[Samba] Samba 4.1.4 nsswitch/winbind issues

Michael Brown michael at netdirect.ca
Wed Jun 4 14:39:41 MDT 2014


On 14-02-15 10:42 AM, Doug Meredith wrote:
> Things that don't work:
>
>    - getent passwd {any_ad_user}
>    - getent group
>    - getent passwd
Exactly the problem I'm struggling with. (update: have solved since I
started writing this!)

CentOS/samba-3.6.9-168.el6_5.x86_64 and SciLinux/samba-3.6.3-78.el6.1.x86_64

Same symptoms, same things that work, same things that don't. I've
simplified my idmap configuration down to:

       idmap config * : backend = tdb2
       idmap config * : range = 1000000-1999999
       idmap config NETDIRECT:backend = ad
       idmap config NETDIRECT:schema_mode = rfc2307
       idmap config NETDIRECT:range = 100-999999

I get in my log:
Could not convert sid S-1-5-21-2070472328-935435760-1634736958-11032: NT_STATUS_NONE_MAPPED

yet:
# wbinfo -n michael
S-1-5-21-2070472328-935435760-1634736958-11032 SID_USER (1)
# wbinfo -S S-1-5-21-2070472328-935435760-1634736958-11032
5016

which is within the configured range for the domain.

Near as I can tell I'm getting a complete user structure out of winbind:
wbint_QueryUser: struct wbint_QueryUser
   out: struct wbint_QueryUser
       info                     : *
           info: struct wbint_userinfo
               acct_name                : *
                   acct_name                : 'michael'
               full_name                : NULL
               homedir                  : *
                   homedir                  : '/net/nfshome/home/michael'
               shell                    : *
                   shell                    : '/bin/bash'
               primary_gid              : 0x0000000000000fa0 (4000)
               user_sid                 : S-1-5-21-2070472328-935435760-1634736958-11032
               group_sid                : S-1-5-21-2070472328-935435760-1634736958-513
       result                   : NT_STATUS_OK

but:

[2014/06/04 16:17:53.793013, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 5016
[2014/06/04 16:17:53.793144, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found -1
[2014/06/04 16:17:53.793254,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2070472328-935435760-1634736958-11032: NT_STATUS_NONE_MAPPED

Damn. Now that I write that after cranking up the debug levels I wonder
if that line might be misleading. It was sid2gid that failed, but it
reported the user sid as unmappable.

Yes! It is misleading!

https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
"Please note that primary group membership is currently always
calculated via the "primaryGroupID" LDAP attribute."

winbind (unlike the other similar nss providers) will convert the
primary Windows group to the primary Unix group. Thus, when using the ad
backend you must have a gidNumber attribute on 'Domain Users'.

All of a sudden it works:
# id michael
uid=5016(michael) gid=4001(domain users) groups=4001(domain users),4000(staff)

I suspect you have the same problem.

M.

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
?: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
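
The diagnosis in this message, as an added example that is not part of the original post: a shell check that tests the user SID to uid mapping and the primary group SID to gid mapping separately, so a missing gidNumber is not reported as an unmappable user. The function names are hypothetical, and the script assumes the primary group is Domain Users (RID 513) unless another RID is passed.

```shell
#!/bin/sh
# Added example, not from the original post. winbindd_getpwnam needs two
# mappings: user SID -> uid and primary group SID -> gid. Check each one.
# Assumption: primary group is Domain Users (RID 513) unless a RID is given.

# Print the SID for an account name (first field of `wbinfo -n` output).
name_to_sid() {
    wbinfo -n "$1" 2>/dev/null | awk '{print $1; exit}'
}

# Replace the last sub-authority (the RID) of a SID: sid_with_rid SID RID
sid_with_rid() {
    printf '%s-%s\n' "${1%-*}" "$2"
}

# check_user NAME [PRIMARY_GROUP_RID]
# Returns 0 if both mappings exist, 1 if the name is unknown,
# 2 if the uid mapping is missing, 3 if the gid mapping is missing.
check_user() {
    user=$1
    rid=${2:-513}
    user_sid=$(name_to_sid "$user")
    if [ -z "$user_sid" ]; then
        echo "$user: name does not resolve to a SID"
        return 1
    fi
    if ! uid=$(wbinfo -S "$user_sid" 2>/dev/null); then
        echo "$user: no uid for user SID $user_sid (check uidNumber)"
        return 2
    fi
    group_sid=$(sid_with_rid "$user_sid" "$rid")
    if ! gid=$(wbinfo -Y "$group_sid" 2>/dev/null); then
        echo "$user: uid=$uid maps, but primary group SID $group_sid has no gid (check gidNumber)"
        return 3
    fi
    echo "$user: uid=$uid gid=$gid"
    return 0
}

# Run only when invoked with arguments, e.g.: sh check_idmap.sh michael
if [ "$#" -gt 0 ]; then
    check_user "$@"
fi
```
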


