samba - Mar 2009 - Problems with idmap_adex module

Hi Guys,

I'm having problems getting the new idmap_adex module to work.

When using the idmap_adex plugin I get the following:

# wbinfo -n administrator
S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500 User (1)
# wbinfo -i administrator
Could not get info for user administrator

As expected attempting to lookup user & group info via commands which use
libnss also fail.

The "administrator" account is setup with all the necessary rfc2307
attributes and works fine with the idmap_ad plugin. The uidNumber, gidNumber,
and uid attributes have been added to the forests partial attribute set, as
recommended by then idmap_adex man page.

Idmap log throws up a couple of interesting lines (full log below):
1) "NT_STATUS_NO_LOGON_SERVERS"; although wbinfo --online-status says
domain is online and name to sid lookups work ok.
2) "could not find idmap alloc module adex"; idmap module is installed
at /usr/lib/samba/idmap/adex.so, ad.so is in the same folder.

Domain & forest functional level are both Windows Server 2003. Running
Samba/Winbind 3.3.1 on RHEL5, built from Fedora rawhide SRPM.

Here is my smb.conf
[global]
        workgroup = LOCAL
        disable netbios = yes
        log file = /var/log/samba/%m.log
        max log size = 50
        ldap timeout = 10
        realm = LOCAL.DOM
        ldap ssl = off
        security = ads
        winbind use default domain = true
        log level = idmap:10
        winbind offline logon = true
        winbind enum groups = no
        winbind enum users = no
        use kerberos keytab = yes
        winbind refresh tickets = true
        template homedir = /home/%U
        idmap backend = adex
        idmap uid = 100-4000000000
        idmap gid = 100-4000000000
        winbind nss info = adex
        winbind normalize names = yes

And here is log-winbindd-idmap at debug level 10:

[2009/03/26 09:12:45, 10] winbindd/idmap_util.c:idmap_sid_to_uid(143)
  idmap_sid_to_uid: sid = [S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500], domain
= ''
[2009/03/26 09:12:45, 10] winbindd/idmap.c:idmap_backends_sid_to_unixid(763)
  idmap_backend_sid_to_unixid: domain = '', sid =
[S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500]
[2009/03/26 09:12:45, 10] winbindd/idmap.c:idmap_find_domain(465)
  idmap_find_domain called for domain ''
[2009/03/26 09:12:45, 10] winbindd/idmap.c:idmap_init_default_domain(349)
  idmap_init_default_domain: calling static_init_idmap
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap_alloc(218)
  Successfully added idmap alloc backend 'ldap'
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'ldap'
[2009/03/26 09:12:45, 10] winbindd/idmap_tdb.c:idmap_tdb_init(1192)
  calling idmap_tdb_init
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap_alloc(218)
  Successfully added idmap alloc backend 'tdb'
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'tdb'
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'passdb'
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'nss'
[2009/03/26 09:12:45,  3] winbindd/idmap.c:idmap_init_default_domain(359)
  idmap_init: using 'adex' as remote backend
[2009/03/26 09:12:45, 10]
winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = ,  Filter =
(objectSid=\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX),
Scope = 2, GC = yes
[2009/03/26 09:12:45, 10]
winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(339)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45,  1]
winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(346)
  LWI: Failled to connect to cell "dc=LOCAL,dc=DOM"
(NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45, 10]
winbindd/idmap_adex/domain_util.c:dc_search_domains(243)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45, 10]
winbindd/idmap_adex/provider_unified.c:search_domain(254)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45,  4]
winbindd/idmap_adex/provider_unified.c:search_domain(270)
  LWI (search_domain): NT_STATUS_NO_LOGON_SERVERS
[2009/03/26 09:12:45, 10]
winbindd/idmap_adex/provider_unified.c:search_forest(523)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45,  4]
winbindd/idmap_adex/provider_unified.c:search_forest(531)
  LWI (search_forest): NT_STATUS_NO_LOGON_SERVERS
[2009/03/26 09:12:45,  3]
winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_NO_LOGON_SERVERS
[2009/03/26 09:12:45, 10]
winbindd/idmap_adex/provider_unified.c:_ccp_get_id_from_sid(1003)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45, 10] winbindd/idmap.c:idmap_find_domain(465)
  idmap_find_domain called for domain 'NULL'
[2009/03/26 09:12:45,  1] winbindd/idmap.c:idmap_alloc_init(578)
  could not find idmap alloc module adex
[2009/03/26 09:12:45,  3] winbindd/idmap.c:idmap_new_mapping(693)
  Could not allocate id: NT_STATUS_INVALID_PARAMETER
[2009/03/26 09:12:45, 10] winbindd/idmap_util.c:idmap_sid_to_uid(193)
  idmap_new_mapping failed: NT_STATUS_INVALID_PARAMETER

Any help would be appreciated.

-ross

Ross McKerchar
Senior Systems Engineer 1

email: ross.mckerchar@sophos.com

Sophos - simply secure



Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United
Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Ross,
> I'm having problems getting the new idmap_adex module to work.
Sorry about that.
> When using the idmap_adex plugin I get the following:
> 
> # wbinfo -n administrator
> S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500 User (1)
> # wbinfo -i administrator
> Could not get info for user administrator
> 
> As expected attempting to lookup user & group info 
> via commands which use libnss also fail.
> 
> The "administrator" account is setup with all the necessary 
> rfc2307 attributes and works fine with the idmap_ad plugin.
> The uidNumber, gidNumber, and uid attributes have been added
> to the forests partial attribute set, as recommended by then
> idmap_adex man page.
> 
> Idmap log throws up a couple of interesting lines (full log below):
> 1) "NT_STATUS_NO_LOGON_SERVERS"; although wbinfo --online-status 
>  says domain is online and name to sid lookups work ok.
> 2) "could not find idmap alloc module adex"; idmap module is 
> installed at /usr/lib/samba/idmap/adex.so, ad.so is in the same
> folder.
idmap_adex doesn't do uid/gid allocation so this is a normal
message.
> Domain & forest functional level are both Windows Server 2003. 
> Running Samba/Winbind 3.3.1 on RHEL5, built from Fedora
> rawhide SRPM.
> 
> Here is my smb.conf
> [global]
>         workgroup = LOCAL
...

The conf file looks fine.
> And here is log-winbindd-idmap at debug level 10:
> 
...
> [2009/03/26 09:12:45, 10]
winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
>   cell_do_search: Base = ,  Filter = (objectSid=\XX\....), Scope = 2, GC =
yes
> [2009/03/26 09:12:45, 10]
winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(339)
>   Failed! (NT_STATUS_NO_LOGON_SERVERS)
Any chance i could get you to send me a network sniff of the failure
(off list)?   E.g.

  $ tcpdump -s 0 -w /tmp/dump.pcap \
    port 88 or port 53 or port 3268 or port 389




cheers, jerry
- --
====================================================================Samba       
------- http://www.samba.org
Likewise Software                  ---------  http://www.likewise.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknLpngACgkQIR7qMdg1Efbn/ACfSlhx2g6hTXABULtMMtB3JcvA
5cMAn3f5XdUwzgJtVd0AoLsiqPYh932R
=w1qw
-----END PGP SIGNATURE-----