[Samba] winbind backends ad and rfc2307 both with errors...

L.P.H. van Belle belle at bazuin.nl
Mon Jan 5 03:51:12 MST 2015


You have overlapping IDs, which will not work correctly.

>     idmap config * : range = 70000-80000

>     idmap config LUH-TFD : range = 500-69999
>     idmap config POOL : range = 500-69999
>     idmap config WINPOOL : range = 500-69999

Each range should not overlap the other.



>-----Original Message-----
>From: schumacher at tfd.uni-hannover.de 
>[mailto:samba-bounces at lists.samba.org] On behalf of Sven Schumacher
>Sent: Monday, January 5, 2015 11:31
>To: samba at lists.samba.org
>Subject: [Samba] winbind backends ad and rfc2307 both with errors...
>
>Hello,
>
>I just set up a samba server (version 2:4.1.13+dfsg-4) on Debian 7.7, 
>being a member server of a Win2k8-Domain (before that, that server was 
>an old SuSE (10.4)-Samba with own user-management (standalone-server).
>I would like to use winbind with the idmap backend "ad" or "rfc2307" 
>instead.
>
>When using rfc2307 (like in my conf specified), I can do successfully:
>wbinfo -u
>wbinfo -g
>and even "getent passwd" shows the users. Only "getent group" doesn't 
>list any domain-based group (but uid and gid-Values are looking like 
>being served from tdb instead of ad).
>wbinfo -i $USER gives uid and gid values coming from the tdb-Database 
>(70000...), too.
>wbinfo --group-info $GROUP gives the right members of the group, but the 
>wrong gid (coming from tdb, too).
>
>When I use the backend "ad" wbinfo -u and wbinfo -g work without 
>failure, too. But "getent passwd" and "getent group" didn't show any 
>domain-based entry.
>Calling "wbinfo -i $USER" tells me:
>
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user $USER
>
>wbinfo --group-info $GROUP
>
>works fine and has the correct information.
>
>In the winbind-logfiles (using -d 10 for debugging):
>
>2015/01/05 10:51:48.578960, 10, pid=18923, effective(0, 0), 
>real(0, 0), class=idmap] 
>../source3/winbindd/idmap.c:377(idmap_find_domain)
>   idmap_find_domain called for domain 'LUH-TFD'
>[2015/01/05 10:51:48.579001, 10, pid=18923, effective(0, 0), 
>real(0, 0), class=idmap] 
>../source3/winbindd/idmap_ad.c:64(ad_idmap_cached_connection)
>   ad_idmap_cached_connection: called for domain 'LUH-TFD'
>[2015/01/05 10:51:48.579034,  7, pid=18923, effective(0, 0), 
>real(0, 0), class=winbind] 
>../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
>   Current tickets expire in 35972 seconds (at 1420487480, 
>time is now 1420451508)
>[2015/01/05 10:51:48.579085, 10, pid=18923, effective(0, 0), 
>real(0, 0), class=idmap] 
>../source3/winbindd/idmap_ad.c:452(idmap_ad_sids_to_unixids)
>   Filter: 
>[(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAc
>countType=805306370)(sAMAccountType=268435456)(sAMAccountType=5
>36870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\
>A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00)))]
>[2015/01/05 10:51:48.579963,  5, pid=18923, effective(0, 0), 
>real(0, 0)] 
>../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
>   Search for 
>(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAcc
>ountType=805306370)(sAMAccountType=268435456)(sAMAccountType=53
>6870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A
>7\D8\C3\A75a\80a<\EF\1A\80\04\00\00))) in 
><dc=LUH-TFD,dc=LOCAL> gave 1 replies
>[2015/01/05 10:51:48.580034, 10, pid=18923, effective(0, 0), 
>real(0, 0), class=idmap] 
>../source3/winbindd/idmap_ad.c:539(idmap_ad_sids_to_unixids)
>   Mapped S-1-5-21-3285755821-2153854375-451886177-1152 -> 516 (1)
>[2015/01/05 10:51:48.580078, 10, pid=18923, effective(0, 0), 
>real(0, 0), class=winbind] 
>../source3/winbindd/winbindd_dual_srv.c:194(_wbint_Sids2UnixIDs)
>   sids_to_unixids returned NT_STATUS_OK
>[2015/01/05 10:51:48.580112,  1, pid=18923, effective(0, 0), 
>real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
>        wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
>           out: struct wbint_Sids2UnixIDs
>               ids                      : *
>                   ids: struct wbint_TransIDArray
>                       num_ids                  : 0x00000001 (1)
>                       ids: ARRAY(1)
>                           ids: struct wbint_TransID
>                               type                     : 
>ID_TYPE_UID (1)
>                               domain_index             : 
>0x00000000 (0)
>                               rid                      : 
>0x00000480 (1152)
>                               xid: struct unixid
>                                   id                       : 
>0x00000204 (516)
>                                   type                     : 
>ID_TYPE_UID (1)
>               result                   : NT_STATUS_OK
>[2015/01/05 10:51:48.580343,  4, pid=18923, effective(0, 0), 
>real(0, 0), class=winbind] 
>../source3/winbindd/winbindd_dual.c:1346(child_handler)
>   Finished processing child request 59
>[2015/01/05 10:51:48.580402, 10, pid=18923, effective(0, 0), 
>real(0, 0), class=winbind] 
>../source3/winbindd/winbindd_dual.c:1363(child_handler)
>   Writing 3528 bytes to parent
>[2015/01/05 10:51:48.582682, 10, pid=18923, effective(0, 0), 
>real(0, 0), class=winbind] 
