I _think_ I've found an issue with the combination of sssd and samba on
RHEL/CentOS 7.6. There are a few threads in the list history about how to get
these two to play nice despite the current "unsupported" status from RH. The
gist of the issues is:
* Need to make sure only samba (or nothing) is updating the machine password, as
if sssd is doing it, it won't update the secrets in samba's database.
* Have to allocate an idmap range for the sss backend _and_ give a bit of space
for a default backend to do its thing.
This seems to be as simple as:
Remove sssd-libwbclient and only use libwbclient (RPMs)
# /etc/samba/smb.conf:
[global]
workgroup = AD
security = ads
realm = ad.mydomain.com
kerberos method = system keytab
idmap config AD : backend = sss
idmap config AD : range = 10000-1999999999
idmap config * : backend = tdb
idmap config * : range = 9000-9999
# /etc/sssd/sssd.conf seems to need to contain (along with whatever realmd
generates):
ldap_id_mapping = True # use sssd mastered uids/gids
ad_maximum_machine_account_password_age = 0 # stop sssd messing with host password
We also have:
ignore_group_members = True # for speed
ldap_idmap_range_size = 2000000 # we have lots of users
Then join, making sure to use net join, not adcli:
$ realm join --membership-software=samba -U mydomain_admin ad.mydomain.com
On Fedora 30 the above works perfectly with all wbinfo commands working as
expected and samba shares behave.
Fedora 30:
$ rpm -q sssd samba
sssd-2.2.0-1.fc30.x86_64
samba-4.10.4-1.fc30.x86_64
BUT (big but)
On CentOS 7.6 with exactly the same configuration ... it only sometimes works.
$ rpm -q sssd samba
sssd-1.16.2-13.el7_6.8.x86_64
samba-4.8.3-4.el7.x86_64
I end up with behaviour along these lines:
# Config and domain join as above, then try some lookups.
$ wbinfo -n user086
S-1-5-21-*-*-*-39092 SID_USER (1)
$ wbinfo -S S-1-5-21-*-*-*-39092
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-39092 to uid
$ systemctl stop smb
$ systemctl restart winbind
$ wbinfo -S S-1-5-21-*-*-*-39092
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-39092 to uid
$ systemctl restart sssd
$ wbinfo -S S-1-5-21-*-*-*-39092
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-39092 to uid
$ systemctl restart sssd
$ wbinfo -S S-1-5-21-*-*-*-39092
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-39092 to uid
# Wait around 30 seconds ... ****** THIS BIT ******
$ wbinfo -S S-1-5-21-*-*-*-39092
42239092
Another run after scrubbing all config and tdb files, then after rejoin:
$ wbinfo -n user21b
S-1-5-21-*-*-*-179094 SID_USER (1)
$ wbinfo -n user20b
S-1-5-21-*-*-*-153534 SID_USER (1)
$ wbinfo -s S-1-5-21-*-*-*-179094
AD\user21b 1
$ wbinfo -s S-1-5-21-*-*-*-153534
AD\user20b 1
$ wbinfo -S S-1-5-21-*-*-*-153534
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-153534 to uid
$ wbinfo -S S-1-5-21-*-*-*-179094
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-179094 to uid
$ systemctl restart winbind
$ systemctl restart sssd
# wbinfo -n user21b
S-1-5-21-*-*-*-179094 SID_USER (1)
# wbinfo -n user20b
S-1-5-21-*-*-*-153534 SID_USER (1)
# wbinfo -s S-1-5-21-*-*-*-179094
AD\user21b 1
# wbinfo -s S-1-5-21-*-*-*-153534
AD\user20b
# wbinfo -S S-1-5-21-*-*-*-179094
42379094
# wbinfo -S S-1-5-21-*-*-*-153534
42353534
I'm still trying to nail down what's going on here, but it feels very timing
orientated. Left for a few hours, a working config suddenly doesn't seem to want
to resolve the sss-based id resolution. The wbinfo -S queries are the ones that
stop working (sid to uid); all the -s, -i, -n queries still work, and -t and -D
AD still say sensible things.
Importantly I can't get any of this to break on Fedora 30 though with the sssd
and samba versions noted above.
Not sure if this is on the samba side or sssd-winbind-idmap ... or if I'm simply
losing my mind here :)
Are there any known bugs or re-workings to the sss or winbind bits between sssd
1.16 and 2.2 or samba 4.8 and 4.10 that would account for this?
Carwyn
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
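The idmap layout sanity check below is an added example, not code from the post or from the sssd or samba projects. It takes the smb.conf [global] section from the post as constructed input and checks the two things the post says have to be right for idmap_sss to work: that the default backend's range and the sss backend's range do not intersect, and that the uids sssd hands out land inside the sss backend's range, so winbind can answer wbinfo -S for them. The uid arithmetic is sssd's documented ID-mapping scheme (uid = ldap_idmap_range_min + slice * ldap_idmap_range_size + RID); the sssd-ldap default ldap_idmap_range_min of 200000 and the post's ldap_idmap_range_size of 2000000 are assumed, and the slice index is inferred from the RID/uid pairs visible in the post's wbinfo output rather than computed, since sssd derives it from a hash of the domain SID. The function names and the second, deliberately overlapping config are mine.

```shell
#!/bin/sh
# Added example (POSIX sh + awk): sanity-check the idmap layout of an sssd +
# winbind host that uses the sss idmap backend. Not code from the post or sssd/samba.

# Constructed input: the smb.conf [global] section from the post.
SMB_CONF='[global]
workgroup = AD
security = ads
realm = ad.mydomain.com
kerberos method = system keytab
idmap config AD : backend = sss
idmap config AD : range = 10000-1999999999
idmap config * : backend = tdb
idmap config * : range = 9000-9999'

# Constructed misconfiguration: the default (tdb) range runs into the sss range.
OVERLAPPING_SMB_CONF='[global]
idmap config AD : backend = sss
idmap config AD : range = 10000-1999999999
idmap config * : backend = tdb
idmap config * : range = 9000-20000'

# Assumed sssd ID-mapping parameters: the sssd-ldap default ldap_idmap_range_min
# and the ldap_idmap_range_size the post sets. sssd maps uid = MIN + slice*SIZE + RID.
SSSD_RANGE_MIN=200000
SSSD_RANGE_SIZE=2000000

# Print one "domain backend min max" line per "idmap config" stanza in the text $1.
idmap_ranges() {
  printf '%s\n' "$1" | awk -F ' *: *' '
    /^idmap config/ {
      split($1, a, " "); dom = a[3]
      if ($2 ~ /^backend/) { split($2, v, "= *"); backend[dom] = v[2] }
      if ($2 ~ /^range/)   { split($2, v, "= *"); split(v[2], r, "-"); range[dom] = r[1] " " r[2] }
    }
    END { for (d in range) print d, backend[d], range[d] }' | LC_ALL=C sort
}

# Succeed only if no two idmap ranges in config $1 intersect; report every overlap.
check_idmap_layout() {
  overlaps=$(idmap_ranges "$1" | awk '
    { d[NR] = $1; b[NR] = $2; lo[NR] = $3; hi[NR] = $4 }
    END {
      for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
        if (lo[i] <= hi[j] && lo[j] <= hi[i])
          printf "overlap: %s (%s) %s-%s intersects %s (%s) %s-%s\n",
                 d[i], b[i], lo[i], hi[i], d[j], b[j], lo[j], hi[j]
    }')
  [ -z "$overlaps" ] || { printf '%s\n' "$overlaps" >&2; return 1; }
}

# Print the backend whose range in config $2 covers uid $1; "none" and failure otherwise.
uid_backend() {
  idmap_ranges "$2" | awk -v uid="$1" '
    $3 <= uid && uid <= $4 { print $2; found = 1; exit }
    END { if (!found) { print "none"; exit 1 } }'
}

# Forward direction: the uid sssd assigns to RID $2 in slice $1.
sss_uid_for() {
  echo $(( SSSD_RANGE_MIN + $1 * SSSD_RANGE_SIZE + $2 ))
}

# Inverse: the slice that produced uid $1 for RID $2, or failure if the pair
# cannot have come from sssd with the assumed MIN/SIZE.
sss_slice_for() {
  offset=$(( $1 - $2 - SSSD_RANGE_MIN ))
  if [ "$offset" -lt 0 ] || [ $(( offset % SSSD_RANGE_SIZE )) -ne 0 ]; then
    echo "uid $1 / rid $2 does not fit sssd mapping (min=$SSSD_RANGE_MIN size=$SSSD_RANGE_SIZE)" >&2
    return 1
  fi
  echo $(( offset / SSSD_RANGE_SIZE ))
}

# Succeed if the whole uid window of slice $1 lies inside the sss backend's range in
# config $2, so every RID sssd can ever place in that slice is resolvable via winbind.
sss_slice_fits() {
  slice_lo=$(( SSSD_RANGE_MIN + $1 * SSSD_RANGE_SIZE ))
  slice_hi=$(( slice_lo + SSSD_RANGE_SIZE - 1 ))
  idmap_ranges "$2" | awk -v lo="$slice_lo" -v hi="$slice_hi" '
    $2 == "sss" && $3 <= lo && hi <= $4 { ok = 1 }
    END { exit !ok }'
}

demo() {
  echo "idmap ranges:"; idmap_ranges "$SMB_CONF"
  if check_idmap_layout "$SMB_CONF"; then echo "no overlapping idmap ranges"; fi
  # Observed RID -> uid pairs taken from the post's wbinfo -n / wbinfo -S output.
  for pair in 39092:42239092 179094:42379094 153534:42353534; do
    rid=${pair%%:*}; uid=${pair##*:}
    slice=$(sss_slice_for "$uid" "$rid")
    echo "rid $rid -> uid $uid: sssd slice $slice, winbind backend $(uid_backend "$uid" "$SMB_CONF")"
  done
  if sss_slice_fits 21 "$SMB_CONF"; then echo "slice 21 lies inside the sss backend range"; fi
  if ! check_idmap_layout "$OVERLAPPING_SMB_CONF"; then echo "overlapping config rejected"; fi
}
demo
```

All three observed pairs invert to the same slice (21), and that slice's whole window sits inside the 10000-1999999999 sss range, so the layout itself is consistent; on a host showing the intermittent WBC_ERR_DOMAIN_NOT_FOUND, a uid that inverts cleanly while wbinfo -S still fails points at winbind's view of the domain rather than at the ranges.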