On Thu, Jun 27, 2019 at 02:52:41PM -0000, Carwyn Edwards wrote:
> I _think_ I've found an issue with the combination of sssd and samba on 
> RHEL/CentOS 7.6. There are a few threads in the list history about how to get 
> these two to play nice despite the current "unsupported" status from RH. The 
> gist of the issues are:
> 
> * Need to make sure only samba or nothing is updating the machine passwords, 
> as if sssd is doing it, it won't update the secrets in samba's database.
> * Have to allocate an idmap range for the sss backend _and_ give a bit of 
> space for a default backend to do its thing.
> 
> This seems to be as simple as:
> 
> Remove sssd-libwbclient and only use libwbclient (RPMs)
> 
> # /etc/samba/smb.conf:
> 
> [global]
>         workgroup = AD
>         security = ads
>         realm = ad.mydomain.com
>         kerberos method = system keytab
> 
>         idmap config AD : backend        = sss
>         idmap config AD : range          = 10000-1999999999
> 
>         idmap config * : backend         = tdb
>         idmap config * : range           = 9000-9999
> 
> # /etc/sssd/sssd.conf seems to need to contain (along with whatever realmd 
> generates):
> 
> ldap_id_mapping = True # use sssd mastered uids/gids
> ad_maximum_machine_account_password_age = 0 # stop sssd messing with host 
> password
> 
> We also have:
> 
> ignore_group_members = True # for speed
> ldap_idmap_range_size = 2000000 # we have lots of users
> 
> Then join making sure to use net join not adcli
> 
> $ realm join --membership-software=samba -U mydomain_admin ad.mydomain.com
> 
> On Fedora 30 the above works perfectly with all wbinfo commands working as 
> expected and samba shares behave.
> 
> Fedora 30:
> $ rpm -q sssd samba
> sssd-2.2.0-1.fc30.x86_64
> samba-4.10.4-1.fc30.x86_64
> 
> BUT (big but)
> 
> On CentOS 7.6 with exactly the same configuration .. it only sometimes works.

Yes, we missed a change in Samba's idmap interface
https://bugzilla.redhat.com/show_bug.cgi?id=1707759 /
https://pagure.io/SSSD/sssd/issue/4005 which affects CentOS 7.6. It is
already fixed in Fedora and will be fixed in 7.7 as well.

bye,
Sumit

> 
> $ rpm -q sssd samba
> sssd-1.16.2-13.el7_6.8.x86_64
> samba-4.8.3-4.el7.x86_64
> 
> I end up with behaviour along these lines:
> 
> # Config and domain join as above, then try some lookups.
> 
> $ wbinfo -n user086
> S-1-5-21-*-*-*-39092 SID_USER (1)
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
> 
> $ systemctl stop smb
> $ systemctl restart winbind
> 
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
> 
> $ systemctl restart sssd
> 
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
> 
> $ systemctl restart sssd
> 
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
> 
> # Wait around 30 seconds ... ****** THIS BIT ******
> 
> $ wbinfo -S S-1-5-21-*-*-*-39092
> 42239092
> 
> 
> Another run after scrubbing all config and tdb files, then after rejoin:
> 
> $ wbinfo -n user21b
> S-1-5-21-*-*-*-179094 SID_USER (1)
> $ wbinfo -n user20b
> S-1-5-21-*-*-*-153534 SID_USER (1)
> 
> $ wbinfo -s S-1-5-21-*-*-*-179094
> AD\user21b 1
> $ wbinfo -s S-1-5-21-*-*-*-153534
> AD\user20b 1
> 
> $ wbinfo -S S-1-5-21-*-*-*-153534
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-153534 to uid
> $ wbinfo -S S-1-5-21-*-*-*-179094
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-179094 to uid
> 
> $ systemctl restart winbind
> $ systemctl restart sssd
> 
> # wbinfo -n user21b
> S-1-5-21-*-*-*-179094 SID_USER (1)
> # wbinfo -n user20b
> S-1-5-21-*-*-*-153534 SID_USER (1)
> # wbinfo -s S-1-5-21-*-*-*-179094
> AD\user21b 1
> # wbinfo -s S-1-5-21-*-*-*-153534
> AD\user20b 
> # wbinfo -S S-1-5-21-*-*-*-179094
> 42379094
> # wbinfo -S S-1-5-21-*-*-*-153534
> 42353534
> 
> I'm still trying to nail down what's going on here, but it feels very timing 
> orientated. Left for a few hours a working config suddenly doesn't seem to 
> want to resolve the sss based id resolution. The wbinfo -S queries are the 
> ones that stop working (sid to uid), all the -s, -i -n queries still work and 
> -t and -D AD still say sensible things.
> 
> Importantly I can't get any of this to break on Fedora 30 though with the 
> sssd and samba versions noted above.
> 
> Not sure if this is on the samba side or sssd-winbind-idmap .. or if I'm 
> simply losing my mind here :)
> 
> Are there any known bugs or re-workings to the sss or winbind bits between 
> sssd 1.16 and 2.2 or samba 4.8 and 4.10 that would account for this?
> 
> Carwyn
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
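The configuration recipe quoted above (sss idmap backend with a separate default tdb range, sssd told not to rotate the machine password, libwbclient rather than sssd-libwbclient) is easy to get subtly wrong, and an overlapping range or a stray sssd-libwbclient package produces exactly the kind of intermittent SID-to-UID failures the thread describes. The script below is an added example, not code from the thread or from the SSSD or Samba projects: it parses the `idmap config ... : range` lines of an smb.conf, checks that the ranges are disjoint, checks that sssd.conf carries `ldap_id_mapping = True` and `ad_maximum_machine_account_password_age = 0`, and checks a package list for the wrong wbclient provider. The function names, the temporary directory, the sample sssd.conf and the deliberately overlapping smb.conf variant are constructed here; the good smb.conf is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an smb.conf / sssd.conf
# pair for the sss idmap backend setup described in the post.

# Print "DOMAIN LOW HIGH" for every "idmap config DOMAIN : range = LOW-HIGH".
idmap_ranges() {
    awk -F'=' '
        tolower($1) ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*$/ {
            dom = $1
            sub(/^[ \t]*idmap config[ \t]*/, "", dom)
            sub(/[ \t]*:.*$/, "", dom)
            rng = $2
            gsub(/[ \t]/, "", rng)
            split(rng, b, "-")
            print dom, b[1], b[2]
        }' "$1"
}

# Exit 0 if every range is sane (low <= high) and no two ranges overlap;
# otherwise list the problems and exit 1.
idmap_ranges_disjoint() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++) {
                if (lo[i] > hi[i]) {
                    printf "bad range: %s %d-%d\n", dom[i], lo[i], hi[i]; bad = 1
                }
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            }
            exit bad
        }'
}

# Exit 0 when sssd.conf ($1) contains "$2 = $3" (value compared
# case-insensitively, trailing "# comment" ignored).
sssd_conf_has() {
    awk -v k="$2" -v v="$3" -F'=' '
        { key = $1; gsub(/[ \t]/, "", key)
          val = $2; sub(/#.*/, "", val); gsub(/[ \t]/, "", val)
          if (key == k && tolower(val) == tolower(v)) found = 1 }
        END { exit !found }' "$1"
}

# Exit 0 if a package list (one name per line, e.g. the output of
# rpm -qa --qf '%{NAME}\n') has libwbclient and not sssd-libwbclient.
wbclient_provider_ok() {
    printf '%s\n' "$1" | grep -qx 'libwbclient' || return 1
    printf '%s\n' "$1" | grep -qx 'sssd-libwbclient' && return 1
    return 0
}

# Exit 0 if smb.conf ($1) and sssd.conf ($2) satisfy all the checks above.
check_host_config() {
    rc=0
    idmap_ranges_disjoint "$1" || { echo "smb.conf: idmap ranges not disjoint"; rc=1; }
    sssd_conf_has "$2" ldap_id_mapping true \
        || { echo "sssd.conf: ldap_id_mapping is not True"; rc=1; }
    sssd_conf_has "$2" ad_maximum_machine_account_password_age 0 \
        || { echo "sssd.conf: sssd may still rotate the machine password"; rc=1; }
    return $rc
}

# Constructed sample files in directory $1: the post's smb.conf, a variant
# whose default range collides with the AD range, and a minimal sssd.conf.
write_sample_configs() {
    cat > "$1/smb.conf" <<'EOF'
[global]
        workgroup = AD
        security = ads
        realm = ad.mydomain.com
        kerberos method = system keytab
        idmap config AD : backend        = sss
        idmap config AD : range          = 10000-1999999999
        idmap config * : backend         = tdb
        idmap config * : range           = 9000-9999
EOF
    cat > "$1/smb-overlap.conf" <<'EOF'
[global]
        idmap config AD : backend = sss
        idmap config AD : range = 10000-1999999999
        idmap config * : backend = tdb
        idmap config * : range = 9000-10999
EOF
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
domains = ad.mydomain.com
[domain/ad.mydomain.com]
id_provider = ad
ldap_id_mapping = True # use sssd mastered uids/gids
ad_maximum_machine_account_password_age = 0 # stop sssd rotating the host password
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_configs "$d"
    echo "post's config:"; check_host_config "$d/smb.conf" "$d/sssd.conf" && echo "  ok"
    echo "overlapping default range:"; check_host_config "$d/smb-overlap.conf" "$d/sssd.conf" || echo "  FAIL"
    rm -rf "$d"
}
demo
```

On a real host run the same functions against /etc/samba/smb.conf and /etc/sssd/sssd.conf, and feed `wbclient_provider_ok` the output of `rpm -qa --qf '%{NAME}\n'`; a failure of `idmap_ranges_disjoint` means the `*` backend can hand out an ID that the sss backend also claims, which is the overlap the post's two ranges are chosen to avoid.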