On Tue, Oct 12, 2010 at 4:03 PM, Haven <ha...@thehavennet.org.uk> wrote:
> Hi Andrew,
>
> On 10/12/10 08:26, Andrew Lyon wrote:
>>
>> I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
>> working in rfc2307 mode, wbinfo -u and -g return users and groups, but
>> wbinfo -i <user> fails, other test I tried is:
>>
>> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
>> sAMAccountName uidNumber gidNumber -P
>>
>> Which shows that I have 3 users and 2 groups which have rfc2307
>> attributes, however mapping is not working, files owned by the mapped
>> uid/gid do not show the username or group when listed, and users are
>> unable to authenticate to the samba server.
>>
>> I've noticed some errors in winbindd log:
>>
>> [2010/10/12 08:24:53.276576, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>>   [ 8296]: request interface version
>> [2010/10/12 08:24:53.276748, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>>   [ 8296]: request location of privileged pipe
>> [2010/10/12 08:24:53.276975, 3] winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
>>   list_users
>> [2010/10/12 08:24:56.764312, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>>   [ 8381]: request interface version
>> [2010/10/12 08:24:56.764473, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>>   [ 8381]: request location of privileged pipe
>> [2010/10/12 08:24:56.794828, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>>   getpwnam test
>> [2010/10/12 08:24:56.927925, 3] libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
>>   ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
>> [2010/10/12 08:24:56.927999, 2] winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
>>   ad_idmap_cached_connection: Failed to obtain schema details!
>
> Your errors look different but the symptoms are the same. I've another
> person with the same issue, the link below explains the exact problem I
> have:
>
> http://www.spinics.net/lists/samba/msg92328.html
>
> A snippet from one of my logs shows the issue:
>>
>> [2010/10/12 12:54:42.931329, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
>>   Could not convert sid S-1-5-21-4140011924-985775245-1159988818-1608: NT_STATUS_NONE_MAPPED
>> [2010/10/12 12:54:42.931436, 10] winbindd/winbindd.c:655(wb_request_done)
>>   wb_request_done[25718:GETPWNAM]: NT_STATUS_NONE_MAPPED
>
> If I "wbinfo -S S-1-5-21-4140011924-985775245-1159988818-1608" then I get
> the right UID returned.
>
> When I type "id" I get "No such user".
>
> wbinfo -u and -g show all my users and groups fine.
>
> I've found an odd hack that gets me up and running for a short while but I'm
> not entirely sure why it's working, I've described it below.
>
>>> Old broken:
>>>
>>> idmap backend = ad
>>> winbind nss info = rfc2307
>>>
>>> New working:
>>>
>>> idmap uid = 10000-20000
>>> idmap gid = 10000-20000
>>>
>> Doesn't that change work around the problem by disabling idmap
>> altogether? It may work but the mappings will not be consistent if you
>> have multiple samba servers.
>
> If I replace my standard smb.conf with the changes above and then "net ads
> join" and restart winbind I can get an id for any of my users. I only need
> to do this for one user.
>
> Then I switch back to the original "idmap backend = ad" smb.conf and restart
> winbind again.
>
> At this point all my user ids work once again with the exception of the
> test user that I used which now has an invalidly cached uid.
>
> If I "net cache flush" then this breaks the id mapping once again.
>
> So basically something is screwy and somehow cache files are involved, I'm
> pretty sure it's /var/run/samba/gencache* that is storing this data but that
> could be a symptom and not the cause. I've not had chance to start decoding
> cache files and examining their contents yet.
>
> An alternative option that I've tried is to switch to an rid back end across
> all of our systems, this is obviously going to take some more verification
> and planning before going into effect but I've included my test rid config
> below in case it is of use to you. The few test cases I've run so far gave
> good results.
>
> If you manage to get any further then let me know as curiosity has long
> since moved onto frustration :)
>
>> [global]
>> dos charset = 850
>> workgroup = DOMAIN
>> realm = DOMAIN.NET
>> server string = Samba Server Version %v
>> security = ADS
>> password server = 192.168.1.2, 192.168.1.3, *
>> client NTLMv2 auth = Yes
>> kerberos method = system keytab
>> log level = 10
>> debug timestamp = No
>> disable netbios = Yes
>> name resolve order = host lmhosts
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>> local master = No
>> domain master = No
>> dns proxy = No
>> idmap uid = 9000-9999
>> idmap gid = 9000-9999
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind separator = +
>> winbind use default domain = Yes
>> winbind refresh tickets = Yes
>> winbind offline logon = Yes
>>
>> idmap config DOMAIN : default = yes
>> idmap config DOMAIN : schema_mode = rfc2307
>> #idmap config DOMAIN : backend = ad
>> #idmap config DOMAIN : range = 10000-20000
>>
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 10000 - 20000
>>
>> hosts allow = 127.0.0.1, 192.168.1.0/24
>> hosts deny = 0.0.0.0/0
>
> Regards
>
> Simon
>
Hi,

I've made some progress on this. In order to use rfc2307/sfu id mapping you must have a writable default idmap backend and an explicit domain configuration which uses rfc2307/sfu. This was mentioned in a bug report back in 2009, https://bugzilla.samba.org/show_bug.cgi?id=6322, but it appears nothing further was done to make it clear in the documentation.

Example working config:

idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-49999
idmap config DOMAIN : schema_mode = rfc2307
idmap backend = tdb
idmap uid = 50000-99999
idmap gid = 50000-99999

There seems to be a problem with "winbind nss info = rfc2307" but I'm going to start a new thread about that.

So far I can list users and groups using wbinfo and also get details for a single user with wbinfo -i, I can su to an AD account, and setting ownership of files and folders to mapped ids results in the AD user/group names being displayed, so mapping does seem to be working ok, but getent passwd/group does not list AD users and I cannot login to the system using an AD account, so I think I've still got some nsswitch/pam issues which I'm going to work on today.

Andy

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba