]:
> delivered response to client
> [2012/05/14 16:50:47.958939,  6] winbindd/winbindd.c:792(new_connection)
>   accepted socket 26
> [2012/05/14 16:50:47.958995,  6]
> winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 25, client exited
> [2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
>   process_request: Handling async request 5756:GETPWNAM
> [2012/05/14 16:50:47.959097,  3]
> winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam myuser
> [2012/05/14 16:50:47.959135,  1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_LookupName: struct wbint_LookupName
>           in: struct wbint_LookupName
>               domain                   : *
>                   domain                   : 'MYDOMAIN'
>               name                     : *
>                   name                     : 'MYUSER'
>               flags                    : 0x00000008 (8)
> [2012/05/14 16:50:47.959276,  1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_LookupName: struct wbint_LookupName
>           out: struct wbint_LookupName
>               type                     : *
>                   type                     : SID_NAME_USER (1)
>               sid                      : *
>                   sid                      :
> S-1-5-21-828208052-1092558876-1846952604-22794
>               result                   : NT_STATUS_OK
> [2012/05/14 16:50:47.959404,  1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_QueryUser: struct wbint_QueryUser
>           in: struct wbint_QueryUser
>               sid                      : *
>                   sid                      :
> S-1-5-21-828208052-1092558876-1846952604-22794
> [2012/05/14 16:50:47.959499,  1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_QueryUser: struct wbint_QueryUser
>           out: struct wbint_QueryUser
>               info                     : *
>                   info: struct wbint_userinfo
>                       acct_name                : *
>                           acct_name                : 'myuser'
>                       full_name                : *
>                           full_name                : 'Lastname Firstname'
>                       homedir                  : *
>                           homedir                  : '/home/myuser'
>                       shell                    : *
>                           shell                    : '/bin/bash'
>                       primary_gid              : 0x0000000000002710 (10000)
>                       user_sid                 :
> S-1-5-21-828208052-1092558876-1846952604-22794
>                       group_sid                :
> S-1-5-21-828208052-1092558876-1846952604-513
>               result                   : NT_STATUS_OK
> [2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
>   idmap_cache_find_sid2uid found 10106
> [2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
>   idmap_cache_find_sid2gid found -1
> [2012/05/14 16:50:47.959763,  5]
> winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid
> S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
> [2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
>   wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/05/14 16:50:47.959843, 10]
> winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:GETPWNAM]: delivered response to client
> [2012/05/14 16:50:47.959937,  6]
> winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 26, client exited

Hmm, it finds a sid2uid mapping in the cache,
but then a sid2gid lookup fails (from cache).
Due to the bad error message, it cannot be seen
which sid was the input. It could also be the ...-513
group sid.

Could you please check with the more low level wbinfo commands
the results of the commands for id mapping:

wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794
==> should give a uid
wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794
==> should fail
wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513
==> should fail
wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513
==> should give a gid
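The following is an added example (not part of this thread) that correlates the debug lines quoted above so the failing cache lookup can be tied to a SID. It assumes, from the getpwnam code path, that sid2uid is asked for user_sid and sid2gid for group_sid; the log excerpt is a constructed copy of the quoted lines with mail wrapping undone.

```python
import re

# Constructed excerpt of the winbindd debug log quoted in the post (wrapped lines rejoined).
LOG = """\
[2012/05/14 16:50:47.959097,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam myuser
                      user_sid                 : S-1-5-21-828208052-1092558876-1846952604-22794
                      group_sid                : S-1-5-21-828208052-1092558876-1846952604-513
[2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 10106
[2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found -1
[2012/05/14 16:50:47.959763,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
"""


def explain_getpwnam(log):
    """Pair each idmap cache lookup with the SID from the preceding wbint_QueryUser dump.

    Assumption (getpwnam code path): sid2uid is asked for user_sid and sid2gid for
    group_sid, so a failed sid2gid most likely concerns the group SID, not the one
    named in the 'Could not convert sid' message.
    """
    ctx = {}
    for line in log.splitlines():
        if m := re.match(r"\s+getpwnam (\S+)", line):
            ctx = {"user": m.group(1)}
        elif m := re.match(r"\s+(user_sid|group_sid)\s*:\s*(S-1-\S+)", line):
            ctx[m.group(1)] = m.group(2)
        elif m := re.match(r"\s+idmap_cache_find_sid2(uid|gid) found (-?\d+)", line):
            kind, value = m.group(1), int(m.group(2))
            sid = ctx.get("user_sid" if kind == "uid" else "group_sid")
            ctx[f"sid2{kind}"] = {"sid": sid, "id": value, "ok": value >= 0}
    return ctx


def suggested_checks(ctx):
    """Return the low-level wbinfo commands worth running for the lookups that failed."""
    cmds = []
    for kind, flag in (("sid2uid", "-S"), ("sid2gid", "-Y")):
        entry = ctx.get(kind)
        if entry and not entry["ok"]:
            cmds.append(f"wbinfo {flag} {entry['sid']}")
    return cmds
```

For the quoted log this points at the group SID (...-513), matching the suspicion in the reply.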

Cheers - Michael
