[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307
rpenny at samba.org
Fri Jul 5 18:31:47 UTC 2019
On 05/07/2019 18:50, Ryan via samba wrote:
> On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>> On 04/07/2019 21:25, Ryan via samba wrote:
>>> I am still trying to configure Samba to authenticate users against
>>> ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP
>>> server. Related to a previous recommendation, I found the idmap_rfc2307
>>> capability, which seems like exactly what I want.
>>> Unfortunately, it does not seem to work. Users are not permitted access
>>> to shares for which they are in the group.
>>> Tests I found online of the idmapping using wbinfo, fail as follows.
>>> $>wbinfo -n user1
>>> THE_SID SID_USER (1)
>>> $>net cache flush
>>> $>wbinfo -S THE_SID
>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not convert sid THE_SID to uid
>>> I do not see any indication in the log files that the LDAP server is
>>> contacted, though winbind startup shows that it is processing the idmap
>>> And I have done the following:
>>> net idmap set secret 'MYDOMAIN' 'password'
>>> Here is the smb.conf file:
>>> strict locking = no
>>> workgroup = MYDOMAIN
>>> server string = Samba Server Version %v
>>> disable netbios = yes
>>> interfaces = lo eth0
>>> log file = /var/log/samba/log.%m
>>> log level = 5
>>> max log size = 64
>>> security = ads
>>> realm = MYDOMAIN.FULL
>>> kerberos method = secrets and keytab
>>> load printers = no
>>> printcap name = /dev/null
>>> printing = bsd
>>> disable spoolss = yes
>>> ldap ssl = off
>>> idmap config * : backend = tdb
>>> idmap config * : range = 65536-4294967296
>>> idmap config MYDOMAIN : backend = rfc2307
>>> idmap config MYDOMAIN : range = 1000-65535
>>> idmap config MYDOMAIN : ldap_server = stand-alone
>>> idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
>>> idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
>>> idmap config MYDOMAIN : user_cn = no
>>> idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
>>> idmap config MYDOMAIN : ldap_user_dn =
>>> comment = Home Directories
>>> path = /home/%U
>>> browseable = no
>>> writable = yes
>>> create mask = 0600
>>> directory mask = 0700
>>> valid users = MYDOMAIN\%U
>>> preexec = ls /home/%U
>>> path = /home/share
>>> writable = yes
>>> valid users = @share
>>> force group = share
>>> create mask = 0660
>>> directory mask = 0770
>>> preexec = ls /home/share
>> Try changing 'security = ADS' to 'security = domain'
> When I do this, I receive the following error both for 'net ads testjoin'
> (maybe this only works with ads, though) and on the Windows clients that
> try to connect to shares (the real problem).
> ads_connect: No logon servers are currently available to service the logon
> Join to domain is not valid: No logon servers are currently available to
> service the logon request.
> When I restore 'security = ads' then 'net ads testjoin' works and clients
> can again connect to shares (only without the right group information for
> access, as is the subject of this thread).
>> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be correct.
> I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just use a
> stand-alone LDAP for read-only lookups of UID and GIDs, correct? It looks
> like the 'idmap_ldap' backend is mainly for also allowing Samba to store
> mappings, though I do see in the man page a provision for read-only lookups
> with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also, perhaps
> importantly, my OpenLDAP server does use the RFC2307 schema rather than
> RFC2307bis, so I need that functionality.
> Some other information, in case it's helpful:
> Samba version 4.8.3
> net ads testjoin returns "Join is OK"
> testparm shows no errors or warnings
> What part of the configuration file might not be correct, here? I
> double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
> server and gave it the appropriate credentials with the 'net idmap set
> secret' command.
> In 'log.winbindd-idmap', I do see the following:
> [2019/07/05 10:51:26.448651, 1]
> Error: invalid idmap range detected: 65536 - 0
> I realized the idmap range line for my TDB included 2^32, and this
> apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
> problem and left me with:
> [2019/07/05 10:56:41.047022, 3]
> idmap backend rfc2307 not found
> [2019/07/05 10:56:41.049427, 3]
> load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so'
> [2019/07/05 10:56:41.049512, 1]
> idmap initialization returned NT_STATUS_ACCESS_DENIED
> [2019/07/05 10:56:41.049541, 3]
> idmap_found_domain_backend: Could not init idmap domain campus
> But idmap_rfc2307 should be a valid module, and it gets loaded.
> What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I double
> checked all the LDAP parameters in the smb.conf.
> Finally, at debug level 10, I get:
> [2019/07/05 13:47:00.092653, 5, pid=26399, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
> msg_try_to_go_online: domain MYDOMAIN already online.
> in the log.winbindd-idmap, as if it has come up correctly?
Sorry, I should have been a bit more precise, change the 'security'
parameter after the join.
Yes, you are correct 'idmap_rfc2307' does exist, but it isn't used very
much, if at all. It was introduced back in 2012.
I have tried it and I cannot make it work, either with 'security = ADS'
or 'security = domain'.
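As an added check (my own example script, not something posted in this thread or shipped by the Samba project), the following Python parses the 'idmap config' lines of an smb.conf and flags the mistake Ryan found in his own log: an upper range bound of 2^32 that does not fit in a 32-bit uid and gets wrapped to 0, producing "invalid idmap range detected: 65536 - 0". It also flags a missing '*' default domain, ranges that are not LOW-HIGH, and ranges that overlap between domains, which is a more general check than the thread itself shows. The two sample configurations are constructed from the one posted above; the section headers in them are my own assumption.

```python
import re

# uid_t is 32 bits; 4294967296 (2^32) does not fit and, as the thread's
# log shows, Samba ends up treating the upper bound as 0.
UID_MAX = 2**32 - 1

# Matches lines such as "idmap config MYDOMAIN : range = 1000-65535".
IDMAP_RE = re.compile(
    r'^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$',
    re.IGNORECASE,
)


def parse_idmap_config(text):
    """Return {domain: {key: value}} for every 'idmap config' line in text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group('dom'), {})[m.group('key').lower()] = m.group('val')
    return cfg


def parse_range(val):
    """Parse 'LOW-HIGH' into (low, high); return None if malformed."""
    m = re.fullmatch(r'\s*(\d+)\s*-\s*(\d+)\s*', val)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def check_idmap_config(text):
    """Return a list of problem strings; an empty list means all checks pass."""
    problems = []
    cfg = parse_idmap_config(text)
    if '*' not in cfg:
        problems.append("no 'idmap config * : backend' default domain configured")
    ranges = {}
    for dom, keys in cfg.items():
        if 'backend' not in keys:
            problems.append(f"{dom}: missing backend")
        if 'range' not in keys:
            problems.append(f"{dom}: missing range")
            continue
        r = parse_range(keys['range'])
        if r is None:
            problems.append(f"{dom}: range '{keys['range']}' is not LOW-HIGH")
            continue
        low, high = r
        if high > UID_MAX:
            problems.append(
                f"{dom}: range upper bound {high} exceeds 32-bit limit {UID_MAX} "
                f"(Samba wraps it to 0)")
        if low >= high:
            problems.append(f"{dom}: range low {low} >= high {high}")
        ranges[dom] = (low, high)
    # Every domain (including '*') needs its own non-overlapping id range.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            la, ha = ranges[a]
            lb, hb = ranges[b]
            if la <= hb and lb <= ha:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


# Constructed sample: the ranges from the thread, upper bound 2^32 (broken).
BROKEN_SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 65536-4294967296
   idmap config MYDOMAIN : backend = rfc2307
   idmap config MYDOMAIN : range = 1000-65535
"""

# Constructed sample: the same config after the 2^32-1 fix Ryan applied.
FIXED_SMB_CONF = BROKEN_SMB_CONF.replace("4294967296", "4294967295")


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, check_idmap_config(conf) or "OK")
```

Run it against a real smb.conf with check_idmap_config(open('/etc/samba/smb.conf').read()); it only inspects the 'idmap config' lines, so any parameter testparm accepts but that winbind later rejects at idmap initialisation is still caught before the daemon is restarted.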