Thomas Dorsch
2006-May-30 11:08 UTC
[Samba] Samba 3.0.22 w2k3 ad+sfu working but ls shows only uidNumber and not uid
Hi Guys,

I have a problem getting id mapping to work as it should. My setup is as follows: Samba 3.0.22 on Debian Sarge 3.1. I've got SFU 3.5 installed on a W2K3 DC with SP1. I'm using winbindd in "idmap proxy only" mode.

Here's my generic smb.conf (it's not the real realm, of course!):

    workgroup = METADS
    realm = META.XXX.XX
    security = ADS
    server string = %h server (Samba %v)
    wins support = no
    wins proxy = no
    wins server = nbns
    dns proxy = no
    name resolve order = wins bcast
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog only = no
    syslog = 0
    loglevel = 3 passdb:5 auth:5 winbind:10 idmap:10
    panic action = /usr/share/samba/panic-action %d
    unix charset = ISO8859-1
    display charset = ISO8859-1
    load printers = no
    encrypt passwords = true
    preferred master = no
    enable privileges = yes
    idmap uid = 30000-40000
    idmap gid = 30000-40000
    idmap backend = ad
    winbind nss info = template sfu
    winbind use default domain = yes
    winbind nested groups = yes
    template shell = /bin/bash

    [profiles]
    path = /var/profiles
    browseable = no
    read only = no
    create mask = 0600
    directory mode = 0700
    profile acls = yes
    csc policy = disable
    force user = %U

    [homes]
    comment = Home Directories
    path = /home/%U
    browseable = no
    writable = yes
    create mask = 0600
    directory mask = 0700
    # root preexec = /usr/sbin/mkhomedir %U %G

    [server]
    comment = Test Share
    path = /var/server
    browseable = yes
    read only = no
    create mask = 0660
    directory mode = 0770

Ok, let's get to the point. Winbind -u/g returns all the user and group information out of the AD as expected. Getent passwd/group works fine also. I have access to the shares and can view the ownership/rights via the security tab in windoof. Doing a "chown dmg" (this group exists only in AD!!) is also possible. But if I do a "ls -la" I only get the gidNumber (6000) of this group!! The same happens to the owner of the file, for example Administrator with uidNumber (37).

I tried to get around this problem using "idmap uid = 999-1000" and "idmap gid = 999-1000" as a workaround described in bug 3289, but this doesn't fix my problem. Here is some debugging output:

    test:/var/server# ls -la
    total 3
    drwxrwx---   3 6340 6000 1024 May 23 17:01 .
    drwxr-xr-x  17 root root 1024 May 16 11:12 ..
    drwxrwx---   3 37   6000 1024 May 24 08:49 test

winbind output:

    [ 0]: request interface version
    [ 0]: request location of privileged pipe
    [ 0]: getgrgid 6000

Doing a "chown administrator.dmg test/" gives:

    [ 0]: request interface version
    [ 0]: request location of privileged pipe
    [ 0]: getgrgid 6000
    [ 0]: request interface version
    [ 0]: request location of privileged pipe
    [ 0]: getgroups root
    [ 2113]: lookupname METADS\root
    string_to_sid: Sid S-0-0 is not in a valid format.
    [ 0]: request interface version
    [ 0]: request location of privileged pipe
    [ 0]: getpwnam administrator.dmg
    [ 2113]: lookupname METADS\administrator.dmg
    rpc: name_to_sid name=METADS\administrator.dmg
    name_to_sid [rpc] administrator.dmg for domain METADS
    [ 0]: getpwnam administrator
    [ 2113]: lookupname METADS\administrator
    rpc: name_to_sid name=METADS\administrator
    name_to_sid [rpc] administrator for domain METADS
    [ 2113]: lookupsid S-1-5-21-2857693109-2026923775-3634067142-500
    ads: query_user
    ads query_user gave Administrator
    [ 2113]: lookupsid S-1-5-21-2857693109-2026923775-3634067142-500
    [ 2113]: sid to uid S-1-5-21-2857693109-2026923775-3634067142-500
    Connected to LDAP server 10.33.8.108
    got ldap server name ewt-master@META.EWT.DE, using bind path: dc=META,dc=XXX,dc=XX
    ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
    ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
    ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
    ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
    ads_sasl_spnego_bind: got server principal name =ewt-master$@META.XXX.XX
    ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
    Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 30 May 2006 19:17:30 CEST
    ad_idmap_get_id_from_sid mapped SID [S-1-5-21-2857693109-2026923775-3634067142-500] to POSIX UID 37
    [ 0]: getgrnam dmg
    rpc: name_to_sid name=METADS\dmg
    name_to_sid [rpc] dmg for domain METADS
    No nmbd found                          (Ok, only winbind is running!)
    cm_get_ipc_userpass: No auth-user defined
    Doing spnego session setup (blob length=111)
    got OID=1 2 840 48018 1 2 2
    got OID=1 2 840 113554 1 2 2
    got OID=1 2 840 113554 1 2 2 3
    got OID=1 3 6 1 4 1 311 2 2 10
    got principal=ewt-master$@META.EWT.DE
    Doing kerberos session setup
    Ticket in ccache[MEMORY:cliconnect] expiration Tue, 30 May 2006 19:17:30 CEST
    rpc_pipe_bind: Remote machine EWT-MASTER pipe \lsarpc fnum 0xc00a bind request returned ok.
    Got challenge flags:
    Got NTLMSSP neg_flags=0x62890235
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60080235
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60080235
    lsa_io_sec_qos: length c does not match size 8
    Connected to LDAP server 10.33.x.xxx
    got ldap server name ewt-master@META.XXX.XX, using bind path: dc=META,dc=XXX,dc=XX
    ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
    ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
    ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
    ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
    ads_sasl_spnego_bind: got server principal name =ewt-master$@META.XXX.XX
    ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
    Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 30 May 2006 19:17:30 CEST
    ads lookup_groupmem for sid=S-1-5-21-2857693109-2026923775-3634067142-1366

And a "wbinfo -s S-1-5-21-2857693109-2026923775-3634067142-1366" gives:

    test:/var/server# wbinfo -s S-1-5-21-2857693109-2026923775-3634067142-1366
    METADS\dmg 2

As you can see, the conversion sid to gid works! I've also tried playing with the idmapping ranges, but no go.

    test:/var/server# getent passwd administrator
    administrator:x:37:6000:Administrator:/home/Administrator:/bin/bash

This information is also correct (the Unix attributes are set for Administrator).

Please, could someone shed some light on this strange behaviour?

Regards,
Tom
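An added diagnostic, not part of Tom's post and not Samba's own tooling: "ls -l" resolves owners through getpwuid()/getgrgid() (numeric id to name), whereas "getent passwd administrator" exercises getpwnam() (name to id), so one leg can succeed while the other fails and ls falls back to printing the number. The script below round-trips a user or group through NSS in both directions and reports which leg breaks, and checks whether an id falls inside the idmap range declared in smb.conf. The SMB_CONF default path, the script name and the nss_lookup wrapper are assumptions; the only external commands it relies on are getent, sed, cut and tr.

```shell
#!/bin/sh
# Added diagnostic (not Samba's own tooling): round-trip NSS lookups the way
# "ls -l" and "getent" exercise them, and check ids against smb.conf idmap ranges.

# nss_lookup DB KEY: a single getent call. Kept as a function so it can be
# replaced by a constructed table when testing offline.
nss_lookup() {
    getent "$1" "$2"
}

# idmap_range FILE PARAM: print the value of "PARAM = LOW-HIGH" from smb.conf
# (first match, whitespace stripped); prints nothing if PARAM is absent.
idmap_range() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# in_range ID LOW-HIGH: exit 0 if ID lies inside the range, 1 otherwise.
in_range() {
    low=${2%-*}
    high=${2#*-}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}

# roundtrip DB KEY: look KEY up in passwd or group, then look the result up
# again by the other identifier (name -> id -> name, or id -> name -> id).
# Exit codes: 0 both legs agree; 2 forward lookup failed (getpwnam/getgrnam);
# 3 reverse lookup failed (the getpwuid/getgrgid leg that ls depends on);
# 4 both legs answered but returned different entries.
roundtrip() {
    db=$1
    key=$2
    fwd=$(nss_lookup "$db" "$key") || {
        echo "$db $key: forward lookup failed"
        return 2
    }
    name=$(printf '%s\n' "$fwd" | cut -d: -f1)
    id=$(printf '%s\n' "$fwd" | cut -d: -f3)
    case $key in
        *[!0-9]*) other=$id ;;    # KEY was a name: now resolve the numeric id
        *)        other=$name ;;  # KEY was numeric: now resolve the name
    esac
    rev=$(nss_lookup "$db" "$other") || {
        echo "$db $key -> $name/$id, but reverse lookup of $other failed"
        return 3
    }
    if [ "$rev" != "$fwd" ]; then
        echo "$db $key: forward and reverse entries differ"
        return 4
    fi
    echo "$db $key -> $name/$id ok"
}

# main USER...: round-trip each user and its primary group, and flag ids that
# fall outside the configured idmap ranges. The SMB_CONF default is an assumption.
main() {
    conf=${SMB_CONF:-/etc/samba/smb.conf}
    urange=$(idmap_range "$conf" 'idmap uid')
    grange=$(idmap_range "$conf" 'idmap gid')
    rc=0
    for user in "$@"; do
        roundtrip passwd "$user" || rc=1
        entry=$(nss_lookup passwd "$user") || continue
        uid=$(printf '%s\n' "$entry" | cut -d: -f3)
        gid=$(printf '%s\n' "$entry" | cut -d: -f4)
        roundtrip group "$gid" || rc=1
        [ -z "$urange" ] || in_range "$uid" "$urange" || echo "uid $uid outside idmap uid = $urange"
        [ -z "$grange" ] || in_range "$gid" "$grange" || echo "gid $gid outside idmap gid = $grange"
    done
    return $rc
}

# Runs only when given user names, e.g.: ./idmap-check.sh administrator
[ $# -eq 0 ] || main "$@"
```

Run it on the member server as root with the same user you tested with getent; a return code of 3 on the passwd leg means the name resolves but the numeric uid does not, which is exactly the lookup ls performs. The range check is informational: winbindd only hands out ids it allocates itself from the idmap range, so an id sourced from AD attributes may legitimately sit outside it, but seeing both facts side by side narrows down where the reverse mapping is being refused.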