[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307

Ryan rlichtenwalter at gmail.com
Mon Jul 8 18:03:10 UTC 2019


On Sat, Jul 6, 2019 at 3:04 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 05/07/2019 20:00, Ryan via samba wrote:
> > On Fri, Jul 5, 2019 at 2:32 PM Rowland penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On 05/07/2019 18:50, Ryan via samba wrote:
> >>> On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <
> >>> samba at lists.samba.org> wrote:
> >>>
> >>>> On 04/07/2019 21:25, Ryan via samba wrote:
> >>>>> I am still trying to configure Samba to authenticate users against
> >>>>> ActiveDirectory, but lookup uid and gids against a stand-alone
> OpenLDAP
> >>>>> server. Related to a previous recommendation, I found the
> idmap_rfc2307
> >>>>> capability, which seems like exactly what I want.
> >>>>>
> >>>>> Unfortunately, it does not seem to work. Users are not permitted to
> >>>> access
> >>>>> shares for which they are in the group.
> >>>>>
> >>>>> Tests I found online of the idmapping using wbinfo, fail as follows.
> >>>>>
> >>>>> $>wbinfo -n user1
> >>>>> THE_SID SID_USER (1)
> >>>>>
> >>>>> $>net cache flush
> >>>>>
> >>>>> $>wbinfo -S THE_SID
> >>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> >>>>> Could not convert sid THE_SID to uid
> >>>>>
> >>>>> I do not see any indication in the log files that the LDAP server is
> >>>> being
> >>>>> contacted, though winbind startup shows that it is processing the
> idmap
> >>>>> directives.
> >>>>>
> >>>>> And I have done the following:
> >>>>>
> >>>>> net idmap set secret 'MYDOMAIN' 'password'
> >>>>>
> >>>>> Here is the smb.conf file:
> >>>>>
> >>>>> [global]
> >>>>> strict locking = no
> >>>>> workgroup = MYDOMAIN
> >>>>> server string = Samba Server Version %v
> >>>>> disable netbios = yes
> >>>>> interfaces = lo eth0
> >>>>> log file = /var/log/samba/log.%m
> >>>>> log level = 5
> >>>>> max log size = 64
> >>>>> security = ads
> >>>>> realm = MYDOMAIN.FULL
> >>>>> kerberos method = secrets and keytab
> >>>>> load printers = no
> >>>>> printcap name = /dev/null
> >>>>> printing = bsd
> >>>>> disable spoolss = yes
> >>>>> ldap ssl = off
> >>>>>
> >>>>> idmap config * : backend = tdb
> >>>>> idmap config * : range = 65536-4294967296
> >>>>>
> >>>>> idmap config MYDOMAIN : backend = rfc2307
> >>>>> idmap config MYDOMAIN : range = 1000-65535
> >>>>> idmap config MYDOMAIN : ldap_server = stand-alone
> >>>>> idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
> >>>>> idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
> >>>>> idmap config MYDOMAIN : user_cn = no
> >>>>> idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
> >>>>> idmap config MYDOMAIN : ldap_user_dn =
> >>>> cn=samba,ou=agents,dc=myldap,dc=org
> >>>>> [home]
> >>>>> comment = Home Directories
> >>>>> path = /home/%U
> >>>>> browseable = no
> >>>>> writable = yes
> >>>>> create mask = 0600
> >>>>> directory mask = 0700
> >>>>> valid users = MYDOMAIN\%U
> >>>>> preexec = ls /home/%U
> >>>>>
> >>>>> [share]
> >>>>> path = /home/share
> >>>>> writable = yes
> >>>>> valid users = @share
> >>>>> force group = share
> >>>>> create mask = 0660
> >>>>> directory mask = 0770
> >>>>> preexec = ls /home/share
> >>>> Try changing 'security = ADS' to 'security = domain'
> >>>>
> >>> When I do this, I receive the following error both for 'net ads
> testjoin'
> >>> (maybe this only works with ads, though) and on the Windows clients
> that
> >>> try to connect to shares (the real problem).
> >>>
> >>> ads_connect: No logon servers are currently available to service the
> >> logon
> >>> request.
> >>> Join to domain is not valid: No logon servers are currently available
> to
> >>> service the logon request.
> >>>
> >>> When I restore 'security = ads' then 'net ads testjoin' works and
> clients
> >>> can again connect to shares (only without the right group information
> for
> >>> access, as is the subject of this thread).
> >>>
> >>>
> >>>> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be
> >> correct.
> >>> I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just
> >> use a
> >>> stand-alone LDAP for read-only lookups of UID and GIDs, correct? It
> looks
> >>> like the 'idmap_ldap' backend is mainly for also allowing Samba to
> store
> >>> mappings, though I do see in the man page a provision for read-only
> >> lookups
> >>> with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also,
> >> perhaps
> >>> importantly, my OpenLDAP server does use the RFC2307 schema rather than
> >>> RFC2307bis, so I need that functionality.
> >>>
> >>> Some other information, in case it's helpful:
> >>>
> >>> Samba version 4.8.3
> >>> net ads testjoin returns "Join is OK"
> >>> testparm shows no errors or warnings
> >>>
> >>> What part of the configuration file might not be correct, here? I
> >>> double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
> >>> server and gave it the appropriate credentials with the 'net idmap set
> >>> secret' command.
> >>>
> >>> In 'log.winbindd-idmap', I do see the following:
> >>>
> >>> [2019/07/05 10:51:26.448651,  1]
> >>> ../source3/winbindd/idmap.c:435(idmap_init_domain)
> >>>     Error: invalid idmap range detected: 65536 - 0
> >>>
> >>> I realized the idmap range line for my TDB included 2^32, and this
> >>> apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
> >>> problem and left me with:
> >>>
> >>> [2019/07/05 10:56:41.047022,  3]
> >>> ../source3/winbindd/idmap.c:397(idmap_init_domain)
> >>>     idmap backend rfc2307 not found
> >>> [2019/07/05 10:56:41.049427,  3]
> >>> ../lib/util/modules.c:167(load_module_absolute_path)
> >>>     load_module_absolute_path: Module
> '/usr/lib64/samba/idmap/rfc2307.so'
> >>> loaded
> >>> [2019/07/05 10:56:41.049512,  1]
> >>> ../source3/winbindd/idmap.c:447(idmap_init_domain)
> >>>     idmap initialization returned NT_STATUS_ACCESS_DENIED
> >>> [2019/07/05 10:56:41.049541,  3]
> >>> ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
> >>>     idmap_found_domain_backend: Could not init idmap domain campus
> >>>
> >>> But idmap_rfc2307 should be a valid module, and it gets loaded.
> >>>
> >>> https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
> >>>
> >>> What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I
> >> double
> >>> checked all the LDAP parameters in the smb.conf.
> >>>
> >>> Finally, at debug level 10, I get:
> >>>
> >>> [2019/07/05 13:47:00.092653,  5, pid=26399, effective(0, 0), real(0,
> 0),
> >>> class=winbind]
> >> ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
> >>>     msg_try_to_go_online: domain MYDOMAIN already online.
> >>>
> >>> in the log.winbindd-idmap, as if it has come up correctly?
> >>>
> >> Sorry, I should have been a bit more precise, change the 'security'
> >> parameter after the join.
> >>
> > I'm sorry. I may still be misunderstanding. Even after I successfully
> > execute the join, setting 'security = domain' breaks file sharing
> > functionality. Clients cannot connect and 'net ads testjoin' report the
> > error. As soon as I again set it back to 'security = ads', clients can
> > connect again without any further actions or commands.
> >
> >
> >> Yes, you are correct 'idmap_rfc2307' does exist, but it isn't used very
> >> much, if at all. It was introduced back in 2012.
> >>
> > Hmm. The reason I hesitated to use idmap_ldap is that it sounds like
> > idmap_ldap looks for existing SID-to-UID/GIDs mappings in the LDAP
> > database, whereas idmap_rfc2307 consults an LDAP database (with RFC 2307
> > schema) based only on the username, which is *exactly* what I want. In
> > fact, I was even using idmap_ldap previously, and it didn't seem to work,
> > but likely I made some error.
> >
> >  From the man page for idmap_ldap:
> >
> >>>> Defines the directory base suffix to use for ***SID/uid/gid mapping
> > entries.***
> >
> > And from the man page for idmap_rfc2307:
> >
> >>>> An AD server is always required to provide the mapping between name
> and
> > SID, and ***the LDAP server is queried for the mapping between name and
> > uid/gid.***
> >
> > Is there a way to make idmap_ldap work the same way, ignoring the SID
> that
> > comes back from the AD server and querying the independent LDAP database
> > for uid and gids based on username? Can idmap_ldap query groups from
> > OpenLDAP in RFC 2307?
> >
> >
> >> I have tried it and I cannot make it work, either with 'security = ADS'
> >> or 'security = domain'
> >>
> >> Rowland
> >>
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
>
> 'idmap_rfc2307' got me thinking about the other rarely used backends and
> I wonder if you could use 'idmap_script', see 'man idmap_script' for
> (limited) info
>
> Rowland
>
Hi Rowland,

Indeed, I switched to using the idmap_script backend. For posterity (in
case it could ever help you or others), I have included the simple script
below. It correctly returns the UID and primary GID, which in our LDAP
system are the same, so it gets returned as XID per the man page. Then, and
this part I don't understand, but I verified it in the idmap logs, somehow
Samba/winbind becomes aware of the many other GIDs. It subsequently tries
to map them back to SIDs (which fails, because there is no mapping, but
it's cheap, so whatever).

So a few follow-ups, and then I'll be out of your hair:

1. By what mechanism does Samba/winbind go from seeing the UID/GID of the
user from the lookup to becoming aware of the other GIDs of the user? I am
uncomfortable not knowing this, because it seems like it could break.
2. This mechanism *works*. Users can mount shares based on their UNIX group
membership in the OpenLDAP server. *Thank you!* Now...is there any better
way to do this? I love that such a hacky back-end exists, but is this what
RFC 2307 is supposed to do, but it's truly broken code right now? It seems
like looking people up by username in a separate LDAP directory after
authenticating them with their Kerberos credentials against an AD server is
quite a common use case (I know many people who do it with older versions
of Samba that use the fallback mechanism; I wonder if you are going to get
lots of questions about this as people transition to EL 7 or 8 with 6 going
EOL).

Regards,

Ryan

#! /bin/bash
# idmap_script backend helper. winbind invokes it as
#   <script> SIDTOID <SID>         -> prints "UID:<n>", "GID:<n>" or "XID:<n>", else "ERR:<msg>"
#   <script> IDTOSID UID|GID <n>   -> prints "SID:<sid>", else "ERR:<msg>"
# Only SIDTOID is handled; XID is returned because here uidNumber doubles as the primary gid.
LOG=/var/log/samba/idmap_script.bash.log
printf "%s: %s\n" "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"

# Escape LDAP filter metacharacters (RFC 4515) so a username cannot rewrite the search filter.
ldap_escape() {
  local s="$1"
  s="${s//\\/\\5c}"
  s="${s//\*/\\2a}"
  s="${s//\(/\\28}"
  s="${s//\)/\\29}"
  printf '%s' "$s"
}

if [ "$1" != "SIDTOID" ] ; then
  printf "ERR: No idea what to do\n"
  exit 1
fi

# winbindd exports _NO_WINBINDD=1 so that lookups made from here bypass winbind
# (it cannot answer while it is waiting on this script). Lift it only for the
# wbinfo calls, then export it again (a plain assignment after unset does not re-export).
unset _NO_WINBINDD
sep="$(wbinfo --separator)"          # usually "\"
name="$(wbinfo -s "$2")"             # e.g. "MYDOMAIN\user1 1"
export _NO_WINBINDD=1

if [ -z "$name" ] ; then
  printf "ERR: Unmapped SID\n"
  exit 1
fi
name="${name% *}"                    # strip the trailing " <type>"
username="${name#*"$sep"}"           # strip "DOMAIN<sep>"
printf "\t'%s' => '%s'\n" "$2" "$username" >> "$LOG"

# Simple bind (-x) as the read-only agent DN. -w puts the password in the process
# list for the lifetime of ldapsearch; -y /path/to/password-file (mode 0600) avoids that.
ldap_info="$(ldapsearch -LLL -x -H ldaps://ldap.ldapdomain.org:636/ \
  -b "ou=users,dc=ldapdomain,dc=org" \
  -D "cn=samba,ou=agents,dc=ldapdomain,dc=org" -w 'BIND_PASSWORD' \
  "(uid=$(ldap_escape "$username"))" uidNumber)"
xid="$(printf '%s\n' "$ldap_info" | awk '/^uidNumber: /{print $2; exit}')"
printf "\t'%s' => '%s'\n" "$username" "$xid" >> "$LOG"

if [ -n "$xid" ] ; then
  printf "XID:%s\n" "$xid"
  exit 0
else
  printf "ERR: Unmapped SID\n"
  exit 1
fi

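The range bug found earlier in the thread (the '*' range ending at 2^32 being read by winbind as "65536 - 0") is easy to catch before winbind starts. The following checker is an added example, not code from the thread or from Samba: it parses only the 'idmap config DOM : range = LOW-HIGH' lines of an smb.conf, flags a high bound that does not fit in a 32-bit id, a low bound at or above the (wrapped) high bound, and ranges that overlap between domains. The sample configs are constructed from the smb.conf posted above; the overlap case is invented for illustration.

```python
"""Sanity-check the 'idmap config ... : range' lines of an smb.conf.

Added example, not code from the thread or from Samba. It reproduces the
failure seen in the thread, where '65536-4294967296' was reported by winbind
as 'invalid idmap range detected: 65536 - 0', and also catches ranges that
overlap between domains. The configs below are constructed from the posted
smb.conf.
"""
import re

ID_MAX = 2**32 - 1  # uid_t/gid_t are 32-bit; anything above wraps

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom").upper()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def check_idmap_ranges(ranges):
    """Return a list of problem strings (an empty list means the ranges look sane)."""
    problems = []
    for dom, (lo, hi) in ranges.items():
        hi32 = hi & ID_MAX  # what the bound becomes once truncated to 32 bits
        if hi != hi32:
            problems.append(f"{dom}: high bound {hi} does not fit in 32 bits; winbind sees {lo} - {hi32}")
        if lo >= hi32:
            problems.append(f"{dom}: invalid range {lo} - {hi32} (low must be below high)")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} and {b}: ranges overlap ({alo}-{ahi} vs {blo}-{bhi})")
    return problems


# Constructed from the thread's smb.conf: the '*' range ends at 2**32.
BROKEN_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 65536-4294967296
idmap config MYDOMAIN : backend = rfc2307
idmap config MYDOMAIN : range = 1000-65535
"""

# Same config with the upper bound corrected to 2**32 - 1, as the poster did.
FIXED_CONF = BROKEN_CONF.replace("4294967296", "4294967295")

# Constructed: two ranges that collide, so both domains could hand out the same ids.
OVERLAP_CONF = """
idmap config * : range = 10000-20000
idmap config MYDOMAIN : range = 15000-30000
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("overlap", OVERLAP_CONF)):
        problems = check_idmap_ranges(parse_idmap_ranges(conf))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Run it against a real smb.conf by reading the file into parse_idmap_ranges; the overlap check matters because winbind will happily allocate the same id from two backends if their ranges intersect, which the original thread's config avoided only by luck of the 1000-65535 / 65536-... split.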
