[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307

Rowland penny rpenny at samba.org
Sat Jul 6 19:03:32 UTC 2019


On 05/07/2019 20:00, Ryan via samba wrote:
> On Fri, Jul 5, 2019 at 2:32 PM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> On 05/07/2019 18:50, Ryan via samba wrote:
>>> On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>>> On 04/07/2019 21:25, Ryan via samba wrote:
>>>>> I am still trying to configure Samba to authenticate users against
>>>>> ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP
>>>>> server. Related to a previous recommendation, I found the idmap_rfc2307
>>>>> capability, which seems likely exactly what I want.
>>>>>
>>>>> Unfortunately, it does not seem to work. Users are not permitted to
>>>> access
>>>>> shares for which they are in the group.
>>>>>
>>>>> Tests I found online of the idmapping using wbinfo, fail as follows.
>>>>>
>>>>> $>wbinfo -n user1
>>>>> THE_SID SID_USER (1)
>>>>>
>>>>> $>net cache flush
>>>>>
>>>>> $>wbinfo -S THE_SID
>>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>> Could not convert sid THE_SID to uid
>>>>>
>>>>> I do not see any indication in the log files that the LDAP server is
>>>> being
>>>>> contacted, though winbind startup shows that it is processing the idmap
>>>>> directives.
>>>>>
>>>>> And I have done the following:
>>>>>
>>>>> net idmap set secret 'MYDOMAIN' 'password'
>>>>>
>>>>> Here is the smb.conf file:
>>>>>
>>>>> [global]
>>>>> strict locking = no
>>>>> workgroup = MYDOMAIN
>>>>> server string = Samba Server Version %v
>>>>> disable netbios = yes
>>>>> interfaces = lo eth0
>>>>> log file = /var/log/samba/log.%m
>>>>> log level = 5
>>>>> max log size = 64
>>>>> security = ads
>>>>> realm = MYDOMAIN.FULL
>>>>> kerberos method = secrets and keytab
>>>>> load printers = no
>>>>> printcap name = /dev/null
>>>>> printing = bsd
>>>>> disable spoolss = yes
>>>>> ldap ssl = off
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 65536-4294967296
>>>>>
>>>>> idmap config MYDOMAIN : backend = rfc2307
>>>>> idmap config MYDOMAIN : range = 1000-65535
>>>>> idmap config MYDOMAIN : ldap_server = stand-alone
>>>>> idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
>>>>> idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
>>>>> idmap config MYDOMAIN : user_cn = no
>>>>> idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
>>>>> idmap config MYDOMAIN : ldap_user_dn =
>>>> cn=samba,ou=agents,dc=myldap,dc=org
>>>>> [home]
>>>>> comment = Home Directories
>>>>> path = /home/%U
>>>>> browseable = no
>>>>> writable = yes
>>>>> create mask = 0600
>>>>> directory mask = 0700
>>>>> valid users = MYDOMAIN\%U
>>>>> preexec = ls /home/%U
>>>>>
>>>>> [share]
>>>>> path = /home/share
>>>>> writable = yes
>>>>> valid users = @share
>>>>> force group = share
>>>>> create mask = 0660
>>>>> directory mask = 0770
>>>>> preexec = ls /home/share
>>>> Try changing 'security = ADS' to 'security = domain'
>>>>
>>> When I do this, I receive the following error both for 'net ads testjoin'
>>> (maybe this only works with ads, though) and on the Windows clients that
>>> try to connect to shares (the real problem).
>>>
>>> ads_connect: No logon servers are currently available to service the
>> logon
>>> request.
>>> Join to domain is not valid: No logon servers are currently available to
>>> service the logon request.
>>>
>>> When I restore 'security = ads' then 'net ads testjoin' works and clients
>>> can again connect to shares (only without the right group information for
>>> access, as is the subject of this thread).
>>>
>>>
>>>> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be
>> correct.
>>> I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just
>> use a
>>> stand-alone LDAP for read-only lookups of UID and GIDs, correct? It looks
>>> like the 'idmap_ldap' backend is mainly for also allowing Samba to store
>>> mappings, though I do see in the man page a provision for read-only
>> lookups
>>> with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also,
>> perhaps
>>> importantly, my OpenLDAP server does use the RFC2307 schema rather than
>>> RFC2307bis, so I need that functionality.
>>>
>>> Some other information, in case it's helpful:
>>>
>>> Samba version 4.8.3
>>> net ads testjoin returns "Join is OK"
>>> testparm shows no errors or warnings
>>>
>>> What part of the configuration file might not be correct, here? I
>>> double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
>>> server and gave it the appropriate credentials with the 'net idmap set
>>> secret' command.
>>>
>>> In 'log.winbindd-idmap', I do see the following:
>>>
>>> [2019/07/05 10:51:26.448651,  1]
>>> ../source3/winbindd/idmap.c:435(idmap_init_domain)
>>>     Error: invalid idmap range detected: 65536 - 0
>>>
>>> I realized the idmap range line for my TDB included 2^32, and this
>>> apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
>>> problem and left me with:
>>>
>>> [2019/07/05 10:56:41.047022,  3]
>>> ../source3/winbindd/idmap.c:397(idmap_init_domain)
>>>     idmap backend rfc2307 not found
>>> [2019/07/05 10:56:41.049427,  3]
>>> ../lib/util/modules.c:167(load_module_absolute_path)
>>>     load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so'
>>> loaded
>>> [2019/07/05 10:56:41.049512,  1]
>>> ../source3/winbindd/idmap.c:447(idmap_init_domain)
>>>     idmap initialization returned NT_STATUS_ACCESS_DENIED
>>> [2019/07/05 10:56:41.049541,  3]
>>> ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
>>>     idmap_found_domain_backend: Could not init idmap domain campus
>>>
>>> But idmap_rfc2307 should be a valid module, and it gets loaded.
>>>
>>> https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
>>>
>>> What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I
>> double
>>> checked all the LDAP parameters in the smb.conf.
>>>
>>> Finally, at debug level 10, I get:
>>>
>>> [2019/07/05 13:47:00.092653,  5, pid=26399, effective(0, 0), real(0, 0),
>>> class=winbind]
>> ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
>>>     msg_try_to_go_online: domain MYDOMAIN already online.
>>>
>>> in the log.winbindd-idmap, as if it has come up correctly?
>>>
>> Sorry, I should have been a bit more precise, change the 'security'
>> parameter after the join.
>>
> I'm sorry. I may still be misunderstanding. Even after I successfully
> execute the join, setting 'security = domain' breaks file sharing
> functionality. Clients cannot connect and 'net ads testjoin' reports the
> error. As soon as I again set it back to 'security = ads', clients can
> connect again without any further actions or commands.
>
>
>> Yes, you are correct 'idmap_rfc2307' does exist, but it isn't used very
>> much, if at all. It was introduced back in 2012.
>>
> Hmm. The reason I hesitated to use idmap_ldap is that it sounds like
> idmap_ldap looks for existing SID-to-UID/GIDs mappings in the LDAP
> database, whereas idmap_rfc2307 consults an LDAP database (with RFC 2307
> schema) based only on the username, which is *exactly* what I want. In
> fact, I was even using idmap_ldap previously, and it didn't seem to work,
> but likely I made some error.
>
> From the man page for idmap_ldap:
>
>>>> Defines the directory base suffix to use for ***SID/uid/gid mapping
> entries.***
>
> And from the man page for idmap_rfc2307:
>
>>>> An AD server is always required to provide the mapping between name and
> SID, and ***the LDAP server is queried for the mapping between name and
> uid/gid.***
>
> Is there a way to make idmap_ldap work the same way, ignoring the SID that
> comes back from the AD server and querying the independent LDAP database
> for uid and gids based on username? Can idmap_ldap query groups from
> OpenLDAP in RFC 2307?
>
>
>> I have tried it and I cannot make it work, either with 'security = ADS'
>> or 'security = domain'
>>
>> Rowland
>>
>>
>>
>>

'idmap_rfc2307' got me thinking about the other rarely used backends and 
I wonder if you could use 'idmap_script', see 'man idmap_script' for 
(limited) info

Rowland
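As an added example (not part of this thread and not Samba's own tooling): the "invalid idmap range detected: 65536 - 0" message quoted above came from a range whose upper bound was 2^32, which does not fit the 32-bit id fields and wraps to 0. The Python checker below parses the 'idmap config' lines of an smb.conf and flags that mistake, together with a lower bound that is not below the upper bound and ranges for different idmap domains that overlap (Samba requires them to be disjoint). The smb.conf text embedded in it is constructed from the configuration posted earlier in the thread; the function names are this example's own.

```python
import re

# Largest id winbind can represent: the idmap range fields are unsigned 32-bit,
# so an upper bound of 2**32 (as in the posted smb.conf) wraps to 0 and the
# range is rejected as "65536 - 0".
ID_MAX = 2**32 - 1

# Constructed sample: the idmap-related lines from the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MYDOMAIN
security = ads
idmap config * : backend = tdb
idmap config * : range = 65536-4294967296
idmap config MYDOMAIN : backend = rfc2307
idmap config MYDOMAIN : range = 1000-65535
idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
"""

# Matches 'idmap config <domain> : <option> = <value>' with optional whitespace
# around the colon and the equals sign, as smb.conf allows.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(conf_text):
    """Collect 'idmap config' options per domain: {domain: {option: value}}."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            cfg.setdefault(m.group("dom"), {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(value):
    """Parse 'low-high' into (low, high); return None if it is not two integers."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_idmap_config(conf_text):
    """Return a list of human-readable problems found in the idmap configuration."""
    cfg = parse_idmap_config(conf_text)
    problems = []
    ranges = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain is defined")
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        bounds = parse_range(opts["range"])
        if bounds is None:
            problems.append(f"{dom}: range {opts['range']!r} is not of the form low-high")
            continue
        low, high = bounds
        if high > ID_MAX:
            problems.append(
                f"{dom}: range upper bound {high} exceeds {ID_MAX}; "
                f"winbind wraps it to {high % 2**32} and rejects the range"
            )
        if low >= high:
            problems.append(f"{dom}: range lower bound {low} is not below upper bound {high}")
        ranges.append((dom, low, high))
    # Every idmap domain must own a disjoint slice of the id space, otherwise the
    # same uid/gid could be handed out for two different SIDs.
    ranges.sort(key=lambda r: r[1])
    for (d1, l1, h1), (d2, l2, h2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            problems.append(f"ranges overlap: {d1} ({l1}-{h1}) and {d2} ({l2}-{h2})")
    return problems


if __name__ == "__main__":
    for problem in check_idmap_config(SAMPLE_SMB_CONF) or ["no problems found"]:
        print(problem)
```

Run against the posted configuration it reports only the 2^32 upper bound; with 4294967295 substituted, as the poster eventually did, it reports nothing. It reads the file text only and never touches winbind or LDAP, so it can be run before restarting the service.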
