Rowland Penny
2015-Apr-04 20:17 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 04/04/15 18:28, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>> # cat /etc/resolv.conf
>>> nameserver 192.168.17.4
>>> search ads.ccenter.lan
>>>
>>> # host -t SRV _ldap._tcp.ads.ccenter.lan.
>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>
>>> # nslookup dc1
>>> Server: 192.168.17.4
>>> Address: 192.168.17.4#53
>>>
>>> Name: dc1.ads.ccenter.lan
>>> Address: 192.168.17.4
>>>
>>> # ping dc1 -c 1
>>> PING dc1.ads.ccenter.lan (192.168.17.4) 56(84) bytes of data.
>>> 64 bytes from dc1.ccenter.lan (192.168.17.4): icmp_req=1 ttl=64 time=0.487 ms
>>>
>>> --- dc1.ads.ccenter.lan ping statistics ---
>>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>>> rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms
>>>
>>> root@userl:~# wbinfo -t
>>> checking the trust secret for domain CCENTER via RPC calls succeeded
>>> root@userl:~# wbinfo -u | wc -l
>>> 19
>>> root@userl:~# getent passwd domainuser
>>> root@userl:~# smbclient -L localhost -U domainuser
>>> Enter domainuser's password:
>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>
>>> [2015/04/04 05:20:55.239144, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request)
>>> process_request: Handling async request 2811:GETPWNAM
>>> [2015/04/04 05:20:55.239176, 3, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>> getpwnam CCENTER\domainuser
>>> [2015/04/04 05:20:55.239256, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
>>> SID 0: S-1-5-21-1031481445-3291699540-3997755762-61000
>>> [2015/04/04 05:20:55.239303, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid)
>>> find_lookup_domain_from_sid(S-1-5-21-1031481445-3291699540-3997755762-513)
>>> [2015/04/04 05:20:55.239335, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid)
>>> calling find_our_domain
>>> [2015/04/04 05:20:55.239381, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
>>> SID 0: S-1-5-21-1031481445-3291699540-3997755762-513
>>> [2015/04/04 05:20:55.239422, 5, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>> Could not convert sid S-1-5-21-1031481445-3291699540-3997755762-61000: NT_STATUS_NONE_MAPPED
>>> [2015/04/04 05:20:55.239469, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
>>> wb_request_done[2811:GETPWNAM]: NT_STATUS_NONE_MAPPED
>>> [2015/04/04 05:20:55.239510, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written)
>>> winbind_client_response_written[2811:GETPWNAM]: delivered response to client
>>>
>>>>> 127.0.0.1#35321: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN IN SRV + (127.0.0.1)
>>>>> ;; ANSWER SECTION:
>>>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN. 503 IN SRV 0 100 389 dc1.ads.ccenter.lan.
>>>>>
>>>>> 127.0.0.1#55300: query: dc1.ads.ccenter.lan IN AAAA + (127.0.0.1)
>>>>> 127.0.0.1#36282: query: dc1.ads.ccenter.lan.ccenter.lan IN AAAA + (127.0.0.1)
>>>>> (no answer - IPv6 resolution disabled)
>>>>>
>>>>> 127.0.0.1#47102: query: dc1.ads.ccenter.lan IN A + (127.0.0.1)
>>>>> ;; ANSWER SECTION:
>>>>> dc1.ads.ccenter.lan. 373 IN A 192.168.17.4
>>>>>
>>>>> 127.0.0.1#58461: query: _kerberos._udp.ADS.CCENTER.LAN IN SRV + (127.0.0.1)
>>>>> ;; ANSWER SECTION:
>>>>> _kerberos._udp.ADS.CCENTER.LAN. 324 IN SRV 0 100 88 dc1.ads.ccenter.lan.
>>>>>
>>>>>> can you ping from each machine to the other, both by ip and hostname ?
>>>>>> what does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show ?
>>>>> root@dc1:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>>>
>>>>> root@userl:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>>>
>>>>>> does the 'container' have all the required ports open ?
>>>>> If logs are to be trusted, it is even able to list users and groups.
>>>>>
>>>>> log.wb-CCENTER
>>>>> [2015/04/03 22:55:59.314002, 3, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
>>>>> get_dc_list: preferred server list: "dc1.ads.ccenter.lan, *"
>>>>> [2015/04/03 22:55:59.318397, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:680(ads_connect)
>>>>> Successfully contacted LDAP server 192.168.17.4
>>>>> [2015/04/03 22:55:59.320717, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:723(ads_connect)
>>>>> Connected to LDAP server dc1.ads.ccenter.lan
>>>>> [2015/04/03 22:55:59.325436, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>>>> [2015/04/03 22:55:59.325466, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>>>> [2015/04/03 22:55:59.325498, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>>>> [2015/04/03 22:55:59.325527, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
>>>>> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
>>>>> [2015/04/03 22:55:59.325655, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
>>>>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
>>>>> [2015/04/03 22:55:59.333493, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 04 Apr 2015 08:55:59 MSK
>>>>> [2015/04/03 22:55:59.373034, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:378(query_user_list)
>>>>> ads query_user_list gave 19 entries
>>>>>
>>>>> This is about right.
>>>>> root@dc1:~# wbinfo -u | wc -l
>>>>> 19
>>>>>
>>>>> [2015/04/03 22:55:59.374070, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>>>> Connecting to 192.168.17.4 at port 135
>>>>> [2015/04/03 22:55:59.375923, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>>>> Connecting to 192.168.17.4 at port 1024
>>>>> [2015/04/03 22:55:59.516885, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-513 for domain CCENTER
>>>>> [2015/04/03 22:56:13.713563, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:403(enum_dom_groups)
>>>>> ads: enum_dom_groups
>>>>> [2015/04/03 22:56:13.763644, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:501(enum_dom_groups)
>>>>> ads enum_dom_groups gave 216 entries
>>>>>
>>>>> This is a bit off, but still close.
>>>>> root@dc1:~# wbinfo -g | wc -l
>>>>> 211
>>>>>
>>>>> [2015/04/03 22:56:13.765824, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-571 for domain CCENTER
>>>>> [2015/04/03 22:59:42.388144, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>>> [13765]: list trusted domains
>>>>> [2015/04/03 22:59:42.388330, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:1419(trusted_domains)
>>>>> ads: trusted_domains
>>>>> [2015/04/03 23:00:59.189216, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>>>>> msrpc_name_to_sid: name=CCENTER\DOMAINUSER
>>>>> [2015/04/03 23:00:59.189271, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>>>>> name_to_sid [rpc] CCENTER\DOMAINUSER for domain CCENTER
>>>>> [2015/04/03 23:00:59.195301, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:597(query_user)
>>>>> ads: query_user
>>>>>
>>>>> But in the end, it just doesn't work. getent doesn't list anything sensible,
>>>>> not from explicit request, nor from enumeration.
>>>>>
>>>>>
>>>
>> OK, what does running this command on the DC show:
>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep 'uidNumber'
>> This relies on ldb-tools being installed and sam.ldb being in
>> '/var/lib/samba/private' if yours is somewhere else, change the path.
> I have the urge to say "nothing" before even checking first, as I have no
> RIDs that high. But it appears the RIDs were all changed after migration.
>
> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber
>
> # record 1
> dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
> uidNumber: 30000
>
> Before migration, all users had RID=uidNumber, except one.
> Why have they been changed?
>

I have no idea why they have changed, but it is there and it is inside
the range set in your member server smb.conf, so getent should fetch the
users info.
Have you got the winbind links in the correct place, see the member
server wiki page
do you have 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf

Can you check that Domain Users has a 'gidNumber'

Rowland
Andrey Repin
2015-Apr-04 23:59 UTC
[Samba] Member server - winbind unable to resolve users/groups
Greetings, Rowland Penny!

>>> OK, what does running this command on the DC show:
>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep 'uidNumber'
>>> This relies on ldb-tools being installed and sam.ldb being in
>>> '/var/lib/samba/private' if yours is somewhere else, change the path.
>> I have the urge to say "nothing" before even checking first, as I have no
>> RIDs that high. But it appears the RIDs were all changed after migration.
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber
>>
>> # record 1
>> dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
>> uidNumber: 30000
>>
>> Before migration, all users had RID=uidNumber, except one.
>> Why have they been changed?
>>
> I have no idea why they have changed, but it is there and it is inside
> the range set in your member server smb.conf, so getent should fetch the
> users info.
> Have you got the winbind links in the correct place, see the member
> server wiki page
> do you have 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf

Since Winbind is actually trying to resolve the names from getent, the
requests are passed correctly to it.
I did not make any links, because I'm not compiling anything myself.
I'm using the distributed version of Samba.

> Can you check that Domain Users has a 'gidNumber'

# ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)' objectSID gidNumber
# record 1
dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
gidNumber: 513

--
With best regards,
Andrey Repin
Sunday, April 5, 2015 02:50:14

Sorry for my terrible English...
Rowland Penny
2015-Apr-05 09:57 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 00:59, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> OK, what does running this command on the DC show:
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep 'uidNumber'
>>>> This relies on ldb-tools being installed and sam.ldb being in
>>>> '/var/lib/samba/private' if yours is somewhere else, change the path.
>>> I have the urge to say "nothing" before even checking first, as I have no
>>> RIDs that high. But it appears the RIDs were all changed after migration.
>>>
>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber
>>>
>>> # record 1
>>> dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
>>> uidNumber: 30000
>>>
>>> Before migration, all users had RID=uidNumber, except one.
>>> Why have they been changed?
>>>
>>>
>> I have no idea why they have changed, but it is there and it is inside
>> the range set in your member server smb.conf, so getent should fetch the
>> users info.
>> Have you got the winbind links in the correct place, see the member
>> server wiki page
>> do you have 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf
> Since Winbind is actually trying to resolve the names from getent, the
> requests are passed correctly to it.
> I did not make any links, because I'm not compiling anything myself.
> I'm using the distributed version of Samba.
>
>> Can you check that Domain Users has a 'gidNumber'
> # ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)' objectSID gidNumber
> # record 1
> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
> gidNumber: 513
>

I think that could very well be your problem, you have these lines in the
smb.conf on your member server:

idmap config CCENTER : backend = ad
idmap config CCENTER : schema_mode = rfc2307
idmap config CCENTER : range = 1000-50000

What they mean is, use the winbind 'ad' backend with rfc2307 attributes
and ignore any uidNumbers & gidNumbers that fall outside the range
'1000-50000'. '513' is less than '1000' so will be ignored, and as
'Domain Users' is the users' primary group and must have a valid
gidNumber, all users are ignored.

Try this, give 'Domain Users' a larger gidNumber:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'

Change 'gidNumber: 513'
To 'gidNumber: 10513'

Now try 'getent passwd domainuser'

Rowland
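The range check Rowland describes above, written out as an added example (not code from the thread or from Samba): it parses the three quoted idmap lines and ldbsearch-style LDIF (a constructed sample; the user's primaryGroupID attribute is assumed, its value matches the Domain Users RID from the thread) and flags every object whose uidNumber/gidNumber falls outside the configured range, plus every user whose primary group is thereby left unmapped.

```python
import re

# Constructed sample: the three idmap lines Rowland quotes for the member server.
SMB_CONF = """
idmap config CCENTER : backend = ad
idmap config CCENTER : schema_mode = rfc2307
idmap config CCENTER : range = 1000-50000
"""

# Constructed LDIF modelled on the thread's ldbsearch output; primaryGroupID is assumed.
LDIF = """
dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 30000
primaryGroupID: 513

dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
gidNumber: 513
"""

RANGE_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")

def parse_idmap_ranges(conf):
    """Map domain -> (low, high) from 'idmap config DOM : range = low-high'."""
    return {m[1]: (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(conf)}

def parse_ldif(text):
    """One dict per blank-line-separated LDIF record (single-valued attrs)."""
    recs = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in chunk.splitlines() if ":" in line)
        recs.append({k.strip(): v.strip() for k, v in pairs})
    return recs

def check_idmap(conf, ldif, domain):
    """Return {dn: reason} for objects winbind's 'ad' backend would refuse to map."""
    low, high = parse_idmap_ranges(conf)[domain]
    recs = parse_ldif(ldif)
    problems = {}
    for r in recs:  # pass 1: uidNumber/gidNumber must lie inside the range
        for attr in ("uidNumber", "gidNumber"):
            if attr in r and not low <= int(r[attr]) <= high:
                problems[r["dn"]] = f"{attr}={r[attr]} outside {low}-{high}"
    # pass 2: a user is only resolvable if its primary group (by RID) maps too
    by_rid = {r["objectSid"].rsplit("-", 1)[1]: r for r in recs if "objectSid" in r}
    for r in recs:
        grp = by_rid.get(r.get("primaryGroupID"))
        if grp and grp["dn"] in problems and r["dn"] not in problems:
            problems[r["dn"]] = f"primary group {grp['dn']} unmapped"
    return problems
```

Raising the group's gidNumber to 10513, as Rowland suggests, empties the result for this sample.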