[Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

Javier Conti javier.conti at gmail.com
Wed May 16 00:34:28 MDT 2012


On 15 May 2012 23:29, Michael Adam <obnox at samba.org> wrote:
> Hi Javier,
>
> Javier Conti wrote:
>> Dear list,
>>
>> upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
>> to 3.6.3. I was successfully using idmap_ad to authenticate users but
>> after the upgrade it stopped working and users are not seen by the OS.
>> Obviously the users I want to see on the Linux server have all RFC2307
>> attributes populated and are seen by all other SLES11 SP1 servers.
>
>
>> Although I tried many changes to the config, according to some hints found
>> on the web, this is what I was using with Samba 3.4.3:
>>
>>   [global]
>>     workgroup = MYDOMAIN
>>     realm = MYREALM
>>     security = ADS
>>
>>     idmap backend = idmap_ad
>>     idmap uid = 64000 - 64999
>>     idmap gid = 64000 - 64999
>>
>>     idmap config MYDOMAIN : default = yes
>>     idmap config MYDOMAIN : backend = ad
>>     idmap config MYDOMAIN : range = 1000-50000
>>     idmap config MYDOMAIN : schema_mode = rfc2307
>>
>>     winbind use default domain = yes
>>     winbind nss info = rfc2307
>>     winbind offline logon = yes
>>     winbind refresh tickets = yes
>>     [...]
>>
>> Any hints on what has changed with Samba 3.6.3 and/or what to
>> change to adapt the configuration to 3.6.3 (if necessary)?
>
> Some comments:
> The above config makes no real sense for me,
> neither for 3.4 nor for 3.6:
>
> * The parameter "idmap config DOMAIN : default = yes/no"
>  has been removed in samba 3.3. It only existed from
>  3.0.25 to 3.2.
>  (http://www.samba.org/samba/history/samba-3.3.0.html)
>
> * You are using the backend "ad" (or "idmap_ad" which is
>  a deprecated synonym) both in "idmap config MYDOMAIN : backend"
>  and in "idmap backend". Both with different ranges.
>  This does not seem to make sense to me.
>
>  It is necessary to specify a writable backend for the
>  catch all default idmap configuration, e.g. tdb or ldap.
>
>  In 3.6, the "idmap backend" has been replaced by
>  "idmap config * : backend", etc.
>
> A valid config for 3.4 would be:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> [global]
>        workgroup = MYDOMAIN
>
>        idmap backend = tdb
>        idmap uid = xxxxx-yyyyy
>        idmap gid = xxxxx-yyyyy
>
>        idmap config MYDOMAIN : backend = ad
>        idmap config MYDOMAIN : range = 1000-50000
>        idmap config MYDOMAIN : schema mode = rfc2370
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The corresponding for 3.6:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> [global]
>        workgroup = MYDOMAIN
>
>        idmap config * : backend = tdb
>        idmap config * : range = xxxxx-yyyyy
>
>        idmap config MYDOMAIN : backend = ad
>        idmap config MYDOMAIN : range = 1000-50000
>        idmap config MYDOMAIN : schema mode = rfc2370
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hi Michael,

thanks for your input. The latter is indeed the configuration I'm
running lately.

