On 15 May 2012 23:29, Michael Adam <[email protected]> wrote:
> Hi Javier,
>
> Javier Conti wrote:
>> Dear list,
>>
>> upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
>> to 3.6.3. I was successfully using idmap_ad to authenticate users but
>> after the upgrade it stopped working and users are not seen by the OS.
>> Obviously the users I want to see on the Linux server have all RFC2307
>> attributes populated and are seen by all other SLES11 SP1 servers.
>
>> Although I tried many changes to the config, according to some hints found
>> on the web, this is what I was using with Samba 3.4.3:
>>
>> [global]
>> workgroup = MYDOMAIN
>> realm = MYREALM
>> security = ADS
>>
>> idmap backend = idmap_ad
>> idmap uid = 64000 - 64999
>> idmap gid = 64000 - 64999
>>
>> idmap config MYDOMAIN : default = yes
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : range = 1000-50000
>> idmap config MYDOMAIN : schema_mode = rfc2307
>>
>> winbind use default domain = yes
>> winbind nss info = rfc2307
>> winbind offline logon = yes
>> winbind refresh tickets = yes
>> [...]
>>
>> Any hints on what has changed with Samba 3.6.3 and/or what to
>> change to adapt the configuration to 3.6.3 (if necessary)?
>
> Some comments:
> The above config makes no real sense for me,
> neither for 3.4 nor for 3.6:
>
> * The parameter "idmap config DOMAIN : default = yes/no"
>   has been removed in samba 3.3. It only existed from
>   3.0.25 to 3.2.
>   (http://www.samba.org/samba/history/samba-3.3.0.html)
>
> * You are using the backend "ad" (or "idmap_ad" which is
>   a deprecated synonym) both in "idmap config MYDOMAIN : backend"
>   and in "idmap backend". Both with different ranges.
>   This does not seem to make sense to me.
>
>   It is necessary to specify a writable backend for the
>   catch all default idmap configuration, e.g. tdb or ldap.
>
>   In 3.6, the "idmap backend" has been replaced by
>   "idmap config * : backend", etc.
>
> A valid config for 3.4 would be:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> [global]
> workgroup = MYDOMAIN
>
> idmap backend = tdb
> idmap uid = xxxxx-yyyyy
> idmap gid = xxxxx-yyyyy
>
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : range = 1000-50000
> idmap config MYDOMAIN : schema_mode = rfc2307
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The corresponding for 3.6:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> [global]
> workgroup = MYDOMAIN
>
> idmap config * : backend = tdb
> idmap config * : range = xxxxx-yyyyy
>
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : range = 1000-50000
> idmap config MYDOMAIN : schema_mode = rfc2307
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hi Michael,

thanks for your input. The latter is indeed the configuration I'm running lately.

>> I checked everything (I know) from the Samba point of view, and it almost
>> seems ok, but "wbinfo -i" fails as follows:
>>
>> # wbinfo -i myuser
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user myuser
>>
>> Using the same user, for example, I can do:
>>
>> # wbinfo -n myuser
>> S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
>> # wbinfo -n "Domain Users"
>> S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)
>>
>> # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
>> MYDOMAIN\myuser 1
>> # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
>> MYDOMAIN\Domain Users
>>
>> # net -Uadminuser user info myuser |head
>> Enter adminuser's password:
>> domain users
>> [...]
>> # net -Uadminuser ads user |grep myuser
>> Enter adminuser's password:
>> myuser
>>
>> Obviously, id(1) and getent(1) fail. What I get is:
>>
>> [2012/05/14 16:50:47.958484, 6] winbindd/winbindd.c:792(new_connection)
>>   accepted socket 25
>> [2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
>>   process_request: request fn INTERFACE_VERSION
>> [2012/05/14 16:50:47.958644, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>>   [ 5756]: request interface version
>> [2012/05/14 16:50:47.958705, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>>   winbind_client_response_written[5756:INTERFACE_VERSION]: delivered response to client
>> [2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
>>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
>> [2012/05/14 16:50:47.958808, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>>   [ 5756]: request location of privileged pipe
>> [2012/05/14 16:50:47.958870, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>>   winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
>> [2012/05/14 16:50:47.958939, 6] winbindd/winbindd.c:792(new_connection)
>>   accepted socket 26
>> [2012/05/14 16:50:47.958995, 6] winbindd/winbindd.c:840(winbind_client_request_read)
>>   closing socket 25, client exited
>> [2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
>>   process_request: Handling async request 5756:GETPWNAM
>> [2012/05/14 16:50:47.959097, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>   getpwnam myuser
>> [2012/05/14 16:50:47.959135, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>   wbint_LookupName: struct wbint_LookupName
>>     in: struct wbint_LookupName
>>       domain : *
>>         domain : 'MYDOMAIN'
>>       name : *
>>         name : 'MYUSER'
>>       flags : 0x00000008 (8)
>> [2012/05/14 16:50:47.959276, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>   wbint_LookupName: struct wbint_LookupName
>>     out: struct wbint_LookupName
>>       type : *
>>         type : SID_NAME_USER (1)
>>       sid : *
>>         sid : S-1-5-21-828208052-1092558876-1846952604-22794
>>       result : NT_STATUS_OK
>> [2012/05/14 16:50:47.959404, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>   wbint_QueryUser: struct wbint_QueryUser
>>     in: struct wbint_QueryUser
>>       sid : *
>>         sid : S-1-5-21-828208052-1092558876-1846952604-22794
>> [2012/05/14 16:50:47.959499, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>   wbint_QueryUser: struct wbint_QueryUser
>>     out: struct wbint_QueryUser
>>       info : *
>>         info: struct wbint_userinfo
>>           acct_name : *
>>             acct_name : 'myuser'
>>           full_name : *
>>             full_name : 'Lastname Firstname'
>>           homedir : *
>>             homedir : '/home/myuser'
>>           shell : *
>>             shell : '/bin/bash'
>>           primary_gid : 0x0000000000002710 (10000)
>>           user_sid : S-1-5-21-828208052-1092558876-1846952604-22794
>>           group_sid : S-1-5-21-828208052-1092558876-1846952604-513
>>       result : NT_STATUS_OK
>> [2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
>>   idmap_cache_find_sid2uid found 10106
>> [2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
>>   idmap_cache_find_sid2gid found -1
>> [2012/05/14 16:50:47.959763, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>   Could not convert sid S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
>> [2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
>>   wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
>> [2012/05/14 16:50:47.959843, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>>   winbind_client_response_written[5756:GETPWNAM]: delivered response to client
>> [2012/05/14 16:50:47.959937, 6] winbindd/winbindd.c:840(winbind_client_request_read)
>>   closing socket 26, client exited
>
> Hmm, it finds a sid2uid mapping in the cache,
> but then a sid2gid lookup fails (from cache).
> Due to bad error message, it can not be seen
> which sid was the input. Could also be the ...-513
> group sid.
>
> Could you please check with the more low level wbinfo commands
> the results of the commands for id mapping:
>
> wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794
> ==> should give a uid

That works and gives me 10106.

> wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794
> ==> should fail

That fails with WBC_ERR_DOMAIN_NOT_FOUND.

> wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513
> ==> should fail

That fails with WBC_ERR_DOMAIN_NOT_FOUND.

> wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513
> ==> should give a gid

That fails with WBC_ERR_DOMAIN_NOT_FOUND.

I don't know if it's related to that, but in the RFC2307 fields of the 10106
user I put 10000 as primary group, which is not "Domain Users", but
S-1-5-21-828208052-1092558876-1846952604-513 is actually "Domain Users".
The group "Domain Users" has no RFC2307 gid attribute. We didn't populate it
since it's not used at all in the Unix environment. If I get the SID of the
user's primary group (i.e. the one I see using id(1) on a 3.4.3 client) and
then perform a sid-to-gid (wbinfo -Y) it works.

Thanks,
Javier

> Cheers - Michael
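A small linter for the idmap pitfalls Michael lists (the removed "default" option, a non-writable or missing catch-all backend, and "idmap backend" versus "idmap config * : backend" in 3.6). This is an added example, not code from the thread or from Samba; the version strings and the two sample configs are constructed from the configs quoted above.

```python
import re
WRITABLE_DEFAULTS = {"tdb", "tdb2", "ldap"}           # writable catch-all backends
IDMAP_CFG = re.compile(r"^idmap config (\S+) : (\S+)$")

def parse_global(text):
    """Return {normalised key: value} for the [global] section of an smb.conf."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            params[" ".join(key.lower().split())] = val.lower().replace("idmap_", "")
    return params

def lint_idmap(params, version):
    """List the idmap problems raised in the thread, for Samba '3.4' or '3.6'."""
    problems, domains = [], {}
    for key, val in params.items():
        if m := IDMAP_CFG.match(key):
            domains.setdefault(m.group(1), {})[m.group(2)] = val
    for dom, opts in domains.items():
        if "default" in opts:
            problems.append(f"'idmap config {dom} : default' was removed in 3.3")
    legacy = params.get("idmap backend", "")
    if version == "3.4":
        default = legacy
    else:
        default = domains.get("*", {}).get("backend", "")
        if legacy:
            problems.append("3.6 replaces 'idmap backend' with 'idmap config * : backend'")
    if not default:
        problems.append(f"{version} has no catch-all default idmap backend")
    elif default not in WRITABLE_DEFAULTS:
        problems.append(f"default backend '{default}' is not writable; use tdb or ldap")
    return problems

# Constructed from the poster's 3.4.3 config and Michael's suggested 3.6 one
OLD_CONF = """[global]
idmap backend = idmap_ad
idmap config MYDOMAIN : default = yes
idmap config MYDOMAIN : backend = ad
"""
NEW_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 60000-69999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 1000-50000
"""
```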

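Michael points out that the "Could not convert sid" line names the user SID even though the lookup that returned -1 was sid2gid. The following added example (not code from the thread or from Samba) correlates the wbint_QueryUser output with the cache lookups that follow it in a level-10 winbindd log; attributing the sid2gid result to group_sid (the AD primary group, -513 here) follows the thread's diagnosis, and the sample log is a constructed excerpt of the lines quoted above.

```python
import re

# Constructed sample: the relevant lines of the winbindd level-10 log from the thread
SAMPLE_LOG = """\
[2012/05/14 16:50:47.959499, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_QueryUser: struct wbint_QueryUser
    out: struct wbint_QueryUser
      primary_gid : 0x0000000000002710 (10000)
      user_sid : S-1-5-21-828208052-1092558876-1846952604-22794
      group_sid : S-1-5-21-828208052-1092558876-1846952604-513
      result : NT_STATUS_OK
[2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 10106
[2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found -1
[2012/05/14 16:50:47.959763, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
"""

SID = r"S-1-5-21-[0-9-]+"
FIELD_RE = re.compile(r"^\s*(user_sid|group_sid)\s*:\s*(" + SID + r")")
PGID_RE = re.compile(r"^\s*primary_gid\s*:\s*(0x[0-9a-fA-F]+)")
CACHE_RE = re.compile(r"idmap_cache_find_sid2(uid|gid) found (-?\d+)")
FAIL_RE = re.compile(r"Could not convert sid (" + SID + r"): (NT_STATUS_\w+)")

def analyse_getpwnam(log_text):
    """Pair the QueryUser SIDs with the cached uid/gid results (-1 = no mapping)
    and report which lookup failed, not just the SID named in the error line."""
    info = {"user_sid": None, "group_sid": None, "primary_gid": None,
            "uid": None, "gid": None, "reported_sid": None, "status": None}
    for line in log_text.splitlines():
        if m := FIELD_RE.match(line):
            info[m.group(1)] = m.group(2)
        elif m := PGID_RE.match(line):
            info["primary_gid"] = int(m.group(1), 16)   # gidNumber from RFC2307
        elif m := CACHE_RE.search(line):
            info[m.group(1)] = int(m.group(2))
        elif m := FAIL_RE.search(line):
            info["reported_sid"], info["status"] = m.group(1), m.group(2)
    failed = []
    if info["uid"] == -1:
        failed.append(("sid2uid", info["user_sid"]))
    if info["gid"] == -1:   # per the thread, this lookup is for the AD primary group
        failed.append(("sid2gid", info["group_sid"]))
    info["failed_lookups"] = failed
    return info
```

On the sample above it reports the sid2gid failure against the -513 "Domain Users" SID, which matches Javier's finding that that group has no RFC2307 gid attribute.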