samba - May 2012 - idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

Dear list,

upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
to 3.6.3. I was successfully using idmap_ad to authenticate users but
after the upgrade it stopped working and users are not seen by the OS.
Obviously the users I want to see on the Linux server have all RFC2307
attributes populated and are seen by all other SLES11 SP1 servers.

I checked everything (I know) from the Samba point of view, and it almost
seems ok, but "wbinfo -i" fails as follows:

  # wbinfo -i myuser
  failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
  Could not get info for user myuser

Using the same user, for example, I can do:

  # wbinfo -n myuser
  S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
  # wbinfo -n "Domain Users"
  S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)

  # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
  MYDOMAIN\myuser 1
  # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
  MYDOMAIN\Domain Users

  # net -Uadminuser user info myuser |head
  Enter adminuser's password:
  domain users
  [...]
  # net -Uadminuser ads user  |grep myuser
  Enter adminuser's password:
  myuser

Obviously, id(1) and getent(1) fail. What I get is:

[2012/05/14 16:50:47.958484,  6] winbindd/winbindd.c:792(new_connection)
  accepted socket 25
[2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
  process_request: request fn INTERFACE_VERSION
[2012/05/14 16:50:47.958644,  3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 5756]: request interface version
[2012/05/14 16:50:47.958705, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:INTERFACE_VERSION]: delivered
response to client
[2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/05/14 16:50:47.958808,  3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 5756]: request location of privileged pipe
[2012/05/14 16:50:47.958870, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]:
delivered response to client
[2012/05/14 16:50:47.958939,  6] winbindd/winbindd.c:792(new_connection)
  accepted socket 26
[2012/05/14 16:50:47.958995,  6]
winbindd/winbindd.c:840(winbind_client_request_read)
  closing socket 25, client exited
[2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
  process_request: Handling async request 5756:GETPWNAM
[2012/05/14 16:50:47.959097,  3]
winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam myuser
[2012/05/14 16:50:47.959135,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          in: struct wbint_LookupName
              domain                   : *
                  domain                   : 'MYDOMAIN'
              name                     : *
                  name                     : 'MYUSER'
              flags                    : 0x00000008 (8)
[2012/05/14 16:50:47.959276,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          out: struct wbint_LookupName
              type                     : *
                  type                     : SID_NAME_USER (1)
              sid                      : *
                  sid                      :
S-1-5-21-828208052-1092558876-1846952604-22794
              result                   : NT_STATUS_OK
[2012/05/14 16:50:47.959404,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_QueryUser: struct wbint_QueryUser
          in: struct wbint_QueryUser
              sid                      : *
                  sid                      :
S-1-5-21-828208052-1092558876-1846952604-22794
[2012/05/14 16:50:47.959499,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_QueryUser: struct wbint_QueryUser
          out: struct wbint_QueryUser
              info                     : *
                  info: struct wbint_userinfo
                      acct_name                : *
                          acct_name                : 'myuser'
                      full_name                : *
                          full_name                : 'Lastname
Firstname'
                      homedir                  : *
                          homedir                  : '/home/myuser'
                      shell                    : *
                          shell                    : '/bin/bash'
                      primary_gid              : 0x0000000000002710 (10000)
                      user_sid                 :
S-1-5-21-828208052-1092558876-1846952604-22794
                      group_sid                :
S-1-5-21-828208052-1092558876-1846952604-513
              result                   : NT_STATUS_OK
[2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 10106
[2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found -1
[2012/05/14 16:50:47.959763,  5]
winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid
S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
[2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
  wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
[2012/05/14 16:50:47.959843, 10]
winbindd/winbindd.c:738(winbind_client_response_written)
  winbind_client_response_written[5756:GETPWNAM]: delivered response to client
[2012/05/14 16:50:47.959937,  6]
winbindd/winbindd.c:840(winbind_client_request_read)
  closing socket 26, client exited

Although I tried many changes to the config, according to some hints found
on the web, this is what I was using with Samba 3.4.3:

  [global]
    workgroup = MYDOMAIN
    realm = MYREALM
    security = ADS

    log level = 10

    passdb backend = tdbsam
    idmap backend = idmap_ad
    idmap uid = 64000 - 64999
    idmap gid = 64000 - 64999

    idmap config MYDOMAIN : default = yes
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 1000-50000
    idmap config MYDOMAIN : schema_mode = rfc2307

    winbind use default domain = yes
    winbind nss info = rfc2307
    winbind offline logon = yes
    winbind refresh tickets = yes

    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    template homedir = /home/%D/%U
    template shell = /bin/bash

    kerberos method         = secrets and keytab
    dedicated keytab file   = /etc/krb5.keytab

Any hints on what has changed with Samba 3.6.3 and/or what to
change to adapt the configuration to 3.6.3 (if necessary)?

