Gaiseric Vandal
2010-May-05 21:40 UTC
[Samba] samba 3.4.5 idmap alloc broken - more details
There may be several parts to the problem:

1. Winbind on Samba 3.4.x seems unable to allocate idmap entries (UID/SID or GID/SID), whether the backend is LDAP or TDB. Winbind on Samba 3.0.x is able to create idmap allocation mappings with an LDAP backend. The two problems with Samba 3.0.x are as follows:
- "getent" would stop showing trusted users once the cache period expired.
- it can't talk to domains in "native" mode.
However, when I run "wbinfo -u" and "getent passwd" on my 3.0.x machine it will add or update idmap entries in LDAP.

2. Samba 3.4 can read some of the idmap entries from LDAP. Domain_A is Windows 2003 in mixed mode. Samba 3.0.x is able to populate idmap allocation entries in LDAP. Samba 3.4, when running "getent passwd", can see the users from that domain. Domain_B is a Windows 2003 Native domain. Samba 3.4 cannot handle those entries. If I manually create the entry in LDAP, it does get added to gencache.tdb with the uid (e.g. 4000), e.g.:

---------------------------------------------------------------------------------
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1111\00"
data(16) = " 1273070774/40000\00"
key(20) = "IDMAP/UID2SID/40000\00"
data(60) = " 1272981160/S-1-5-21-xxxx-1111\00"
---------------------------------------------------------------------------------

But "getent passwd" will not show the user. If the entry was not predefined in LDAP, a negative entry gets added to gencache.tdb:

---------------------------------------------------------------------------------
key(60) = "IDMAP/SID2UID/S-1-5-21-xxxx-1112\00"
data(16) = " 1273080966/-1\00"
---------------------------------------------------------------------------------

3. Samba 3.4 has idmap allocation issues even with the TDB backend. If I change DomainB to use the TDB backend for idmap allocation, the gencache.tdb file will get a valid uid2sid but not sid2uid entry, e.g.:

---------------------------------------------------------------------------------
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1113\00"
data(16) = " 1273070774/-1\00"
key(20) = "IDMAP/UID2SID/30580\00"
data(60) = " 1272981160/S-1-5-21-xxxx-1113\00"
---------------------------------------------------------------------------------

So in summary it looks like idmap has issues with both allocating new id mappings and using existing ones.

I compiled samba 3.4.5 from source. Config.log shows it was compiled against the openldap and kerberos packages from sunfreeware.com (not the Sun ldap and kerberos packages bundled with the OS).

Help is appreciated. Thanks

-------- Original Message --------
Subject: samba 3.4.5 idmap alloc broken
Date: Tue, 04 May 2010 16:36:21 -0400
From: Gaiseric Vandal <gaiseric.vandal at gmail.com>
Reply-To: gaiseric.vandal at gmail.com
To: Samba <samba at lists.samba.org>

Some time back I upgraded a domain controller (Solaris 10) from samba 3.0.x to 3.4.5. In order to support interdomain trusts I am using winbind and idmap allocation with a samba backend. Since the upgrade it appears that samba is not allocating uids and gids for trusted domains.

my smb.conf looks something like:
----------------------------------------------------------------------------------------------------------------------------
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = no
winbind trusted domains only = no
# The "idmap domains" has been deprecated in 3.4
# idmap domains = DOMAIN_A DOMAIN_B DOMAIN_C
# Next two lines restored in 3.4 - but prob don't need
idmap uid = 30000-59999
idmap gid = 30000-59999
idmap config DOMAIN_A:backend = ldap
idmap config DOMAIN_A:readonly = no
idmap config DOMAIN_A:default=no
idmap config DOMAIN_A:ldap_base_dn = ou=domain_a,ou=idmap,o=mydomain.com
idmap config DOMAIN_A:ldap_user_dn = cn=Directory Manager
idmap config DOMAIN_A:ldap_url = ldap://ldap1.domain.com
idmap config DOMAIN_A:range = 30000-39999
idmap config DOMAIN_B:backend = ldap
idmap config DOMAIN_B:readonly = no
idmap config DOMAIN_B:default=no
idmap config DOMAIN_B:ldap_base_dn = ou=domain_b,ou=idmap,o=mydomain.com
idmap config DOMAIN_B:ldap_user_dn = cn=Directory Manager
idmap config DOMAIN_B:ldap_url = lldap://ldap1.domain.com
idmap config DOMAIN_B:range = 40000-45999
....
----------------------------------------------------------------------------------------------------------------------------

Domain_A (Windows 2003 AD in Mixed mode) has entries from prior to the upgrade and hasn't had new accounts added recently. Domain_B (Windows 2008 in Windows 2003 mode) is a new addition. No idmap entries ever populated. They should have populated after I ran "wbinfo -u" and "getent passwd" on the samba PDC.

Any ideas? Thanks
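As an added illustration (not part of the original post), a small Python parser for gencache.tdb entries in the tdbdump format quoted above: it decodes the "expiry/value" pairs and flags the negative and one-way mappings described in points 2 and 3. The dump lines below are constructed from the post's examples, with placeholder SIDs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the tdbdump style shown in the post (placeholder SIDs).
# 1111 is a complete two-way mapping, 1112 is a negatively cached SID (no UID),
# and 1113 is the one-way case from problem 3: UID2SID present, SID2UID is -1.
SAMPLE_DUMP = r'''
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1111\00"
data(16) = " 1273070774/40000\00"
key(20) = "IDMAP/UID2SID/40000\00"
data(60) = " 1272981160/S-1-5-21-xxxx-1111\00"
key(60) = "IDMAP/SID2UID/S-1-5-21-xxxx-1112\00"
data(16) = " 1273080966/-1\00"
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1113\00"
data(16) = " 1273070774/-1\00"
key(20) = "IDMAP/UID2SID/30580\00"
data(60) = " 1272981160/S-1-5-21-xxxx-1113\00"
'''

KEY_RE = re.compile(r'key\(\d+\) = "IDMAP/(SID2UID|UID2SID)/([^"\\]+)\\00"')
DATA_RE = re.compile(r'data\(\d+\) = " ?(\d+)/([^"\\]+)\\00"')


def parse_gencache(dump: str) -> Dict[str, Dict[str, Tuple[int, str]]]:
    """Return {"SID2UID": {sid: (expiry, value)}, "UID2SID": {uid: (expiry, value)}}.

    gencache stores "<expiry epoch>/<value>"; a value of -1 is a negative entry.
    """
    tables = {"SID2UID": {}, "UID2SID": {}}
    pending = None
    for line in dump.splitlines():
        k = KEY_RE.search(line)
        if k:
            pending = (k.group(1), k.group(2))
            continue
        d = DATA_RE.search(line)
        if d and pending:
            direction, ident = pending
            tables[direction][ident] = (int(d.group(1)), d.group(2))
            pending = None
    return tables


def check_mappings(tables, now: int) -> List[str]:
    """Flag negative, expired and one-way entries (the symptoms in the post)."""
    findings = []
    for sid, (expiry, uid) in tables["SID2UID"].items():
        if uid == "-1":
            findings.append(f"negative SID2UID for {sid}")
        if expiry < now:
            findings.append(f"expired SID2UID for {sid}")
    for uid, (expiry, sid) in tables["UID2SID"].items():
        back = tables["SID2UID"].get(sid)
        if back is None or back[1] != uid:
            findings.append(f"one-way mapping: UID2SID/{uid} -> {sid} lacks a matching SID2UID")
    return findings
```

Run it against `tdbdump gencache.tdb` output with `now` set to the current epoch time to see which cached mappings winbind will treat as misses.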
Gaiseric Vandal
2010-May-26 22:35 UTC
[Samba] Samba 3.4.8 idmap alloc broken - more details
This is a revision of an earlier post with some further results.

Some time back I upgraded a domain controller (Solaris 10) from samba 3.0.x (bundled with Solaris) to 3.4.5 (and then to 3.4.8), which I had compiled from source code. I copied nsswitch and all the idmap modules. In order to support interdomain trusts I am using winbind and idmap allocation with a samba backend.

Samba 3.0.x was not able to configure trusts with Win 2003 or Win 2008 domains in Win 2003 mode. It was able to configure trusts with a Win 2003 domain in mixed (i.e. NT4 compatibility) mode. Samba does detect that the mixed-mode domain is still Active Directory and not actually NT4. The second problem with Samba 3.0.x was that it would initially populate ldap with idmap entries, cache them locally and then, when the cache period expired, it would not reload the mappings from ldap (in fact they then seemed to get negatively cached).

Upgrading to samba 3.4.x fixed the following:
- no more negative caching of idmap entries from ldap
- can establish domain trusts with Win 2003 mode domains.

However, idmap does not allocate new entries. This is not a problem for the mixed-mode domain since I have a samba 3.0.x server that can do this. For the other domains I can manually create an idmap entry (either with the ldap editor or the wbinfo command if I temporarily change the "ldap idmap suffix" parameter to the domain-specific ou). We don't add or remove accounts that frequently.

"wbinfo -u" can be a little slow to respond, so increasing the default "idmap cache time" and "winbind cache time" from the default 300 seconds seems appropriate.

Unlike the samba 3.0.x machine, I don't see any idmap-specific or domain-specific log files.

Partial smb.conf file
------------------------------------------------------------------------------------
client NTLMv2 auth = yes
client lanman auth = No
client plaintext auth = No
security = user
passdb backend = ldapsam:ldap://ldap1.domain.com
wins support = No
wins server = x.x.x.x
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = no
winbind trusted domains only = no
idmap cache time = 14400
winbind cache time = 604800
ldap suffix=o=domain.com
ldap user suffix=ou=people
ldap machine suffix=ou=people
ldap admin dn="cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
ldap idmap suffix=ou=idmap
#IDMAP DEFAULT SETTINGS
idmap backend=ldap:ldap://ldap1.domain.com
idmap uid = 70000-79999
idmap gid = 70000-79999
#IDMAP DEFAULT ALLOC
idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldap1.domain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=domain.com
idmap alloc config:ldap_user_dn = cn=Directory Manager
idmap alloc config:range = 30000 - 79999
#following is a Win 2003 domain in mixed mode
idmap config DOMA:backend = ldap
idmap config DOMA:readonly = no
idmap config DOMA:default=no
idmap config DOMA:ldap_base_dn = ou=doma,ou=idmap,o=domain.com
idmap config DOMA:ldap_user_dn = cn=Directory Manager
idmap config DOMA:ldap_url = ldap://ldap1.domain.com
idmap config DOMA:range = 30000-35999
#following is a Win 2008 domain in Win 2003 mode
idmap config DOMB:backend = ldap
idmap config DOMB:readonly = no
idmap config DOMB:default=no
idmap config DOMB:ldap_base_dn = ou=domb,ou=idmap,o=domain.com
idmap config DOMB:ldap_user_dn = cn=Directory Manager
idmap config DOMB:ldap_url = ldap://ldap1.domain.com
idmap config DOMB:range = 40000-45999
#following is a Win 2003 domain in Win 2003 mode
idmap config DOMC:backend = ldap
idmap config DOMC:readonly = no
idmap config DOMC:default=no
idmap config DOMC:ldap_base_dn = ou=domc,ou=idmap,o=domain.com
idmap config DOMC:ldap_user_dn = cn=Directory Manager
idmap config DOMC:ldap_url = ldap://ldap1.domain.com
idmap config DOMC:range = 50000-55999
------------------------------------------------------------------------------------

The man pages indicate that the domain-specific id ranges must be within the alloc range. The ou=alloc object in ldap does not include any mappings but does have uid and gid parameters to track the next available one. With samba 3.0.x, running getent would populate idmap entries in the domain-specific ou. The domain-specific id would be ignored.

Any thoughts on the allocation problem? Thanks
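An added sanity check (not from the original post and not part of Samba) that applies the man-page constraint mentioned above to an smb.conf excerpt: every per-domain range must lie inside the alloc range, domain ranges must not overlap, and each ldap_url must start with an ldap:// or ldaps:// scheme (the first post's config contains a "lldap://" value that such a check would flag). The excerpt below is constructed with placeholder hostnames, and its DOMB/DOMC values are deliberately wrong so that every check fires.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt mirroring the per-domain layout of the smb.conf in the post
# (placeholder hostnames). DOMC's range is deliberately placed past the alloc
# range, DOMB overlaps DOMA, and DOMB's URL carries a typo, so every check fires.
SAMPLE_SMB_CONF = """
idmap alloc config:range = 30000 - 79999
idmap config DOMA:ldap_url = ldap://ldap1.example.com
idmap config DOMA:range = 30000-35999
idmap config DOMB:ldap_url = lldap://ldap1.example.com
idmap config DOMB:range = 34000-45999
idmap config DOMC:ldap_url = ldap://ldap1.example.com
idmap config DOMC:range = 78000-85999
"""

# Matches "idmap alloc config:<key> = <value>" and "idmap config <DOM>:<key> = <value>"
LINE_RE = re.compile(r'^\s*idmap (?:alloc config|config (\S+?)):(\w+)\s*=\s*(.+?)\s*$')

def parse_range(text: str) -> Tuple[int, int]:
    lo, hi = (int(p) for p in text.split("-", 1))   # int() tolerates "30000 - 79999"
    return lo, hi

def parse_idmap(conf: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (alloc settings, {domain: settings}) from the idmap config lines."""
    alloc, domains = {}, {}
    for line in conf.splitlines():
        m = LINE_RE.match(line)
        if m:
            dom, key, value = m.groups()          # dom is None for alloc lines
            (alloc if dom is None else domains.setdefault(dom, {}))[key] = value
    return alloc, domains

def validate_idmap(conf: str) -> List[str]:
    """Check the man-page constraint (every domain range inside the alloc range),
    that domain ranges do not overlap, and that ldap_url has an ldap(s):// scheme."""
    alloc, domains = parse_idmap(conf)
    alo, ahi = parse_range(alloc["range"])
    problems = []
    ranges = sorted((parse_range(s["range"]), d) for d, s in domains.items() if "range" in s)
    for (lo, hi), d in ranges:
        if lo < alo or hi > ahi:
            problems.append(f"{d}: range {lo}-{hi} outside alloc range {alo}-{ahi}")
    for ((_, hi1), d1), ((lo2, _), d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:                            # sorted by lo, so only neighbours can overlap
            problems.append(f"{d1} and {d2} overlap ({lo2} <= {hi1})")
    for d, s in domains.items():
        if "ldap_url" in s and not re.match(r'ldaps?://', s["ldap_url"]):
            problems.append(f"{d}: bad ldap_url scheme {s['ldap_url']!r}")
    return problems
```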