[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307

Ryan rlichtenwalter at gmail.com
Fri Jul 5 19:00:23 UTC 2019 

On Fri, Jul 5, 2019 at 2:32 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 05/07/2019 18:50, Ryan via samba wrote:
> > On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On 04/07/2019 21:25, Ryan via samba wrote:
> >>> I am still trying to configure Samba to authenticate users against
> >>> ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP
> >>> server. Related to a previous recommendation, I found the idmap_rfc2307
> >>> capability, which seems likely exactly what I what.
> >>>
> >>> Unfortunately, it does not seem to work. Users are not permitted to
> >> access
> >>> shares for which they are in the group.
> >>>
> >>> Tests I found online of the idmapping using wbinfo, fail as follows.
> >>>
> >>> $>wbinfo -n user1
> >>> THE_SID SID_USER (1)
> >>>
> >>> $>net cache flush
> >>>
> >>> $>wbinfo -S THE_SID
> >>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> >>> Could not convert sid THE_SID to uid
> >>>
> >>> I do not see any indication in the log files that the LDAP server is
> >> being
> >>> contacted, though winbind startup shows that it is processing the idmap
> >>> directives.
> >>>
> >>> And I have done the following:
> >>>
> >>> net idmap set secret 'MYDOMAIN' 'password'
> >>>
> >>> Here is the smb.conf file:
> >>>
> >>> [global]
> >>> strict locking = no
> >>> workgroup = MYDOMAIN
> >>> server string = Samba Server Version %v
> >>> disable netbios = yes
> >>> interfaces = lo eth0
> >>> log file = /var/log/samba/log.%m
> >>> log level = 5
> >>> max log size = 64
> >>> security = ads
> >>> realm = MYDOMAIN.FULL
> >>> kerberos method = secrets and keytab
> >>> load printers = no
> >>> printcap name = /dev/null
> >>> printing = bsd
> >>> disable spoolss = yes
> >>> ldap ssl = off
> >>>
> >>> idmap config * : backend = tdb
> >>> idmap config * : range = 65536-4294967296
> >>>
> >>> idmap config MYDOMAIN : backend = rfc2307
> >>> idmap config MYDOMAIN : range = 1000-65535
> >>> idmap config MYDOMAIN : ldap_server = stand-alone
> >>> idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
> >>> idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
> >>> idmap config MYDOMAIN : user_cn = no
> >>> idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
> >>> idmap config MYDOMAIN : ldap_user_dn =
> >> cn=samba,ou=agents,dc=myldap,dc=org
> >>> [home]
> >>> comment = Home Directories
> >>> path = /home/%U
> >>> browseable = no
> >>> writable = yes
> >>> create mask = 0600
> >>> directory mask = 0700
> >>> valid users = MYDOMAIN\%U
> >>> preexec = ls /home/%U
> >>>
> >>> [share]
> >>> path = /home/share
> >>> writable = yes
> >>> valid users = @share
> >>> force group = share
> >>> create mask = 0660
> >>> directory mask = 0770
> >>> preexec = ls /home/share
> >> Try changing 'security = ADS' to 'security = domain'
> >>
> > When I do this, I receive the following error both for 'net ads testjoin'
> > (maybe this only works with ads, though) and on the Windows clients that
> > try to connect to shares (the real problem).
> >
> > ads_connect: No logon servers are currently available to service the
> logon
> > request.
> > Join to domain is not valid: No logon servers are currently available to
> > service the logon request.
> >
> > When I restore 'security = ads' then 'net ads testjoin' works and clients
> > can again connect to shares (only without the right group information for
> > access, as is the subject of this thread).
> >
> >
> >> Read 'man idmap_ldap', your 'idmap config' lines don't seeem to be
> correct.
> >>
> > I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just
> use a
> > stand-alone LDAP for read-only lookups of UID and GIDs, correct? It looks
> > like the 'idmap_ldap' backend is mainly for also allowing Samba to store
> > mappings, though I do see in the man page a provision for read-only
> lookups
> > with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also,
> perhaps
> > importantly, my OpenLDAP server does use the RFC2307 schema rather than
> > RFC2307bis, so I need that functionality.
> >
> > Some other information, in case it's helpful:
> >
> > Samba version 4.8.3
> > net ads testjoin returns "Join is OK"
> > testparm shows no errors or warnings
> >
> > What part of the configuration file might not be correct, here? I
> > double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
> > server and gave it the appropriate credentials with the 'net idmap set
> > secret' command.
> >
> > In 'log.winbindd-idmap', I do see the following:
> >
> > [2019/07/05 10:51:26.448651,  1]
> > ../source3/winbindd/idmap.c:435(idmap_init_domain)
> >    Error: invalid idmap range detected: 65536 - 0
> >
> > I realized the idmap range line for my TDB included 2^32, and this
> > apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
> > problem and left me with:
> >
> > [2019/07/05 10:56:41.047022,  3]
> > ../source3/winbindd/idmap.c:397(idmap_init_domain)
> >    idmap backend rfc2307 not found
> > [2019/07/05 10:56:41.049427,  3]
> > ../lib/util/modules.c:167(load_module_absolute_path)
> >    load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so'
> > loaded
> > [2019/07/05 10:56:41.049512,  1]
> > ../source3/winbindd/idmap.c:447(idmap_init_domain)
> >    idmap initialization returned NT_STATUS_ACCESS_DENIED
> > [2019/07/05 10:56:41.049541,  3]
> > ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
> >    idmap_found_domain_backend: Could not init idmap domain campus
> >
> > But idmap_rfc2307 should be a valid module, and it gets loaded.
> >
> > https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
> >
> > What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I
> double
> > checked all the LDAP parameters in the smb.conf.
> >
> > Finally, at debug level 10, I get:
> >
> > [2019/07/05 13:47:00.092653,  5, pid=26399, effective(0, 0), real(0, 0),
> > class=winbind]
> ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
> >    msg_try_to_go_online: domain MYDOMAIN already online.
> >
> > in the log.winbindd-idmap, as if it has come up correctly?
> >
> Sorry, I should have been a bit more precise, change the 'security'
> parameter after the join.
>

I'm sorry. I may still be misunderstanding. Even after I successfully
execute the join, setting 'security = domain' breaks file sharing
functionality. Clients cannot connect and 'net ads testjoin' report the
error. As soon as I again set it back to 'security = ads', clients can
connect again without any further actions or commands.


> Yes, you are correct 'idmap_rfc2307' does exist, but it isn't used very
> much, if at all. It was introduced back in 2012.
>

Hmm. The reason I hesitated to use idmap_ldap is that is sounds like
idmap_ldap looks for existing SID-to-UID/GIDs mappings in the LDAP
database, whereas idmap_rfc2307 consults an LDAP database (with RFC 2307
schema) based only on the username , which is *exactly* what I want . In
fact, I was even using idmap_ldap previously, and it didn't seem to work,
but likely I made some error.

>From the man page for idmap_ldap:

>>> Defines the directory base suffix to use for ***SID/uid/gid mapping
entries.***

And from the man page for idmap_rfc2307:

>>> An AD server is always required to provide the mapping between name and
SID, and ***the LDAP server is queried for the mapping between name and
uid/gid.***

Is there a way to make idmap_ldap work the same way, ignoring the SID that
comes back from the AD server and querying the independent LDAP database
for uid and gids based on username? Can idmap_ldap query groups from
OpenLDAP in RFC 2307?


>
> I have tried it and I cannot make it work, either with 'security = ADS'
> or 'security = domain'
>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list