Hi Javier,

Javier Conti wrote:
> Dear list,
>
> upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
> to 3.6.3. I was successfully using idmap_ad to authenticate users but
> after the upgrade it stopped working and users are not seen by the OS.
> Obviously the users I want to see on the Linux server have all RFC2307
> attributes populated and are seen by all other SLES11 SP1 servers.
>
> Although I tried many changes to the config, according to some hints found
> on the web, this is what I was using with Samba 3.4.3:
>
> [global]
> workgroup = MYDOMAIN
> realm = MYREALM
> security = ADS
>
> idmap backend = idmap_ad
> idmap uid = 64000 - 64999
> idmap gid = 64000 - 64999
>
> idmap config MYDOMAIN : default = yes
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : range = 1000-50000
> idmap config MYDOMAIN : schema_mode = rfc2307
>
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind offline logon = yes
> winbind refresh tickets = yes
> [...]
>
> Any hints on what has changed with Samba 3.6.3 and/or what to
> change to adapt the configuration to 3.6.3 (if necessary)?

Some comments:

The above config makes no real sense for me, neither for 3.4 nor for 3.6:

* The parameter "idmap config DOMAIN : default = yes/no" has been removed
  in samba 3.3. It only existed from 3.0.25 to 3.2.
  (http://www.samba.org/samba/history/samba-3.3.0.html)

* You are using the backend "ad" (or "idmap_ad", which is a deprecated
  synonym) both in "idmap config MYDOMAIN : backend" and in "idmap backend",
  both with different ranges. This does not seem to make sense to me.
  It is necessary to specify a writable backend for the catch-all default
  idmap configuration, e.g. tdb or ldap.

  In 3.6, "idmap backend" has been replaced by "idmap config * : backend", etc.
A valid config for 3.4 would be:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
workgroup = MYDOMAIN
idmap backend = tdb
idmap uid = xxxxx-yyyyy
idmap gid = xxxxx-yyyyy
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 1000-50000
idmap config MYDOMAIN : schema_mode = rfc2307
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The corresponding for 3.6:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
workgroup = MYDOMAIN
idmap config * : backend = tdb
idmap config * : range = xxxxx-yyyyy
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 1000-50000
idmap config MYDOMAIN : schema_mode = rfc2307
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> I checked everything (I know) from the Samba point of view, and it almost
> seems ok, but "wbinfo -i" fails as follows:
>
> # wbinfo -i myuser
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user myuser
>
> Using the same user, for example, I can do:
>
> # wbinfo -n myuser
> S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
> # wbinfo -n "Domain Users"
> S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)
>
> # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
> MYDOMAIN\myuser 1
> # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
> MYDOMAIN\Domain Users
>
> # net -Uadminuser user info myuser |head
> Enter adminuser's password:
> domain users
> [...]
> # net -Uadminuser ads user |grep myuser
> Enter adminuser's password:
> myuser
>
> Obviously, id(1) and getent(1) fail.
> What I get is:
>
> [2012/05/14 16:50:47.958484, 6] winbindd/winbindd.c:792(new_connection)
>   accepted socket 25
> [2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
>   process_request: request fn INTERFACE_VERSION
> [2012/05/14 16:50:47.958644, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [ 5756]: request interface version
> [2012/05/14 16:50:47.958705, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:INTERFACE_VERSION]: delivered response to client
> [2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/05/14 16:50:47.958808, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [ 5756]: request location of privileged pipe
> [2012/05/14 16:50:47.958870, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
> [2012/05/14 16:50:47.958939, 6] winbindd/winbindd.c:792(new_connection)
>   accepted socket 26
> [2012/05/14 16:50:47.958995, 6] winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 25, client exited
> [2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
>   process_request: Handling async request 5756:GETPWNAM
> [2012/05/14 16:50:47.959097, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam myuser
> [2012/05/14 16:50:47.959135, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>   wbint_LookupName: struct wbint_LookupName
>     in: struct wbint_LookupName
>       domain : *
>         domain : 'MYDOMAIN'
>       name : *
>         name : 'MYUSER'
>       flags : 0x00000008 (8)
> [2012/05/14 16:50:47.959276, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>   wbint_LookupName: struct wbint_LookupName
>     out: struct wbint_LookupName
>       type : *
>         type : SID_NAME_USER (1)
>       sid : *
>         sid : S-1-5-21-828208052-1092558876-1846952604-22794
>       result : NT_STATUS_OK
> [2012/05/14 16:50:47.959404, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>   wbint_QueryUser: struct wbint_QueryUser
>     in: struct wbint_QueryUser
>       sid : *
>         sid : S-1-5-21-828208052-1092558876-1846952604-22794
> [2012/05/14 16:50:47.959499, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>   wbint_QueryUser: struct wbint_QueryUser
>     out: struct wbint_QueryUser
>       info : *
>         info: struct wbint_userinfo
>           acct_name : *
>             acct_name : 'myuser'
>           full_name : *
>             full_name : 'Lastname Firstname'
>           homedir : *
>             homedir : '/home/myuser'
>           shell : *
>             shell : '/bin/bash'
>           primary_gid : 0x0000000000002710 (10000)
>           user_sid : S-1-5-21-828208052-1092558876-1846952604-22794
>           group_sid : S-1-5-21-828208052-1092558876-1846952604-513
>       result : NT_STATUS_OK
> [2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
>   idmap_cache_find_sid2uid found 10106
> [2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
>   idmap_cache_find_sid2gid found -1
> [2012/05/14 16:50:47.959763, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
> [2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
>   wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/05/14 16:50:47.959843, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:GETPWNAM]: delivered response to client
> [2012/05/14 16:50:47.959937, 6] winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 26, client exited

Hmm, it finds a sid2uid mapping in the cache, but then a sid2gid lookup
fails (from the cache). Due to the bad error message, it cannot be seen
which sid was the input. It could also be the ...-513 group sid.
Could you please check the id mapping with the more low-level wbinfo
commands:

wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794   ==> should give a uid
wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794   ==> should fail
wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513     ==> should fail
wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513     ==> should give a gid

Cheers - Michael
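As an added example (not code from the thread or from Samba), here is a small Python linter that applies the checks Michael lists above to the quoted smb.conf idmap section and rewrites the 3.4 catch-all parameters in the 3.6 "idmap config * :" form. The sample config is Javier's idmap lines; the writable-backend set and the deprecated-synonym table are assumptions taken from the reply, not from Samba's source.

```python
"""Lint a Samba 3.x idmap config for the issues noted above and rewrite it in 3.6 form (example code, not Samba's)."""
import re

WRITABLE = {"tdb", "tdb2", "ldap"}  # catch-all ("*") backends that can allocate new ids (assumed per the reply)
DEPRECATED = {"idmap_ad": "ad"}     # old synonym -> current backend name (per the reply)
SAMPLE_CONF = """idmap backend = idmap_ad
idmap uid = 64000 - 64999
idmap gid = 64000 - 64999
idmap config MYDOMAIN : default = yes
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 1000-50000
idmap config MYDOMAIN : schema_mode = rfc2307
"""  # Javier's idmap lines, quoted from the thread


def parse_global(text):
    """Map 'key = value' lines to a dict; keys lower-cased (Samba ignores case) with ' : ' canonical."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", key.lower()))
        conf[key] = value
    return conf


def lint(conf):
    """Return the problems the reply above identifies, as strings (3.6 catch-all key checked first, then 3.4)."""
    problems = []
    for key, value in conf.items():
        if key.endswith(" : default"):
            problems.append(f"'{key}' was removed in Samba 3.3 (existed 3.0.25-3.2 only)")
        elif key.endswith("backend") and value in DEPRECATED:
            problems.append(f"'{key} = {value}': deprecated synonym, use '{DEPRECATED[value]}'")
    catch_all = conf.get("idmap config * : backend", conf.get("idmap backend"))
    if DEPRECATED.get(catch_all, catch_all) not in WRITABLE:
        problems.append(f"catch-all backend {catch_all!r} is not writable; use tdb or ldap")
    return problems


def to_36(conf):
    """Translate 3.4 'idmap backend/uid/gid' into 3.6 'idmap config * : backend/range'."""
    out = dict(conf)
    if "idmap backend" in out:
        out["idmap config * : backend"] = out.pop("idmap backend")
    uid, gid = out.pop("idmap uid", None), out.pop("idmap gid", None)
    if uid and gid and uid.replace(" ", "") != gid.replace(" ", ""):
        raise ValueError("3.6 has one range per domain; 'idmap uid' and 'idmap gid' differ")
    if uid or gid:
        out["idmap config * : range"] = (uid or gid).replace(" ", "")
    return out
```

Running lint() over the sample reports all three points from the reply; to_36() leaves the per-domain "ad" settings alone and only moves the catch-all backend and range.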
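A second added example (again not from the thread or from Samba) that runs the four wbinfo checks Michael asks for and grades each result against the expected outcome. The SIDs are the ones quoted in the thread; the runner is injectable so the grading can be exercised with constructed output where no winbindd is available, and the assumption that a successful `wbinfo -S`/`-Y` prints just the numeric id is mine.

```python
"""Run the four wbinfo id-mapping checks from the reply above and grade the outcome (example code, not Samba's)."""
import subprocess

# SIDs quoted in the thread: the user and the "Domain Users" group
USER_SID = "S-1-5-21-828208052-1092558876-1846952604-22794"
GROUP_SID = "S-1-5-21-828208052-1092558876-1846952604-513"
# (flag, sid, should_succeed): -S maps a SID to a uid, -Y maps a SID to a gid.
# A user SID must map to a uid only, a group SID to a gid only.
CHECKS = [("-S", USER_SID, True), ("-Y", USER_SID, False),
          ("-S", GROUP_SID, False), ("-Y", GROUP_SID, True)]


def run_wbinfo(flag, sid):
    """Real runner: (exit status ok?, stdout) of `wbinfo <flag> <sid>` on a live winbindd."""
    p = subprocess.run(["wbinfo", flag, sid], capture_output=True, text=True)
    return p.returncode == 0, p.stdout.strip()


def verify(run=run_wbinfo):
    """Grade each check; returns [(flag, sid, verdict)] with verdict 'ok' or a diagnosis.
    `run` is injectable so the grading can be tested with constructed results."""
    results = []
    for flag, sid, expect_ok in CHECKS:
        ok, out = run(flag, sid)
        if ok and not out.isdigit():  # assumption: success prints only the numeric id
            verdict = f"succeeded but printed {out!r} instead of a numeric id"
        elif ok == expect_ok:
            verdict = "ok"
        elif ok:
            kind = "gid" if flag == "-Y" else "uid"
            verdict = f"mapped to {out}, but no {kind} should exist for this SID"
        else:
            verdict = "failed: no id mapped; getpwnam needs both the uid and the primary gid"
        results.append((flag, sid, verdict))
    return results


def all_ok(results):
    """True when every check matched its expected outcome."""
    return all(v == "ok" for _, _, v in results)
```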
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba