I am trying to get two Samba PDCs/domains set up with a trust between
them. They are separate domains because they are separate companies
(one is a subsidiary of the other) located in different cities.
I am using CentOS 5.1 x86_64 and Samba 3.0.28a packages built by me from
Fedora 8 source RPMs.
Based on what I have read, in order to do the trust thing I need to use
Winbind/idmap to handle the non-local SIDs (not that I have got to the
point of trying to do the trust yet). Correct?
I have set up DOMA's PDC with the following idmap/winbind configuration.
There doesn't seem to be any up-to-date documentation on this stuff, so
I admit that I have been guessing at this, so it is probably
completely wrong.
idmap domains = OTHERDOMAINS DOMA DOMB
idmap config OTHERDOMAINS:default = yes
idmap config OTHERDOMAINS:backend = tdb
idmap config OTHERDOMAINS:range = 10000 - 20000
idmap config DOMA:default = no
idmap config DOMA:backend = tdb
idmap config DOMA:range = 20001 - 30000
idmap config DOMB:default = no
idmap config DOMB:backend = tdb
idmap config DOMB:range = 30001 - 40000
idmap alloc backend = tdb
idmap alloc config:range = 40001 - 50000
winbind separator = \
winbind enum users = yes
winbind enum groups = Yes
winbind nested groups = yes
Are the ranges all supposed to be separate like that? I was just
following an example that I found somewhere.
The domain "works" in that the PDC comes up, I can join XP clients to
the domain, log in, access shares, roaming profiles are saved to the
server, etc. But when I try to use usrmgr.exe to manage users I just
get a "The specified local group does not exist" error. Not a very
helpful error message, but after setting the log level to 10 in Samba
and searching through the logs I found that winbind seems to be failing
to resolve the Builtin groups to a gid, so I am assuming that the Builtin
groups are the "local group" being referred to.
[2008/04/22 17:42:52, 10]
passdb/lookup_sid.c:check_dom_sid_to_level(681)
Accepting SID S-1-5-32 in level 1
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:lookup_sid(959)
Sid S-1-5-32-549 -> BUILTIN\Server Operators(4)
[2008/04/22 17:42:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/04/22 17:42:52, 10] passdb/lookup_sid.c:sid_to_gid(1468)
winbind failed to find a gid for sid S-1-5-32-549
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_debug(84)
000000 samr_io_r_open_alias
[2008/04/22 17:42:52, 6] rpc_parse/parse_prs.c:prs_debug(84)
000000 smb_io_pol_hnd pol
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
0000 handle_type: 00000000
[2008/04/22 17:42:52, 7] rpc_parse/parse_prs.c:prs_debug(84)
000004 smb_io_uuid uuid
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
0004 data : 00000000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
0008 data : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
000a data : 0000
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
000c data : 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
000e data : 00 00 00 00 00 00
[2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
0014 status: NT_STATUS_NO_SUCH_ALIAS
The Builtin groups all exist and show up in net groupmap list output
correctly.
[root@domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> BUILTIN server operators
Replicator (S-1-5-32-552) -> BUILTIN replicator
Guests (S-1-5-32-546) -> BUILTIN guests
RAS Servers (S-1-5-32-553) -> BUILTIN ras servers
Power Users (S-1-5-32-547) -> BUILTIN power users
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> BUILTIN print operators
Administrators (S-1-5-32-544) -> BUILTIN administrators
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> BUILTIN pre-windows 2000 compatible access
Account Operators (S-1-5-32-548) -> BUILTIN account operators
Backup Operators (S-1-5-32-551) -> BUILTIN backup operators
Users (S-1-5-32-545) -> BUILTIN users
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers
The Administrators and Users Builtins were created automatically by
winbind. The others were created with net sam createbuiltingroup.
If I stop the winbind service, without any other changes, usrmgr.exe
starts correctly and I can add users, change group memberships, etc.
net groupmap list with winbind stopped shows:
[root@domapdc samba]# net groupmap list
Server Operators (S-1-5-32-549) -> 10083
Replicator (S-1-5-32-552) -> 10110
Guests (S-1-5-32-546) -> 10080
RAS Servers (S-1-5-32-553) -> 10111
Power Users (S-1-5-32-547) -> 10081
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> 10084
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
Account Operators (S-1-5-32-548) -> 10082
Backup Operators (S-1-5-32-551) -> 10085
Users (S-1-5-32-545) -> 10001
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers
Let me know if any other information is required. Any help with this
will be appreciated.
Thanks
Mike
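The idmap ranges in the first message and the two groupmap listings lend themselves to a mechanical check. The script below is an added example, not code from this thread or from Samba. It parses the "idmap config <DOMAIN>:range" lines out of an smb.conf fragment and reports ranges that are inverted or that overlap another domain's range (overlapping ranges matter because a SID from one domain can then be allocated the same uid/gid as a SID from another domain, which silently merges their file permissions), and it then checks whether every numeric gid in a "net groupmap list" listing falls inside one of the configured ranges. The smb.conf text and the groupmap listing embedded in it are constructed from the ones quoted above; the function names and the deliberately overlapping second config are this example's own.

```python
"""Consistency checks for Samba 3 "idmap config" ranges and "net groupmap list".

Added example, not from the thread or from Samba.  Function names are this
example's own; the sample inputs are constructed from the listings in the thread.
"""
import re
from typing import Dict, List, Tuple

# "idmap config <DOMAIN>:range = <low> - <high>"  (other idmap lines are ignored)
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)
# "<Group Name> (<SID>) -> <numeric gid or unix group name>"
GROUPMAP_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+\((?P<sid>S-1-5-[\d-]+)\)\s+->\s+(?P<unix>\S.*?)\s*$"
)

# Constructed from the first smb.conf fragment in the thread.
CONF_FIRST = """
idmap domains = OTHERDOMAINS DOMA DOMB
idmap config OTHERDOMAINS:default = yes
idmap config OTHERDOMAINS:range = 10000 - 20000
idmap config DOMA:range = 20001 - 30000
idmap config DOMB:range = 30001 - 40000
idmap alloc config:range = 40001 - 50000
"""

# Constructed for this example: DOMA and DOMB ranges deliberately overlap.
CONF_OVERLAP = """
idmap config DOMA:range = 10000 - 30000
idmap config DOMB:range = 25000 - 40000
"""

# Constructed from the "net groupmap list" output taken with winbind stopped.
GROUPMAP = """
Server Operators (S-1-5-32-549) -> 10083
Replicator (S-1-5-32-552) -> 10110
Guests (S-1-5-32-546) -> 10080
RAS Servers (S-1-5-32-553) -> 10111
Power Users (S-1-5-32-547) -> 10081
Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
Print Operators (S-1-5-32-550) -> 10084
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
Account Operators (S-1-5-32-548) -> 10082
Backup Operators (S-1-5-32-551) -> 10085
Users (S-1-5-32-545) -> 10001
Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers
"""


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m["dom"].upper()] = (int(m["lo"]), int(m["hi"]))
    return ranges


def check_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[str]:
    """List inverted ranges and every pair of domains whose ranges intersect."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    problems = [f"{d}: range {lo}-{hi} is inverted" for d, (lo, hi) in items if lo > hi]
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo2 <= hi1 and lo1 <= hi2:  # closed intervals intersect
                problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems


def place_groupmap_gids(listing: str, ranges: Dict[str, Tuple[int, int]]):
    """Split a 'net groupmap list' listing into three parts:
    placed:  {SID: domain whose idmap range contains the mapped numeric gid}
    outside: [(name, SID, gid)] numeric gids that fall in no configured range
    local:   [(name, SID, unixname)] entries nss showed as a group name (here
             /etc/group entries such as 'domadmins') rather than a raw gid"""
    placed, outside, local = {}, [], []
    for line in listing.splitlines():
        m = GROUPMAP_RE.match(line)
        if not m:
            continue
        name, sid, unix = m["name"], m["sid"], m["unix"]
        if not unix.isdigit():
            local.append((name, sid, unix))
            continue
        gid = int(unix)
        owner = next((d for d, (lo, hi) in ranges.items() if lo <= gid <= hi), None)
        if owner is None:
            outside.append((name, sid, gid))
        else:
            placed[sid] = owner
    return placed, outside, local


if __name__ == "__main__":
    for label, conf in (("first config", CONF_FIRST), ("overlapping config", CONF_OVERLAP)):
        ranges = parse_idmap_ranges(conf)
        print(label, ranges, check_ranges(ranges) or "ranges are disjoint")
    placed, outside, local = place_groupmap_gids(GROUPMAP, parse_idmap_ranges(CONF_FIRST))
    print(len(placed), "gids inside configured ranges,", len(outside), "outside,",
          len(local), "shown as local group names")
```

Run against the first config, every BUILTIN gid in the listing (10000 to 10112) lands in the OTHERDOMAINS range and no two domain ranges intersect; feeding it a config whose ranges start at 20001 instead reports all eleven numeric mappings as outside any range, which is the kind of mismatch worth ruling out before looking at winbind itself.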
First of all apologies for replying to my own query, but I have run out
of things to try and really need to make some progress on this.
I have done a clean install and am now using the configuration file
below for my Samba PDC. This has made no difference to the issue with
usrmgr.exe. As before this is Samba 3.0.28a on Centos 5.1 x86_64 and
nsswitch is configured to use winbind.
[global]
log level = 5
workgroup = domb
server string = Samba Server Version %v
interfaces = lo, eth0
passdb backend = tdbsam:/etc/samba/passdb.tdb
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
# Stuff that makes this machine a PDC.
add user script = /usr/sbin/useradd "%u" -n -g domusers
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false -g machines "%u"
logon path = \\%L\Profiles\%U
logon home = \\%L\%U\.profiles
logon drive = H:
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins proxy = Yes
wins support = Yes
# Equivalent of old behaviour.
idmap domains = ALLDOMAINS
idmap config ALLDOMAINS:default = yes
idmap config ALLDOMAINS:backend = tdb
idmap config ALLDOMAINS:range = 10000 - 50000
idmap alloc backend = tdb
idmap alloc config:range = 10000 - 50000
winbind enum users = yes
winbind enum groups = Yes
winbind nested groups = yes
hosts allow = 127., 192.168.42., 192.168.43.
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
share modes = No
read only = yes
[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
At this stage I believe there to be a problem with winbind as I have
also tried the following.
Creating a local group with "net -U root%xxxxxxx sam createlocalgroup
local1", which succeeds.
A portion of the output from "net groupmap list verbose" shows:
local1
SID : S-1-5-21-2991776595-4262790192-2958925130-1004
Unix gid : 10053
Unix group: local1
Group type: Local Group
Comment :
Testing winbind with the following:
[root@dombpdc ~]# wbinfo -G 10053
S-1-5-21-2991776595-4262790192-2958925130-1004
[root@dombpdc ~]# wbinfo -s
"S-1-5-21-2991776595-4262790192-2958925130-1004"
Could not lookup sid S-1-5-21-2991776595-4262790192-2958925130-1004
Shouldn't both these commands work, or am I missing something? I tried it
both with and without the quotes around the SID.
Also
[root@dombpdc ~]# wbinfo -D .
Name : DOMB
Alt_Name :
SID : S-1-5-21-2991776595-4262790192-2958925130
Active Directory : No
Native : No
Primary : Yes
Sequence : -1
[root@dombpdc ~]# wbinfo -u
Error looking up domain users
[root@dombpdc ~]# wbinfo -g
BUILTIN\server operators
BUILTIN\guests
BUILTIN\power users
BUILTIN\print operators
BUILTIN\administrators
BUILTIN\account operators
BUILTIN\backup operators
BUILTIN\users
local1
These are only the local groups. Shouldn't this list the domain groups
as well?
[root@dombpdc ~]# wbinfo --getdcname domb
Could not get dc name for domb
Which may well be the root of the problem?
I am happy to supply which ever logs are required, just let me know.
Thanks
Mike
On Wed, 2008-04-23 at 13:11 +0200, L.P.H. van Belle wrote:
> did you add your server to the domain ?
> eq.. net rpc join -S 'pdc-name' -U administrator%password -d 5
>
> check this page and review your config also.
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html
>
> Louis
>
> >-----Original message-----
> >From: samba-bounces+belle=bazuin.nl@lists.samba.org
> >[mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of Mike Brady
> >Sent: Wednesday 23 April 2008 9:46
> >To: samba@lists.samba.org
> >Subject: Re: [Samba] Problems with winbind, idmap and usrmgr.exe

Louis

Thanks for the response. My server is the PDC and on the current build
it has not been joined to the domain. I have joined it now and it has
made no difference in that the above wbinfo commands give the same
results. In general is it required that the PDC be added to itself
(well sort of)?

I had to use root to do the join. Meaning

net rpc join -S 'pdc-name' -U root%password -d 5

administrator doesn't work for the net commands, but I can log in as
administrator from a Windows client.

smbusers contains

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

so should 'administrator' work for the net commands?

Thanks

Mike