Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-30 Thread Javier Conti
On 16 May 2012 16:50, Javier Conti javier.co...@gmail.com wrote:
 On 16 May 2012 13:19, Michael Adam ob...@samba.org wrote:
 Hi Javier,

 Javier Conti wrote:
 On 15 May 2012 23:29, Michael Adam ob...@samba.org wrote:
  Hi Javier,
 
  Javier Conti wrote:
  Dear list,
 
  upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
  to 3.6.3. I was successfully using idmap_ad to authenticate users but
  after the upgrade it stopped working and users are not seen by the OS.
  Obviously the users I want to see on the Linux server have all RFC2307
  attributes populated and are seen by all other SLES11 SP1 servers.
 
 
   Although I tried many changes to the config, according to some hints found
   on the web, this is what I was using with Samba 3.4.3:
 
    [global]
      workgroup = MYDOMAIN
      realm = MYREALM
      security = ADS
 
      idmap backend = idmap_ad
      idmap uid = 64000 - 64999
      idmap gid = 64000 - 64999
 
      idmap config MYDOMAIN : default = yes
      idmap config MYDOMAIN : backend = ad
      idmap config MYDOMAIN : range = 1000-5
      idmap config MYDOMAIN : schema_mode = rfc2307
 
      winbind use default domain = yes
      winbind nss info = rfc2307
      winbind offline logon = yes
      winbind refresh tickets = yes
      [...]
 
  Any hints on what has changed with Samba 3.6.3 and/or what to
  change to adapt the configuration to 3.6.3 (if necessary)?
 
  Some comments:
  The above config makes no real sense for me,
  neither for 3.4 nor for 3.6:
 
  * The parameter idmap config DOMAIN : default = yes/no
   has been removed in samba 3.3. It only existed from
   3.0.25 to 3.2.
   (http://www.samba.org/samba/history/samba-3.3.0.html)
 
  * You are using the backend ad (or idmap_ad which is
   a deprecated synonym) both in idmap config MYDOMAIN : backend
   and in idmap backend. Both with different ranges.
   This does not seem to make sense to me.
 
   It is necessary to specify a writable backend for the
   catch all default idmap configuration, e.g. tdb or ldap.
 
   In 3.6, the idmap backend has been replaced by
   idmap config * : backend, etc.
 
  A valid config for 3.4 would be:
 
  ~
  [global]
         workgroup = MYDOMAIN
 
         idmap backend = tdb
         idmap uid = x-y
         idmap gid = x-y
 
         idmap config MYDOMAIN : backend = ad
         idmap config MYDOMAIN : range = 1000-5
          idmap config MYDOMAIN : schema mode = rfc2307
  ~
 
  The corresponding for 3.6:
 
  ~
  [global]
         workgroup = MYDOMAIN
 
         idmap config * : backend = tdb
         idmap config * : range = x-y
 
         idmap config MYDOMAIN : backend = ad
         idmap config MYDOMAIN : range = 1000-5
          idmap config MYDOMAIN : schema mode = rfc2307
  ~

 Hi Michael,

 thanks for your input. The latter is indeed the configuration I'm
 running lately.

 Ok, so you _are_ running the default domain with the tdb idmap
 backend. -- Good.

  Could you please check with the more low level wbinfo commands
  the results of the commands for id mapping:
 
  wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794
  == should give a uid

 That works and gives me 10106.

  wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794
  == should fail

 That fails with WBC_ERR_DOMAIN_NOT_FOUND.

  wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513
  == should fail

 That fails with WBC_ERR_DOMAIN_NOT_FOUND.

  wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513
  == should give a gid

 That fails with WBC_ERR_DOMAIN_NOT_FOUND.

 Ok, the error messages seem to be bogus.
 But from what you have written below, the behaviour is correct.

 I don't know if it's related to that, but in the RFC2307 fields of the 10106
 user I put as primary group 1, which is not Domain Users, but
 S-1-5-21-828208052-1092558876-1846952604-51 is actually
 Domain Users. The group Domain Users has no RFC2307 gid
 attribute. We didn't populate it since it's not used at all in the Unix
 environment.

 Ah! That explains the above results.

 If I get the SID of the user primary group (i.e. the one I see using id(1)
 on a 3.4.3 client) and then perform a sid-to-gid (wbinfo -Y) it works.

 If you don't have a gid associated to the domain users group in AD,
 but you configured the idmap backend ad for this domain, then
 you should get no gid for this group out of winbindd: If the
 older version 3.4 falls back to allocating one from the default
 range, then this is a bug in 3.4, and 3.6 is correct.

 In 3.4 I don't have a gid for Domain Users. This has never been a
 problem since the Domain Users group is not used at all on Unix
 machines. If I perform a getent(1) on group Domain Users I get
 nothing, if I perform a 

Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-16 Thread Javier Conti
On 15 May 2012 23:29, Michael Adam ob...@samba.org wrote:
 Hi Javier,

 Javier Conti wrote:
 Dear list,

 upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
 to 3.6.3. I was successfully using idmap_ad to authenticate users but
 after the upgrade it stopped working and users are not seen by the OS.
 Obviously the users I want to see on the Linux server have all RFC2307
 attributes populated and are seen by all other SLES11 SP1 servers.


 Although I tried many changes to the config, according to some hints found
 on the web, this is what I was using with Samba 3.4.3:

   [global]
     workgroup = MYDOMAIN
     realm = MYREALM
     security = ADS

     idmap backend = idmap_ad
     idmap uid = 64000 - 64999
     idmap gid = 64000 - 64999

     idmap config MYDOMAIN : default = yes
     idmap config MYDOMAIN : backend = ad
     idmap config MYDOMAIN : range = 1000-5
     idmap config MYDOMAIN : schema_mode = rfc2307

     winbind use default domain = yes
     winbind nss info = rfc2307
     winbind offline logon = yes
     winbind refresh tickets = yes
     [...]

 Any hints on what has changed with Samba 3.6.3 and/or what to
 change to adapt the configuration to 3.6.3 (if necessary)?

 Some comments:
 The above config makes no real sense for me,
 neither for 3.4 nor for 3.6:

 * The parameter idmap config DOMAIN : default = yes/no
  has been removed in samba 3.3. It only existed from
  3.0.25 to 3.2.
  (http://www.samba.org/samba/history/samba-3.3.0.html)

 * You are using the backend ad (or idmap_ad which is
  a deprecated synonym) both in idmap config MYDOMAIN : backend
  and in idmap backend. Both with different ranges.
  This does not seem to make sense to me.

  It is necessary to specify a writable backend for the
  catch all default idmap configuration, e.g. tdb or ldap.

  In 3.6, the idmap backend has been replaced by
  idmap config * : backend, etc.

 A valid config for 3.4 would be:

 ~
 [global]
        workgroup = MYDOMAIN

        idmap backend = tdb
        idmap uid = x-y
        idmap gid = x-y

        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : range = 1000-5
         idmap config MYDOMAIN : schema mode = rfc2307
 ~

 The corresponding for 3.6:

 ~
 [global]
        workgroup = MYDOMAIN

        idmap config * : backend = tdb
        idmap config * : range = x-y

        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : range = 1000-5
         idmap config MYDOMAIN : schema mode = rfc2307
 ~

Hi Michael,

thanks for your input. The latter is indeed the configuration I'm
running lately.

 I checked everything (I know) from the Samba point of view, and it almost
 seems ok, but wbinfo -i fails as follows:

   # wbinfo -i myuser
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
   Could not get info for user myuser

 Using the same user, for example, I can do:

   # wbinfo -n myuser
   S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
   # wbinfo -n Domain Users
   S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)

   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
   MYDOMAIN\myuser 1
   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
   MYDOMAIN\Domain Users

   # net -Uadminuser user info myuser |head
   Enter adminuser's password:
   domain users
   [...]
   # net -Uadminuser ads user  |grep myuser
   Enter adminuser's password:
   myuser

 Obviously, id(1) and getent(1) fail. What I get is:

 [2012/05/14 16:50:47.958484,  6] winbindd/winbindd.c:792(new_connection)
   accepted socket 25
 [2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
   process_request: request fn INTERFACE_VERSION
 [2012/05/14 16:50:47.958644,  3]
 winbindd/winbindd_misc.c:384(winbindd_interface_version)
   [ 5756]: request interface version
 [2012/05/14 16:50:47.958705, 10]
 winbindd/winbindd.c:738(winbind_client_response_written)
   winbind_client_response_written[5756:INTERFACE_VERSION]: delivered
 response to client
 [2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
   process_request: request fn WINBINDD_PRIV_PIPE_DIR
 [2012/05/14 16:50:47.958808,  3]
 winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
   [ 5756]: request location of privileged pipe
 [2012/05/14 16:50:47.958870, 10]
 winbindd/winbindd.c:738(winbind_client_response_written)
   winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]:
 delivered response to client
 [2012/05/14 16:50:47.958939,  6] winbindd/winbindd.c:792(new_connection)
   accepted socket 26
 [2012/05/14 16:50:47.958995,  6]
 winbindd/winbindd.c:840(winbind_client_request_read)
   closing socket 25, client exited
 [2012/05/14 16:50:47.959058, 10] 

Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-16 Thread Michael Adam
Hi Javier,

Javier Conti wrote:
 On 15 May 2012 23:29, Michael Adam ob...@samba.org wrote:
  Hi Javier,
 
  Javier Conti wrote:
  Dear list,
 
  upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
  to 3.6.3. I was successfully using idmap_ad to authenticate users but
  after the upgrade it stopped working and users are not seen by the OS.
  Obviously the users I want to see on the Linux server have all RFC2307
  attributes populated and are seen by all other SLES11 SP1 servers.
 
 
  Although I tried many changes to the config, according to some hints found
  on the web, this is what I was using with Samba 3.4.3:
 
    [global]
      workgroup = MYDOMAIN
      realm = MYREALM
      security = ADS
 
      idmap backend = idmap_ad
      idmap uid = 64000 - 64999
      idmap gid = 64000 - 64999
 
      idmap config MYDOMAIN : default = yes
      idmap config MYDOMAIN : backend = ad
      idmap config MYDOMAIN : range = 1000-5
      idmap config MYDOMAIN : schema_mode = rfc2307
 
      winbind use default domain = yes
      winbind nss info = rfc2307
      winbind offline logon = yes
      winbind refresh tickets = yes
      [...]
 
  Any hints on what has changed with Samba 3.6.3 and/or what to
  change to adapt the configuration to 3.6.3 (if necessary)?
 
  Some comments:
  The above config makes no real sense for me,
  neither for 3.4 nor for 3.6:
 
  * The parameter idmap config DOMAIN : default = yes/no
   has been removed in samba 3.3. It only existed from
   3.0.25 to 3.2.
   (http://www.samba.org/samba/history/samba-3.3.0.html)
 
  * You are using the backend ad (or idmap_ad which is
   a deprecated synonym) both in idmap config MYDOMAIN : backend
   and in idmap backend. Both with different ranges.
   This does not seem to make sense to me.
 
   It is necessary to specify a writable backend for the
   catch all default idmap configuration, e.g. tdb or ldap.
 
   In 3.6, the idmap backend has been replaced by
   idmap config * : backend, etc.
 
  A valid config for 3.4 would be:
 
  ~
  [global]
         workgroup = MYDOMAIN
 
         idmap backend = tdb
         idmap uid = x-y
         idmap gid = x-y
 
         idmap config MYDOMAIN : backend = ad
         idmap config MYDOMAIN : range = 1000-5
          idmap config MYDOMAIN : schema mode = rfc2307
  ~
 
  The corresponding for 3.6:
 
  ~
  [global]
         workgroup = MYDOMAIN
 
         idmap config * : backend = tdb
         idmap config * : range = x-y
 
         idmap config MYDOMAIN : backend = ad
         idmap config MYDOMAIN : range = 1000-5
          idmap config MYDOMAIN : schema mode = rfc2307
  ~
 
 Hi Michael,
 
 thanks for your input. The latter is indeed the configuration I'm
 running lately.

Ok, so you _are_ running the default domain with the tdb idmap
backend. -- Good.

  Could you please check with the more low level wbinfo commands
  the results of the commands for id mapping:
 
  wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794
  == should give a uid
 
 That works and gives me 10106.
 
  wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794
  == should fail
 
 That fails with WBC_ERR_DOMAIN_NOT_FOUND.
 
  wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513
  == should fail
 
 That fails with WBC_ERR_DOMAIN_NOT_FOUND.
 
  wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513
  == should give a gid
 
 That fails with WBC_ERR_DOMAIN_NOT_FOUND.

Ok, the error messages seem to be bogus.
But from what you have written below, the behaviour is correct.

 I don't know if it's related to that, but in the RFC2307 fields of the 10106
 user I put as primary group 1, which is not Domain Users, but
 S-1-5-21-828208052-1092558876-1846952604-51 is actually
 Domain Users. The group Domain Users has no RFC2307 gid
 attribute. We didn't populate it since it's not used at all in the Unix
 environment.

Ah! That explains the above results.

 If I get the SID of the user primary group (i.e. the one I see using id(1)
 on a 3.4.3 client) and then perform a sid-to-gid (wbinfo -Y) it works.

If you don't have a gid associated to the domain users group in AD,
but you configured the idmap backend ad for this domain, then
you should get no gid for this group out of winbindd: If the
older version 3.4 falls back to allocating one from the default
range, then this is a bug in 3.4, and 3.6 is correct.

The other thing is what is to be done with the primary gid field
from the ad unix schema extensions, can be a bug in samba.
I am personally not certain that it is a good idea to use this
at all. I'd rather suggest to use the primary group sid and
give it a mapping. Then you have the same view under windows
and under linux/samba.

To be perfectly clear: 
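As an added example (not Samba code and not from this thread), the check below models the situation described above: idmap_ad only maps a SID to a uid or gid when the AD object carries uidNumber or gidNumber, so a user whose Windows primary group (primaryGroupID) has no gidNumber ends up with a Unix primary group that differs from the Windows one, and sid-to-gid for that group cannot succeed. The directory is constructed: the domain SID shape and RIDs 22794 and 513 follow the thread, while "unixgroup" with RID 1105, "otheruser" and all uid/gid values are made up.

```python
from dataclasses import dataclass
from typing import Optional

# Domain SID in the shape of the one quoted in the thread (constructed sample).
DOMAIN_SID = "S-1-5-21-828208052-1092558876-1846952604"


@dataclass
class AdObject:
    """The few AD attributes idmap_ad looks at (constructed model, not Samba's)."""
    name: str
    rid: int
    uid_number: Optional[int] = None        # uidNumber (users)
    gid_number: Optional[int] = None        # gidNumber (groups; for users: unix primary group)
    primary_group_id: Optional[int] = None  # primaryGroupID (users): RID of the Windows primary group

    @property
    def sid(self) -> str:
        return f"{DOMAIN_SID}-{self.rid}"


# Constructed directory modelled on the thread: myuser's RFC2307 gidNumber points at
# 'unixgroup', while the Windows primary group 'Domain Users' (RID 513) has no gidNumber.
# otheruser is the well-formed case for comparison; RID 1105 and all ids are made up.
USERS = [
    AdObject("myuser", 22794, uid_number=10106, gid_number=10000, primary_group_id=513),
    AdObject("otheruser", 22795, uid_number=10107, gid_number=10000, primary_group_id=1105),
]
GROUPS = [
    AdObject("Domain Users", 513),                  # no gidNumber: unmappable under idmap_ad
    AdObject("unixgroup", 1105, gid_number=10000),
]


def sid_to_uid(sid: str, users: list) -> Optional[int]:
    """What 'wbinfo -S' can answer with the ad backend: users that carry a uidNumber."""
    for u in users:
        if u.sid == sid:
            return u.uid_number
    return None


def sid_to_gid(sid: str, groups: list) -> Optional[int]:
    """What 'wbinfo -Y' can answer with the ad backend: groups that carry a gidNumber."""
    for g in groups:
        if g.sid == sid:
            return g.gid_number
    return None


def audit_user(user: AdObject, groups: list) -> dict:
    """Compare the Windows primary group with the RFC2307 one and list what will not map."""
    by_sid = {g.sid: g for g in groups}
    by_gid = {g.gid_number: g for g in groups if g.gid_number is not None}
    win_pg = by_sid.get(f"{DOMAIN_SID}-{user.primary_group_id}")
    unix_pg = by_gid.get(user.gid_number)
    issues = []
    if win_pg is None:
        issues.append("primaryGroupID points at no known group")
    elif sid_to_gid(win_pg.sid, groups) is None:
        issues.append(f"windows primary group '{win_pg.name}' has no gidNumber; "
                      "sid-to-gid for it cannot succeed")
    if user.uid_number is None:
        issues.append("user has no uidNumber; sid-to-uid cannot succeed")
    if user.gid_number is None:
        issues.append("user has no gidNumber")
    elif unix_pg is None:
        issues.append(f"gidNumber {user.gid_number} belongs to no group")
    if win_pg is not None and unix_pg is not None and win_pg is not unix_pg:
        issues.append(f"unix primary group '{unix_pg.name}' differs from "
                      f"windows primary group '{win_pg.name}'")
    return {
        "user": user.name,
        "windows_primary_group": win_pg.name if win_pg else None,
        "unix_primary_group": unix_pg.name if unix_pg else None,
        "issues": issues,
    }


def audit_all(users: list, groups: list) -> list:
    """Audit every user; a user with an empty issue list has one consistent group view."""
    return [audit_user(u, groups) for u in users]


if __name__ == "__main__":
    for report in audit_all(USERS, GROUPS):
        print(report)
```

Running it flags myuser twice (unmappable Windows primary group, and the two primary-group views disagreeing) and otheruser not at all; that is the kind of pre-upgrade audit that would have surfaced this before the 3.6 move.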

Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-16 Thread Javier Conti
On 16 May 2012 13:19, Michael Adam ob...@samba.org wrote:
 Hi Javier,

 Javier Conti wrote:
 On 15 May 2012 23:29, Michael Adam ob...@samba.org wrote:
  Hi Javier,
 
  Javier Conti wrote:
  Dear list,
 
  upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
  to 3.6.3. I was successfully using idmap_ad to authenticate users but
  after the upgrade it stopped working and users are not seen by the OS.
  Obviously the users I want to see on the Linux server have all RFC2307
  attributes populated and are seen by all other SLES11 SP1 servers.
 
 
  Although I tried many changes to the config, according to some hints found
  on the web, this is what I was using with Samba 3.4.3:
 
    [global]
      workgroup = MYDOMAIN
      realm = MYREALM
      security = ADS
 
      idmap backend = idmap_ad
      idmap uid = 64000 - 64999
      idmap gid = 64000 - 64999
 
      idmap config MYDOMAIN : default = yes
      idmap config MYDOMAIN : backend = ad
      idmap config MYDOMAIN : range = 1000-5
      idmap config MYDOMAIN : schema_mode = rfc2307
 
      winbind use default domain = yes
      winbind nss info = rfc2307
      winbind offline logon = yes
      winbind refresh tickets = yes
      [...]
 
  Any hints on what has changed with Samba 3.6.3 and/or what to
  change to adapt the configuration to 3.6.3 (if necessary)?
 
  Some comments:
  The above config makes no real sense for me,
  neither for 3.4 nor for 3.6:
 
  * The parameter idmap config DOMAIN : default = yes/no
   has been removed in samba 3.3. It only existed from
   3.0.25 to 3.2.
   (http://www.samba.org/samba/history/samba-3.3.0.html)
 
  * You are using the backend ad (or idmap_ad which is
   a deprecated synonym) both in idmap config MYDOMAIN : backend
   and in idmap backend. Both with different ranges.
   This does not seem to make sense to me.
 
   It is necessary to specify a writable backend for the
   catch all default idmap configuration, e.g. tdb or ldap.
 
   In 3.6, the idmap backend has been replaced by
   idmap config * : backend, etc.
 
  A valid config for 3.4 would be:
 
  ~
  [global]
         workgroup = MYDOMAIN
 
         idmap backend = tdb
         idmap uid = x-y
         idmap gid = x-y
 
         idmap config MYDOMAIN : backend = ad
         idmap config MYDOMAIN : range = 1000-5
          idmap config MYDOMAIN : schema mode = rfc2307
  ~
 
  The corresponding for 3.6:
 
  ~
  [global]
         workgroup = MYDOMAIN
 
         idmap config * : backend = tdb
         idmap config * : range = x-y
 
         idmap config MYDOMAIN : backend = ad
         idmap config MYDOMAIN : range = 1000-5
          idmap config MYDOMAIN : schema mode = rfc2307
  ~

 Hi Michael,

 thanks for your input. The latter is indeed the configuration I'm
 running lately.

 Ok, so you _are_ running the default domain with the tdb idmap
 backend. -- Good.

  Could you please check with the more low level wbinfo commands
  the results of the commands for id mapping:
 
  wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794
  == should give a uid

 That works and gives me 10106.

  wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794
  == should fail

 That fails with WBC_ERR_DOMAIN_NOT_FOUND.

  wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513
  == should fail

 That fails with WBC_ERR_DOMAIN_NOT_FOUND.

  wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513
  == should give a gid

 That fails with WBC_ERR_DOMAIN_NOT_FOUND.

 Ok, the error messages seem to be bogus.
 But from what you have written below, the behaviour is correct.

 I don't know if it's related to that, but in the RFC2307 fields of the 10106
 user I put as primary group 1, which is not Domain Users, but
 S-1-5-21-828208052-1092558876-1846952604-51 is actually
 Domain Users. The group Domain Users has no RFC2307 gid
 attribute. We didn't populate it since it's not used at all in the Unix
 environment.

 Ah! That explains the above results.

 If I get the SID of the user primary group (i.e. the one I see using id(1)
 on a 3.4.3 client) and then perform a sid-to-gid (wbinfo -Y) it works.

 If you don't have a gid associated to the domain users group in AD,
 but you configured the idmap backend ad for this domain, then
 you should get no gid for this group out of winbindd: If the
 older version 3.4 falls back to allocating one from the default
 range, then this is a bug in 3.4, and 3.6 is correct.

In 3.4 I don't have a gid for Domain Users. This has never been a
problem since the Domain Users group is not used at all on Unix
machines. If I perform a getent(1) on group Domain Users I get
nothing, if I perform a getent(1) on group unixgroup I get the expected
results.

 The other thing is 

Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-15 Thread Javier Conti
On 14 May 2012 18:58, David Disseldorp dd...@suse.de wrote:
 Hi Javier,

 On Mon, 14 May 2012 17:48:09 +0200
 Javier Conti javier.co...@gmail.com wrote:

 upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
 to 3.6.3. I was successfully using idmap_ad to authenticate users but
 after the upgrade it stopped working and users are not seen by the OS.
 Obviously the users I want to see on the Linux server have all RFC2307
 attributes populated and are seen by all other SLES11 SP1 servers.

 I checked everything (I know) from the Samba point of view, and it almost
 seems ok, but wbinfo -i fails as follows:

   # wbinfo -i myuser
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
   Could not get info for user myuser

 Thanks for your report. As this version of Samba is vendor supported,
 I'd encourage you to raise this issue at bugzilla.novell.com.

 Do you also encounter this error with winbind use default domain = no
 configured, running wbinfo -i MYDOMAIN\\myuser?

Hi David,

as you suggested, I filed a bug there.

I also tried configuring winbind use default domain = no but all the
symptoms seem the same (I obviously restarted winbindd).

Thanks, Javier

 Cheers, David
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-15 Thread Dale Schroeder

On 05/15/2012 1:12 AM, Javier Conti wrote:

On 14 May 2012 18:58, David Disseldorp dd...@suse.de wrote:

Hi Javier,

On Mon, 14 May 2012 17:48:09 +0200
Javier Conti javier.co...@gmail.com wrote:


upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
to 3.6.3. I was successfully using idmap_ad to authenticate users but
after the upgrade it stopped working and users are not seen by the OS.
Obviously the users I want to see on the Linux server have all RFC2307
attributes populated and are seen by all other SLES11 SP1 servers.

I checked everything (I know) from the Samba point of view, and it almost
seems ok, but wbinfo -i fails as follows:

   # wbinfo -i myuser
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
   Could not get info for user myuser

Thanks for your report. As this version of Samba is vendor supported,
I'd encourage you to raise this issue at bugzilla.novell.com.

Do you also encounter this error with winbind use default domain = no
configured, running wbinfo -i MYDOMAIN\\myuser?

Hi David,

as you suggested, I filed a bug there.

I also tried configuring winbind use default domain = no but all the
symptoms seem the same (I obviously restarted winbindd).

Thanks, Javier


Cheers, David


Javier,

It is possible that you are seeing this:

https://bugzilla.samba.org/show_bug.cgi?id=8676

I can confirm that it is still present in 3.6.5.

Dale




Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-15 Thread Michael Adam
Hi Javier,

Javier Conti wrote:
 Dear list,
 
 upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
 to 3.6.3. I was successfully using idmap_ad to authenticate users but
 after the upgrade it stopped working and users are not seen by the OS.
 Obviously the users I want to see on the Linux server have all RFC2307
 attributes populated and are seen by all other SLES11 SP1 servers.


 Although I tried many changes to the config, according to some hints found
 on the web, this is what I was using with Samba 3.4.3:
 
   [global]
     workgroup = MYDOMAIN
     realm = MYREALM
     security = ADS
 
     idmap backend = idmap_ad
     idmap uid = 64000 - 64999
     idmap gid = 64000 - 64999
 
     idmap config MYDOMAIN : default = yes
     idmap config MYDOMAIN : backend = ad
     idmap config MYDOMAIN : range = 1000-5
     idmap config MYDOMAIN : schema_mode = rfc2307
 
     winbind use default domain = yes
     winbind nss info = rfc2307
     winbind offline logon = yes
     winbind refresh tickets = yes
     [...]
 
 Any hints on what has changed with Samba 3.6.3 and/or what to
 change to adapt the configuration to 3.6.3 (if necessary)?

Some comments:
The above config makes no real sense for me,
neither for 3.4 nor for 3.6:

* The parameter idmap config DOMAIN : default = yes/no
  has been removed in samba 3.3. It only existed from
  3.0.25 to 3.2.
  (http://www.samba.org/samba/history/samba-3.3.0.html)

* You are using the backend ad (or idmap_ad which is
  a deprecated synonym) both in idmap config MYDOMAIN : backend
  and in idmap backend. Both with different ranges.
  This does not seem to make sense to me.

  It is necessary to specify a writable backend for the
  catch all default idmap configuration, e.g. tdb or ldap.

  In 3.6, the idmap backend has been replaced by
  idmap config * : backend, etc.

A valid config for 3.4 would be:

~
[global]
       workgroup = MYDOMAIN

       idmap backend = tdb
       idmap uid = x-y
       idmap gid = x-y

       idmap config MYDOMAIN : backend = ad
       idmap config MYDOMAIN : range = 1000-5
       idmap config MYDOMAIN : schema mode = rfc2307
~

The corresponding for 3.6:

~
[global]
       workgroup = MYDOMAIN

       idmap config * : backend = tdb
       idmap config * : range = x-y

       idmap config MYDOMAIN : backend = ad
       idmap config MYDOMAIN : range = 1000-5
       idmap config MYDOMAIN : schema mode = rfc2307
~

 I checked everything (I know) from the Samba point of view, and it almost
 seems ok, but wbinfo -i fails as follows:
 
   # wbinfo -i myuser
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
   Could not get info for user myuser
 
 Using the same user, for example, I can do:
 
   # wbinfo -n myuser
   S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
   # wbinfo -n Domain Users
   S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)
 
   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
   MYDOMAIN\myuser 1
   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
   MYDOMAIN\Domain Users
 
   # net -Uadminuser user info myuser |head
   Enter adminuser's password:
   domain users
   [...]
   # net -Uadminuser ads user  |grep myuser
   Enter adminuser's password:
   myuser
 
 Obviously, id(1) and getent(1) fail. What I get is:
 
 [2012/05/14 16:50:47.958484,  6] winbindd/winbindd.c:792(new_connection)
   accepted socket 25
 [2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
   process_request: request fn INTERFACE_VERSION
 [2012/05/14 16:50:47.958644,  3]
 winbindd/winbindd_misc.c:384(winbindd_interface_version)
   [ 5756]: request interface version
 [2012/05/14 16:50:47.958705, 10]
 winbindd/winbindd.c:738(winbind_client_response_written)
   winbind_client_response_written[5756:INTERFACE_VERSION]: delivered
 response to client
 [2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
   process_request: request fn WINBINDD_PRIV_PIPE_DIR
 [2012/05/14 16:50:47.958808,  3]
 winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
   [ 5756]: request location of privileged pipe
 [2012/05/14 16:50:47.958870, 10]
 winbindd/winbindd.c:738(winbind_client_response_written)
   winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]:
 delivered response to client
 [2012/05/14 16:50:47.958939,  6] winbindd/winbindd.c:792(new_connection)
   accepted socket 26
 [2012/05/14 16:50:47.958995,  6]
 winbindd/winbindd.c:840(winbind_client_request_read)
   closing socket 25, client exited
 [2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
   process_request: Handling async request 5756:GETPWNAM
 [2012/05/14 16:50:47.959097,  3]
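As an added example (not Samba's own tooling and not code from this thread), here is a small linter that checks the [global] section of an smb.conf against the points made in the reply above: the removed "idmap config DOM : default" parameter, a non-writable backend on the catch-all default domain, missing, malformed or overlapping ranges, and an unknown schema_mode on an ad domain; for a 3.4-style layout it also names the 3.6 replacement. The two embedded configs are constructed in the shape of the ones in the thread with made-up ranges, the set of writable backends is an assumption limited to what the reply names, and treating "schema mode" and "schema_mode" as the same key is the linter's own choice.

```python
import re

# Assumption: backends the reply names as acceptable for the catch-all domain.
WRITABLE_BACKENDS = {"tdb", "tdb2", "ldap"}
AD_SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
IDMAP_CFG_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(.+)$")

# Constructed sample in the shape of the 3.4-era config from the thread (ranges made up).
SAMPLE_34 = """\
[global]
    workgroup = MYDOMAIN
    idmap backend = idmap_ad
    idmap uid = 64000 - 64999
    idmap gid = 64000 - 64999
    idmap config MYDOMAIN : default = yes
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 1000-69999
    idmap config MYDOMAIN : schema_mode = rfc2307
"""

# Constructed sample following the 3.6 layout suggested in the reply.
SAMPLE_36 = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 64000-64999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 10000-19999
    idmap config MYDOMAIN : schema_mode = rfc2307
"""


def parse_global(text: str) -> dict:
    """Key/value pairs of [global]; keys lowercased with whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_range(value: str):
    """'64000 - 64999' or '1000-69999' -> (lo, hi); None when malformed."""
    m = RANGE_RE.match(value.strip())
    if not m or int(m.group(1)) > int(m.group(2)):
        return None
    return int(m.group(1)), int(m.group(2))


def lint_idmap(text: str) -> list:
    """Return findings; an empty list means the idmap layout is sane."""
    params, findings = parse_global(text), []
    # 'idmap config DOM : param' keyed by domain ('*' = catch-all); 'schema mode'
    # and 'schema_mode' are folded together, which is this linter's own choice.
    domains = {}
    for key, value in params.items():
        m = IDMAP_CFG_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).replace(" ", "_")] = value
    # 3.4-style parameters describe the default domain; 3.6 spells them 'idmap config * : ...'
    legacy = {k: params[k] for k in ("idmap backend", "idmap uid", "idmap gid") if k in params}
    if legacy:
        findings.append("3.4-style 'idmap backend/uid/gid' found; in 3.6 use "
                        "'idmap config * : backend' and 'idmap config * : range'")
    default = domains.setdefault("*", {})
    default.setdefault("backend", legacy.get("idmap backend", ""))
    default.setdefault("range", legacy.get("idmap uid", ""))
    backend = default["backend"].lower()
    if not backend:
        findings.append("no catch-all default idmap backend configured")
    elif backend not in WRITABLE_BACKENDS:
        findings.append(f"default idmap backend '{backend}' is not writable; use e.g. tdb or ldap")
    ranges = {}
    for dom, cfg in domains.items():
        if "default" in cfg:
            findings.append(f"'idmap config {dom} : default' was removed in Samba 3.3; drop it")
        if cfg.get("backend") and not cfg.get("range"):
            findings.append(f"domain {dom}: backend '{cfg['backend']}' has no range")
        elif cfg.get("range"):
            r = parse_range(cfg["range"])
            if r is None:
                findings.append(f"domain {dom}: malformed range '{cfg['range']}'")
            else:
                ranges[dom] = r
        if (cfg.get("backend", "").lower() in ("ad", "idmap_ad")
                and cfg.get("schema_mode", "rfc2307").lower() not in AD_SCHEMA_MODES):
            findings.append(f"domain {dom}: unknown schema_mode '{cfg['schema_mode']}'")
    # Two backends handing out ids from overlapping ranges would collide.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of {a} {ranges[a]} and {b} {ranges[b]} overlap")
    return findings
```

On the 3.4-style sample it reports four findings (legacy layout, non-writable default backend, the removed default parameter, overlapping ranges); on the 3.6-style sample it reports none.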
 

[Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-14 Thread Javier Conti
Dear list,

upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
to 3.6.3. I was successfully using idmap_ad to authenticate users but
after the upgrade it stopped working and users are not seen by the OS.
Obviously the users I want to see on the Linux server have all RFC2307
attributes populated and are seen by all other SLES11 SP1 servers.

I checked everything (I know) from the Samba point of view, and it almost
seems ok, but wbinfo -i fails as follows:

  # wbinfo -i myuser
  failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
  Could not get info for user myuser

Using the same user, for example, I can do:

  # wbinfo -n myuser
  S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
  # wbinfo -n Domain Users
  S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)

  # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
  MYDOMAIN\myuser 1
  # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
  MYDOMAIN\Domain Users

  # net -Uadminuser user info myuser |head
  Enter adminuser's password:
  domain users
  [...]
  # net -Uadminuser ads user  |grep myuser
  Enter adminuser's password:
  myuser

Obviously, id(1) and getent(1) fail. What I get is:

[2012/05/14 16:50:47.958484,  6] winbindd/winbindd.c:792(new_connection)
  accepted socket 25
[2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
  process_request: request fn INTERFACE_VERSION
[2012/05/14 16:50:47.958644,  3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 5756]: request interface version
[2012/05/14 16:50:47.958705, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:INTERFACE_VERSION]: delivered
response to client
[2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/05/14 16:50:47.958808,  3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 5756]: request location of privileged pipe
[2012/05/14 16:50:47.958870, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]:
delivered response to client
[2012/05/14 16:50:47.958939,  6] winbindd/winbindd.c:792(new_connection)
  accepted socket 26
[2012/05/14 16:50:47.958995,  6]
winbindd/winbindd.c:840(winbind_client_request_read)
  closing socket 25, client exited
[2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
  process_request: Handling async request 5756:GETPWNAM
[2012/05/14 16:50:47.959097,  3]
winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam myuser
[2012/05/14 16:50:47.959135,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_LookupName: struct wbint_LookupName
  in: struct wbint_LookupName
  domain   : *
  domain   : 'MYDOMAIN'
  name : *
  name : 'MYUSER'
  flags: 0x0008 (8)
[2012/05/14 16:50:47.959276,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_LookupName: struct wbint_LookupName
  out: struct wbint_LookupName
  type : *
  type : SID_NAME_USER (1)
  sid  : *
  sid  :
S-1-5-21-828208052-1092558876-1846952604-22794
  result   : NT_STATUS_OK
[2012/05/14 16:50:47.959404,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_QueryUser: struct wbint_QueryUser
  in: struct wbint_QueryUser
  sid  : *
  sid  :
S-1-5-21-828208052-1092558876-1846952604-22794
[2012/05/14 16:50:47.959499,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_QueryUser: struct wbint_QueryUser
  out: struct wbint_QueryUser
  info : *
  info: struct wbint_userinfo
  acct_name: *
  acct_name: 'myuser'
  full_name: *
  full_name: 'Lastname Firstname'
  homedir  : *
  homedir  : '/home/myuser'
  shell: *
  shell: '/bin/bash'
  primary_gid  : 0x2710 (1)
  user_sid :
S-1-5-21-828208052-1092558876-1846952604-22794
  group_sid:
S-1-5-21-828208052-1092558876-1846952604-513
  result   : NT_STATUS_OK
[2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 10106
[2012/05/14 

Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-14 Thread David Disseldorp
Hi Javier,

On Mon, 14 May 2012 17:48:09 +0200
Javier Conti javier.co...@gmail.com wrote:

 upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
 to 3.6.3. I was successfully using idmap_ad to authenticate users but
 after the upgrade it stopped working and users are not seen by the OS.
 Obviously the users I want to see on the Linux server have all RFC2307
 attributes populated and are seen by all other SLES11 SP1 servers.
 
 I checked everything (I know) from the Samba point of view, and it almost
 seems ok, but wbinfo -i fails as follows:
 
   # wbinfo -i myuser
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
   Could not get info for user myuser

Thanks for your report. As this version of Samba is vendor supported,
I'd encourage you to raise this issue at bugzilla.novell.com.

Do you also encounter this error with winbind use default domain = no
configured, running wbinfo -i MYDOMAIN\\myuser?

Cheers, David
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Idmap_ad not working correctly under samba 3.5.2

2010-05-06 Thread Oliver Weinmann
I have investigated further and compared the behaviour of samba 3.3 and
samba 3.5 on 2 identical SLES9 VMs. Samba 3.3 is working as expected
with our Win2k3 SFU Domain and idmap_ad module. Samba 3.5 is not. I
noticed that there are a few kerberos params that have changed in 3.5
but I just can't get 3.5 to work as expected:

sles9test3:~ # testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Unknown parameter encountered: use kerberos keytab
Ignoring unknown parameter use kerberos keytab
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

For example, I can run getent passwd and getent group fine under 3.3 but
not under 3.5. Also, I created a user in AD, tuser2; this user is visible
within 1 minute under 3.3, but under 3.5 it's not even visible after a
reboot. Also, group memberships of AD users are not updated under 3.5.2.

I'm not sure if this is a bug. I tried a lot of things in smb.conf but
it just doesn't work. At the moment I have to consider going back to
3.3.

I googled a lot in the past days to find a correct smb.conf for 3.5 and
idmap_ad but it's really hard to find a well documented howto.

I would really appreciate it if someone had a look at this.

Here is my smb.conf:

[global]
netbios name = sles9test1
realm = SOMEDOMAIN.NET
workgroup = SOMEDOMAIN
security = ADS
encrypt passwords = yes
password server = dc.somedomain.net
os level = 20
idmap backend = ad
idmap config SOMEDOMAIN : backend = ad
idmap config SOMEDOMAIN : schema_mode = sfu
idmap config SOMEDOMAIN : range = 0-
winbind nss info = sfu
winbind enum users = yes
winbind enum groups = yes
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log level = 10
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = no
client use spnego = Yes
use kerberos keytab = true
winbind refresh tickets = yes
idmap cache time = 1
winbind cache time = 1





[Samba] idmap_ad not returning correct UID under 3.3.1

2009-03-06 Thread Bryan McLellan
I'm testing winbind 3.3.1-1ubuntu1 (jaunty) and my user stored in AD
is consistently being returned with a UID of 1000, rather than 10031,
which is what's stored in LDAP/AD under uidNumber. If I install the
3.2.3-1ubuntu3.4 packages from intrepid, 'id bryanm' correctly returns
10031, but when upgrading back to 3.3.1-1ubuntu1, I get the wrong UID
again. I did an install from source as well and experience the same
conditions, but can't guarantee it was setup correctly since it was in
an error state.

I see some interesting errors about being unable to find domain '*'
which I'll attach to the end. Perhaps this is part of the new support
of idmap_ad for multiple domains? Has configuration changed and the
man pages not been updated perhaps, where one has to specify a domain
to use specifically due to this feature?

From winbindd -i -s /etc/samba/smb.conf -d10 -n

3.3.1:
idmap_sid_to_uid: sid =
[S-1-5-21-1659249844-2332029812-1458590236-1419], domain = ''
Returning valid cache entry: key =
IDMAP/SID2UID/S-1-5-21-1659249844-2332029812-1458590236-1419, value =
1000, timeout = Fri Mar 13 17:01:56 2009
idmap_cache_find_sid2uid found 1000
Returning positive cache entry

3.2.3:
idmap_sid_to_uid: sid = [S-1-5-21-1659249844-2332029812-1458590236-1419]
Returning valid cache entry: key =
IDMAP/SID/S-1-5-21-1659249844-2332029812-1458590236-1419, value =
IDMAP/UID/10031, timeout = Fri Mar  6 19:52:16 2009

current smb.conf (lots of tinkering):
[global]
security = ADS
workgroup = WM
realm = CORP.WIDEMILE.COM
server string = %h server (Samba %v)
idmap backend = ad
idmap config CORP.WIDEMILE.COM : schema_mode = rfc2307
idmap uid = 1000-2
idmap gid = 1000-2
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = sfu
winbind use default domain = Yes
winbind nested groups = Yes
template shell = /bin/bash
template homedir = /home/%U
allow trusted domains = No
domain master = no
ldap ssl = off

domain '*' errors:
ad_idmap_cached_connection: called for domain '*'
Cache entry with key = SAFJOIN/DOMAIN/* couldn't be found
Cache entry with key = SAF/DOMAIN/* couldn't be found
saf_fetch: failed to find server for * domain
ldap_server from saf cache: ''
find_domain_from_name_noinit did not find domain '*'
get_sorted_dc_list: attempting lookup for name * (sitename NULL) using
[lmhosts wins host bcast]
Cache entry with key = SAFJOIN/DOMAIN/* couldn't be found
Cache entry with key = SAF/DOMAIN/* couldn't be found
saf_fetch: failed to find server for * domain
get_dc_list: preferred server list: , *
internal_resolve_name: looking up *#1c (sitename (null))
Cache entry with key = NBT/*#1C couldn't be found
no entry for *#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name *0x1c
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
resolve_wins: Attempting wins lookup for name *0x1c
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type 0x1c
name_resolve_bcast: Attempting broadcast lookup for name *0x1c

Hefty -d10 logs at: http://serenity.ninjr.org/~btm/winbind/


[Samba] idmap_ad - winbind - Wrong $HOME

2008-09-29 Thread Aiko Barz
Hi,

my winbind installation lists the wrong $HOME for my users. While
ldapsearch shows the correct $HOME, getent does not. 

### ldapsearch ###
$ ldapsearch -x -LLL -H ldaps://ad.domain.de -D [EMAIL PROTECTED] -S dn -s sub 
-W ((objectCategory=user)(sAMAccountName=aba)) unixHomeDirectory
Enter LDAP Password:
dn: CN=Aiko Barz,OU=Users,DC=domain,DC=local
unixHomeDirectory: /net/homeserver.domain.de/home/aba
### ldapsearch ###

### getent ###
$ getent passwd aba
aba:*:12345:1024:Aiko Barz:/home/DOMAIN/aba:/bin/false
### getent ###

= /net/homeserver.domain.de/home/aba != /home/DOMAIN/aba

### smb.conf ###
[global]
netbios name = SERVER
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
domain master = No
server string = %h
security = ADS
log level = 3
log file = /var/log/samba/%m
max log size = 50
syslog = 0
panic action = /usr/share/samba/panic-action %d
wins server = 10.11.12.13
winbind separator = +
printcap name = cups
printing = cups
nt acl support = yes

idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:range = 1024-100
idmap config DOMAIN:schema_mode = rfc2307

winbind enum users = Yes
winbind cache time = 86400
winbind enum groups = Yes
winbind nss info = rfc2307
winbind use default domain = Yes

[data]
comment = Data
path = /data/samba
read only = No
read list = @DOMAIN+Workgroup
write list = @DOMAIN+Workgroup
hide dot files = Yes
create mask = 0666
fstype = Samba
### smb.conf ###

I use Debian/Lenny at the moment:
ii winbind 2:3.2.3-1

Thanks in advance,
  Aiko
-- 
:wq ✉


Re: [Samba] idmap_ad - Unix attributes vs. Windows attributes vs. Winbind

2008-07-21 Thread Aiko Barz
On Sat, Jun 21, 2008 at 06:05:36PM +0200, Aiko Barz wrote:
 On Fri, Jun 20, 2008 at 08:26:45AM -0500, Gerald (Jerry) Carter wrote:
  Aiko Barz wrote:
   Hi,
   
   I'm using Debian Stable with Samba from SerNet (3.0.28-21).
   
   Most of it is working, but there is one issue:
   
   filer01 ~ # getent passwd user
   user:*:1024:1:Aiko Barz:/home/DOMAIN/user:/bin/false
   filer01 ~ # getent passwd | grep user
   user:*:1024:1:Aiko Barz:/net/server.domain.local/home/user:/bin/bash
   filer01 ~ # getent passwd user
   user:*:1024:100:Aiko Barz:/net/server.domain.local/home/user:/bin/bash
   
   5 minutes later:
   
   filer01 ~ # getent passwd user
   user:*:1024:1:Aiko Barz:/home/DOMAIN/user:/bin/false
  
  nscd running ?
 
 Nope,
 Aiko

FYI:

The SerNet samba/winbind in version 3.0.31-22 stopped acting weird and
fixed the issues.

So long,
Aiko

-- 
:wq ✉



[Samba] idmap_ad - GID

2008-06-26 Thread Aiko Barz
Hi,

what is the GID of an Active Directory user?

a) Is it the GID, you can see within the Active Directory UNIX Tab?
b) Is it the GID of the primary windows group?

So long,
Aiko

PS.: Using sernet-samba-3.0.28-21 on Debian.
-- 
:wq ✉



Re: [Samba] idmap_ad - GID

2008-06-26 Thread Gerald (Jerry) Carter
Aiko Barz wrote:
 Hi,
 
 what is the GID of an Active Directory user?
 
 a) Is it the GID, you can see within the Active Directory UNIX Tab?

Set winbind nss info = {sfu,rfc2307} depending on your supported
schema

 b) Is it the GID of the primary windows group?

This is the default behavior.




cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
What man is a man who does not make the world better?  --Balian
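Jerry's answer (GID from the primary Windows group by default, from the UNIX tab with winbind nss info = sfu/rfc2307) and the two differing getent lines in the earlier "Wrong $HOME" thread are easier to reason about with the field sources written out. This is an added illustration in Python, not Samba's code; the AD record and the SID-to-ID table are constructed, and the fallback to the template values when a UNIX home or shell attribute is absent is an assumption.

```python
"""Where each passwd field comes from under 'winbind nss info' = template
(the default), rfc2307 or sfu. Added illustration, not Samba's code."""
from typing import Callable, Dict, Optional

# Attribute names of the two schemas winbind understands.
SCHEMA_ATTRS = {
    "rfc2307": {"uid": "uidNumber", "gid": "gidNumber",
                "home": "unixHomeDirectory", "shell": "loginShell"},
    "sfu": {"uid": "msSFU30UidNumber", "gid": "msSFU30GidNumber",
            "home": "msSFU30HomeDirectory", "shell": "msSFU30LoginShell"},
}


def expand_template(template: str, user: str, domain: str) -> str:
    """The %U / %D substitutions of 'template homedir' and 'template shell'."""
    return template.replace("%U", user).replace("%D", domain)


def primary_group_sid(entry: Dict[str, str]) -> str:
    """The primary Windows group is the domain SID plus primaryGroupID (a RID)."""
    domain_sid = entry["objectSid"].rsplit("-", 1)[0]
    return f"{domain_sid}-{entry['primaryGroupID']}"


def passwd_entry(entry: Dict[str, str], nss_info: str, domain: str,
                 sid_to_id: Callable[[str], Optional[int]],
                 template_homedir: str = "/home/%D/%U",
                 template_shell: str = "/bin/false") -> str:
    """Render 'name:*:uid:gid:gecos:home:shell' the way getent shows it."""
    name = entry["sAMAccountName"]
    gecos = entry.get("displayName", name)
    home = expand_template(template_homedir, name, domain)
    shell = expand_template(template_shell, name, domain)
    if nss_info == "template":
        # Default behaviour: both IDs come from the idmap backend, so the
        # GID is whatever the primary Windows group's SID maps to.
        uid = sid_to_id(entry["objectSid"])
        gid = sid_to_id(primary_group_sid(entry))
    elif nss_info in SCHEMA_ATTRS:
        # rfc2307 / sfu: IDs, home and shell come from the user's own UNIX
        # attributes. Assumed: missing home/shell fall back to the templates.
        attrs = SCHEMA_ATTRS[nss_info]
        uid = int(entry[attrs["uid"]])
        gid = int(entry[attrs["gid"]])
        home = entry.get(attrs["home"], home)
        shell = entry.get(attrs["shell"], shell)
    else:
        raise ValueError(f"unknown winbind nss info: {nss_info}")
    if uid is None or gid is None:
        raise LookupError("idmap could not map the user or primary group SID")
    return f"{name}:*:{uid}:{gid}:{gecos}:{home}:{shell}"


# Constructed AD record, as an LDAP search would return it.
AD_USER = {
    "sAMAccountName": "euser",
    "displayName": "Example User",
    "objectSid": "S-1-5-21-1000-2000-3000-1105",
    "primaryGroupID": "513",  # Domain Users
    "uidNumber": "12345",
    "gidNumber": "1024",
    "unixHomeDirectory": "/net/homeserver/home/euser",
    "loginShell": "/bin/bash",
}

# Constructed idmap table: what the backend would answer for these SIDs.
IDMAP = {"S-1-5-21-1000-2000-3000-1105": 12345,
         "S-1-5-21-1000-2000-3000-513": 100}

if __name__ == "__main__":
    for mode in ("template", "rfc2307"):
        print(mode, "->", passwd_entry(AD_USER, mode, "DOMAIN", IDMAP.get))
```

The same account yields `euser:*:12345:100:...:/home/DOMAIN/euser:/bin/false` in template mode and `euser:*:12345:1024:...:/net/homeserver/home/euser:/bin/bash` in rfc2307 mode, which is exactly the pair of answers Aiko saw alternating.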


Re: [Samba] idmap_ad - GID

2008-06-26 Thread Aiko Barz
On Thu, Jun 26, 2008 at 09:25:41AM -0400, Gerald (Jerry) Carter wrote:
 Aiko Barz wrote:
  Hi,
  
  what is the GID of an Active Directory user?
  
  a) Is it the GID, you can see within the Active Directory UNIX Tab?
 
 Set winbind nss info = {sfu,rfc2307} depending on your supported
 schema

idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:range = 0-100 ; I know, it's a bad thing
idmap config DOMAIN:schema_mode = rfc2307

winbind enum users = Yes
winbind cache time = 86400
winbind enum groups = Yes
winbind nss info = rfc2307
;winbind trusted domains only = yes
;winbind nested groups = yes
winbind use default domain = Yes
; winbind normalize names = yes

  b) Is it the GID of the primary windows group?
 
 This is the default behavior.

How do I switch this behavior? Sometimes getent passwd $USER and
getent passwd | grep $USER are showing different GIDs. (nscd is not
installed.)

Removing the GID from primary windows group does not seem to be an option,
because of this hard dependency here:
https://bugzilla.samba.org/show_bug.cgi?id=3546

So long,
Aiko
-- 
:wq ✉



Re: [Samba] idmap_ad - Unix attributes vs. Windows attributes vs. Winbind

2008-06-21 Thread Aiko Barz
On Fri, Jun 20, 2008 at 08:26:45AM -0500, Gerald (Jerry) Carter wrote:
 Aiko Barz wrote:
  Hi,
  
  I'm using Debian Stable with Samba from SerNet (3.0.28-21).
  
  Most of it is working, but there is one issue:
  
  filer01 ~ # getent passwd user
  user:*:1024:1:Aiko Barz:/home/DOMAIN/user:/bin/false
  filer01 ~ # getent passwd | grep user
  user:*:1024:1:Aiko Barz:/net/server.domain.local/home/user:/bin/bash
  filer01 ~ # getent passwd user
  user:*:1024:100:Aiko Barz:/net/server.domain.local/home/user:/bin/bash
  
  5 minutes later:
  
  filer01 ~ # getent passwd user
  user:*:1024:1:Aiko Barz:/home/DOMAIN/user:/bin/false
 
 nscd running ?

Nope,
Aiko
-- 
:wq ✉


Re: [Samba] idmap_ad - Unix attributes vs. Windows attributes vs. Winbind

2008-06-20 Thread Gerald (Jerry) Carter
Aiko Barz wrote:
 Hi,
 
 I'm using Debian Stable with Samba from SerNet (3.0.28-21).
 
 Most of it is working, but there is one issue:
 
 filer01 ~ # getent passwd user
 user:*:1024:1:Aiko Barz:/home/DOMAIN/user:/bin/false
 filer01 ~ # getent passwd | grep user
 user:*:1024:1:Aiko Barz:/net/server.domain.local/home/user:/bin/bash
 filer01 ~ # getent passwd user
 user:*:1024:100:Aiko Barz:/net/server.domain.local/home/user:/bin/bash
 
 5 minutes later:
 
 filer01 ~ # getent passwd user
 user:*:1024:1:Aiko Barz:/home/DOMAIN/user:/bin/false

nscd running ?




jerry


[Samba] idmap_ad - Unix attributes vs. Windows attributes vs. Winbind

2008-06-19 Thread Aiko Barz
Hi,

I'm using Debian Stable with Samba from SerNet (3.0.28-21).

Most of it is working, but there is one issue:

 filer01 ~ # getent passwd user
 user:*:1024:1:Aiko Barz:/home/DOMAIN/user:/bin/false
 filer01 ~ # getent passwd | grep user
 user:*:1024:1:Aiko Barz:/net/server.domain.local/home/user:/bin/bash
 filer01 ~ # getent passwd user
 user:*:1024:100:Aiko Barz:/net/server.domain.local/home/user:/bin/bash

5 minutes later:

 filer01 ~ # getent passwd user
 user:*:1024:1:Aiko Barz:/home/DOMAIN/user:/bin/false

1) The first command uses a generated $HOME and $SHELL. The GID is the one
   from the main windows group.
2) The second command shows the $HOME and $SHELL from the Active
   Directory UNIX TAB. But the GID is the one from the main windows group.
3) The command from 1) again. The GID is now the GID from the UNIX TAB.
4) All parameters have the same values like in 1) again...


During that time, nothing has been changed. I simply executed those
commands. Samba/Winbind is mixing up some parameters.

Is there hope?

So long,
Aiko
-- 
:wq ✉



Re: [Samba] Problems with Samba(idmap_ad/sfu on AIX

2008-03-30 Thread Douglas VanLeuven

Heikki Manninen wrote:
I'm unable to use idmap_ad and sfu nss info with Samba on AIX. The 
configuration as it is works on a Linux build.


workgroup = DOMAIN
realm = DOMAIN.TLD
server string = SERVER
security = ADS
idmap domains = DOMAIN
idmap config DOMAIN:default = yes
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 1000 - 6
idmap config DOMAIN:readonly = yes
idmap config DOMAIN:schema_mode = sfu

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind nss info = sfu
map to guest = bad uid


That all looks good.


When run with statically built idmap_ad I get this in the log when 
trying to map user info (wbinfo -i):


Error loading module '/opt/pware/samba/3.0.28/lib/nss_info/sfu.so': 
Could not load module /opt/pware/samba/3.0.28/lib/nss_info/sfu.so.



Last I knew, this module can't be statically compiled.

And when I build a version with shared idmap_ad (and sfu.so - 
idmap_ad.so), it gets back to this:


lib/module.c:do_smb_load_module(49) Error loading module 
'/usr/local/samba/lib/nss_info/sfu.so': rtld: 0712-001 Symbol 
_talloc_zero_zeronull was referenced from module 
/usr/local/samba/lib/nss_info/sfu.so(), but a runtime definition of the 
symbol was not found.


lib/module.c:do_smb_load_module(49) Error loading module 
'/usr/local/samba/lib/idmap/ad.so': rtld: 0712-001 Symbol 
_talloc_zero_zeronull was referenced from module 
/usr/local/samba/lib/idmap/ad.so(), but a runtime definition of the 
symbol was not found.




Either the linker options need assistance or you need to add some 
libraries to the run time library path LIBPATH if my memory serves. I
haven't done AIX for a while.


You might have more success on samba-technical getting a response.

If you post over there, don't forget to include the version of AIX and 
which compiler you're using, native or gnu.  Also the version of samba.


Regards, Doug


[Samba] Problems with Samba(idmap_ad/sfu on AIX

2008-03-27 Thread Heikki Manninen
I'm unable to use idmap_ad and sfu nss info with Samba on AIX. The 
configuration as it is works on a Linux build.


workgroup = DOMAIN
realm = DOMAIN.TLD
server string = SERVER
security = ADS
idmap domains = DOMAIN
idmap config DOMAIN:default = yes
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 1000 - 6
idmap config DOMAIN:readonly = yes
idmap config DOMAIN:schema_mode = sfu

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind nss info = sfu
map to guest = bad uid


When run with statically built idmap_ad I get this in the log when 
trying to map user info (wbinfo -i):


Error loading module '/opt/pware/samba/3.0.28/lib/nss_info/sfu.so': 
Could not load module /opt/pware/samba/3.0.28/lib/nss_info/sfu.so.


And when I build a version with shared idmap_ad (and sfu.so - 
idmap_ad.so), it gets back to this:


lib/module.c:do_smb_load_module(49) Error loading module 
'/usr/local/samba/lib/nss_info/sfu.so': rtld: 0712-001 Symbol 
_talloc_zero_zeronull was referenced from module 
/usr/local/samba/lib/nss_info/sfu.so(), but a runtime definition of the 
symbol was not found.


lib/module.c:do_smb_load_module(49) Error loading module 
'/usr/local/samba/lib/idmap/ad.so': rtld: 0712-001 Symbol 
_talloc_zero_zeronull was referenced from module 
/usr/local/samba/lib/idmap/ad.so(), but a runtime definition of the 
symbol was not found.


--
Heikki M


[Samba] idmap_ad and multiple domains

2008-02-19 Thread Christian McHugh
Has anyone else gotten samba functioning with idmap_ad and multiple domains? 
In our environment we have a domain with two child domains. There is one child 
domain for students, and another for faculty staff. Our servers are joined to 
the student domain, but need to be able to enumerate users in the staff domain.


When attempting to look up a user (wbinfo -i 'NAU\car3') that only exists in 
the staff domain, I see this in the log.winbindd-idmap:


[2008/02/19 07:34:25, 4] nsswitch/winbindd_dual.c:fork_domain_child(1054)
  child daemon request 48
[2008/02/19 07:34:25, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn DUAL_SID2UID
[2008/02/19 07:34:25, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
  [ 8151]: sid to uid S-1-5-21-20713206-1263413069-421607344-5886
[2008/02/19 07:34:25, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(105)
  idmap_sid_to_uid: sid = [S-1-5-21-20713206-1263413069-421607344-5886]
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1115)
  Query backends to map sids-ids
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1140)
  SID S-1-5-21-20713206-1263413069-421607344-5886 is being handled by 
NAU-STUDENTS

[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1161)
  Query ids from domain NAU-STUDENTS
[2008/02/19 07:34:25, 7] 
nsswitch/idmap_ad.c:ad_idmap_cached_connection_internal(77)

  Current tickets expire in 35983 seconds (at 1203467648, time is now 
1203431665)
[2008/02/19 07:34:25, 10] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(543)
  Filter: 
[((|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\FE\16\00\00)))]

[2008/02/19 07:34:25, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
  Search for 
((|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\FE\16\00\00))) 
in dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU gave 0 replies

[2008/02/19 07:34:25, 10] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(553)
  No IDs found
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_can_map(918)
  idmap backend for SID S-1-5-21-20713206-1263413069-421607344-5886 is READONLY!
[2008/02/19 07:34:25, 10] 
nsswitch/idmap_cache.c:idmap_cache_set_negative_sid(258)
  Adding cache entry with key = 
IDMAP/SID/S-1-5-21-20713206-1263413069-421607344-5886; value = 
1203431785/IDMAP/NEGATIVE and timeout = Tue Feb 19 07:36:25 2008

   (120 seconds ahead)
[2008/02/19 07:34:25, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
  sid [S-1-5-21-20713206-1263413069-421607344-5886] not mapped to an uid [2,1,0]
[2008/02/19 07:34:25, 10] nsswitch/winbindd_cache.c:cache_store_response(2260)
  Storing response for pid 8153, len 3240
[2008/02/19 07:34:25, 10] lib/events.c:get_timed_events_timeout(295)
  timed_events_timeout: 277/780278
[2008/02/19 07:39:02, 10] lib/events.c:run_events(240)
  Running event async_request_timeout 2c6fd0
[2008/02/19 07:39:02, 0] 
nsswitch/winbindd_dual.c:async_request_timeout_handler(181)
  async_request_timeout_handler: child pid 8152 is not responding. Closing 
connection to it.

[2008/02/19 07:39:02, 10] lib/events.c:timed_event_destructor(66)
  Destroying timed event 2c6fd0 async_request_timeout
[2008/02/19 07:39:02, 5] nsswitch/winbindd_dual.c:async_reply_recv(263)
  Could not receive async reply from child pid 8152
[2008/02/19 07:39:02, 5] nsswitch/winbindd_util.c:init_child_recv(425)
  Received child initialization response for domain NAU-STUDENTS
[2008/02/19 07:39:02, 3] nsswitch/winbindd_util.c:init_child_recv(428)
  Could not init child
[2008/02/19 07:39:02, 5] nsswitch/winbindd_dual.c:domain_init_recv(402)
  Domain init returned an error
[2008/02/19 07:39:02, 1] nsswitch/winbindd_util.c:trustdom_recv(235)
  Could not receive trustdoms


log.winbindd prints out:

[2008/02/19 07:34:25, 10] 
nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 8153
[2008/02/19 07:34:25, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
  sid2uid returned an error
[2008/02/19 07:34:25, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
  Could not query uid for user NAU\car3



Both the student and faculty domains have the rfc2307 attributes set, so I am 
unsure as to why I am only able to look up users in the NAU-STUDENTS domain and 
not the NAU domain.


Any thoughts?

Thanks,
Christian
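The objectSid value in the idmap_ad filter above is the SID in its binary form, LDAP-escaped byte by byte; rebuilding it shows exactly what was asked of the student domain, and pulling the domain part out of the SID shows why a search under dc=STUDENTS for a staff-domain account returns 0 replies. This is an added example in Python, not Samba's code; the sAMAccountType list and the sample SID are taken from the log, and I assume the archive dropped the leading & of the AND filter when rendering it.

```python
"""Encode a string SID the way AD stores objectSid, escape it for an LDAP
filter, and rebuild the sids-to-unixids query idmap_ad logs.
Added example, not Samba's code."""
import struct
from typing import List

# The sAMAccountType values idmap_ad includes: normal user, machine and
# trust accounts, then security groups and aliases (from the log above).
SAM_ACCOUNT_TYPES = (805306368, 805306369, 805306370, 268435456, 536870912)


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> revision, sub-authority count, 48-bit big-endian
    identifier authority, then each sub-authority as little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or not 0 <= authority < 1 << 48:
        raise ValueError(f"unsupported SID: {sid!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with a length check against the count byte."""
    if len(raw) < 8:
        raise ValueError("truncated SID")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def ldap_escape(raw: bytes) -> str:
    """RFC 4515 escaping of binary data: every byte as \\XX (uppercase, as logged)."""
    return "".join(f"\\{b:02X}" for b in raw)


def idmap_ad_filter(sids: List[str]) -> str:
    """The (&(|account types)(|objectSid=...)) filter for one batch of SIDs."""
    types = "".join(f"(sAMAccountType={t})" for t in SAM_ACCOUNT_TYPES)
    objs = "".join(f"(objectSid={ldap_escape(sid_to_bytes(s))})" for s in sids)
    return f"(&(|{types})(|{objs}))"


def domain_sid(sid: str) -> str:
    """Strip the RID: what remains identifies the domain the account lives in."""
    return sid.rsplit("-", 1)[0]


if __name__ == "__main__":
    sid = "S-1-5-21-20713206-1263413069-421607344-5886"  # from the log above
    print(idmap_ad_filter([sid]))
    print("account domain:", domain_sid(sid))
```

Comparing domain_sid() of the SID being mapped with the objectSid of the domain whose base DN the backend actually searched tells you immediately whether a user from a trusted child domain was routed to the wrong domain's idmap backend.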


Re: [Samba] idmap_ad alloc to store uid/gid attributes in AD

2008-02-15 Thread simo

On Fri, 2008-02-15 at 16:12 -0500, Ross S. W. Walker wrote:
 It would be a handy feature to have idmap_ad implement an alloc routine to 
 write back the uid and gid mappings to AD either as SFU attributes or RFC 
 2307 attributes.
  
 I figure this could allow dynamic uid and gid allocation that can be easily 
 preserved across multiple domains in a Windows environment.
  
 Has there been any attempt to provide this feature?

No, this would require allowing any samba server write access to any
user in AD for, at least, the posix attributes.
Something, I am sure, most people wouldn't want to allow.

I am open to patches in this regard but *only* if they come with very
clear instructions on how to limit write access to the needed attributes
and possible only to a specific identity the samba server can use.

Of course both read-only and read-write mode of operation must work,
with read-only being the default.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



[Samba] idmap_ad alloc to store uid/gid attributes in AD

2008-02-15 Thread Ross S. W. Walker
 
It would be a handy feature to have idmap_ad implement an alloc routine to 
write back the uid and gid mappings to AD either as SFU attributes or RFC 2307 
attributes.
 
I figure this could allow dynamic uid and gid allocation that can be easily 
preserved across multiple domains in a Windows environment.
 
Has there been any attempt to provide this feature?

Ross S. W. Walker
Information Systems Manager
Medallion Financial, Corp.
437 Madison Avenue
38th Floor
New York, NY 10022
Tel: (212) 328-2165
Fax: (212) 328-2125
WWW: http://www.medallion.com http://www.medallion.com/  

 

__
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.



Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-27 Thread S Murthy Kambhampaty
According to our network admins, we are using the rfc2307(pre-R2) schema.

Thanks,
   Murthy

- Original Message 
From: simo [EMAIL PROTECTED]
To: S Murthy Kambhampaty [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: Friday, June 22, 2007 12:22:10 PM
Subject: Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

On Fri, 2007-06-22 at 08:42 -0700, S Murthy Kambhampaty wrote:
 Simo, thanks for the info on the configuration syntax.  
 
 I'm still uncertain whether the rfc2307-related AD schema extensions
 in Windows 2003  are  compatible with Samba, or  the  R2 schema update
 is needed.  When I  use idmap_ad in our Win2k3 environment, on `getent
 passwd` winbind logs an error of  ads_check_posix_schema_mapping:
 failed NT_STATUS_NONE_MAPPED at
 libads/ldap_schema.c:ads_check_posix_schema_mapping(243), which
 suggests that the AD schema does not have the particular uid/gid
 attribs that winbind is looking for.  Could this be due to differences
 in the schema between the pre-R2 and R2 versions of the AD schema in
 Win 2k3?

It depends, what schema are you using?
We support sfu or rfc2307(R2)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org






   


Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-27 Thread simo
With 3.0.25b we support either sfu or rfc2307(R2), if neither of these
work, it means you have some other schema.

Simo.

On Wed, 2007-06-27 at 14:17 -0700, S Murthy Kambhampaty wrote:
 According to our network admins, we are using the rfc2307(pre-R2) schema.
 
 Thanks,
Murthy
 
 - Original Message 
 From: simo [EMAIL PROTECTED]
 To: S Murthy Kambhampaty [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Sent: Friday, June 22, 2007 12:22:10 PM
 Subject: Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2
 
 On Fri, 2007-06-22 at 08:42 -0700, S Murthy Kambhampaty wrote:
  Simo, thanks for the info on the configuration syntax.  
  
  I'm still uncertain whether the rfc2307-related AD schema extensions
  in Windows 2003  are  compatible with Samba, or  the  R2 schema update
  is needed.  When I  use idmap_ad in our Win2k3 environment, on `getent
  passwd` winbind logs an error of  ads_check_posix_schema_mapping:
  failed NT_STATUS_NONE_MAPPED at
  libads/ldap_schema.c:ads_check_posix_schema_mapping(243), which
  suggests that the AD schema does not have the particular uid/gid
  attribs that winbind is looking for.  Could this be due to differences
  in the schema between the pre-R2 and R2 versions of the AD schema in
  Win 2k3?
 
 It depends, what schema are you using?
 We support sfu or rfc2307(R2)
 
 Simo.
 
 -- 
 Simo Sorce
 Samba Team GPL Compliance Officer
 email: [EMAIL PROTECTED]
 http://samba.org
 
 
 
 
 
 

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-22 Thread simo
On Thu, 2007-06-21 at 10:55 -0700, S Murthy Kambhampaty wrote:
 Is the new idmap_ad module capable of getting uid/gid info from a Windows 
 2003 AD pre-R2 with RFC2307 Unix Identity Mapping Extensions applied?
 
 Also, is the correct syntax for specifying the schema_mode as follows:
  idmap config dom.example.com:schema_mode = rfc2307

Right now we support only the short domain name, not the FQDN domain name,
all the rest is like you said.

Simo.

 
 
 Simo Sorce
 Samba Team GPL Compliance Officer
 email: [EMAIL PROTECTED]
 http://samba.org

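Several pitfalls recur across the configurations posted in these threads: the `default` idmap key and `use kerberos keytab` that newer releases reject, a DNS realm in `idmap config` where Simo says only the short domain name works, ranges that start at 0 or disagree between `idmap uid` and the per-domain range, and a `schema_mode` that does not match `winbind nss info`. The following linter flags them in an smb.conf; it is an added example, not Samba's own tooling, its parser is deliberately minimal (no include or %-macro handling), and the config it checks is constructed.

```python
"""Lint the idmap-related [global] settings of an smb.conf for the pitfalls
raised in these threads. Added example, not Samba's own tool."""
import re
from typing import Dict, List, Optional, Tuple

# 'idmap config DOM : default' was dropped in Samba 3.3; the 3.5 testparm
# output above reports 'use kerberos keytab' as unknown and ignores it.
REMOVED_PARAMS = {"use kerberos keytab"}
REMOVED_IDMAP_KEYS = {"default"}
IDMAP_KEY = re.compile(r"^idmap config ([^:]+):(.+)$")
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'key = value', '#'/';' comments.
    Keys are lowercased with spaces around ':' removed, so
    'idmap config DOM : range' and 'idmap config DOM:range' compare equal."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        sections[current][key] = value.strip()
    return sections


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'1000 - 20000' -> (1000, 20000); anything else (e.g. '0-') -> None."""
    m = RANGE.match(value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def lint_idmap(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return 'code: explanation' findings for the [global] idmap settings."""
    g = conf.get("global", {})
    findings: List[str] = []
    per_domain: Dict[str, Dict[str, str]] = {}
    for key, value in g.items():
        m = IDMAP_KEY.match(key)
        if m:
            per_domain.setdefault(m.group(1), {})[m.group(2)] = value
    for p in sorted(REMOVED_PARAMS & set(g)):
        findings.append(f"removed-param: '{p}' is reported as unknown and ignored")
    legacy_range = parse_range(g.get("idmap uid", ""))
    nss_info = g.get("winbind nss info", "template").lower()
    for dom, keys in sorted(per_domain.items()):
        if "." in dom:
            findings.append(f"fqdn-domain: 'idmap config {dom}' needs the short "
                            "(workgroup) name, not the DNS realm")
        for k in sorted(REMOVED_IDMAP_KEYS & set(keys)):
            findings.append(f"removed-param: 'idmap config {dom}:{k}' was dropped in 3.3")
        rng = parse_range(keys.get("range", ""))
        if rng and rng[0] == 0:
            findings.append(f"range-zero: 'idmap config {dom}:range' starts at 0 "
                            "and overlaps local system accounts")
        if rng and legacy_range and rng != legacy_range:
            findings.append(f"range-conflict: 'idmap uid' {legacy_range} differs "
                            f"from 'idmap config {dom}:range' {rng}")
        schema = keys.get("schema_mode", "").lower()
        if schema and nss_info in ("sfu", "rfc2307") and schema != nss_info:
            findings.append(f"schema-mismatch: schema_mode={schema} but winbind "
                            f"nss info={nss_info}; both must name the same schema")
    if "idmap backend" in g and per_domain:
        findings.append("dual-backend: 'idmap backend' and per-domain 'idmap config' "
                        "are both set; check that their ranges agree")
    return findings


# Constructed config that combines the mistakes seen in the threads.
SAMPLE_SMB_CONF = """
[global]
   security = ADS
   workgroup = EXAMPLE
   realm = CORP.EXAMPLE.COM
   idmap backend = ad
   idmap config CORP.EXAMPLE.COM : schema_mode = rfc2307
   idmap config CORP.EXAMPLE.COM : default = yes
   idmap config CORP.EXAMPLE.COM : range = 0-100000
   idmap uid = 1000-20000
   idmap gid = 1000-20000
   winbind nss info = sfu
   use kerberos keytab = true
"""

if __name__ == "__main__":
    for finding in lint_idmap(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```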


[Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-22 Thread S Murthy Kambhampaty
Is the new idmap_ad module capable of getting uid/gid info from a Windows 2003 
AD pre-R2 with RFC2307 Unix Identity Mapping Extensions applied?

Also, is the correct syntax for specifying the schema_mode as follows:
 idmap config dom.example.com:schema_mode = rfc2307

(I am not confident that I am reading the idmap_ad manpage and the new idmap 
document correctly.)

Thanks for the help,
   Murthy




   



Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-22 Thread S Murthy Kambhampaty
Simo, thanks for the info on the configuration syntax.  

I'm still uncertain whether the rfc2307-related AD schema extensions in Windows 
2003 are compatible with Samba, or the R2 schema update is needed. When I 
use idmap_ad in our Win2k3 environment, on `getent passwd` winbind logs an 
error of "ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED at 
libads/ldap_schema.c:ads_check_posix_schema_mapping(243)", which suggests that 
the AD schema does not have the particular uid/gid attribs that winbind is 
looking for. Could this be due to differences in the schema between the pre-R2 
and R2 versions of the AD schema in Win 2k3?

Thanks,
   Murthy

- Original Message 
From: simo [EMAIL PROTECTED]
To: S Murthy Kambhampaty [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: Friday, June 22, 2007 10:28:29 AM
Subject: Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

On Thu, 2007-06-21 at 10:55 -0700, S Murthy Kambhampaty wrote:
 Is the new idmap_ad module capable of getting uid/gid info from a Windows 
 2003 AD pre-R2 with RFC2307 Unix Identity Mapping Extensions applied?
 
 Also, is the correct syntax for specifying the schema_mode as follows:
  idmap config dom.example.com:schema_mode = rfc2307

Right now we support only the short domain name, not the FQDN domain name;
all the rest is as you said.

Simo.

 
 
 Simo Sorce
 Samba Team GPL Compliance Officer
 email: [EMAIL PROTECTED]
 http://samba.org






 



Re: [Samba] idmap_ad Integration with Windows 2003 pre-R2

2007-06-22 Thread simo
On Fri, 2007-06-22 at 08:42 -0700, S Murthy Kambhampaty wrote:
 Simo, thanks for the info on the configuration syntax.  
 
 I'm still uncertain whether the rfc2307-related AD schema extensions
 in Windows 2003 are compatible with Samba, or the R2 schema update
 is needed. When I use idmap_ad in our Win2k3 environment, on `getent
 passwd` winbind logs an error of "ads_check_posix_schema_mapping:
 failed NT_STATUS_NONE_MAPPED at
 libads/ldap_schema.c:ads_check_posix_schema_mapping(243)", which
 suggests that the AD schema does not have the particular uid/gid
 attribs that winbind is looking for. Could this be due to differences
 in the schema between the pre-R2 and R2 versions of the AD schema in
 Win 2k3?

It depends: what schema are you using?
We support sfu or rfc2307 (R2).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



[Samba] idmap_ad

2007-06-13 Thread Jerome Haltom
I'm trying to figure out how to configure idmap_ad to *not* map anything
that does not have a UID assigned by Active Directory. I do not like
randomly allocated UIDs appearing on my systems and would prefer to
drive these out centrally. Setting the idmap ranges to nothing seems to
cause an error.

How can I do this?



Re: [Samba] idmap_ad

2007-06-13 Thread simo
On Wed, 2007-06-13 at 12:38 -0500, Jerome Haltom wrote:
 I'm trying to figure out how to configure idmap_ad to *not* map anything
 that does not have a UID assigned by Active Directory. I do not like
 randomly allocated UIDs appearing on my systems and would prefer to
 drive these out centrally. Setting the idmap ranges to nothing seems to
 cause an error.
 
 How can I do this?

Samba version?
smb.conf?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] idmap_ad

2007-06-13 Thread Jerome Haltom
3.0.24-2ubuntu1



[global]
smb ports = 445
workgroup = ISI
realm = AD.ISILLC.COM
server string = %h server (Samba, Ubuntu)
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
use kerberos keytab = Yes
log level = 10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
disable netbios = Yes
dns proxy = No
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
idmap backend = ad
idmap uid = 
idmap gid = 
template homedir = /home/%U
winbind nss info = sfu
winbind refresh tickets = Yes
winbind offline logon = Yes
invalid users = root

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[backup]
path = /srv/backup
valid users = @admin, ISI\jhaltom, ISI\BackupExec, ISI\SQLServer
read only = No
create mask = 0770




[2007/06/13 13:27:29, 0]
nsswitch/winbindd_util.c:winbindd_param_init(787)
  winbindd: idmap uid range missing or invalid
[2007/06/13 13:27:29, 0]
nsswitch/winbindd_util.c:winbindd_param_init(788)
  winbindd: cannot continue, exiting.



I've tried various combinations of idmap. It actually seems to sort of
work if I map the range 1-1, but I doubt this is appropriate.



On Wed, 2007-06-13 at 14:15 -0400, simo wrote:
 On Wed, 2007-06-13 at 12:38 -0500, Jerome Haltom wrote:
  I'm trying to figure out how to configure idmap_ad to *not* map anything
  that does not have a UID assigned by Active Directory. I do not like
  randomly allocated UIDs appearing on my systems and would prefer to
  drive these out centrally. Setting the idmap ranges to nothing seems to
  cause an error.
  
  How can I do this?
 
 Samba version?
 smb.conf?
 
 Simo.
 



Re: [Samba] idmap_ad

2007-06-13 Thread simo
On Wed, 2007-06-13 at 13:29 -0500, Jerome Haltom wrote:
 
 I've tried various combinations of idmap. It actually seems to sort of
 work if I map the range 1-1, but I doubt this is appropriate.

Just map the same range you use on ad.
The ad backend is read only; no ids can be mapped.

Otherwise switch to post-3.0.25, where we have rewritten the idmap
subsystem and these kinds of things are handled much better.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] idmap_ad

2007-06-13 Thread Jerome Haltom
On Wed, 2007-06-13 at 14:41 -0400, simo wrote:
 
 Just map the same range you use on ad.
 The ad backend is read only; no ids can be mapped.

So, no matter what ranges I map, it will never produce local UID
assignments? Okay. Somehow I was fooled into thinking it would. The
question is withdrawn and irrelevant then.

 
 Otherwise switch to post-3.0.25, where we have rewritten the idmap
 subsystem and these kinds of things are handled much better.

Nice.

 
 Simo.
 

Thanks!



Re: [Samba] idmap_ad

2007-06-13 Thread simo
On Wed, 2007-06-13 at 13:47 -0500, Jerome Haltom wrote:
 On Wed, 2007-06-13 at 14:41 -0400, simo wrote:
  
  Just map the same range you use on ad.
  The ad backend is read only; no ids can be mapped.
 
 So, no matter what ranges I map, it will never produce local UID
 assignments? Okay. Somehow I was fooled into thinking it would. The
 question is withdrawn and irrelevant then.

It will not assign local UIDs, but you will hit AD pretty hard, as in
3.0.24 we don't have negative caching in idmap.

I suggest you try 3.0.25a (b coming out soon as well)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org

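A small smb.conf linter for the three points made in the two threads above (the empty idmap uid/gid ranges that made winbindd exit, the short-domain-name requirement for `idmap config` keys, and the sfu/rfc2307 schema modes), written as an added example; it is not Samba's own code, and the sample configs in it are constructed.

```python
"""Added example (not Samba code): lint the [global] idmap settings of an
smb.conf for the pitfalls these threads raise for Samba 3.0.2x: an empty or
malformed "idmap uid"/"idmap gid" range (winbindd exits), an FQDN instead of
the short domain name in "idmap config DOM:option", and an unknown schema_mode."""
import re

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
IDMAP_CFG_RE = re.compile(r"^idmap config\s+([^:\s]+)\s*:\s*(\S+)$")
KNOWN_SCHEMA_MODES = {"sfu", "rfc2307"}   # the two modes named in the thread


def parse_global(text):
    """Return the [global] parameters as {lower-cased key: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def lint_idmap(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    params, findings = parse_global(text), []
    for key in ("idmap uid", "idmap gid"):
        value = params.get(key, "")
        match = RANGE_RE.match(value)
        if not match:
            findings.append(f"{key}: range missing or invalid ({value!r}); winbindd will refuse to start")
        elif int(match.group(1)) > int(match.group(2)):
            findings.append(f"{key}: lower bound exceeds upper bound ({value})")
    for key, value in params.items():
        cfg = IDMAP_CFG_RE.match(key)
        if not cfg:
            continue
        domain, option = cfg.groups()
        if "." in domain:
            findings.append(f"idmap config {domain}: use the short domain name, not an FQDN")
        if option == "schema_mode" and value.lower() not in KNOWN_SCHEMA_MODES:
            findings.append(f"idmap config {domain}:schema_mode = {value}: "
                            f"expected one of {sorted(KNOWN_SCHEMA_MODES)}")
    return findings


# Constructed samples: empty ranges as in the 3.0.24 smb.conf above, the
# FQDN-keyed schema_mode line asked about above, and a corrected variant.
EMPTY_RANGES = "[global]\n security = ADS\n idmap backend = ad\n idmap uid =\n idmap gid =\n"
FQDN_KEY = ("[global]\n idmap uid = 10000-20000\n idmap gid = 10000-20000\n"
            " idmap config dom.example.com:schema_mode = rfc2307\n")
CLEAN = FQDN_KEY.replace("dom.example.com", "DOM")

if __name__ == "__main__":
    for name, conf in (("empty ranges", EMPTY_RANGES), ("fqdn key", FQDN_KEY), ("clean", CLEAN)):
        print(f"{name}: {lint_idmap(conf) or ['ok']}")
```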


[Samba] Idmap_ad troubleshooting assistance

2004-11-03 Thread Scott Armstrong
I have Samba 3.0.7 installed and running in security = ADS mode and I've
built and installed the Idmap_ad backend according to the instructions.
Group lookups seem to work fine, but getent passwd and id functions fail
with the message -
ad_idmap_get_id_from_sid: ads_pull_uint32 : could not read attribute
'gidNumber'.
If I manually run an ldap query against Active Directory the attribute shows
up just fine in either root's or a user's context using GSSAPI. 
I've extended the AD schema using MKSADplugins and I'm using the RFC2307
schema style.
Any suggestions on troubleshooting this problem would be greatly
appreciated. 
Additional info - 
   I'm in Active Directory 2003 in Native Mode.
   Samba is built with local installations of kerberos and openssl to get
around deficiencies in the system versions.
   The platforms are Red Hat Enterprise Linux AS 3.0, Fedora Core 2 x86_64
and Sun SPARC Solaris 8.
I'll gladly supply neutered copies of configuration files, log files and
ldap searches, but I think the ability to crank up the logging level of the
ldap retrieval functions would be more valuable.
Thanks,
Scott
 


[Samba] idmap_ad requires kinit of machine acccount?

2004-09-28 Thread S Murthy Kambhampaty
On an FC2 test server running samba-3.0.7-2.FC2 and
with idmap_ad, if I start winbind normally idmap_ad
fails, but if I first kinit the machine account,
idmap_ad works fine.

Without idmap_ad in smb.conf, winbind is fine.

This problem appears not to occur with samba-3.0.5
(build from source tarball, running RedHat 8.0).  I
will try with samba-3.0.7-1 from samba.org on FC2 as I
get a chance, but I was wondering if anyone had any
clues as to what the problem may be.  I have attached
a little more info in the postscript.

Thanks,
   Murthy

PS:

Usage 1:
[EMAIL PROTECTED] /]# net ads testjoin
Join is OK
[EMAIL PROTECTED] /]# klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_0)

Restart winbind; getent passwd only gives local
users
logfile contains:
[2004/09/28 14:54:22, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7-2.FC2 started.
  Copyright The Samba Team 2000-2004
[2004/09/28 14:54:22, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache
found)
[2004/09/28 14:54:22, 1] idmap_ad.c:ad_idmap_init(43)
  ad_idmap_init: failed to connect to AD
[2004/09/28 14:54:23, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache
found)


Usage 2:
kinit host name

Restart winbind; getent passwd gives local as well as
domain users

[2004/09/28 14:58:24, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7-2.FC2 started.
  Copyright The Samba Team 2000-2004
[2004/09/28 14:58:24, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache
found)
[2004/09/28 14:58:27, 1]
idmap_ad.c:ad_idmap_get_id_from_sid(214)
  ad_idmap_get_id_from_sid mapped SID  to POSIX UID


  
  
Usage 3:
delete idmap backend ... from smb.conf
# kdestroy
Restart winbind, getent passwd gives local as well as
domain users; generates no messages beyond:
[2004/09/28 15:17:11, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7-2.FC2 started.
  Copyright The Samba Team 2000-2004
[2004/09/28 15:17:11, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)





[Samba] idmap_ad: sid to uid conversion fails

2004-09-22 Thread S Murthy Kambhampaty
I have two boxes on which I am trying to get idmap_ad 
(from xad_oss_plugins) to provide uid/gid mapping, and
am getting the error:
Could not convert sid sid of some_user to uid


The story so far goes like this:
Without the line 
idmap backend = ad:ldap://PDC's FQDN/ in smb.conf,
I can successfully do all of: 
# wbinfo -S $(wbinfo -n some_user | awk '{print $1}')
# getent passwd | grep some_user
# net ads search '(objectCategory=user)' \
sAMAccountName msSFU30GidNumber msSFU30UidNumber | \
grep -A2 some_user


However, if I add the line 
idmap backend = ad:ldap://PDC's FQDN/ to smb.conf
and I do:
# wbinfo -S $(wbinfo -n some_user | awk '{print $1}')
I get the following error:
Could not convert sid sid of some_user to uid

The winbindd log does not seem to indicate any
installation problems (I have attached the log lines
for the command wbinfo -S sid of some_user for a
failed and a successful request respectively.).

The domain is a Win2K native domain; LDAP anonymous
access is not permitted.
The two machines on which I have tried are (i) Redhat
8.0 upgraded to kernel 2.6.6 with Samba-3.0.5 (from
samba.org) and (ii) Fedora Core 2 with kernel 2.6.8
and samba-3.0.7 (from up2date).  In both cases,
idmap_ad
was compiled by: downloading the samba source tarball,
compiling with options from the specfile of the
installed rpms, manually building the idmap plugin
according to the instructions in the
~/idmap_ad/README file.


I'd like to get idmap_ad working, as the ldap backend is
an awfully cumbersome alternative.

Thanks,
Murthy



Lines from the winbind log for the failed request are:
[2004/09/22 12:10:32, 6]
nsswitch/winbindd.c:new_connection(343)
  accepted socket 22
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full
request.
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:process_request(308)
  process_request: request fn INTERFACE_VERSION
[2004/09/22 12:10:32, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [ 8303]: request interface version
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full
request.
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:process_request(308)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2004/09/22 12:10:32, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [ 8303]: request location of privileged pipe
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:client_write(557)
  client_write: need to write 35 extra data bytes.
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:client_write(512)
  client_write: wrote 35 bytes.
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response
written.
[2004/09/22 12:10:32, 6]
nsswitch/winbindd.c:new_connection(343)
  accepted socket 25
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full
request.
[2004/09/22 12:10:32, 5]
nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 22, pid 8303: EOF
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full
request.
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:process_request(308)
  process_request: request fn SID_TO_UID
[2004/09/22 12:10:32, 3]
nsswitch/winbindd_sid.c:winbindd_sid_to_uid(128)
  [ 8303]: sid to uid sid of some_user
[2004/09/22 12:10:32, 1]
nsswitch/winbindd_sid.c:winbindd_sid_to_uid(200)
  Could not get uid for sid sid of some_user
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/09/22 12:10:32, 10]
nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full
request.
[2004/09/22 12:10:32, 5]
nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 25, pid 8303: EOF

  
Lines from the winbind log for the successful request
(without
the idmap backend stanza in smb.conf) are:
[2004/09/22 12:16:38, 6]
nsswitch/winbindd.c:new_connection(343)
  accepted socket 19
[2004/09/22 12:16:38, 10]
nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full
request.
[2004/09/22 12:16:38, 10]
nsswitch/winbindd.c:process_request(308)
  process_request: request fn INTERFACE_VERSION
[2004/09/22 12:16:38, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [ 8466]: request interface version
[2004/09/22 12:16:38, 10]
nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/09/22 12:16:38, 10]
nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full
request.
[2004/09/22 12:16:38, 10]

[Samba] idmap_ad compile problem

2004-05-19 Thread Shannon Johnson

I saw a message on this mailing list about compiling the idmap_ad.c,
back in October of last year... and I'm having the same problem... When
I try to compile it, the message I get is:

gcc -I/usr/include/linux -I/root/samba/samba-3.0.4/source/ubiqx
-I/root/samba/samba-3.0.4/source/popt
-I/root/samba/samba-3.0.4/source/smbwrapper
-I/root/samba/samba-3.0.4/source
-I/root/samba/samba-3.0.4/source/include -Wall -g -shared -o
ad.so idmap_ad.c
In file included from /usr/include/sys/types.h:133,
 from
/root/samba/samba-3.0.4/source/include/includes.h:76,
 from idmap_ad.c:12:
/usr/include/linux/time.h:11: syntax error before time_t
/usr/include/linux/time.h:13: syntax error before '}' token
/usr/include/linux/time.h:19: syntax error before time_t
/usr/include/linux/time.h:45: field `it_interval' has incomplete type
/usr/include/linux/time.h:46: field `it_value' has incomplete type
/usr/include/linux/time.h:47: confused by earlier errors, bailing out

I tried the solution offered at the time, which was to add #include
time.h to the beginning of the idmap_ad.c file, but it didn't work.
Does anybody have any ideas on how to fix it?

Shannon


 
Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267

 
