[Samba] Samba 3 AD Member Server Strangeness

Brian.Huffman at dupont.com
Mon Jun 22 07:26:39 MDT 2015


On Monday, June 22, 2015 9:15 AM, Rowland Penny wrote:
> On 22/06/15 13:55, Brian.Huffman at dupont.com wrote:
> > On June 20, 2015 5:10 AM, Rowland Penny wrote:
> >> On 19/06/15 21:39, Brian.Huffman at dupont.com wrote:
> >>> All,
> >>>
> >>> I'm trying to configure a Samba 3 AD member server including
> >>> winbind.  I'm on RHEL 6.6, so I'm using Samba version 3.6.23.
> >>> Here's my configuration:
> >>> [global]
> >>>          log level = 3 winbind:10
> >>>          workgroup = ABC
> >>>          server string = LV37
> >>>          netbios name = LV37
> >>>
> >>>          idmap config *:backend = tdb
> >>>          idmap config *:range = 2000-9999
> >>>          idmap config ABC:backend = rid
> >>>          idmap config ABC:range = 10000-199999
> >>>          winbind use default domain = true
> >>>          winbind enum users = no
> >>>          winbind enum groups = no
> >>>          winbind refresh tickets = yes
> >>>          template homedir = /
> >>>          template shell = /sbin/nologin
> >>>
> >>>          realm = ABC.NET
> >>>          dedicated keytab file = /etc/krb5.keytab
> >>>          kerberos method = secrets and keytab
> >>>          allow trusted domains = no
> >>>          domain master = no
> >>>          local master = no
> >>>          preferred master = no
> >>>          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
> >>>          map to guest = Bad User
> >>>
> >>> In general I followed the guide at
> >>>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> >>>
> >>> We have been able to do a wbinfo -u and all users come back.
> >>> Unfortunately not all users are getting mapped to uids:
> >>> [root at eslv37 samba]# wbinfo -u | egrep 'jx2354|nj3586'
> >>> jx2354
> >>> nj3586
> >>> [root at eslv37 samba]# wbinfo -i nj3586
> >>> nj3586:*:11813:10513:USER NAME:/:/sbin/nologin
> >>> [root at eslv37 samba]# wbinfo -i jx2354
> >>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >>> Could not get info for user jx2354
> >>>
> >>> For a user that works, I see this in the winbind logs:
> >>> [2015/06/19 16:28:56.608328,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> >>>     getpwnam nj3586
> >>> [2015/06/19 16:28:56.608388, 10] winbindd/winbindd_dual.c:1370(fork_domain_child)
> >>>     fork_domain_child called for domain 'ABC'
> >>> [2015/06/19 16:28:56.608817, 10] winbindd/winbindd_dual.c:1426(fork_domain_child)
> >>>     Child process 5713
> >>> [2015/06/19 16:28:56.720068, 10] winbindd/winbindd_cm.c:377(winbind_msg_domain_online)
> >>>     Domain DUPONTNET is marked as online now.
> >>> [2015/06/19 16:28:56.746994, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
> >>>     idmap_cache_find_sid2uid found 11813
> >>> [2015/06/19 16:28:56.747036, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
> >>>     find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-513)
> >>> [2015/06/19 16:28:56.747065, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
> >>>     calling find_our_domain
> >>> [2015/06/19 16:28:56.749758, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
> >>>     idmap_cache_find_sid2gid found 10513
> >>> [2015/06/19 16:28:56.749811, 10] winbindd/winbindd.c:707(wb_request_done)
> >>>     wb_request_done[5712:GETPWNAM]: NT_STATUS_OK
> >>> [2015/06/19 16:28:56.749854, 10] winbindd/winbindd.c:768(winbind_client_response_written)
> >>>     winbind_client_response_written[5712:GETPWNAM]: delivered response to client
> >>> [2015/06/19 16:28:56.750538,  6] winbindd/winbindd.c:870(winbind_client_request_read)
> >>>     closing socket 27, client exited
> >>>
> >>> For a user that doesn't, I see this:
> >>>     getpwnam jx2354
> >>> [2015/06/19 16:29:32.187469, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
> >>>     find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
> >>> [2015/06/19 16:29:32.187510, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
> >>>     calling find_our_domain
> >>> [2015/06/19 16:29:32.188077, 10] winbindd/winbindd_dual.c:1372(fork_domain_child)
> >>>     fork_domain_child called without domain.
> >>> [2015/06/19 16:29:32.188445, 10] winbindd/winbindd_dual.c:1426(fork_domain_child)
> >>>     Child process 5718
> >>> [2015/06/19 16:29:32.215807,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> >>>     Could not convert sid S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED
> >>> [2015/06/19 16:29:32.215861, 10] winbindd/winbindd.c:707(wb_request_done)
> >>>     wb_request_done[5717:GETPWNAM]: NT_STATUS_NONE_MAPPED
> >>> [2015/06/19 16:29:32.215903, 10] winbindd/winbindd.c:768(winbind_client_response_written)
> >>>     winbind_client_response_written[5717:GETPWNAM]: delivered response to client
> >>> [2015/06/19 16:29:32.216636,  6] winbindd/winbindd.c:870(winbind_client_request_read)
> >>>     closing socket 27, client exited
> >>>
> >>> I can't figure out what I'm doing wrong.
> >>>
> >>> Any ideas?
> >>>
> >>> Thanks!
> >>> Brian
> >> Hi. Firstly, can I suggest you add these lines to smb.conf:
> >>
> >>       security = ADS
> > I did have this line; I just forgot to include it when I cut and pasted my
> > config.
> >
> >>       winbind nss info = rfc2307
> > I don't think this is applicable since we don't have any home directories or
> > shells defined in our AD.  For this server we'd prefer to just specify a
> > template for everyone.  Any other benefit?
> 
> You mean apart from getting the uidNumber & gidNumber attributes from
> AD ?

Are uidNumber and gidNumber populated manually?  If so, I don't think they're going to be there.  As far as I know we aren't using AD for storing any UNIX attributes.

> 
> >
> >> And remove these:
> >>
> >>       allow trusted domains = no
> >
> > I added this one specifically because we have a lot of domains for which this
> > computer account doesn't seem to have access.  So it's just generating lots of
> > logs trying to connect when it can't.  Is there any benefit to removing this line
> > if it's working with it?
> 
> Well no, but it is the default setting, it does not need to be there.

Oops.  That's a good point.  :-)

> 
> >
> >> Now to what is your problem.
> >> You are using the 'rid' backend, this means that your users ID
> >> numbers are calculated from this:
> >>
> >> ID = RID - BASE_RID + LOW_RANGE_ID
> >>
> >> So from the info you posted:
> >>
> >> idmap config ABC:range = 10000-199999
> >> find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
> >>
> >> The calculation becomes:
> >>
> >> ID = 732503 - 0 + 10000
> >>
> >> Note: unless set, the base rid is always 0
> >>
> >> So:
> >>
> >> ID = 742503
> >>
> >> Any ID numbers outside the range *you* set in smb.conf are ignored,
> >> or to put it the way your log fragment shows: 'Could not convert sid
> >> S-1-5-21-369997941-647960827-447208795-732503:
> >> NT_STATUS_NONE_MAPPED'
> >>
> >> This means '742503' is not used for an ID number because it is larger
> >> than '199999'
> >>
> > This was the problem!  But I'm unsure of the "best" way to fix it.  I just
> > removed the range completely and now it works.  Why would you use the
> > range if you don't know for sure what the upper and lower RIDs are for a set
> > of users?  How would you know?
> 
> The best way to fix it is to put the line back and put another 9 on the end, i.e.
> make the range larger.

I'm just afraid that if I don't know what the RID range for the domain is, then I can't pick the right range.  How can I guarantee that there won't be a user that's outside of the new range that I select?  Is it ok to just leave that range out of my configuration?

Thank you,
Brian
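Editor's note: the following is an added worked example, not code from the thread or from the Samba project. It re-implements the idmap_rid arithmetic Rowland describes (ID = RID - BASE_RID + LOW_RANGE_ID, base RID 0 unless set) together with the range check that turns RID 732503 into NT_STATUS_NONE_MAPPED under `idmap config ABC:range = 10000-199999`, and shows what the widened range maps it to. The domain SID, RIDs 513 and 732503, and both ranges are taken from the thread; RID 1813 is inferred from the uid 11813 that nj3586 received; the function names and the `unmapped_sids` helper are this example's own.

```python
import re

# Values as posted in the thread.
DOMAIN_SID = "S-1-5-21-369997941-647960827-447208795"
RANGE_AS_CONFIGURED = (10000, 199999)   # idmap config ABC:range = 10000-199999
RANGE_SUGGESTED = (10000, 1999999)      # "put another 9 on the end"

_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain SID into (domain part, RID); the RID is the last sub-authority."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError("not a domain-relative SID: %r" % sid)
    return m.group(1), int(m.group(2))


def rid_to_id(sid, domain_sid, low, high, base_rid=0):
    """The idmap_rid calculation from the thread:
        ID = RID - BASE_RID + LOW_RANGE_ID
    Returns the Unix ID, or None where winbind answers NT_STATUS_NONE_MAPPED:
    the SID belongs to a different domain, or the result lies outside [low, high].
    """
    sid_domain, rid = split_sid(sid)
    if sid_domain != domain_sid:
        return None
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def max_mappable_rid(low, high, base_rid=0):
    """Largest RID a range can hold; any RID above it is silently left unmapped."""
    return high - low + base_rid


def unmapped_sids(sids, domain_sid, low, high, base_rid=0):
    """Given SIDs you know exist (e.g. collected with `wbinfo -n NAME` for the
    accounts that must work), return those the range would fail to map, so the
    range can be fixed before a user hits 'failed to call wbcGetpwnam'."""
    return [s for s in sids if rid_to_id(s, domain_sid, low, high, base_rid) is None]


if __name__ == "__main__":
    # Constructed sample: RID 1813 -> uid 11813, RID 513 (Domain Users) -> gid 10513,
    # RID 732503 -> unmapped with the posted range, 742503 once it is widened.
    known = [DOMAIN_SID + "-" + r for r in ("1813", "513", "732503")]
    for low, high in (RANGE_AS_CONFIGURED, RANGE_SUGGESTED):
        print("range %d-%d holds RIDs up to %d" % (low, high, max_mappable_rid(low, high)))
        for s in known:
            print("  %s -> %s" % (s, rid_to_id(s, DOMAIN_SID, low, high)))
        print("  unmapped:", unmapped_sids(known, DOMAIN_SID, low, high))
```

Two caveats for anyone reusing this. First, the range is not only a convenience: the `*` default backend here owns 2000-9999 and the rid backend owns 10000-199999, and those ranges must never overlap each other or the IDs of local accounts, otherwise two different security principals can end up sharing one Unix uid or gid. Widening the upper bound, as suggested in the thread, keeps that property; dropping the range does not express it at all. Second, the RID is handed out by the domain, so the only way to be sure a range is big enough is to check the highest RID actually in use against `max_mappable_rid` and to leave generous headroom, as the example's `unmapped_sids` does for a list of known SIDs.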
