Javier Conti
2012-May-14 15:48 UTC
[Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3
Dear list,

upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3 to 3.6.3. I was successfully using idmap_ad to authenticate users, but after the upgrade it stopped working and users are not seen by the OS. Obviously the users I want to see on the Linux server have all RFC2307 attributes populated and are seen by all other SLES11 SP1 servers.

I checked everything (I know) from the Samba point of view, and it almost seems ok, but "wbinfo -i" fails as follows:

# wbinfo -i myuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user myuser

Using the same user, for example, I can do:

# wbinfo -n myuser
S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
# wbinfo -n "Domain Users"
S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)

# wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
MYDOMAIN\myuser 1
# wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
MYDOMAIN\Domain Users

# net -Uadminuser user info myuser |head
Enter adminuser's password:
domain users
[...]
# net -Uadminuser ads user |grep myuser
Enter adminuser's password:
myuser

Obviously, id(1) and getent(1) fail.
What I get is:

[2012/05/14 16:50:47.958484, 6] winbindd/winbindd.c:792(new_connection)
  accepted socket 25
[2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
  process_request: request fn INTERFACE_VERSION
[2012/05/14 16:50:47.958644, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 5756]: request interface version
[2012/05/14 16:50:47.958705, 10] winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:INTERFACE_VERSION]: delivered response to client
[2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/05/14 16:50:47.958808, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 5756]: request location of privileged pipe
[2012/05/14 16:50:47.958870, 10] winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2012/05/14 16:50:47.958939, 6] winbindd/winbindd.c:792(new_connection)
  accepted socket 26
[2012/05/14 16:50:47.958995, 6] winbindd/winbindd.c:840(winbind_client_request_read)
  closing socket 25, client exited
[2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
  process_request: Handling async request 5756:GETPWNAM
[2012/05/14 16:50:47.959097, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam myuser
[2012/05/14 16:50:47.959135, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
      domain : *
        domain : 'MYDOMAIN'
      name : *
        name : 'MYUSER'
      flags : 0x00000008 (8)
[2012/05/14 16:50:47.959276, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
      type : *
        type : SID_NAME_USER (1)
      sid : *
        sid : S-1-5-21-828208052-1092558876-1846952604-22794
      result : NT_STATUS_OK
[2012/05/14 16:50:47.959404, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_QueryUser: struct wbint_QueryUser
    in: struct wbint_QueryUser
      sid : *
        sid : S-1-5-21-828208052-1092558876-1846952604-22794
[2012/05/14 16:50:47.959499, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_QueryUser: struct wbint_QueryUser
    out: struct wbint_QueryUser
      info : *
        info: struct wbint_userinfo
          acct_name : *
            acct_name : 'myuser'
          full_name : *
            full_name : 'Lastname Firstname'
          homedir : *
            homedir : '/home/myuser'
          shell : *
            shell : '/bin/bash'
          primary_gid : 0x0000000000002710 (10000)
          user_sid : S-1-5-21-828208052-1092558876-1846952604-22794
          group_sid : S-1-5-21-828208052-1092558876-1846952604-513
      result : NT_STATUS_OK
[2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 10106
[2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found -1
[2012/05/14 16:50:47.959763, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
[2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
  wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
[2012/05/14 16:50:47.959843, 10] winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:GETPWNAM]: delivered response to client
[2012/05/14 16:50:47.959937, 6] winbindd/winbindd.c:840(winbind_client_request_read)
  closing socket 26, client exited

Although I tried many changes to the config, according to some hints found on the web, this is what I was using with Samba 3.4.3:

[global]
	workgroup = MYDOMAIN
	realm = MYREALM
	security = ADS
	log level = 10
	passdb backend = tdbsam
	idmap backend = idmap_ad
	idmap uid = 64000 - 64999
	idmap gid = 64000 - 64999
	idmap config MYDOMAIN : default = yes
	idmap config MYDOMAIN : backend = ad
	idmap config MYDOMAIN : range = 1000-50000
	idmap config MYDOMAIN : schema_mode = rfc2307
	winbind use default domain = yes
	winbind nss info = rfc2307
	winbind offline logon = yes
	winbind refresh tickets = yes
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
	usershare allow guests = No
	template homedir = /home/%D/%U
	template shell = /bin/bash
	kerberos method = secrets and keytab
	dedicated keytab file = /etc/krb5.keytab

Any hints on what has changed with Samba 3.6.3 and/or what to change to adapt the configuration to 3.6.3 (if necessary)?

Thanks,
Javier
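The level-10 trace above records a cache hit for sid2uid and a miss for sid2gid, but neither line prints the SID it was asked about. The script below is an added example, not part of the original post or of Samba: it reads such a GETPWNAM trace and attributes the two idmap_cache_find results to the user_sid and group_sid that wbint_QueryUser returned just before them, which is the order winbindd's getpwnam path (wb_getpwsid) runs them in. The trace embedded in the script is a constructed, abridged copy of the one in the post; the helper names (explain_getpwnam_trace, unmapped_sids, suggest_checks) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): attribute the idmap cache results
# in a level-10 winbindd GETPWNAM trace to the SIDs they were run for.
# Assumption (winbindd's wb_getpwsid call order): wbint_QueryUser returns
# user_sid and group_sid, then sid2uid is asked for user_sid and sid2gid
# for group_sid, so the two "idmap_cache_find_*" lines belong to those
# two SIDs even though the log does not print them.

# Constructed sample: an abridged copy of the trace shown in the post.
SAMPLE_TRACE='[2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
  process_request: Handling async request 5756:GETPWNAM
[2012/05/14 16:50:47.959097, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam myuser
[2012/05/14 16:50:47.959499, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_QueryUser: struct wbint_QueryUser
    out: struct wbint_QueryUser
      info : *
        info: struct wbint_userinfo
          primary_gid : 0x0000000000002710 (10000)
          user_sid : S-1-5-21-828208052-1092558876-1846952604-22794
          group_sid : S-1-5-21-828208052-1092558876-1846952604-513
      result : NT_STATUS_OK
[2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 10106
[2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found -1
[2012/05/14 16:50:47.959763, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED'

# explain_getpwnam_trace: read a trace on stdin and print one line per
# idmap cache result in the form "<uid|gid> <sid> <id|UNMAPPED>".
explain_getpwnam_trace() {
    awk '
        /Handling async request/ { user_sid = ""; group_sid = "" }
        /^[ \t]*user_sid[ \t]*:/  { user_sid = $NF }
        /^[ \t]*group_sid[ \t]*:/ { group_sid = $NF }
        /idmap_cache_find_sid2uid found/ {
            id = ($NF == "-1") ? "UNMAPPED" : $NF
            print "uid", user_sid, id
        }
        /idmap_cache_find_sid2gid found/ {
            id = ($NF == "-1") ? "UNMAPPED" : $NF
            print "gid", group_sid, id
        }
    '
}

# unmapped_sids: only the lookups whose cached mapping is missing, as
# "<uid|gid> <sid>" so the caller knows which id type was wanted.
unmapped_sids() {
    explain_getpwnam_trace | awk '$3 == "UNMAPPED" { print $1, $2 }'
}

# suggest_checks: turn each unmapped SID into the wbinfo call that asks
# winbindd for that mapping directly (-S is sid->uid, -Y is sid->gid).
suggest_checks() {
    unmapped_sids | awk '{ flag = ($1 == "uid") ? "-S" : "-Y"; print "wbinfo", flag, $2 }'
}

# Run against the constructed trace (or pipe a real log in instead).
printf '%s\n' "$SAMPLE_TRACE" | explain_getpwnam_trace
printf '%s\n' "$SAMPLE_TRACE" | suggest_checks
```

On the sample trace this reports the uid lookup for ...-22794 as found (10106) and the gid lookup for ...-513 as UNMAPPED, and suggests running `wbinfo -Y` on the group SID, which checks the primary-group mapping through winbindd itself rather than through the cache.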
David Disseldorp
2012-May-14 16:58 UTC
[Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3
Hi Javier,

On Mon, 14 May 2012 17:48:09 +0200
Javier Conti <javier.conti at gmail.com> wrote:

> upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
> to 3.6.3. I was successfully using idmap_ad to authenticate users but
> after the upgrade it stopped working and users are not seen by the OS.
> Obviously the users I want to see on the Linux server have all RFC2307
> attributes populated and are seen by all other SLES11 SP1 servers.
>
> I checked everything (I know) from the Samba point of view, and it almost
> seems ok, but "wbinfo -i" fails as follows:
>
> # wbinfo -i myuser
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user myuser

Thanks for your report. As this version of Samba is vendor supported, I'd encourage you to raise this issue at bugzilla.novell.com.

Do you also encounter this error with "winbind use default domain = no" configured, running "wbinfo -i MYDOMAIN\\myuser"?

Cheers, David
Michael Adam
2012-May-15 21:29 UTC
[Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3
Hi Javier,

Javier Conti wrote:
> Dear list,
>
> upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
> to 3.6.3. I was successfully using idmap_ad to authenticate users but
> after the upgrade it stopped working and users are not seen by the OS.
> Obviously the users I want to see on the Linux server have all RFC2307
> attributes populated and are seen by all other SLES11 SP1 servers.

> Although I tried many changes to the config, according to some hints found
> on the web, this is what I was using with Samba 3.4.3:
>
> [global]
> workgroup = MYDOMAIN
> realm = MYREALM
> security = ADS
>
> idmap backend = idmap_ad
> idmap uid = 64000 - 64999
> idmap gid = 64000 - 64999
>
> idmap config MYDOMAIN : default = yes
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : range = 1000-50000
> idmap config MYDOMAIN : schema_mode = rfc2307
>
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind offline logon = yes
> winbind refresh tickets = yes
> [...]
>
> Any hints on what has changed with Samba 3.6.3 and/or what to
> change to adapt the configuration to 3.6.3 (if necessary)?

Some comments:

The above config makes no real sense for me, neither for 3.4 nor for 3.6:

* The parameter "idmap config DOMAIN : default = yes/no" has been removed in samba 3.3. It only existed from 3.0.25 to 3.2. (http://www.samba.org/samba/history/samba-3.3.0.html)

* You are using the backend "ad" (or "idmap_ad", which is a deprecated synonym) both in "idmap config MYDOMAIN : backend" and in "idmap backend", both with different ranges. This does not seem to make sense to me. It is necessary to specify a writable backend for the catch-all default idmap configuration, e.g. tdb or ldap. In 3.6, the "idmap backend" has been replaced by "idmap config * : backend", etc.
A valid config for 3.4 would be:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
	workgroup = MYDOMAIN
	idmap backend = tdb
	idmap uid = xxxxx-yyyyy
	idmap gid = xxxxx-yyyyy
	idmap config MYDOMAIN : backend = ad
	idmap config MYDOMAIN : range = 1000-50000
	idmap config MYDOMAIN : schema mode = rfc2307
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The corresponding for 3.6:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
	workgroup = MYDOMAIN
	idmap config * : backend = tdb
	idmap config * : range = xxxxx-yyyyy
	idmap config MYDOMAIN : backend = ad
	idmap config MYDOMAIN : range = 1000-50000
	idmap config MYDOMAIN : schema mode = rfc2307
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> I checked everything (I know) from the Samba point of view, and it almost
> seems ok, but "wbinfo -i" fails as follows:
>
> # wbinfo -i myuser
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user myuser
>
> Using the same user, for example, I can do:
>
> # wbinfo -n myuser
> S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
> # wbinfo -n "Domain Users"
> S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)
>
> # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
> MYDOMAIN\myuser 1
> # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
> MYDOMAIN\Domain Users
>
> # net -Uadminuser user info myuser |head
> Enter adminuser's password:
> domain users
> [...]
> # net -Uadminuser ads user |grep myuser
> Enter adminuser's password:
> myuser
>
> Obviously, id(1) and getent(1) fail.
> What I get is:
>
> [2012/05/14 16:50:47.958484, 6] winbindd/winbindd.c:792(new_connection)
>   accepted socket 25
> [2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
>   process_request: request fn INTERFACE_VERSION
> [2012/05/14 16:50:47.958644, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [ 5756]: request interface version
> [2012/05/14 16:50:47.958705, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:INTERFACE_VERSION]: delivered response to client
> [2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/05/14 16:50:47.958808, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [ 5756]: request location of privileged pipe
> [2012/05/14 16:50:47.958870, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
> [2012/05/14 16:50:47.958939, 6] winbindd/winbindd.c:792(new_connection)
>   accepted socket 26
> [2012/05/14 16:50:47.958995, 6] winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 25, client exited
> [2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
>   process_request: Handling async request 5756:GETPWNAM
> [2012/05/14 16:50:47.959097, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam myuser
> [2012/05/14 16:50:47.959135, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>   wbint_LookupName: struct wbint_LookupName
>     in: struct wbint_LookupName
>       domain : *
>         domain : 'MYDOMAIN'
>       name : *
>         name : 'MYUSER'
>       flags : 0x00000008 (8)
> [2012/05/14 16:50:47.959276, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>   wbint_LookupName: struct wbint_LookupName
>     out: struct wbint_LookupName
>       type : *
>         type : SID_NAME_USER (1)
>       sid : *
>         sid : S-1-5-21-828208052-1092558876-1846952604-22794
>       result : NT_STATUS_OK
> [2012/05/14 16:50:47.959404, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>   wbint_QueryUser: struct wbint_QueryUser
>     in: struct wbint_QueryUser
>       sid : *
>         sid : S-1-5-21-828208052-1092558876-1846952604-22794
> [2012/05/14 16:50:47.959499, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>   wbint_QueryUser: struct wbint_QueryUser
>     out: struct wbint_QueryUser
>       info : *
>         info: struct wbint_userinfo
>           acct_name : *
>             acct_name : 'myuser'
>           full_name : *
>             full_name : 'Lastname Firstname'
>           homedir : *
>             homedir : '/home/myuser'
>           shell : *
>             shell : '/bin/bash'
>           primary_gid : 0x0000000000002710 (10000)
>           user_sid : S-1-5-21-828208052-1092558876-1846952604-22794
>           group_sid : S-1-5-21-828208052-1092558876-1846952604-513
>       result : NT_STATUS_OK
> [2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
>   idmap_cache_find_sid2uid found 10106
> [2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
>   idmap_cache_find_sid2gid found -1
> [2012/05/14 16:50:47.959763, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
> [2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
>   wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/05/14 16:50:47.959843, 10] winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:GETPWNAM]: delivered response to client
> [2012/05/14 16:50:47.959937, 6] winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 26, client exited

Hmm, it finds a sid2uid mapping in the cache, but then a sid2gid lookup fails (from cache). Due to the bad error message, it cannot be seen which sid was the input. Could also be the ...-513 group sid.
Could you please check with the more low-level wbinfo commands the results of the commands for id mapping:

wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794   ==> should give a uid
wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794   ==> should fail
wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513     ==> should fail
wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513     ==> should give a gid

Cheers - Michael
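The reply above lists the things that are wrong with the posted idmap stanza and gives the 3.6 layout to use instead. The script below is an added example, not from the thread or from Samba: it lints the idmap lines of an smb.conf for exactly those points (a catch-all "idmap config * : backend" rather than the legacy "idmap backend", a writable catch-all backend, the removed "default" parameter, a range for the AD domain, and ranges that do not overlap) and runs the check on both the original config and the corrected one. Both configs are constructed from the post; the catch-all range in the corrected config reuses the original 64000-64999 where the reply has xxxxx-yyyyy, and the schema_mode line keeps the spelling from the original config. The function name check_idmap_conf and the PROBLEM message texts are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint the idmap part of an smb.conf
# for the Samba 3.6 layout described in the reply. The checks encode the
# reply's points; the message wording and the writable-backend list
# (tdb, tdb2, ldap) are this example's own choices.

# Constructed from the post: the idmap lines of the original 3.4-era config.
OLD_CONF='[global]
   workgroup = MYDOMAIN
   idmap backend = idmap_ad
   idmap uid = 64000 - 64999
   idmap gid = 64000 - 64999
   idmap config MYDOMAIN : default = yes
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 1000-50000
   idmap config MYDOMAIN : schema_mode = rfc2307'

# Constructed: the 3.6 layout from the reply, catch-all range set to the
# original 64000-64999 so it stays clear of the AD domain range.
NEW_CONF='[global]
   workgroup = MYDOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 64000-64999
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 1000-50000
   idmap config MYDOMAIN : schema_mode = rfc2307'

# check_idmap_conf: read smb.conf text on stdin and print one
# "PROBLEM: ..." line per finding; a clean config prints nothing.
check_idmap_conf() {
    awk '
        function trim(s)     { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function value(s, p) { p = index(s, "="); return trim(substr(s, p + 1)) }
        function lo(r)       { sub(/[ \t]*-.*$/, "", r); return r + 0 }
        function hi(r)       { sub(/^.*-[ \t]*/, "", r); return r + 0 }
        { line = trim($0); lower = tolower(line) }
        lower ~ /^idmap backend[ \t]*=/ { legacy_backend = value(line) }
        lower ~ /^idmap uid[ \t]*=/     { legacy_uid = value(line) }
        lower ~ /^idmap config / {
            rest = substr(line, 14)              # text after "idmap config "
            cpos = index(rest, ":"); epos = index(rest, "=")
            if (cpos == 0 || epos == 0 || epos < cpos) next
            dom = trim(substr(rest, 1, cpos - 1))
            key = tolower(trim(substr(rest, cpos + 1, epos - cpos - 1)))
            cfg[dom, key] = trim(substr(rest, epos + 1))
            doms[dom] = 1
        }
        END {
            # 1. catch-all backend: must use the 3.6 form and be writable
            cb = (("*", "backend") in cfg) ? cfg["*", "backend"] : ""
            if (cb == "" && legacy_backend != "") {
                print "PROBLEM: legacy \"idmap backend = " legacy_backend "\"; Samba 3.6 expects \"idmap config * : backend\""
                cb = legacy_backend
            }
            if (cb == "") {
                print "PROBLEM: no catch-all idmap backend; BUILTIN and non-AD SIDs cannot be mapped"
            } else {
                b = tolower(cb); sub(/^idmap_/, "", b)
                if (b != "tdb" && b != "tdb2" && b != "ldap")
                    print "PROBLEM: catch-all backend \"" cb "\" is not writable; use tdb or ldap"
            }
            # 2. legacy "idmap uid" doubles as the catch-all range
            if (!(("*", "range") in cfg) && legacy_uid != "") {
                cfg["*", "range"] = legacy_uid; doms["*"] = 1
            }
            # 3. per-domain parameters
            for (d in doms) {
                if ((d, "default") in cfg)
                    print "PROBLEM: \"idmap config " d " : default\" was removed in Samba 3.3"
                if (d != "*" && !((d, "range") in cfg))
                    print "PROBLEM: \"idmap config " d " : range\" is missing"
            }
            # 4. overlapping ranges let two different SIDs share one uid/gid
            for (d in doms) for (e in doms)
                if (d < e && ((d, "range") in cfg) && ((e, "range") in cfg))
                    if (lo(cfg[d, "range"]) <= hi(cfg[e, "range"]) && lo(cfg[e, "range"]) <= hi(cfg[d, "range"]))
                        print "PROBLEM: ranges of \"" d "\" and \"" e "\" overlap"
        }
    '
}

echo "== original config"
printf '%s\n' "$OLD_CONF" | check_idmap_conf
echo "== corrected config"
printf '%s\n' "$NEW_CONF" | check_idmap_conf
```

Run it as `sh check_idmap.sh`, or feed a live file with `check_idmap_conf < /etc/samba/smb.conf`. On the original config it reports the legacy "idmap backend" line, the read-only "ad" catch-all backend and the removed "default" parameter; the corrected config produces no output. The overlap check is there because the catch-all backend allocates ids on demand: if its range overlapped the AD range, a BUILTIN or foreign SID could be handed a uid that an AD user already owns through uidNumber.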