>> I checked everything (I know) from the Samba point of view, and it almost
>> seems ok, but "wbinfo -i" fails as follows:
>>
>>   # wbinfo -i myuser
>>   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>   Could not get info for user myuser
>>
>> Using the same user, for example, I can do:
>>
>>   # wbinfo -n myuser
>>   S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
>>   # wbinfo -n "Domain Users"
>>   S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)
>>
>>   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
>>   MYDOMAIN\myuser 1
>>   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
>>   MYDOMAIN\Domain Users
>>
>>   # net -Uadminuser user info myuser |head
>>   Enter adminuser's password:
>>   domain users
>>   [...]
>>   # net -Uadminuser ads user  |grep myuser
>>   Enter adminuser's password:
>>   myuser
>>
>> Obviously, id(1) and getent(1) fail. What I get is:
>>
>> [2012/05/14 16:50:47.958484,  6] winbindd/winbindd.c:792(new_connection)
>>   accepted socket 25
>> [2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
>>   process_request: request fn INTERFACE_VERSION
>> [2012/05/14 16:50:47.958644,  3]
>> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>>   [ 5756]: request interface version
>> [2012/05/14 16:50:47.958705, 10]
>> winbindd/winbindd.c:738(winbind_client_response_written)
>>   winbind_client_response_written[5756:INTERFACE_VERSION]: delivered
>> response to client
>> [2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
>>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
>> [2012/05/14 16:50:47.958808,  3]
>> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>>   [ 5756]: request location of privileged pipe
>> [2012/05/14 16:50:47.958870, 10]
>> winbindd/winbindd.c:738(winbind_client_response_written)
>>   winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]:
>> delivered response to client
>> [2012/05/14 16:50:47.958939,  6] winbindd/winbindd.c:792(new_connection)
>>   accepted socket 26
>> [2012/05/14 16:50:47.958995,  6]
>> winbindd/winbindd.c:840(winbind_client_request_read)
>>   closing socket 25, client exited
>> [2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
>>   process_request: Handling async request 5756:GETPWNAM
>> [2012/05/14 16:50:47.959097,  3]
>> winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>   getpwnam myuser
>> [2012/05/14 16:50:47.959135,  1]
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>        wbint_LookupName: struct wbint_LookupName
>>           in: struct wbint_LookupName
>>               domain                   : *
>>                   domain                   : 'MYDOMAIN'
>>               name                     : *
>>                   name                     : 'MYUSER'
>>               flags                    : 0x00000008 (8)
>> [2012/05/14 16:50:47.959276,  1]
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>        wbint_LookupName: struct wbint_LookupName
>>           out: struct wbint_LookupName
>>               type                     : *
>>                   type                     : SID_NAME_USER (1)
>>               sid                      : *
>>                   sid                      :
>> S-1-5-21-828208052-1092558876-1846952604-22794
>>               result                   : NT_STATUS_OK
>> [2012/05/14 16:50:47.959404,  1]
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>        wbint_QueryUser: struct wbint_QueryUser
>>           in: struct wbint_QueryUser
>>               sid                      : *
>>                   sid                      :
>> S-1-5-21-828208052-1092558876-1846952604-22794
>> [2012/05/14 16:50:47.959499,  1]
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>        wbint_QueryUser: struct wbint_QueryUser
>>           out: struct wbint_QueryUser
>>               info                     : *
>>                   info: struct wbint_userinfo
>>                       acct_name                : *
>>                           acct_name                : 'myuser'
>>                       full_name                : *
>>                           full_name                : 'Lastname Firstname'
>>                       homedir                  : *
>>                           homedir                  : '/home/myuser'
>>                       shell                    : *
>>                           shell                    : '/bin/bash'
>>                       primary_gid              : 0x0000000000002710 (10000)
>>                       user_sid                 :
>> S-1-5-21-828208052-1092558876-1846952604-22794
>>                       group_sid                :
>> S-1-5-21-828208052-1092558876-1846952604-513
>>               result                   : NT_STATUS_OK
>> [2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
>>   idmap_cache_find_sid2uid found 10106
>> [2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
>>   idmap_cache_find_sid2gid found -1
>> [2012/05/14 16:50:47.959763,  5]
>> winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>   Could not convert sid
>> S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
>> [2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
>>   wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
>> [2012/05/14 16:50:47.959843, 10]
>> winbindd/winbindd.c:738(winbind_client_response_written)
>>   winbind_client_response_written[5756:GETPWNAM]: delivered response to client
>> [2012/05/14 16:50:47.959937,  6]
>> winbindd/winbindd.c:840(winbind_client_request_read)
>>   closing socket 26, client exited
>
> Hmm, it finds a sid2uid mapping in the cache,
> but then a sid2gid lookup fails (from cache).
> Due to bad error message, it can not be seen
> which sid was the input. Could also be the ...-513
> group sid.
>
> Could you please check with the more low level wbinfo commands
> the results of the commands for id mapping:
>
> wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794
> ==> should give a uid

That works and gives me 10106.

> wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794
> ==> should fail

That fails with WBC_ERR_DOMAIN_NOT_FOUND.

> wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513
> ==> should fail

That fails with WBC_ERR_DOMAIN_NOT_FOUND.

> wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513
> ==> should give a gid

That fails with WBC_ERR_DOMAIN_NOT_FOUND.


I don't know if it's related to that, but in the RFC2307 fields of the 10106
user I put as primary group 10000, which is not "Domain Users", but
S-1-5-21-828208052-1092558876-1846952604-51 is actually
"Domain Users". The group "Domain Users" has no RFC2307 gid
attribute. We didn't populate it since it's not used at all in the Unix
environment.

If I get the SID of the user primary group (i.e. the one I see using id(1)
on a 3.4.3 client) and then perform a sid-to-gid (wbinfo -Y) it works.

Thanks, Javier

>
> Cheers - Michael
>
>


More information about the samba mailing list