[Samba] winbind backends ad and rfc2307 both with errors...
L.P.H. van Belle
belle at bazuin.nl
Mon Jan 5 03:51:12 MST 2015
You have overlapping IDs, which will not work correctly.
> idmap config * : range = 70000-80000
> idmap config LUH-TFD : range = 500-69999
> idmap config POOL : range = 500-69999
> idmap config WINPOOL : range = 500-69999
Each range should not overlap the other.
>-----Original message-----
>From: schumacher at tfd.uni-hannover.de
>[mailto:samba-bounces at lists.samba.org] On behalf of Sven Schumacher
>Sent: Monday, 5 January 2015 11:31
>To: samba at lists.samba.org
>Subject: [Samba] winbind backends ad and rfc2307 both with errors...
>
>Hello,
>
>I just set up a Samba server (version 2:4.1.13+dfsg-4) on Debian 7.7,
>being a member server of a Win2k8 domain (before that, the server was
>an old SuSE (10.4) Samba with its own user management (standalone server)).
>I would like to use winbind with the idmap backend "ad" or "rfc2307"
>instead.
>
>When using rfc2307 (like in my conf specified), I can do successfully:
>wbinfo -u
>wbinfo -g
>and even "getent passwd" shows the users. Only "getent group" doesn't
>list any domain-based group (but the uid and gid values look like they
>are being served from tdb instead of AD).
>wbinfo -i $USER gives uid and gid values coming from the tdb database
>(70000...), too.
>wbinfo --group-info $GROUP gives the right members of the group, but the
>wrong gid (coming from tdb, too).
>
>When I use the backend "ad", wbinfo -u and wbinfo -g work without
>failure, too. But "getent passwd" and "getent group" don't show any
>domain-based entry.
>Calling "wbinfo -i $USER" tells me:
>
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user $USER
>
>wbinfo --group-info $GROUP
>
>works fine and has the correct information.
>
>In the winbind-logfiles (using -d 10 for debugging):
>
>[2015/01/05 10:51:48.578960, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap]
>  ../source3/winbindd/idmap.c:377(idmap_find_domain)
>  idmap_find_domain called for domain 'LUH-TFD'
>[2015/01/05 10:51:48.579001, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap]
>  ../source3/winbindd/idmap_ad.c:64(ad_idmap_cached_connection)
>  ad_idmap_cached_connection: called for domain 'LUH-TFD'
>[2015/01/05 10:51:48.579034, 7, pid=18923, effective(0, 0), real(0, 0), class=winbind]
>  ../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
>  Current tickets expire in 35972 seconds (at 1420487480, time is now 1420451508)
>[2015/01/05 10:51:48.579085, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap]
>  ../source3/winbindd/idmap_ad.c:452(idmap_ad_sids_to_unixids)
>  Filter: [(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00)))]
>[2015/01/05 10:51:48.579963, 5, pid=18923, effective(0, 0), real(0, 0)]
>  ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
>  Search for (&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00))) in <dc=LUH-TFD,dc=LOCAL> gave 1 replies
>[2015/01/05 10:51:48.580034, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap]
>  ../source3/winbindd/idmap_ad.c:539(idmap_ad_sids_to_unixids)
>  Mapped S-1-5-21-3285755821-2153854375-451886177-1152 -> 516 (1)
>[2015/01/05 10:51:48.580078, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind]
>  ../source3/winbindd/winbindd_dual_srv.c:194(_wbint_Sids2UnixIDs)
>  sids_to_unixids returned NT_STATUS_OK
>[2015/01/05 10:51:48.580112, 1, pid=18923, effective(0, 0), real(0, 0)]
>  ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
>      wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
>          out: struct wbint_Sids2UnixIDs
>              ids                      : *
>                  ids: struct wbint_TransIDArray
>                      num_ids                  : 0x00000001 (1)
>                      ids: ARRAY(1)
>                          ids: struct wbint_TransID
>                              type                     : ID_TYPE_UID (1)
>                              domain_index             : 0x00000000 (0)
>                              rid                      : 0x00000480 (1152)
>                              xid: struct unixid
>                                  id                       : 0x00000204 (516)
>                                  type                     : ID_TYPE_UID (1)
>          result                   : NT_STATUS_OK
>[2015/01/05 10:51:48.580343, 4, pid=18923, effective(0, 0), real(0, 0), class=winbind]
>  ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>  Finished processing child request 59
>[2015/01/05 10:51:48.580402, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind]
>  ../source3/winbindd/winbindd_dual.c:1363(child_handler)
>  Writing 3528 bytes to parent
>[2015/01/05 10:51:48.582682, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind]
>  ../source3/winbindd/winbindd_dual.c:71(child_read_request)
>  Need to read 110 extra bytes
>[2015/01/05 10:51:48.582753, 4, pid=18923, effective(0, 0), real(0, 0), class=winbind]
>  ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>  child daemon request 59
>[2015/01/05 10:51:48.582801, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind]
>  ../source3/winbindd/winbindd_dual.c:458(child_process_request)
>  child_process_request: request fn NDRCMD
>
>
>Summary:
>So, by using backend ad, winbind is able to fetch the uid, but reports
>errors (and getent passwd, getent group fail); fetching the gid works
>without error.
>By using backend rfc2307, winbind is able to fetch user and group lists
>using wbinfo and getent passwd/group, but has the wrong uid and gid.
>Any suggestions for possible solutions?
>Even stripping down my config to mention only the main domain (instead
>of the trusted ones, too) doesn't solve the problem.
>
>My config (smb.conf) for winbind (anything obvious wrong here?):
>
>[global]
> workgroup = LUH-TFD
> realm = LUH-TFD.LOCAL
> follow symlinks = yes
> security = ADS
> printing = cups
> printcap name = cups
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> idmap config * : backend = tdb
> idmap config * : range = 70000-80000
> idmap config LUH-TFD : range = 500-69999
> idmap config LUH-TFD : backend = rfc2307
> idmap config LUH-TFD : ldap_server = ad
> idmap config POOL : range = 500-69999
> idmap config POOL : backend = rfc2307
> idmap config POOL : ldap_server = ad
> idmap config WINPOOL : range = 500-69999
> idmap config WINPOOL : backend = rfc2307
> idmap config WINPOOL : ldap_server = ad
># idmap config WINPOOL : range = 500-69999
># idmap config WINPOOL : backend = ad
># idmap config WINPOOL : schema_mode = rfc2307
># idmap config LUH-TFD : range = 500-69999
># idmap config LUH-TFD : backend = ad
># idmap config LUH-TFD : schema_mode = rfc2307
># idmap config POOL : range = 500-69999
># idmap config POOL : backend = ad
># idmap config POOL : schema_mode = rfc2307
> template shell = /bin/false
> template homedir = /home/%U
> winbind offline logon = yes
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> map untrusted to domain = no
> obey pam restrictions = no
> client use spnego = yes
> client ntlmv2 auth = yes
> allow trusted domains = yes
> winbind normalize names = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind trusted domains only = no
>
>
>
>my /etc/krb5.conf:
>
>[libdefaults]
> default_realm = LUH-TFD.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> renew_lifetime = 7d
> ticket_lifetime = 24h
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>[appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = true
> }
># The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
>[realms]
> POOL.LUH-TFD.LOCAL = {
> kdc = winad2.tfd.uni-hannover.de:88
> admin_server = winad2.tfd.uni-hannover.de:749
> default_domain = pool.luh-tfd.local
> }
> LUH-TFD.LOCAL = {
> kdc = winad1.tfd.uni-hannover.de:88
> admin_server = winad1.tfd.uni-hannover.de:749
> default_domain = luh-tfd.local
> }
> WINPOOL.TFD.UNI-HANNOVER.DE = {
> kdc = aias.winpool.tfd.uni-hannover.de:88
> admin_server = aias.winpool.tfd.uni-hannover.de:749
> default_domain = winpool.tfd.uni-hannover.de
> }
>
>[domain_realm]
> .luh-tfd.local = LUH-TFD.LOCAL
> luh-tfd.local = LUH-TFD.LOCAL
> .winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
> winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
> .pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
> pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
>
>[login]
> krb4_convert = true
> krb4_get_tickets = true
>
>
>my /etc/nsswitch.conf:
>
># /etc/nsswitch.conf
>#
># Example configuration of GNU Name Service Switch functionality.
># If you have the `glibc-doc-reference' and `info' packages installed, try:
># `info libc "Name Service Switch"' for information about this file.
>
>passwd: compat winbind
>group: compat winbind
>shadow: compat
>
>hosts: files dns mdns4
>networks: files
>
>protocols: db files
>services: db files
>ethers: db files
>rpc: db files
>
>netgroup: nis
>sudoers: files
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
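Two checks that follow from this thread, written here as an added example rather than anything posted by either participant or shipped with Samba. The first parses the `idmap config ... : range` lines from the smb.conf above and reports which domains share ID space, which is the overlap L.P.H. van Belle points out (LUH-TFD, POOL and WINPOOL all claim 500-69999); a non-overlapping layout is included for comparison, and its numbers are an assumption, not a recommendation from the thread. The second decodes the escaped `objectSid` value from the `winbind -d 10` log into its textual SID, so the filter that idmap_ad sends to the DC can be checked against the `Mapped S-1-5-21-...-1152 -> 516` line that follows it. Samba prints non-printable bytes in LDAP filters as `\XX` and printable ones literally, which is why `\A75a` in the log is three bytes, not one.

```python
import re
import struct

# Constructed inline from the smb.conf posted in the thread (idmap lines only).
SMB_CONF_IDMAP = """\
idmap config * : backend = tdb
idmap config * : range = 70000-80000
idmap config LUH-TFD : range = 500-69999
idmap config LUH-TFD : backend = rfc2307
idmap config POOL : range = 500-69999
idmap config POOL : backend = rfc2307
idmap config WINPOOL : range = 500-69999
idmap config WINPOOL : backend = rfc2307
"""

# Hypothetical non-overlapping layout; the numbers are an assumption, not from the thread.
SMB_CONF_IDMAP_FIXED = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config LUH-TFD : backend = rfc2307
idmap config LUH-TFD : range = 10000-19999
idmap config POOL : backend = rfc2307
idmap config POOL : range = 20000-29999
idmap config WINPOOL : backend = rfc2307
idmap config WINPOOL : range = 30000-39999
"""

# The objectSid value exactly as it appears in the winbind -d 10 log in the thread.
LOG_OBJECTSID = r"\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00"

_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE)


def parse_idmap_ranges(conf_text):
    """Map each 'idmap config DOM : range = lo-hi' line to DOM -> (lo, hi)."""
    ranges = {}
    for line in conf_text.splitlines():
        m = _RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m["lo"]), int(m["hi"])
        if lo > hi:
            raise ValueError(f"inverted range for {m['dom']}: {lo}-{hi}")
        ranges[m["dom"]] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return every pair of idmap domains whose ranges intersect, ordered by name."""
    doms = sorted(ranges)
    hits = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:   # closed intervals touch or cross
                hits.append((a, b))
    return hits


def unescape_samba_filter_bytes(s):
    """Undo Samba's LDAP filter escaping: '\\XX' is one hex byte, any other char is literal."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def sid_from_bytes(b):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    if len(b) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    rev, count = b[0], b[1]
    if rev != 1 or count > 15 or len(b) != 8 + 4 * count:
        raise ValueError(f"malformed SID: rev={rev} count={count} len={len(b)}")
    authority = int.from_bytes(b[2:8], "big")
    subs = struct.unpack("<%dI" % count, b[8:])
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs)))


def decode_log_objectsid(escaped):
    """Escaped objectSid from a Samba debug log -> textual SID."""
    return sid_from_bytes(unescape_samba_filter_bytes(escaped))


def sid_rid(sid_text):
    """The last sub-authority: the value the NDR dump prints as 'rid'."""
    return int(sid_text.rsplit("-", 1)[1])


if __name__ == "__main__":
    for label, conf in (("posted", SMB_CONF_IDMAP), ("fixed", SMB_CONF_IDMAP_FIXED)):
        print(label, "overlaps:", find_overlaps(parse_idmap_ranges(conf)))
    sid = decode_log_objectsid(LOG_OBJECTSID)
    print(sid, "RID", sid_rid(sid))
```

Run it against a real smb.conf by reading the file into `parse_idmap_ranges` instead of the constructed text. Two practical notes: the default `*` range must also stay clear of every named domain's range, since it is where BUILTIN and any unlisted domain land, and a range that starts at 500 sits inside the space Debian uses for local system accounts (below 1000), so it can collide with entries in /etc/passwd even when the idmap ranges themselves do not overlap. Samba releases much newer than the 4.1 in this thread also report overlapping idmap ranges from `testparm`, which is the quickest check on a live server.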