[Samba] Samba 3 AD Member Server Strangeness
Rowland Penny
rowlandpenny at googlemail.com
Sat Jun 20 03:10:10 MDT 2015
On 19/06/15 21:39, Brian.Huffman at dupont.com wrote:
> All,
>
> I'm trying to configure a Samba 3 AD member server including winbind. I'm on RHEL 6.6, so I'm using Samba version 3.6.23.
>
> Here's my configuration:
> [global]
> log level = 3 winbind:10
> workgroup = ABC
> server string = LV37
> netbios name = LV37
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config ABC:backend = rid
> idmap config ABC:range = 10000-199999
> winbind use default domain = true
> winbind enum users = no
> winbind enum groups = no
> winbind refresh tickets = yes
> template homedir = /
> template shell = /sbin/nologin
>
> realm = ABC.NET
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> allow trusted domains = no
> domain master = no
> local master = no
> preferred master = no
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
> map to guest = Bad User
>
> In general I followed the guide at https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> We have been able to do a wbinfo -u and all users come back. Unfortunately not all users are getting mapped to uids:
> [root at eslv37 samba]# wbinfo -u | egrep 'jx2354|nj3586'
> jx2354
> nj3586
> [root at eslv37 samba]# wbinfo -i nj3586
> nj3586:*:11813:10513:USER NAME:/:/sbin/nologin
> [root at eslv37 samba]# wbinfo -i jx2354
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user jx2354
>
> For a user that works, I see this in the winbind logs:
> [2015/06/19 16:28:56.608328, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam nj3586
> [2015/06/19 16:28:56.608388, 10] winbindd/winbindd_dual.c:1370(fork_domain_child)
> fork_domain_child called for domain 'ABC'
> [2015/06/19 16:28:56.608817, 10] winbindd/winbindd_dual.c:1426(fork_domain_child)
> Child process 5713
> [2015/06/19 16:28:56.720068, 10] winbindd/winbindd_cm.c:377(winbind_msg_domain_online)
> Domain DUPONTNET is marked as online now.
> [2015/06/19 16:28:56.746994, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
> idmap_cache_find_sid2uid found 11813
> [2015/06/19 16:28:56.747036, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
> find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-513)
> [2015/06/19 16:28:56.747065, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
> calling find_our_domain
> [2015/06/19 16:28:56.749758, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
> idmap_cache_find_sid2gid found 10513
> [2015/06/19 16:28:56.749811, 10] winbindd/winbindd.c:707(wb_request_done)
> wb_request_done[5712:GETPWNAM]: NT_STATUS_OK
> [2015/06/19 16:28:56.749854, 10] winbindd/winbindd.c:768(winbind_client_response_written)
> winbind_client_response_written[5712:GETPWNAM]: delivered response to client
> [2015/06/19 16:28:56.750538, 6] winbindd/winbindd.c:870(winbind_client_request_read)
> closing socket 27, client exited
>
> For a user that doesn't, I see this:
> getpwnam jx2354
> [2015/06/19 16:29:32.187469, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
> find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
> [2015/06/19 16:29:32.187510, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
> calling find_our_domain
> [2015/06/19 16:29:32.188077, 10] winbindd/winbindd_dual.c:1372(fork_domain_child)
> fork_domain_child called without domain.
> [2015/06/19 16:29:32.188445, 10] winbindd/winbindd_dual.c:1426(fork_domain_child)
> Child process 5718
> [2015/06/19 16:29:32.215807, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED
> [2015/06/19 16:29:32.215861, 10] winbindd/winbindd.c:707(wb_request_done)
> wb_request_done[5717:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2015/06/19 16:29:32.215903, 10] winbindd/winbindd.c:768(winbind_client_response_written)
> winbind_client_response_written[5717:GETPWNAM]: delivered response to client
> [2015/06/19 16:29:32.216636, 6] winbindd/winbindd.c:870(winbind_client_request_read)
> closing socket 27, client exited
>
> I can't figure out what I'm doing wrong.
>
> Any ideas?
>
> Thanks!
> Brian
>
Hi, Firstly, can I suggest you add these lines to smb.conf:
security = ADS
winbind expand groups = 4
winbind nss info = rfc2307
And remove these:
allow trusted domains = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
Not that they are your problem, but they are better changed. :-)
Now to what is your problem.
You are using the 'rid' backend, this means that your users ID numbers
are calculated from this:
ID = RID - BASE_RID + LOW_RANGE_ID
So from the info you posted:
idmap config ABC:range = 10000-199999
find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
The calculation becomes:
ID = 732503 - 0 + 10000
Note: unless set, the base rid is always 0
So:
ID = 742503
Any ID numbers outside the range *you* set in smb.conf are ignored, or
to put it the way your log fragment shows: 'Could not convert sid
S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED'
This means '742503' is not used for an ID number because it is larger
than '199999'
Rowland
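The arithmetic Rowland walks through, as an added example (not code from the Samba project or from anyone in this thread). It parses the `idmap config` lines quoted from Brian's smb.conf, applies `ID = RID - BASE_RID + LOW_RANGE_ID` to the two SIDs that appear in the winbind log, and performs the same range check winbind does, so the result is either a Unix ID or `None` where winbind reports `NT_STATUS_NONE_MAPPED`. The log lines embedded below are constructed from the fragments in the original post; `needed_high()` and `highest_rid_for_range()` are helper names chosen here, not Samba options.

```python
"""Worked example of the Samba 'rid' idmap backend calculation and range check.

Added example, not Samba code.  Reproduces the formula from the reply:

    ID = RID - BASE_RID + LOW_RANGE_ID

and the check that yields NT_STATUS_NONE_MAPPED when ID falls outside
'idmap config DOM:range'.  The 'rid' backend is deterministic, so this can be
computed offline; the '*' tdb backend allocates IDs and cannot be predicted.
"""
import re
from typing import Dict, List, Optional

# Constructed from the smb.conf fragment posted in the thread.
SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ABC:backend = rid
idmap config ABC:range = 10000-199999
"""

# Constructed from the winbind log lines quoted in the thread.
LOG_LINES = [
    "[2015/06/19 16:28:56.749811, 10] winbindd/winbindd.c:707(wb_request_done)",
    "  wb_request_done[5712:GETPWNAM]: NT_STATUS_OK",
    "[2015/06/19 16:29:32.215807, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)",
    "  Could not convert sid S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED",
]

_IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
_NONE_MAPPED_RE = re.compile(r"Could not convert sid (S-\d+(?:-\d+)+): NT_STATUS_NONE_MAPPED")


def parse_idmap_ranges(conf: str) -> Dict[str, dict]:
    """Return {domain: {backend, low, high, base_rid}} from smb.conf text.

    Whitespace around ':' and '=' is tolerated.  base_rid defaults to 0,
    which is the point Rowland makes: unless set, the base rid is always 0.
    """
    ranges: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = ranges.setdefault(domain, {"backend": None, "low": None, "high": None, "base_rid": 0})
        if key == "backend":
            entry["backend"] = value.lower()
        elif key == "range":
            low, high = value.split("-")
            entry["low"], entry["high"] = int(low), int(high)
        elif key == "base_rid":
            entry["base_rid"] = int(value)
    return ranges


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-732503."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(sid: str, cfg: dict) -> Optional[int]:
    """Apply the rid formula, then the range check winbind performs.

    Returns the Unix ID, or None where winbind would log NT_STATUS_NONE_MAPPED.
    """
    if cfg["backend"] != "rid":
        raise ValueError("only the rid backend maps deterministically")
    uid = rid_from_sid(sid) - cfg["base_rid"] + cfg["low"]
    return uid if cfg["low"] <= uid <= cfg["high"] else None


def highest_rid_for_range(cfg: dict) -> int:
    """Largest RID the configured range can hold; any higher RID fails to map."""
    return cfg["high"] - cfg["low"] + cfg["base_rid"]


def needed_high(sid: str, cfg: dict) -> int:
    """Smallest upper range bound that would let this SID map with the same low bound."""
    return rid_from_sid(sid) - cfg["base_rid"] + cfg["low"]


def find_unmapped_sids(lines: List[str]) -> List[str]:
    """Pull the SIDs winbind refused to map out of a log at level 5 or above."""
    return [m.group(1) for line in lines for m in [_NONE_MAPPED_RE.search(line)] if m]


if __name__ == "__main__":
    cfg = parse_idmap_ranges(SMB_CONF)["ABC"]
    for sid in ("S-1-5-21-369997941-647960827-447208795-513",
                "S-1-5-21-369997941-647960827-447208795-732503"):
        print(sid, "->", rid_to_id(sid, cfg))
    for sid in find_unmapped_sids(LOG_LINES):
        print("unmapped in log:", sid, "would need range high >=", needed_high(sid, cfg))
    print("highest mappable RID with this range:", highest_rid_for_range(cfg))
```

Running it shows RID 513 (the Domain Users group from the log) mapping to 10513, which matches the gid winbind returned for nj3586, while RID 732503 works out to 742503 and fails the check, exactly as the `NT_STATUS_NONE_MAPPED` line records. With this range the highest RID that can map is 189999; widening `idmap config ABC:range` so the high bound covers the largest RID in the domain is what the reply points at, and the tdb `*` range is excluded from the calculation because that backend allocates IDs rather than computing them.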