On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 04/07/2019 21:25, Ryan via samba wrote:
> > I am still trying to configure Samba to authenticate users against
> > ActiveDirectory, but look up uid and gids against a stand-alone OpenLDAP
> > server. Related to a previous recommendation, I found the idmap_rfc2307
> > capability, which seems likely exactly what I want.
> >
> > Unfortunately, it does not seem to work. Users are not permitted to
> > access shares for which they are in the group.
> >
> > Tests I found online of the idmapping using wbinfo, fail as follows.
> >
> > $>wbinfo -n user1
> > THE_SID SID_USER (1)
> >
> > $>net cache flush
> >
> > $>wbinfo -S THE_SID
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid THE_SID to uid
> >
> > I do not see any indication in the log files that the LDAP server is
> > being contacted, though winbind startup shows that it is processing the
> > idmap directives.
> >
> > And I have done the following:
> >
> > net idmap set secret 'MYDOMAIN' 'password'
> >
> > Here is the smb.conf file:
> >
> > [global]
> > strict locking = no
> > workgroup = MYDOMAIN
> > server string = Samba Server Version %v
> > disable netbios = yes
> > interfaces = lo eth0
> > log file = /var/log/samba/log.%m
> > log level = 5
> > max log size = 64
> > security = ads
> > realm = MYDOMAIN.FULL
> > kerberos method = secrets and keytab
> > load printers = no
> > printcap name = /dev/null
> > printing = bsd
> > disable spoolss = yes
> > ldap ssl = off
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 65536-4294967296
> >
> > idmap config MYDOMAIN : backend = rfc2307
> > idmap config MYDOMAIN : range = 1000-65535
> > idmap config MYDOMAIN : ldap_server = stand-alone
> > idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
> > idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
> > idmap config MYDOMAIN : user_cn = no
> > idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
> > idmap config MYDOMAIN : ldap_user_dn = cn=samba,ou=agents,dc=myldap,dc=org
> >
> > [home]
> > comment = Home Directories
> > path = /home/%U
> > browseable = no
> > writable = yes
> > create mask = 0600
> > directory mask = 0700
> > valid users = MYDOMAIN\%U
> > preexec = ls /home/%U
> >
> > [share]
> > path = /home/share
> > writable = yes
> > valid users = @share
> > force group = share
> > create mask = 0660
> > directory mask = 0770
> > preexec = ls /home/share
>
> Try changing 'security = ADS' to 'security = domain'
>
When I do this, I receive the following error both for 'net ads testjoin'
(maybe this only works with ads, though) and on the Windows clients that
try to connect to shares (the real problem).

ads_connect: No logon servers are currently available to service the logon
request.
Join to domain is not valid: No logon servers are currently available to
service the logon request.

When I restore 'security = ads' then 'net ads testjoin' works and clients
can again connect to shares (only without the right group information for
access, as is the subject of this thread).
> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be correct.
>
I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just use a
stand-alone LDAP for read-only lookups of UID and GIDs, correct? It looks
like the 'idmap_ldap' backend is mainly for also allowing Samba to store
mappings, though I do see in the man page a provision for read-only lookups
with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also, perhaps
importantly, my OpenLDAP server does use the RFC2307 schema rather than
RFC2307bis, so I need that functionality.
Some other information, in case it's helpful:
Samba version 4.8.3
net ads testjoin returns "Join is OK"
testparm shows no errors or warnings
What part of the configuration file might not be correct, here? I
double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
server and gave it the appropriate credentials with the 'net idmap set
secret' command.
In 'log.winbindd-idmap', I do see the following:
[2019/07/05 10:51:26.448651, 1]
../source3/winbindd/idmap.c:435(idmap_init_domain)
Error: invalid idmap range detected: 65536 - 0
I realized the idmap range line for my TDB included 2^32, and this
apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
problem and left me with:
[2019/07/05 10:56:41.047022, 3]
../source3/winbindd/idmap.c:397(idmap_init_domain)
idmap backend rfc2307 not found
[2019/07/05 10:56:41.049427, 3]
../lib/util/modules.c:167(load_module_absolute_path)
load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so' loaded
[2019/07/05 10:56:41.049512, 1]
../source3/winbindd/idmap.c:447(idmap_init_domain)
idmap initialization returned NT_STATUS_ACCESS_DENIED
[2019/07/05 10:56:41.049541, 3]
../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
idmap_found_domain_backend: Could not init idmap domain campus
But idmap_rfc2307 should be a valid module, and it gets loaded.
https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I double
checked all the LDAP parameters in the smb.conf.
Finally, at debug level 10, I get:
[2019/07/05 13:47:00.092653, 5, pid=26399, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
msg_try_to_go_online: domain MYDOMAIN already online.
in the log.winbindd-idmap, as if it has come up correctly?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
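As an added example (not code from this thread or from Samba), a small Python checker that parses the 'idmap config' lines of an smb.conf and flags the range problems discussed above: a bound above 32 bits (the 4294967296 that winbind reads as 0, producing "invalid idmap range detected: 65536 - 0"), an inverted range, and ranges that overlap between domains. The 32-bit truncation is modelled on the behaviour Ryan observed in log.winbindd-idmap, and the sample config is constructed from the thread's [global] lines.

```python
import re

UINT32_MAX = 2**32 - 1

# Constructed sample: the idmap lines from the thread, with the original
# (overflowing) default range still in place.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MYDOMAIN
idmap config * : backend = tdb
idmap config * : range = 65536-4294967296
idmap config MYDOMAIN : backend = rfc2307
idmap config MYDOMAIN : range = 1000-65535
"""

_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt.lower()] = val
    return cfg

def effective_range(value):
    """Parse 'low-high' as the thread observed winbind doing: each bound is
    truncated to 32 bits, so 4294967296 becomes 0 (assumption modelled on the log)."""
    low, high = (int(x) & UINT32_MAX for x in re.split(r"\s*-\s*", value.strip()))
    return low, high

def check_idmap(cfg):
    """Return a list of problems: overflowed, inverted, missing or overlapping ranges."""
    problems, ranges = [], {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        raw = opts["range"]
        low, high = effective_range(raw)
        if any(int(x) > UINT32_MAX for x in re.split(r"\s*-\s*", raw.strip())):
            problems.append(f"{dom}: range {raw} exceeds 32 bits, winbind sees {low} - {high}")
        if low >= high:
            problems.append(f"{dom}: invalid idmap range detected: {low} - {high}")
        else:
            ranges[dom] = (low, high)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"{a} and {b}: ranges overlap")
    return problems
```

Running `check_idmap(parse_idmap(open("/etc/samba/smb.conf").read()))` before restarting winbind catches the wrap-around that only showed up here at log level 5.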