Thanks, Javier

Hi Javier,

On Mon, 14 May 2012 17:48:09 +0200
Javier Conti <javier.conti at gmail.com> wrote:
> upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
> to 3.6.3. I was successfully using idmap_ad to authenticate users but
> after the upgrade it stopped working and users are not seen by the OS.
> Obviously the users I want to see on the Linux server have all RFC2307
> attributes populated and are seen by all other SLES11 SP1 servers.
> 
> I checked everything (I know) from the Samba point of view, and it almost
> seems ok, but "wbinfo -i" fails as follows:
> 
>   # wbinfo -i myuser
>   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>   Could not get info for user myuser
Thanks for your report. As this version of Samba is vendor supported,
I'd encourage you to raise this issue at bugzilla.novell.com.

Do you also encounter this error with "winbind use default domain =
no"
configured, running "wbinfo -i MYDOMAIN\\myuser"?

Cheers, David

Hi Javier,

Javier Conti wrote:
> Dear list,
> 
> upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
> to 3.6.3. I was successfully using idmap_ad to authenticate users but
> after the upgrade it stopped working and users are not seen by the OS.
> Obviously the users I want to see on the Linux server have all RFC2307
> attributes populated and are seen by all other SLES11 SP1 servers.
> Although I tried many changes to the config, according to some hints found
> on the web, this is what I was using with Samba 3.4.3:
> 
>   [global]
>     workgroup = MYDOMAIN
>     realm = MYREALM
>     security = ADS
> 
>     idmap backend = idmap_ad
>     idmap uid = 64000 - 64999
>     idmap gid = 64000 - 64999
> 
>     idmap config MYDOMAIN : default = yes
>     idmap config MYDOMAIN : backend = ad
>     idmap config MYDOMAIN : range = 1000-50000
>     idmap config MYDOMAIN : schema_mode = rfc2307
> 
>     winbind use default domain = yes
>     winbind nss info = rfc2307
>     winbind offline logon = yes
>     winbind refresh tickets = yes
>     [...] 
> 
> Any hints on what has changed with Samba 3.6.3 and/or what to
> change to adapt the configuration to 3.6.3 (if necessary)?
Some comments:
The above config makes no real sense for me,
neither for 3.4 nor for 3.6:

* The parameter "idmap config DOMAIN : default = yes/no"
  has been removed in samba 3.3. It only existed from
  3.0.25 to 3.2.
  (http://www.samba.org/samba/history/samba-3.3.0.html)

* You are using the backend "ad" (or "idmap_ad" which is
  a deprecated synonym) both in "idmap config MYDOMAIN : backend"
  and in "idmap backend". Both with different ranges.
  This does not seem to make sense to me.

  It is necessary to specify a writable backend for the
  catch all default idmap configuration, e.g. tdb or ldap.

  In 3.6, the "idmap backend" has been replaced by
  "idmap config * : backend", etc.

A valid config for 3.4 would be:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
	workgroup = MYDOMAIN

	idmap backend = tdb
	idmap uid = xxxxx-yyyyy
	idmap gid = xxxxx-yyyyy

	idmap config MYDOMAIN : backend = ad
	idmap config MYDOMAIN : range = 1000-50000
	idmap config MYDOMAIN : schema mode = rfc2370
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The corresponding for 3.6:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[global]
	workgroup = MYDOMAIN

