[Samba] Samba 3 AD Member Server Strangeness

Rowland Penny rowlandpenny at googlemail.com
Sat Jun 20 03:10:10 MDT 2015


On 19/06/15 21:39, Brian.Huffman at dupont.com wrote:
> All,
>
> I'm trying to configure a Samba 3 AD member server including winbind.  I'm on RHEL 6.6, so I'm using Samba version 3.6.23.
>
> Here's my configuration:
> [global]
>          log level = 3 winbind:10
>          workgroup = ABC
>          server string = LV37
>          netbios name = LV37
>
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>         idmap config ABC:backend = rid
>         idmap config ABC:range = 10000-199999
>         winbind use default domain = true
>         winbind enum users = no
>         winbind enum groups = no
>         winbind refresh tickets = yes
>         template homedir = /
>         template shell = /sbin/nologin
>
>          realm = ABC.NET
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>          allow trusted domains = no
>          domain master = no
>          local master = no
>          preferred master = no
>          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
>          map to guest = Bad User
>
> In general I followed the guide at https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> We have been able to do a wbinfo -u and all users come back.  Unfortunately not all users are getting mapped to uids:
> [root at eslv37 samba]# wbinfo -u |egrep 'jx2354| nj3586
> jx2354
> nj3586
> [root at eslv37 samba]# wbinfo -i nj3586
> nj3586:*:11813:10513:USER NAME:/:/sbin/nologin
> [root at eslv37 samba]# wbinfo -i jx2354
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user jx2354
>
> For a user that works, I see this in the winbind logs:
> [2015/06/19 16:28:56.608328,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>    getpwnam nj3586
> [2015/06/19 16:28:56.608388, 10] winbindd/winbindd_dual.c:1370(fork_domain_child)
>    fork_domain_child called for domain 'ABC'
> [2015/06/19 16:28:56.608817, 10] winbindd/winbindd_dual.c:1426(fork_domain_child)
>    Child process 5713
> [2015/06/19 16:28:56.720068, 10] winbindd/winbindd_cm.c:377(winbind_msg_domain_online)
>    Domain DUPONTNET is marked as online now.
> [2015/06/19 16:28:56.746994, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
>    idmap_cache_find_sid2uid found 11813
> [2015/06/19 16:28:56.747036, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
>    find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-513)
> [2015/06/19 16:28:56.747065, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
>    calling find_our_domain
> [2015/06/19 16:28:56.749758, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
>    idmap_cache_find_sid2gid found 10513
> [2015/06/19 16:28:56.749811, 10] winbindd/winbindd.c:707(wb_request_done)
>    wb_request_done[5712:GETPWNAM]: NT_STATUS_OK
> [2015/06/19 16:28:56.749854, 10] winbindd/winbindd.c:768(winbind_client_response_written)
>    winbind_client_response_written[5712:GETPWNAM]: delivered response to client
> [2015/06/19 16:28:56.750538,  6] winbindd/winbindd.c:870(winbind_client_request_read)
>    closing socket 27, client exited
>
> For a user that doesn't, I see this:
>    getpwnam jx2354
> [2015/06/19 16:29:32.187469, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
>    find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
> [2015/06/19 16:29:32.187510, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
>    calling find_our_domain
> [2015/06/19 16:29:32.188077, 10] winbindd/winbindd_dual.c:1372(fork_domain_child)
>    fork_domain_child called without domain.
> [2015/06/19 16:29:32.188445, 10] winbindd/winbindd_dual.c:1426(fork_domain_child)
>    Child process 5718
> [2015/06/19 16:29:32.215807,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>    Could not convert sid S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED
> [2015/06/19 16:29:32.215861, 10] winbindd/winbindd.c:707(wb_request_done)
>    wb_request_done[5717:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2015/06/19 16:29:32.215903, 10] winbindd/winbindd.c:768(winbind_client_response_written)
>    winbind_client_response_written[5717:GETPWNAM]: delivered response to client
> [2015/06/19 16:29:32.216636,  6] winbindd/winbindd.c:870(winbind_client_request_read)
>    closing socket 27, client exited
>
> I can't figure out what I'm doing wrong.
>
> Any ideas?
>
> Thanks!
> Brian
>

Hi, Firstly, can I suggest you add these lines to smb.conf:

     security = ADS
     winbind expand groups = 4
     winbind nss info = rfc2307

And remove these:

     allow trusted domains = no
     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072

Not that they are your problem, but they are better changed. :-)

Now to what is your problem.
You are using the 'rid' backend; this means that your users' ID numbers 
are calculated from this:

ID = RID - BASE_RID + LOW_RANGE_ID

So from the info you posted:

idmap config ABC:range = 10000-199999
find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)

The calculation becomes:

ID = 732503 - 0 + 10000

Note: unless set, the base rid is always 0

So:

ID = 742503

Any ID numbers outside the range *you* set in smb.conf are ignored, or 
to put it the way your log fragment shows: 'Could not convert sid 
S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED'

This means '742503' is not used for an ID number because it is larger 
than '199999'.

Rowland
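The rid calculation and range check explained above, worked through as an added Python example (this is illustration code, not Samba's idmap_rid implementation). The SIDs and the `idmap config ABC:range` value are the ones from the thread; the helper names and the parsing regex are my own.

```python
import re

# RID = last sub-authority of a domain SID (S-1-5-21-<three numbers>-RID).
# Well-known SIDs such as S-1-5-32-544 deliberately do not match.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_range(range_str):
    """Parse an 'idmap config DOM:range = LOW-HIGH' value into (LOW, HIGH)."""
    low, high = (int(part) for part in range_str.split("-"))
    if low > high:
        raise ValueError("invalid idmap range %r" % range_str)
    return low, high


def rid_from_sid(sid):
    """Return the RID of a domain SID, or None if this is not a domain SID."""
    match = _DOMAIN_SID_RE.match(sid)
    return int(match.group(1)) if match else None


def rid_sid_to_id(sid, id_range, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID, as the rid backend computes it.

    Returns None when the result falls outside the configured range, which is
    the case winbind reports as NT_STATUS_NONE_MAPPED in the log above.
    """
    rid = rid_from_sid(sid)
    if rid is None:
        return None
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def rid_id_to_rid(unix_id, id_range, base_rid=0):
    """Inverse direction: which RID a Unix ID inside the range corresponds to."""
    low, high = id_range
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


if __name__ == "__main__":
    abc_range = parse_range("10000-199999")          # from the posted smb.conf
    domain = "S-1-5-21-369997941-647960827-447208795"  # domain SID from the log
    print(rid_sid_to_id(domain + "-513", abc_range))     # 10513, matches the log
    print(rid_sid_to_id(domain + "-732503", abc_range))  # None: 742503 > 199999
    print(rid_id_to_rid(11813, abc_range))               # 1813, nj3586's RID
```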

