Hi Andrew,
On 10/12/10 08:26, Andrew Lyon wrote:
I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
working in rfc2307 mode. wbinfo -u and -g return users and groups, but
wbinfo -i <user> fails. Another test I tried is:
net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P
which shows that I have 3 users and 2 groups which have rfc2307
attributes; however, mapping is not working: files owned by the mapped
uid/gid do not show the username or group when listed, and users are
unable to authenticate to the Samba server.
I've noticed some errors in winbindd log:
[2010/10/12 08:24:53.276576, 3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 8296]: request interface version
[2010/10/12 08:24:53.276748, 3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 8296]: request location of privileged pipe
[2010/10/12 08:24:53.276975, 3]
winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
list_users
[2010/10/12 08:24:56.764312, 3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 8381]: request interface version
[2010/10/12 08:24:56.764473, 3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 8381]: request location of privileged pipe
[2010/10/12 08:24:56.794828, 3]
winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam test
[2010/10/12 08:24:56.927925, 3]
libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
[2010/10/12 08:24:56.927999, 2]
winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
ad_idmap_cached_connection: Failed to obtain schema details!
Your errors look different but the symptoms are the same. I've found
another person with the same issue; the link below explains the
exact problem I have:
http://www.spinics.net/lists/samba/msg92328.html
A snippet from one of my logs shows the issue:
[2010/10/12 12:54:42.931329, 5]
winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
Could not convert sid
S-1-5-21-4140011924-985775245-1159988818-1608: NT_STATUS_NONE_MAPPED
[2010/10/12 12:54:42.931436, 10]
winbindd/winbindd.c:655(wb_request_done)
wb_request_done[25718:GETPWNAM]: NT_STATUS_NONE_MAPPED
If I "wbinfo -S S-1-5-21-4140011924-985775245-1159988818-1608" then
I get the right UID returned.
When I type "id" I get "No such user"
wbinfo -u and -g show all my users and groups fine.
I've found an odd hack that gets me up and running for a short while,
but I'm not entirely sure why it's working; I've described it below.
> Old broken:
>
> idmap backend = ad
> winbind nss info = rfc2307
>
> New working:
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
Doesn't that change work around the problem by disabling idmap
altogether? It may work, but the mappings will not be consistent if you
have multiple Samba servers.
If I replace my standard smb.conf with the changes above and then
"net ads join" and restart winbind, I can get an id for any of my
users. I only need to do this for one user.
Then I switch back to the original "idmap backend = ad" smb.conf and
restart winbind again.
At this point all my user IDs work once again, with the exception of
the test user that I used, which now has an invalidly cached uid.
If I "net cache flush" then this breaks the id mapping once again.
So basically something is screwy and somehow cache files are
involved; I'm pretty sure it's /var/run/samba/gencache* that is
storing this data, but that could be a symptom and not the cause.
I've not had a chance to start decoding cache files and examining
their contents yet.
An alternative option that I've tried is to switch to a rid backend
across all of our systems; this is obviously going to take some
more verification and planning before going into effect, but I've
included my test rid config below in case it is of use to you. The
few test cases I've run so far gave good results.
If you manage to get any further then let me know as curiosity has
long since moved onto frustration :)
[global]
dos charset = 850
workgroup = DOMAIN
realm = DOMAIN.NET
server string = Samba Server Version %v
security = ADS
password server = 192.168.1.2, 192.168.1.3, *
client NTLMv2 auth = Yes
kerberos method = system keytab
log level = 10
debug timestamp = No
disable netbios = Yes
name resolve order = host lmhosts
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
domain master = No
dns proxy = No
idmap uid = 9000-9999
idmap gid = 9000-9999
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config DOMAIN : default = yes
idmap config DOMAIN : schema_mode = rfc2307
#idmap config DOMAIN : backend = ad
#idmap config DOMAIN : range = 10000-20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000 - 20000
hosts allow = 127.0.0.1, 192.168.1.0/24
hosts deny = 0.0.0.0/0
Regards
Simon
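An added example, not part of either message above and not Samba's own code: a small POSIX shell helper for the two things this thread keeps circling, namely pulling the SIDs that winbindd failed to map (the "Could not convert sid ...: NT_STATUS_NONE_MAPPED" lines) out of a log, and predicting what the idmap_rid backend in Simon's test config would hand out for such a SID. It assumes the documented idmap_rid rule, ID = RID - base_rid + low_range with base_rid defaulting to 0, and that a result outside the configured range is reported as unmapped. The log text is constructed for the example (it reuses the SID from the thread); a real winbindd log keeps each message on one line, which is what the sed pattern expects.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Two helpers:
#   unmapped_sids  - reads winbindd log text on stdin, prints each SID that
#                    failed with NT_STATUS_NONE_MAPPED (one per line, deduplicated)
#   rid_to_id      - predicts the id idmap_rid would assign to a SID, using the
#                    documented rule ID = RID - base_rid + low_range (base_rid
#                    defaults to 0); prints "unmapped" and returns 1 when the
#                    result falls outside [low, high]

unmapped_sids() {
    # Assumption: the message is on one line, as winbindd writes it.
    sed -n 's/.*Could not convert sid \(S-[0-9-]*\): NT_STATUS_NONE_MAPPED.*/\1/p' | sort -u
}

# usage: rid_to_id SID LOW HIGH [BASE_RID]
rid_to_id() {
    sid=$1; low=$2; high=$3; base=${4:-0}
    rid=${sid##*-}                     # the last dash-separated component is the RID
    case $rid in
        ''|*[!0-9]*) echo "bad sid: $sid" >&2; return 2 ;;
    esac
    id=$((rid - base + low))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo unmapped                  # idmap_rid returns NT_STATUS_NONE_MAPPED here
        return 1
    fi
    echo "$id"
}

# Constructed sample log (SID taken from the thread; lines joined as winbindd writes them).
SAMPLE_LOG='[2010/10/12 12:54:42.931329, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-4140011924-985775245-1159988818-1608: NT_STATUS_NONE_MAPPED
[2010/10/12 12:54:42.931436, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[25718:GETPWNAM]: NT_STATUS_NONE_MAPPED'

# Demo: for every SID that failed, show what the rid backend would give it with
# the thread's "range = 10000 - 20000" versus the global "idmap uid = 9000-9999".
printf '%s\n' "$SAMPLE_LOG" | unmapped_sids | while read -r s; do
    printf '%s -> range 10000-20000: %s\n' "$s" "$(rid_to_id "$s" 10000 20000 || :)"
    printf '%s -> range 9000-9999:   %s\n' "$s" "$(rid_to_id "$s" 9000 9999 || :)"
done
```

The point of running the prediction is that idmap_rid is a pure function of the SID and the range, so two Samba servers with the same "idmap config DOMAIN : range" produce the same uid for the same RID with no shared cache or AD attribute involved; a RID larger than the range width simply comes back unmapped, which is why a narrow range like 9000-9999 would fail for RID 1608 while 10000-20000 yields 11608. To compare against a live box, run "wbinfo -S <sid>" (as Simon did) and check it against the helper's output.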