Lukas Haase
2017-Jan-14 22:49 UTC
[Samba] Problems with ID mapping after upgrade to Debian jessie
Hi,

I have been running a Debian 3 server without problems for a long time. Now, after upgrading to Debian jessie (Debian 4.2.14) I cannot log in any more:

smbclient -U admin -L //localhost/
Enter admin's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

In the logs:

[2017/01/14 23:37:21.636022, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
[2017/01/14 23:37:21.637610, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed

This is odd because the correct UID for this SID would be 1013.

The relevant Samba config thus far was:

passdb backend = ldapsam:ldap://ldap/
ldap ssl = Start_tls
obey pam restrictions = no
ldap admin dn = uid=admin,dc=intra
ldap suffix = dc=intra
ldap group suffix = ou=groups
ldap user suffix = ou=users
ldap machine suffix = ou=machines
ldap idmap suffix = ou=idmap
idmap uid = 25000-27000
idmap gid = 25000-27000

However, ou=idmap in the LDAP tree is empty and winbind was running.

I thought maybe it is because of the deprecated idmap uid option but no matter what I set for "idmap config", wbinfo always returns the wrong UID:

# wbinfo --sid-to-uid S-1-5-21-3909901412-745783496-1225843668-500
25003

For example, I tried

idmap config * : backend = tdb
idmap config * : range = 25000 27000

or

idmap config * : backend = rid
idmap config * : range = 0 1000

The output just does not change.

Any help would be appreciated. Thanks!

Luke
Lukas Haase
2017-Jan-15 00:03 UTC
[Samba] Problems with ID mapping after upgrade to Debian jessie
Hi,

I still do not know why the problem came up, why all the idmap configuration was ignored and why wbinfo and net idmap dump returned different entries.

However, after a long time I ended up doing the following:

1.) In the LDAP, changed the SID from S-1-5-21-3909901412-745783496-1225843668-500 to SID S-1-5-21-3909901412-745783496-1225843668-501.
2.) Hooray, login worked! wbinfo returned the correct result for RID 501 but not for 500. Changing the SID entry back stopped it from working again.
3.) Grepped /var for S-1-5-21-3909901412-745783496-1225843668-501. Found it in /var/cache/samba/gencache.tdb. Deleted the file.
4.) Restarted samba, works again with original SID!

If somebody has an explanation for this behavior, I would still be interested to know why ...

Luke

On 2017-01-14 14:49, Lukas Haase via samba wrote:
> Hi,
>
> I have been running a Debian 3 server without problems for a long time.
> Now, after upgrading to Debian jessie (Debian 4.2.14) I cannot log in
> any more:
>
> smbclient -U admin -L //localhost/
> Enter admin's password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
>
> In the logs:
>
> [2017/01/14 23:37:21.636022, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [admin] -> [admin] ->
> [admin] succeeded
> [2017/01/14 23:37:21.637610, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed
>
> This is odd because the correct UID for this SID would be 1013.
>
> The relevant Samba config thus far was:
>
> passdb backend = ldapsam:ldap://ldap/
> ldap ssl = Start_tls
> obey pam restrictions = no
> ldap admin dn = uid=admin,dc=intra
> ldap suffix = dc=intra
> ldap group suffix = ou=groups
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap idmap suffix = ou=idmap
> idmap uid = 25000-27000
> idmap gid = 25000-27000
>
> However, ou=idmap in the LDAP tree is empty and winbind was running.
>
> I thought maybe it is because of the deprecated idmap uid option but no
> matter what I set for "idmap config", wbinfo always returns the wrong UID:
>
> # wbinfo --sid-to-uid S-1-5-21-3909901412-745783496-1225843668-500
> 25003
>
> For example, I tried
>
> idmap config * : backend = tdb
> idmap config * : range = 25000 27000
>
> or
>
> idmap config * : backend = rid
> idmap config * : range = 0 1000
>
> The output just does not change.
>
> Any help would be appreciated. Thanks!
>
> Luke
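
A triage check for the symptom in this thread, as an added example that is not part of either post: it extracts getpwuid failures from a Samba log and marks UIDs that fall inside the configured "idmap uid" range, as 25003 does here while the poster expected 1013. The sample log and config are constructed from the lines quoted above; the function names and the header-plus-continuation record layout are assumptions.

```python
import re

# Constructed sample, modelled on the log lines and settings quoted in the thread.
SAMPLE_LOG = """\
[2017/01/14 23:37:21.636022,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [admin] -> [admin] -> [admin] succeeded
[2017/01/14 23:37:21.637610,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed
"""
SAMPLE_CONF = """\
idmap uid = 25000-27000
idmap gid = 25000-27000
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
FAILED = re.compile(r"SID (S-1-[\d-]+) -> getpwuid\((\d+)\) failed")
UID_RANGE = re.compile(r"^\s*idmap uid\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def idmap_uid_range(conf_text):
    """Return (low, high) from an 'idmap uid = low-high' line, or None."""
    m = UID_RANGE.search(conf_text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def records(log_text):
    """Yield (timestamp, message); lines after a header are joined to it (assumed layout)."""
    current = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], " ".join(current[1])
            current = (m.group(1), [])
        elif current and line.strip():
            current[1].append(line.strip())
    if current:
        yield current[0], " ".join(current[1])

def failed_lookups(log_text, conf_text):
    """List getpwuid failures, marking UIDs that fall inside the idmap uid range."""
    rng = idmap_uid_range(conf_text)
    out = []
    for ts, msg in records(log_text):
        m = FAILED.search(msg)
        if m:
            uid = int(m.group(2))
            out.append({"time": ts, "sid": m.group(1), "uid": uid,
                        "in_idmap_range": bool(rng and rng[0] <= uid <= rng[1])})
    return out
```

An in-range UID for a SID whose account has a different UID elsewhere is the mismatch the poster describes; the script only reports it and does not touch any cache or directory entry.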