	idmap config * : backend = tdb
	idmap config * : range = xxxxx-yyyyy

	idmap config MYDOMAIN : backend = ad
	idmap config MYDOMAIN : range = 1000-50000
	idmap config MYDOMAIN : schema mode = rfc2370
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I checked everything (I know) from the Samba point of view, and it almost
> seems ok, but "wbinfo -i" fails as follows:
> 
>   # wbinfo -i myuser
>   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>   Could not get info for user myuser
> 
> Using the same user, for example, I can do:
> 
>   # wbinfo -n myuser
>   S-1-5-21-828208052-1092558876-1846952604-22794 SID_USER (1)
>   # wbinfo -n "Domain Users"
>   S-1-5-21-828208052-1092558876-1846952604-513 SID_DOM_GROUP (2)
> 
>   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-22794
>   MYDOMAIN\myuser 1
>   # wbinfo -s S-1-5-21-828208052-1092558876-1846952604-513
>   MYDOMAIN\Domain Users
> 
>   # net -Uadminuser user info myuser |head
>   Enter adminuser's password:
>   domain users
>   [...]
>   # net -Uadminuser ads user  |grep myuser
>   Enter adminuser's password:
>   myuser
> 
> Obviously, id(1) and getent(1) fail. What I get is:
> 
> [2012/05/14 16:50:47.958484,  6] winbindd/winbindd.c:792(new_connection)
>   accepted socket 25
> [2012/05/14 16:50:47.958604, 10] winbindd/winbindd.c:642(process_request)
>   process_request: request fn INTERFACE_VERSION
> [2012/05/14 16:50:47.958644,  3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [ 5756]: request interface version
> [2012/05/14 16:50:47.958705, 10]
> winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:INTERFACE_VERSION]: delivered
> response to client
> [2012/05/14 16:50:47.958771, 10] winbindd/winbindd.c:642(process_request)
>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/05/14 16:50:47.958808,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [ 5756]: request location of privileged pipe
> [2012/05/14 16:50:47.958870, 10]
> winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:WINBINDD_PRIV_PIPE_DIR]:
> delivered response to client
> [2012/05/14 16:50:47.958939,  6] winbindd/winbindd.c:792(new_connection)
>   accepted socket 26
> [2012/05/14 16:50:47.958995,  6]
> winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 25, client exited
> [2012/05/14 16:50:47.959058, 10] winbindd/winbindd.c:615(process_request)
>   process_request: Handling async request 5756:GETPWNAM
> [2012/05/14 16:50:47.959097,  3]
> winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam myuser
> [2012/05/14 16:50:47.959135,  1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_LookupName: struct wbint_LookupName
>           in: struct wbint_LookupName
>               domain                   : *
>                   domain                   : 'MYDOMAIN'
>               name                     : *
>                   name                     : 'MYUSER'
>               flags                    : 0x00000008 (8)
> [2012/05/14 16:50:47.959276,  1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_LookupName: struct wbint_LookupName
>           out: struct wbint_LookupName
>               type                     : *
>                   type                     : SID_NAME_USER (1)
>               sid                      : *
>                   sid                      :
> S-1-5-21-828208052-1092558876-1846952604-22794
>               result                   : NT_STATUS_OK
> [2012/05/14 16:50:47.959404,  1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_QueryUser: struct wbint_QueryUser
>           in: struct wbint_QueryUser
>               sid                      : *
>                   sid                      :
> S-1-5-21-828208052-1092558876-1846952604-22794
> [2012/05/14 16:50:47.959499,  1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_QueryUser: struct wbint_QueryUser
>           out: struct wbint_QueryUser
>               info                     : *
>                   info: struct wbint_userinfo
>                       acct_name                : *
>                           acct_name                : 'myuser'
>                       full_name                : *
>                           full_name                : 'Lastname
Firstname'
>                       homedir                  : *
>                           homedir                  : '/home/myuser'
>                       shell                    : *
>                           shell                    : '/bin/bash'
>                       primary_gid              : 0x0000000000002710 (10000)
>                       user_sid                 :
> S-1-5-21-828208052-1092558876-1846952604-22794
>                       group_sid                :
> S-1-5-21-828208052-1092558876-1846952604-513
>               result                   : NT_STATUS_OK
> [2012/05/14 16:50:47.959686, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
>   idmap_cache_find_sid2uid found 10106
> [2012/05/14 16:50:47.959729, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
>   idmap_cache_find_sid2gid found -1
> [2012/05/14 16:50:47.959763,  5]
> winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid
> S-1-5-21-828208052-1092558876-1846952604-22794: NT_STATUS_NONE_MAPPED
> [2012/05/14 16:50:47.959794, 10] winbindd/winbindd.c:677(wb_request_done)
>   wb_request_done[5756:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/05/14 16:50:47.959843, 10]
> winbindd/winbindd.c:738(winbind_client_response_written)
>   winbind_client_response_written[5756:GETPWNAM]: delivered response to
client
> [2012/05/14 16:50:47.959937,  6]
> winbindd/winbindd.c:840(winbind_client_request_read)
>   closing socket 26, client exited
Hmm, it finds a sid2uid mapping in the cache,
but then a sid2gid lookup fails (from cache).
Due to bad error message, it can not be seen
which sid was the input. Could also be the ...-513
group sid.

Could you please check with the more low level wbinfo commands
the results of the commands for id mapping:

wbinfo -S S-1-5-21-828208052-1092558876-1846952604-22794
==> should give a uid
wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-22794
==> should fail
wbinfo -S S-1-5-21-828208052-1092558876-1846952604-513
==> should fail
wbinfo -Y S-1-5-21-828208052-1092558876-1846952604-513
==> should give a gid

Cheers - Michael


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 206 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20120515/11ed2a75/attachment.pgp>