On Thu, Jun 27, 2019 at 02:52:41PM -0000, Carwyn Edwards wrote:
> I _think_ I've found an issue with the combination of sssd and samba on
> RHEL/CentOS 7.6. There are a few threads in the list history about how to get
> these two to play nice despite the current "unsupported" status from RH. The
> gist of the issues are:
>
> * Need to make sure only samba or nothing are updating the machine passwords
> as if sssd is doing it it won't update the secrets in samba's database.
> * Have to allocate an idmap range for the sss backend _and_ give a bit of
> space for a default backend to do its thing.
>
> This seems to be as simple as:
>
> Remove sssd-libwbclient and only use libwbclient (RPMs)
>
> # /etc/samba.smb.conf:
>
> [global]
> workgroup = AD
> security = ads
> realm = ad.mydomain.com
> kerberos method = system keytab
>
> idmap config AD : backend = sss
> idmap config AD : range = 10000-1999999999
>
> idmap config * : backend = tdb
> idmap config * : range = 9000-9999
>
> # /etc/sssd/sssd.conf seems to need to contain (along with whatever realmd
> generates):
>
> ldap_id_mapping = True # use sssd mastered uids/gids
> ad_maximum_machine_account_password_age = 0 # stop sssd messing with host
> password
>
> We also have:
>
> ignore_group_members = True # for speed
> ldap_idmap_range_size = 2000000 # we have lots of users
>
> Then join making sure to use net join not adcli
>
> $ realm join --membership-software=samba -U mydomain_admin ad.mydomain.com
>
> On Fedora 30 the above works perfectly with all wbinfo commands working as
> expected and samba shares behave.
>
> Fedora 30:
> $ rpm -q sssd samba
> sssd-2.2.0-1.fc30.x86_64
> samba-4.10.4-1.fc30.x86_64
>
> BUT (big but)
>
> On CentOS 7.6 with exactly the same configuration .. it only sometimes works.
Yes, we missed a change in Samba's idmap interface
https://bugzilla.redhat.com/show_bug.cgi?id=1707759 /
https://pagure.io/SSSD/sssd/issue/4005 which affects CentOS 7.6. It is already
fixed in Fedora and will be fixed in 7.7 as well.

bye,
Sumit

>
> $ rpm -q sssd samba
> sssd-1.16.2-13.el7_6.8.x86_64
> samba-4.8.3-4.el7.x86_64
>
> I end up with behaviour along these lines:
>
> # Config and domain join as above, then try some lookups.
>
> $ wbinfo -n user086
> S-1-5-21-*-*-*-39092 SID_USER (1)
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
>
> $ systemctl stop smb
> $ systemctl restart winbind
>
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
>
> $ systemctl restart sssd
>
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
>
> $ systemctl restart sssd
>
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
>
> # Wait around 30 seconds ...
> ****** THIS BIT ******
>
> $ wbinfo -S S-1-5-21-*-*-*-39092
> 42239092
>
>
> Another run after scrubbing all config and tdb files, then after rejoin:
>
> $ wbinfo -n user21b
> S-1-5-21-*-*-*-179094 SID_USER (1)
> $ wbinfo -n user20b
> S-1-5-21-*-*-*-153534 SID_USER (1)
>
> $ wbinfo -s S-1-5-21-*-*-*-179094
> AD\user21b 1
> $ wbinfo -s S-1-5-21-*-*-*-153534
> AD\user20b 1
>
> $ wbinfo -S S-1-5-21-*-*-*-153534
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-153534 to uid
> $ wbinfo -S S-1-5-21-*-*-*-179094
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-179094 to uid
>
> $ systemctl restart winbind
> $ systemctl restart sssd
>
> # wbinfo -n user21b
> S-1-5-21-*-*-*-179094 SID_USER (1)
> # wbinfo -n user20b
> S-1-5-21-*-*-*-153534 SID_USER (1)
> # wbinfo -s S-1-5-21-*-*-*-179094
> AD\user21b 1
> # wbinfo -s S-1-5-21-*-*-*-153534
> AD\user20b
> # wbinfo -S S-1-5-21-*-*-*-179094
> 42379094
> # wbinfo -S S-1-5-21-*-*-*-153534
> 42353534
>
> I'm still trying to nail down what's going on here, but it feels very timing
> orientated. Left for a few hours a working config suddenly doesn't seem to
> want to resolve the sss based id resolution. The wbinfo -S queries are the
> ones that stop working (sid to uid), all the -s, -i -n queries still work and
> -t and -D AD still say sensible things.
>
> Importantly I can't get any of this to break on Fedora 30 though with the
> sssd and samba versions noted above.
>
> Not sure if this is on the samba side or sssd-winbind-idmap .. or if I'm
> simply losing my mind here :)
>
> Are there any known bugs or re-workings to the sss or winbind bits between
> sssd 1.16 and 2.2 or samba 4.8 and 4.10 that would account for this?
>
> Carwyn
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
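Added here as an example (not from Carwyn's or Sumit's mail, and not sssd or Samba code): a small Python check, run over a constructed smb.conf mirroring the fragment quoted above, that the sss and default ('*') idmap ranges are both declared and do not overlap, and that reports which backend's range a uid returned by `wbinfo -S` falls under.

```python
import re

# Constructed sample mirroring the smb.conf fragment quoted in the thread.
SMB_CONF = """[global]
workgroup = AD
security = ads
idmap config AD : backend = sss
idmap config AD : range = 10000-1999999999
idmap config * : backend = tdb
idmap config * : range = 9000-9999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf: str) -> dict:
    """Collect the backend and (low, high) range declared per idmap domain."""
    domains = {}
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            if key == "range":
                low, high = (int(x) for x in val.split("-", 1))
                domains.setdefault(dom, {})["range"] = (low, high)
            else:
                domains.setdefault(dom, {})["backend"] = val.lower()
    return domains

def check_idmap(domains: dict) -> list:
    """Problems found; an empty list means the layout follows the thread's advice."""
    problems = []
    if "*" not in domains:  # a default backend must exist for BUILTIN and local SIDs
        problems.append("no default ('*') idmap backend")
    ranges = []
    for dom, e in domains.items():
        low, high = e.get("range", (0, -1))  # (0, -1) marks a missing range
        if low > high:
            problems.append(f"{dom}: missing, empty or inverted range")
        ranges.append((dom, (low, high)))
    for i, (d1, (l1, h1)) in enumerate(ranges):
        for d2, (l2, h2) in ranges[i + 1:]:
            if l1 <= h2 and l2 <= h1:  # the two intervals intersect
                problems.append(f"{d1} range overlaps {d2} range")
    return problems

def owning_backend(domains: dict, uid: int):
    """(domain, backend) whose range holds a uid from 'wbinfo -S'; None if unmapped."""
    for dom, e in domains.items():
        if "range" in e and e["range"][0] <= uid <= e["range"][1]:
            return dom, e.get("backend", "?")
    return None
```

A uid landing in the '*' tdb range rather than the sss range is the quickest sign that winbind allocated the id itself instead of asking sssd.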