[Samba] Samba 3 AD Member Server Strangeness

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 22 07:15:15 MDT 2015


On 22/06/15 13:55, Brian.Huffman at dupont.com wrote:
> On June 20, 2015 5:10 AM, Rowland Penny wrote:
>> On 19/06/15 21:39, Brian.Huffman at dupont.com wrote:
>>> All,
>>>
>>> I'm trying to configure a Samba 3 AD member server including winbind.  I'm
>>> on RHEL 6.6, so I'm using Samba version 3.6.23.
>>> Here's my configuration:
>>> [global]
>>>           log level = 3 winbind:10
>>>           workgroup = ABC
>>>           server string = LV37
>>>           netbios name = LV37
>>>
>>>          idmap config *:backend = tdb
>>>          idmap config *:range = 2000-9999
>>>          idmap config ABC:backend = rid
>>>          idmap config ABC:range = 10000-199999
>>>          winbind use default domain = true
>>>          winbind enum users = no
>>>          winbind enum groups = no
>>>          winbind refresh tickets = yes
>>>          template homedir = /
>>>          template shell = /sbin/nologin
>>>
>>>           realm = ABC.NET
>>>           dedicated keytab file = /etc/krb5.keytab
>>>           kerberos method = secrets and keytab
>>>           allow trusted domains = no
>>>           domain master = no
>>>           local master = no
>>>           preferred master = no
>>>           socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
>>>           map to guest = Bad User
>>>
>>> In general I followed the guide at
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> We have been able to do a wbinfo -u and all users come back.
>>> Unfortunately not all users are getting mapped to uids:
>>> [root at eslv37 samba]# wbinfo -u |egrep 'jx2354|nj3586'
>>> jx2354
>>> nj3586
>>> [root at eslv37 samba]# wbinfo -i nj3586
>>> nj3586:*:11813:10513:USER NAME:/:/sbin/nologin
>>> [root at eslv37 samba]# wbinfo -i jx2354
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get
>>> info for user jx2354
>>>
>>> For a user that works, I see this in the winbind logs:
>>> [2015/06/19 16:28:56.608328,  3]
>> winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>>     getpwnam nj3586
>>> [2015/06/19 16:28:56.608388, 10]
>> winbindd/winbindd_dual.c:1370(fork_domain_child)
>>>     fork_domain_child called for domain 'ABC'
>>> [2015/06/19 16:28:56.608817, 10]
>> winbindd/winbindd_dual.c:1426(fork_domain_child)
>>>     Child process 5713
>>> [2015/06/19 16:28:56.720068, 10]
>> winbindd/winbindd_cm.c:377(winbind_msg_domain_online)
>>>     Domain DUPONTNET is marked as online now.
>>> [2015/06/19 16:28:56.746994, 10]
>> winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
>>>     idmap_cache_find_sid2uid found 11813
>>> [2015/06/19 16:28:56.747036, 10]
>> winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
>>> find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-513)
>>> [2015/06/19 16:28:56.747065, 10]
>> winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
>>>     calling find_our_domain
>>> [2015/06/19 16:28:56.749758, 10]
>> winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
>>>     idmap_cache_find_sid2gid found 10513
>>> [2015/06/19 16:28:56.749811, 10]
>> winbindd/winbindd.c:707(wb_request_done)
>>>     wb_request_done[5712:GETPWNAM]: NT_STATUS_OK
>>> [2015/06/19 16:28:56.749854, 10]
>> winbindd/winbindd.c:768(winbind_client_response_written)
>>>     winbind_client_response_written[5712:GETPWNAM]: delivered
>> response
>>> to client
>>> [2015/06/19 16:28:56.750538,  6]
>> winbindd/winbindd.c:870(winbind_client_request_read)
>>>     closing socket 27, client exited
>>>
>>> For a user that doesn't, I see this:
>>>     getpwnam jx2354
>>> [2015/06/19 16:29:32.187469, 10]
>> winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
>>> find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
>>> [2015/06/19 16:29:32.187510, 10]
>> winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
>>>     calling find_our_domain
>>> [2015/06/19 16:29:32.188077, 10]
>> winbindd/winbindd_dual.c:1372(fork_domain_child)
>>>     fork_domain_child called without domain.
>>> [2015/06/19 16:29:32.188445, 10]
>> winbindd/winbindd_dual.c:1426(fork_domain_child)
>>>     Child process 5718
>>> [2015/06/19 16:29:32.215807,  5]
>> winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>>     Could not convert sid
>>> S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED
>>> [2015/06/19 16:29:32.215861, 10]
>> winbindd/winbindd.c:707(wb_request_done)
>>>     wb_request_done[5717:GETPWNAM]: NT_STATUS_NONE_MAPPED
>>> [2015/06/19 16:29:32.215903, 10]
>> winbindd/winbindd.c:768(winbind_client_response_written)
>>>     winbind_client_response_written[5717:GETPWNAM]: delivered
>> response
>>> to client
>>> [2015/06/19 16:29:32.216636,  6]
>> winbindd/winbindd.c:870(winbind_client_request_read)
>>>     closing socket 27, client exited
>>>
>>> I can't figure out what I'm doing wrong.
>>>
>>> Any ideas?
>>>
>>> Thanks!
>>> Brian
>> Hi, Firstly, can I suggest you add these lines to smb.conf:
>>
>>       security = ADS
> I did have this line; I just forgot to include it when I cut and pasted my config.
>
>>       winbind nss info = rfc2307
> I don't think this is applicable since we don't have any home directories or shells defined in our AD.  For this server we'd prefer to just specify a template for everyone.  Any other benefit?

You mean apart from getting the uidNumber & gidNumber attributes from AD?

>
>> And remove these:
>>
>>       allow trusted domains = no
>
> I added this one specifically b/c we have a lot of domains for which this computer account doesn't seem to have access.  So it's just generating lots of logs trying to connect when it can't.  Is there any benefit to removing this line if it's working with it?

Well no, but it is the default setting, so it does not need to be there.

>
>> Now to what is your problem.
>> You are using the 'rid' backend, this means that your users ID numbers are
>> calculated from this:
>>
>> ID = RID - BASE_RID + LOW_RANGE_ID
>>
>> So from the info you posted:
>>
>> idmap config ABC:range = 10000-199999
>> find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
>>
>> The calculation becomes:
>>
>> ID = 732503 - 0 + 10000
>>
>> Note: unless set, the base rid is always 0
>>
>> So:
>>
>> ID = 742503
>>
>> Any ID numbers outside the range *you* set in smb.conf are ignored, or to
>> put it the way your log fragment shows: 'Could not convert sid
>> S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED'
>>
>> This means '742503' is not used for an ID number because it is larger than
>> '199999'
>>
> This was the problem!  But I'm unsure of the "best" way to fix it.  I just removed the range completely and now it works.  Why would you use the range if you don't know for sure what the upper and lower RIDs are for a set of users?  How would you know?

The best way to fix it is to put the line back and put another 9 on the end,
i.e. make the range larger.

> Thanks!
> Brian
>
>

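The arithmetic Rowland describes above (ID = RID - BASE_RID + LOW_RANGE_ID, with anything outside the configured range refused) can be checked offline before a user hits NT_STATUS_NONE_MAPPED. The following is an added example, not code from Samba or from anyone in this thread; it re-implements the idmap_rid calculation in plain Python and runs it against the SIDs and the `idmap config ABC:range` taken from the posted configuration and logs. The domain SID, the RIDs 513, 1813 and 732503 and the ranges are the values visible in the thread; `required_high` is a helper I added to show how large the range must be for a given highest RID.

```python
import re

# Domain SID as it appears in the winbind log lines quoted in this thread.
DOMAIN_SID = "S-1-5-21-369997941-647960827-447208795"

# A domain SID is S-1-5-21-<three sub-authorities>-<RID>.
_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split 'S-1-5-21-x-y-z-RID' into (domain_sid, rid)."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid arithmetic: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside [low, high]; that is the
    case winbind reports as NT_STATUS_NONE_MAPPED for the SID.
    base_rid defaults to 0, which is what idmap_rid uses unless it is set.
    """
    if rid < base_rid:
        return None
    uid = rid - base_rid + low
    if uid < low or uid > high:
        return None
    return uid


def map_sid(sid, domain_sid, low, high, base_rid=0):
    """Map a SID belonging to the configured domain to a uid/gid.

    SIDs from any other domain are refused here; with 'allow trusted
    domains = no' winbind would not map them through this range either.
    """
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None
    return rid_to_id(rid, low, high, base_rid)


def required_high(max_rid, low, base_rid=0):
    """Smallest upper bound for 'idmap config DOM:range' that still maps
    max_rid. Pick the range from the highest RID you expect, not from the
    users you happen to test with."""
    return max_rid - base_rid + low


if __name__ == "__main__":
    low, high = 10000, 199999  # range from the posted smb.conf
    for rid in (513, 732503):
        sid = "%s-%d" % (DOMAIN_SID, rid)
        print(sid, "->", map_sid(sid, DOMAIN_SID, low, high))
    print("upper bound needed for RID 732503:", required_high(732503, low))
```

Running it reproduces the two log lines: RID 513 (Domain Users) maps to gid 10513 as in the working lookup, while RID 732503 computes to 742503, above 199999, and is refused. Widening the upper bound (Rowland's "put another 9 on the end", i.e. 1999999) makes the same SID map. When widening, keep the domain range clear of the `*` range (2000-9999 here) and of the IDs in the local /etc/passwd and /etc/group, since idmap_rid does not check for those collisions.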