[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307

Rowland penny rpenny at samba.org
Fri Jul 5 18:31:47 UTC 2019


On 05/07/2019 18:50, Ryan via samba wrote:
> On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> On 04/07/2019 21:25, Ryan via samba wrote:
>>> I am still trying to configure Samba to authenticate users against
>>> ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP
>>> server. Related to a previous recommendation, I found the idmap_rfc2307
>>> capability, which seems likely exactly what I want.
>>>
>>> Unfortunately, it does not seem to work. Users are not permitted to
>> access
>>> shares for which they are in the group.
>>>
>>> Tests I found online of the idmapping using wbinfo, fail as follows.
>>>
>>> $>wbinfo -n user1
>>> THE_SID SID_USER (1)
>>>
>>> $>net cache flush
>>>
>>> $>wbinfo -S THE_SID
>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not convert sid THE_SID to uid
>>>
>>> I do not see any indication in the log files that the LDAP server is
>> being
>>> contacted, though winbind startup shows that it is processing the idmap
>>> directives.
>>>
>>> And I have done the following:
>>>
>>> net idmap set secret 'MYDOMAIN' 'password'
>>>
>>> Here is the smb.conf file:
>>>
>>> [global]
>>> strict locking = no
>>> workgroup = MYDOMAIN
>>> server string = Samba Server Version %v
>>> disable netbios = yes
>>> interfaces = lo eth0
>>> log file = /var/log/samba/log.%m
>>> log level = 5
>>> max log size = 64
>>> security = ads
>>> realm = MYDOMAIN.FULL
>>> kerberos method = secrets and keytab
>>> load printers = no
>>> printcap name = /dev/null
>>> printing = bsd
>>> disable spoolss = yes
>>> ldap ssl = off
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 65536-4294967296
>>>
>>> idmap config MYDOMAIN : backend = rfc2307
>>> idmap config MYDOMAIN : range = 1000-65535
>>> idmap config MYDOMAIN : ldap_server = stand-alone
>>> idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
>>> idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
>>> idmap config MYDOMAIN : user_cn = no
>>> idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
>>> idmap config MYDOMAIN : ldap_user_dn =
>> cn=samba,ou=agents,dc=myldap,dc=org
>>> [home]
>>> comment = Home Directories
>>> path = /home/%U
>>> browseable = no
>>> writable = yes
>>> create mask = 0600
>>> directory mask = 0700
>>> valid users = MYDOMAIN\%U
>>> preexec = ls /home/%U
>>>
>>> [share]
>>> path = /home/share
>>> writable = yes
>>> valid users = @share
>>> force group = share
>>> create mask = 0660
>>> directory mask = 0770
>>> preexec = ls /home/share
>> Try changing 'security = ADS' to 'security = domain'
>>
> When I do this, I receive the following error both for 'net ads testjoin'
> (maybe this only works with ads, though) and on the Windows clients that
> try to connect to shares (the real problem).
>
> ads_connect: No logon servers are currently available to service the logon
> request.
> Join to domain is not valid: No logon servers are currently available to
> service the logon request.
>
> When I restore 'security = ads' then 'net ads testjoin' works and clients
> can again connect to shares (only without the right group information for
> access, as is the subject of this thread).
>
>
>> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be correct.
>>
> I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just use a
> stand-alone LDAP for read-only lookups of UID and GIDs, correct? It looks
> like the 'idmap_ldap' backend is mainly for also allowing Samba to store
> mappings, though I do see in the man page a provision for read-only lookups
> with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also, perhaps
> importantly, my OpenLDAP server does use the RFC2307 schema rather than
> RFC2307bis, so I need that functionality.
>
> Some other information, in case it's helpful:
>
> Samba version 4.8.3
> net ads testjoin returns "Join is OK"
> testparm shows no errors or warnings
>
> What part of the configuration file might not be correct, here? I
> double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
> server and gave it the appropriate credentials with the 'net idmap set
> secret' command.
>
> In 'log.winbindd-idmap', I do see the following:
>
> [2019/07/05 10:51:26.448651,  1]
> ../source3/winbindd/idmap.c:435(idmap_init_domain)
>    Error: invalid idmap range detected: 65536 - 0
>
> I realized the idmap range line for my TDB included 2^32, and this
> apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
> problem and left me with:
>
> [2019/07/05 10:56:41.047022,  3]
> ../source3/winbindd/idmap.c:397(idmap_init_domain)
>    idmap backend rfc2307 not found
> [2019/07/05 10:56:41.049427,  3]
> ../lib/util/modules.c:167(load_module_absolute_path)
>    load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so'
> loaded
> [2019/07/05 10:56:41.049512,  1]
> ../source3/winbindd/idmap.c:447(idmap_init_domain)
>    idmap initialization returned NT_STATUS_ACCESS_DENIED
> [2019/07/05 10:56:41.049541,  3]
> ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
>    idmap_found_domain_backend: Could not init idmap domain campus
>
> But idmap_rfc2307 should be a valid module, and it gets loaded.
>
> https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
>
> What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I double
> checked all the LDAP parameters in the smb.conf.
>
> Finally, at debug level 10, I get:
>
> [2019/07/05 13:47:00.092653,  5, pid=26399, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
>    msg_try_to_go_online: domain MYDOMAIN already online.
>
> in the log.winbindd-idmap, as if it has come up correctly?
>
Sorry, I should have been a bit more precise, change the 'security'
parameter after the join.

Yes, you are correct 'idmap_rfc2307' does exist, but it isn't used very 
much, if at all. It was introduced back in 2012.

I have tried it and I cannot make it work, either with 'security = ADS'
or 'security = domain'

Rowland
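A small validator for the 'idmap config' ranges discussed in this thread, as an added example (not code from the thread or from Samba itself): it pulls the idmap lines out of an smb.conf, flags a bound that does not fit in 32 bits (which is how 4294967296 showed up as 0 in the log above) and reports overlapping domain ranges. The sample smb.conf text is constructed from the configuration quoted in the thread.

```python
import re

UINT32_MAX = 2**32 - 1  # idmap bounds are 32-bit unsigned IDs

# Constructed sample: the idmap lines from the thread, including the
# upper bound of 2^32 that winbind logged as 'invalid idmap range 65536 - 0'.
SAMPLE_SMB_CONF = """
[global]
workgroup = MYDOMAIN
idmap config * : backend = tdb
idmap config * : range = 65536-4294967296
idmap config MYDOMAIN : backend = rfc2307
idmap config MYDOMAIN : range = 1000-65535
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def check_idmap_ranges(domains):
    """Return a list of problem strings; an empty list means the ranges look sane."""
    problems, ranges = [], []
    for dom, opts in domains.items():
        rng = opts.get("range")
        if rng is None:
            problems.append(f"{dom}: no range configured")
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
        if not m:
            problems.append(f"{dom}: unparsable range '{rng}'")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if high > UINT32_MAX or low > UINT32_MAX:
            # Truncation to 32 bits is what turned 4294967296 into 0 in the thread's log.
            problems.append(f"{dom}: bound exceeds {UINT32_MAX} (winbind would read it as {high & UINT32_MAX})")
        elif low >= high:
            problems.append(f"{dom}: low bound {low} is not below high bound {high}")
        else:
            ranges.append((dom, low, high))
    # Two domains whose ranges overlap would hand out ambiguous IDs.
    ranges.sort(key=lambda r: r[1])
    for (d1, _, h1), (d2, l2, _) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems
```

Running `check_idmap_ranges(parse_idmap_config(SAMPLE_SMB_CONF))` reports the 2^32 bound; replacing it with 4294967295 makes the check pass, matching what the thread found.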
