On 14-02-15 10:42 AM, Doug Meredith wrote:
> Things that don't work:
>
> - getent passwd {any_ad_user}
> - getent group
> - getent passwd
Exactly the problem I'm struggling with. (update: have solved since I
started writing this!)
Centos/samba-3.6.9-168.el6_5.x86_64 and SciLinux/samba-3.6.3-78.el6.1.x86_64
Same symptoms, same things that work, same things that don't. I've
simplified my idmap configuration down to:
idmap config * : backend = tdb2
idmap config * : range = 1000000-1999999
idmap config NETDIRECT:backend = ad
idmap config NETDIRECT:schema_mode = rfc2307
idmap config NETDIRECT:range = 100-999999
I get in my log:
Could not convert sid S-1-5-21-2070472328-935435760-1634736958-11032:
NT_STATUS_NONE_MAPPED
yet:
# wbinfo -n michael
S-1-5-21-2070472328-935435760-1634736958-11032 SID_USER (1)
# wbinfo -S S-1-5-21-2070472328-935435760-1634736958-11032
5016
which is within the configured range for the domain.
Near as I can tell I'm getting a complete user structure out of winbind:
wbint_QueryUser: struct wbint_QueryUser
out: struct wbint_QueryUser
info : *
info: struct wbint_userinfo
acct_name : *
acct_name : 'michael'
full_name : NULL
homedir : *
homedir : '/net/nfshome/home/michael'
shell : *
shell : '/bin/bash'
primary_gid : 0x0000000000000fa0 (4000)
user_sid :
S-1-5-21-2070472328-935435760-1634736958-11032
group_sid :
S-1-5-21-2070472328-935435760-1634736958-513
result : NT_STATUS_OK
but:
[2014/06/04 16:17:53.793013, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
idmap_cache_find_sid2uid found 5016
[2014/06/04 16:17:53.793144, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
idmap_cache_find_sid2gid found -1
[2014/06/04 16:17:53.793254, 5]
winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2070472328-935435760-1634736958-11032:
NT_STATUS_NONE_MAPPED
Damn. Now that I write that after cranking up the debug levels I wonder
if that line might be misleading. It was sid2gid that failed, but it
reported the user sid as unmappable.
Yes! It is misleading!
https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
"Please note that primary group membership is currently always
calculated via the "primaryGroupID" LDAP attribute."
winbind (unlike the other similar nss providers) will convert the
primary Windows group to the primary Unix group. Thus, when using the ad
backend you must have a gidNumber attribute on 'Domain Users'.
All of a sudden it works:
# id michael
uid=5016(michael) gid=4001(domain users) groups=4001(domain users),4000(staff)
I suspect you have the same problem.
M.
--
Michael Brown | `One of the main causes of the fall of
Systems Consultant | the Roman Empire was that, lacking zero,
Net Direct Inc. | they had no way to indicate successful
Tel: +1 519 883 1172 x5106 | termination of their C programs.' - Firth
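Added example (not part of this thread or of Samba): a small offline check for the failure mode Michael describes. It reads an LDIF-style dump of users and groups and reports every user whose primary group (looked up by matching primaryGroupID against the RID of each group's objectSid) carries no gidNumber, which is exactly the case where winbind's sid2gid returns -1 and getent passwd fails under the ad backend even though the user's own uidNumber is fine. The domain SID, DNs, account names and the dump itself are constructed; objectSid is assumed to be in string form as ldbsearch prints it, not the base64 form ldapsearch emits.

```python
"""Flag AD users whose primaryGroupID points at a group without gidNumber.

With `idmap config DOMAIN:backend = ad` winbind maps the user's primary
Unix group via primaryGroupID, so a missing gidNumber on that group (often
'Domain Users', RID 513) breaks `getent passwd user` for every such user.
"""
import re
from collections import defaultdict

# Last component of a domain SID is the RID that primaryGroupID refers to.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Constructed sample dump (hypothetical domain NETDIRECT). 'michael' has a
# uidNumber but his primary group 'Domain Users' has no gidNumber; 'alice'
# is fine; 'bob' has no uidNumber at all.
SAMPLE_LDIF = """\
dn: CN=michael,CN=Users,DC=netdirect,DC=example
objectClass: user
sAMAccountName: michael
uidNumber: 5016
primaryGroupID: 513

dn: CN=alice,CN=Users,DC=netdirect,DC=example
objectClass: user
sAMAccountName: alice
uidNumber: 5017
primaryGroupID: 1105

dn: CN=bob,CN=Users,DC=netdirect,DC=example
objectClass: user
sAMAccountName: bob
primaryGroupID: 1105

dn: CN=Domain Users,CN=Users,DC=netdirect,DC=example
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-2070472328-935435760-1634736958-513

dn: CN=staff,CN=Users,DC=netdirect,DC=example
objectClass: group
sAMAccountName: staff
objectSid: S-1-5-21-2070472328-935435760-1634736958-1105
gidNumber: 4000
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts.

    Only 'attr: value' lines and blank-line record separators are handled;
    folded continuation lines and base64 ('attr:: ...') values are not.
    """
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        cur[attr.lower()].append(value.strip())
    if cur:
        entries.append(dict(cur))
    return entries


def rid_from_sid(sid):
    """Return the RID (last sub-authority) of a domain SID string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def check_primary_groups(ldif_text):
    """Return {sAMAccountName: reason} for users winbind could not map."""
    entries = parse_ldif(ldif_text)
    groups_by_rid = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "group" in classes and "objectsid" in e:
            groups_by_rid[rid_from_sid(e["objectsid"][0])] = e

    problems = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "user" not in classes or "group" in classes:
            continue
        name = e.get("samaccountname", ["?"])[0]
        if "uidnumber" not in e:
            problems[name] = "no uidNumber (sid2uid would fail)"
            continue
        if "primarygroupid" not in e:
            problems[name] = "no primaryGroupID"
            continue
        rid = int(e["primarygroupid"][0])
        grp = groups_by_rid.get(rid)
        if grp is None:
            problems[name] = f"primary group RID {rid} not in dump"
        elif "gidnumber" not in grp:
            gname = grp.get("samaccountname", ["?"])[0]
            problems[name] = (
                f"primary group '{gname}' (RID {rid}) has no gidNumber")
    return problems


if __name__ == "__main__":
    for user, why in sorted(check_primary_groups(SAMPLE_LDIF).items()):
        print(f"{user}: {why}")
```

Point it at a real export by replacing SAMPLE_LDIF with the output of something like `ldbsearch -H ldap://dc -U user '(|(objectClass=user)(objectClass=group))' sAMAccountName objectSid uidNumber gidNumber primaryGroupID` (flags are illustrative); any user it lists will show the same "Could not convert sid ...: NT_STATUS_NONE_MAPPED" symptom until the group gets a gidNumber.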