>../source3/winbindd/winbindd_dual.c:71(child_read_request)
>   Need to read 110 extra bytes
>[2015/01/05 10:51:48.582753,  4, pid=18923, effective(0, 0), 
>real(0, 0), class=winbind] 
>../source3/winbindd/winbindd_dual.c:1338(child_handler)
>   child daemon request 59
>[2015/01/05 10:51:48.582801, 10, pid=18923, effective(0, 0), 
>real(0, 0), class=winbind] 
>../source3/winbindd/winbindd_dual.c:458(child_process_request)
>   child_process_request: request fn NDRCMD
>
>
>Summary:
>So, by using backend ad winbind is able to fetch the uid, but reports 
>errors (and getent passwd, getent group fails), fetching gid works 
>without error.
>By using backend rfc2307 winbind is able to fetch user and group-lists 
>using wbinfo and getent passwd/group but has wrong uid and gid.
>Any suggestions for possible solutions?
>Even stripping down my config to mention only the main domain (instead 
>of the trusted ones, too) doesn't solve the problem.
>
>My config (smb.conf) for winbind (anything obvious wrong here?):
>
>[global]
>    workgroup = LUH-TFD
>    realm = LUH-TFD.LOCAL
>    follow symlinks = yes
>    security = ADS
>    printing = cups
>    printcap name = cups
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>     idmap config * : backend = tdb
>     idmap config * : range = 70000-80000
>     idmap config LUH-TFD : range = 500-69999
>     idmap config LUH-TFD : backend = rfc2307
>     idmap config LUH-TFD : ldap_server = ad
>     idmap config POOL : range = 500-69999
>     idmap config POOL : backend = rfc2307
>     idmap config POOL : ldap_server = ad
>     idmap config WINPOOL : range = 500-69999
>     idmap config WINPOOL : backend = rfc2307
>     idmap config WINPOOL : ldap_server = ad
>#    idmap config WINPOOL : range = 500-69999
>#    idmap config WINPOOL : backend = ad
>#    idmap config WINPOOL : schema_mode = rfc2307
>#    idmap config LUH-TFD : range = 500-69999
>#    idmap config LUH-TFD : backend = ad
>#    idmap config LUH-TFD : schema_mode = rfc2307
>#    idmap config POOL : range = 500-69999
>#    idmap config POOL : backend = ad
>#    idmap config POOL : schema_mode = rfc2307
>     template shell = /bin/false
>     template homedir = /home/%U
>     winbind offline logon = yes
>          kerberos method = secrets and keytab
>          dedicated keytab file = /etc/krb5.keytab
>     map untrusted to domain = no
>     obey pam restrictions = no
>     client use spnego = yes
>     client ntlmv2 auth = yes
>     allow trusted domains = yes
>     winbind normalize names = yes
>     winbind use default domain = yes
>     winbind refresh tickets = yes
>     winbind nss info = rfc2307
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nested groups = yes
>     winbind trusted domains only = no
>
>
>
>my /etc/krb5.conf:
>
>[libdefaults]
>         default_realm = LUH-TFD.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = false
>         renew_lifetime = 7d
>         ticket_lifetime = 24h
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>         default_tgs_enctypes = rc4-hmac 
>aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>         default_tkt_enctypes = rc4-hmac 
>aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>         permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 
>aes128-cts-hmac-sha1-96
>[appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 36000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = true
>     }
># The following libdefaults parameters are only for Heimdal Kerberos.
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
>
>[realms]
>         POOL.LUH-TFD.LOCAL = {
>                 kdc = winad2.tfd.uni-hannover.de:88
>                 admin_server = winad2.tfd.uni-hannover.de:749
>                 default_domain = pool.luh-tfd.local
>         }
>         LUH-TFD.LOCAL = {
>                 kdc = winad1.tfd.uni-hannover.de:88
>                 admin_server = winad1.tfd.uni-hannover.de:749
>                 default_domain = luh-tfd.local
>         }
>         WINPOOL.TFD.UNI-HANNOVER.DE = {
>                 kdc = aias.winpool.tfd.uni-hannover.de:88
>                 admin_server = aias.winpool.tfd.uni-hannover.de:749
>                 default_domain = winpool.tfd.uni-hannover.de
>         }
>
>[domain_realm]
>         .luh-tfd.local = LUH-TFD.LOCAL
>         luh-tfd.local = LUH-TFD.LOCAL
>         .winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
>         winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
>         .pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
>         pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
>
>[login]
>         krb4_convert = true
>         krb4_get_tickets = true
>
>
>my /etc/nsswitch.conf:
>
># /etc/nsswitch.conf
>#
># Example configuration of GNU Name Service Switch functionality.
># If you have the `glibc-doc-reference' and `info' packages 
>installed, try:
># `info libc "Name Service Switch"' for information about this file.
>
>passwd:         compat winbind
>group:          compat winbind
>shadow:         compat
>
>hosts:          files dns mdns4
>networks:       files
>
>protocols:      db files
>services:       db files
>ethers:         db files
>rpc:            db files
>
>netgroup:       nis
>sudoers:        files
>