On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 04/07/2019 21:25, Ryan via samba wrote:
> > I am still trying to configure Samba to authenticate users against
> > ActiveDirectory, but look up uid and gids against a stand-alone OpenLDAP
> > server. Related to a previous recommendation, I found the idmap_rfc2307
> > capability, which seems like exactly what I want.
> >
> > Unfortunately, it does not seem to work. Users are not permitted to access
> > shares for which they are in the group.
> >
> > Tests I found online of the idmapping using wbinfo fail as follows.
> >
> > $>wbinfo -n user1
> > THE_SID SID_USER (1)
> >
> > $>net cache flush
> >
> > $>wbinfo -S THE_SID
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid THE_SID to uid
> >
> > I do not see any indication in the log files that the LDAP server is being
> > contacted, though winbind startup shows that it is processing the idmap
> > directives.
> >
> > And I have done the following:
> >
> > net idmap set secret 'MYDOMAIN' 'password'
> >
> > Here is the smb.conf file:
> >
> > [global]
> > strict locking = no
> > workgroup = MYDOMAIN
> > server string = Samba Server Version %v
> > disable netbios = yes
> > interfaces = lo eth0
> > log file = /var/log/samba/log.%m
> > log level = 5
> > max log size = 64
> > security = ads
> > realm = MYDOMAIN.FULL
> > kerberos method = secrets and keytab
> > load printers = no
> > printcap name = /dev/null
> > printing = bsd
> > disable spoolss = yes
> > ldap ssl = off
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 65536-4294967296
> >
> > idmap config MYDOMAIN : backend = rfc2307
> > idmap config MYDOMAIN : range = 1000-65535
> > idmap config MYDOMAIN : ldap_server = stand-alone
> > idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
> > idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
> > idmap config MYDOMAIN : user_cn = no
> > idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
> > idmap config MYDOMAIN : ldap_user_dn = cn=samba,ou=agents,dc=myldap,dc=org
> >
> > [home]
> > comment = Home Directories
> > path = /home/%U
> > browseable = no
> > writable = yes
> > create mask = 0600
> > directory mask = 0700
> > valid users = MYDOMAIN\%U
> > preexec = ls /home/%U
> >
> > [share]
> > path = /home/share
> > writable = yes
> > valid users = @share
> > force group = share
> > create mask = 0660
> > directory mask = 0770
> > preexec = ls /home/share
>
> Try changing 'security = ADS' to 'security = domain'
>

When I do this, I receive the following error both for 'net ads testjoin'
(maybe this only works with ads, though) and on the Windows clients that
try to connect to shares (the real problem).

ads_connect: No logon servers are currently available to service the logon request.
Join to domain is not valid: No logon servers are currently available to service the logon request.

When I restore 'security = ads' then 'net ads testjoin' works and clients
can again connect to shares (only without the right group information for
access, as is the subject of this thread).

> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be correct.
>

I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just use a
stand-alone LDAP for read-only lookups of UIDs and GIDs, correct? It looks
like the 'idmap_ldap' backend is mainly for also allowing Samba to store
mappings, though I do see in the man page a provision for read-only lookups
with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also, perhaps
importantly, my OpenLDAP server does use the RFC2307 schema rather than
RFC2307bis, so I need that functionality.

Some other information, in case it's helpful:

Samba version 4.8.3
net ads testjoin returns "Join is OK"
testparm shows no errors or warnings

What part of the configuration file might not be correct, here? I
double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
server and gave it the appropriate credentials with the 'net idmap set
secret' command.

In 'log.winbindd-idmap', I do see the following:

[2019/07/05 10:51:26.448651, 1] ../source3/winbindd/idmap.c:435(idmap_init_domain)
  Error: invalid idmap range detected: 65536 - 0

I realized the idmap range line for my TDB included 2^32, and this
apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
problem and left me with:

[2019/07/05 10:56:41.047022, 3] ../source3/winbindd/idmap.c:397(idmap_init_domain)
  idmap backend rfc2307 not found
[2019/07/05 10:56:41.049427, 3] ../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so' loaded
[2019/07/05 10:56:41.049512, 1] ../source3/winbindd/idmap.c:447(idmap_init_domain)
  idmap initialization returned NT_STATUS_ACCESS_DENIED
[2019/07/05 10:56:41.049541, 3] ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
  idmap_found_domain_backend: Could not init idmap domain campus

But idmap_rfc2307 should be a valid module, and it gets loaded.

https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html

What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I double
checked all the LDAP parameters in the smb.conf.

Finally, at debug level 10, I get:

[2019/07/05 13:47:00.092653, 5, pid=26399, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
  msg_try_to_go_online: domain MYDOMAIN already online.

in the log.winbindd-idmap, as if it has come up correctly?

>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
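Added example (not from the thread or from Samba): a small Python checker for the 'idmap config' lines in the smb.conf above. It flags a range whose upper bound does not fit in 32 bits (the reason winbind logged "65536 - 0"), ranges of different domains that overlap, and a stand-alone rfc2307 backend missing ldap_url, bind_path_user or bind_path_group. The required-key list is an assumption drawn from idmap_rfc2307(8), and the embedded smb.conf fragment is a constructed copy of the posted one.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in this thread.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 65536-4294967296
   idmap config MYDOMAIN : backend = rfc2307
   idmap config MYDOMAIN : range = 1000-65535
   idmap config MYDOMAIN : ldap_server = stand-alone
   idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
   idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
   idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
   idmap config MYDOMAIN : ldap_user_dn = cn=samba,ou=agents,dc=myldap,dc=org
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
MAX_ID = 2**32 - 1  # winbind keeps ids in 32 bits; anything larger wraps around
# Keys a stand-alone rfc2307 backend needs (assumption drawn from idmap_rfc2307(8)).
RFC2307_STANDALONE_KEYS = ("ldap_url", "bind_path_user", "bind_path_group")


def parse_idmap_config(text):
    """Return {domain: {key: value}} for every 'idmap config' line in smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def check_idmap_config(cfg):
    """Return a list of (domain, problem) findings; an empty list means all clear."""
    findings, ranges = [], {}
    for dom, keys in cfg.items():
        rng = keys.get("range")
        if rng is None:
            findings.append((dom, "no range configured"))
        else:
            low, high = (int(x) for x in rng.split("-", 1))
            if high > MAX_ID:  # the thread's case: 4294967296 is seen as 0
                findings.append((dom, f"range upper bound {high} exceeds {MAX_ID}; "
                                      f"winbind would see {low}-{high & MAX_ID}"))
            elif low >= high:
                findings.append((dom, f"invalid range {low}-{high}"))
            else:
                ranges[dom] = (low, high)
        if (keys.get("backend", "").lower() == "rfc2307"
                and keys.get("ldap_server", "").lower() == "stand-alone"):
            for k in RFC2307_STANDALONE_KEYS:
                if k not in keys:
                    findings.append((dom, f"rfc2307 stand-alone needs '{k}'"))
    # Ranges of different domains must not overlap, or ids become ambiguous.
    doms = sorted(ranges, key=lambda d: ranges[d][0])
    for a, b in zip(doms, doms[1:]):
        if ranges[a][1] >= ranges[b][0]:
            findings.append((a, f"range overlaps with {b}"))
    return findings
```

Running `check_idmap_config(parse_idmap_config(SAMPLE_SMB_CONF))` reports only the '*' range; after changing 4294967296 to 4294967295 the list is empty.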
On 05/07/2019 18:50, Ryan via samba wrote:
> On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> On 04/07/2019 21:25, Ryan via samba wrote:
>>> I am still trying to configure Samba to authenticate users against
>>> ActiveDirectory, but look up uid and gids against a stand-alone OpenLDAP
>>> server. Related to a previous recommendation, I found the idmap_rfc2307
>>> capability, which seems like exactly what I want.
>>>
>>> Unfortunately, it does not seem to work. Users are not permitted to access
>>> shares for which they are in the group.
>>>
>>> Tests I found online of the idmapping using wbinfo fail as follows.
>>>
>>> $>wbinfo -n user1
>>> THE_SID SID_USER (1)
>>>
>>> $>net cache flush
>>>
>>> $>wbinfo -S THE_SID
>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not convert sid THE_SID to uid
>>>
>>> I do not see any indication in the log files that the LDAP server is being
>>> contacted, though winbind startup shows that it is processing the idmap
>>> directives.
>>>
>>> And I have done the following:
>>>
>>> net idmap set secret 'MYDOMAIN' 'password'
>>>
>>> Here is the smb.conf file:
>>>
>>> [global]
>>> strict locking = no
>>> workgroup = MYDOMAIN
>>> server string = Samba Server Version %v
>>> disable netbios = yes
>>> interfaces = lo eth0
>>> log file = /var/log/samba/log.%m
>>> log level = 5
>>> max log size = 64
>>> security = ads
>>> realm = MYDOMAIN.FULL
>>> kerberos method = secrets and keytab
>>> load printers = no
>>> printcap name = /dev/null
>>> printing = bsd
>>> disable spoolss = yes
>>> ldap ssl = off
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 65536-4294967296
>>>
>>> idmap config MYDOMAIN : backend = rfc2307
>>> idmap config MYDOMAIN : range = 1000-65535
>>> idmap config MYDOMAIN : ldap_server = stand-alone
>>> idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
>>> idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
>>> idmap config MYDOMAIN : user_cn = no
>>> idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
>>> idmap config MYDOMAIN : ldap_user_dn = cn=samba,ou=agents,dc=myldap,dc=org
>>>
>>> [home]
>>> comment = Home Directories
>>> path = /home/%U
>>> browseable = no
>>> writable = yes
>>> create mask = 0600
>>> directory mask = 0700
>>> valid users = MYDOMAIN\%U
>>> preexec = ls /home/%U
>>>
>>> [share]
>>> path = /home/share
>>> writable = yes
>>> valid users = @share
>>> force group = share
>>> create mask = 0660
>>> directory mask = 0770
>>> preexec = ls /home/share
>> Try changing 'security = ADS' to 'security = domain'
>>
> When I do this, I receive the following error both for 'net ads testjoin'
> (maybe this only works with ads, though) and on the Windows clients that
> try to connect to shares (the real problem).
>
> ads_connect: No logon servers are currently available to service the logon request.
> Join to domain is not valid: No logon servers are currently available to service the logon request.
>
> When I restore 'security = ads' then 'net ads testjoin' works and clients
> can again connect to shares (only without the right group information for
> access, as is the subject of this thread).
>
>> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be correct.
>>
> I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just use a
> stand-alone LDAP for read-only lookups of UIDs and GIDs, correct? It looks
> like the 'idmap_ldap' backend is mainly for also allowing Samba to store
> mappings, though I do see in the man page a provision for read-only lookups
> with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also, perhaps
> importantly, my OpenLDAP server does use the RFC2307 schema rather than
> RFC2307bis, so I need that functionality.
>
> Some other information, in case it's helpful:
>
> Samba version 4.8.3
> net ads testjoin returns "Join is OK"
> testparm shows no errors or warnings
>
> What part of the configuration file might not be correct, here? I
> double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
> server and gave it the appropriate credentials with the 'net idmap set
> secret' command.
>
> In 'log.winbindd-idmap', I do see the following:
>
> [2019/07/05 10:51:26.448651, 1] ../source3/winbindd/idmap.c:435(idmap_init_domain)
>   Error: invalid idmap range detected: 65536 - 0
>
> I realized the idmap range line for my TDB included 2^32, and this
> apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
> problem and left me with:
>
> [2019/07/05 10:56:41.047022, 3] ../source3/winbindd/idmap.c:397(idmap_init_domain)
>   idmap backend rfc2307 not found
> [2019/07/05 10:56:41.049427, 3] ../lib/util/modules.c:167(load_module_absolute_path)
>   load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so' loaded
> [2019/07/05 10:56:41.049512, 1] ../source3/winbindd/idmap.c:447(idmap_init_domain)
>   idmap initialization returned NT_STATUS_ACCESS_DENIED
> [2019/07/05 10:56:41.049541, 3] ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
>   idmap_found_domain_backend: Could not init idmap domain campus
>
> But idmap_rfc2307 should be a valid module, and it gets loaded.
>
> https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
>
> What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I double
> checked all the LDAP parameters in the smb.conf.
>
> Finally, at debug level 10, I get:
>
> [2019/07/05 13:47:00.092653, 5, pid=26399, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
>   msg_try_to_go_online: domain MYDOMAIN already online.
>
> in the log.winbindd-idmap, as if it has come up correctly?
>

Sorry, I should have been a bit more precise, change the 'security'
parameter after the join.

Yes, you are correct 'idmap_rfc2307' does exist, but it isn't used very
much, if at all. It was introduced back in 2012.

I have tried it and I cannot make it work, either with 'security = ADS'
or 'security = domain'

Rowland
On Fri, Jul 5, 2019 at 2:32 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 05/07/2019 18:50, Ryan via samba wrote:
> > On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 04/07/2019 21:25, Ryan via samba wrote:
> >>> I am still trying to configure Samba to authenticate users against
> >>> ActiveDirectory, but look up uid and gids against a stand-alone OpenLDAP
> >>> server. Related to a previous recommendation, I found the idmap_rfc2307
> >>> capability, which seems like exactly what I want.
> >>>
> >>> Unfortunately, it does not seem to work. Users are not permitted to access
> >>> shares for which they are in the group.
> >>>
> >>> Tests I found online of the idmapping using wbinfo fail as follows.
> >>>
> >>> $>wbinfo -n user1
> >>> THE_SID SID_USER (1)
> >>>
> >>> $>net cache flush
> >>>
> >>> $>wbinfo -S THE_SID
> >>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> >>> Could not convert sid THE_SID to uid
> >>>
> >>> I do not see any indication in the log files that the LDAP server is being
> >>> contacted, though winbind startup shows that it is processing the idmap
> >>> directives.
> >>>
> >>> And I have done the following:
> >>>
> >>> net idmap set secret 'MYDOMAIN' 'password'
> >>>
> >>> Here is the smb.conf file:
> >>>
> >>> [global]
> >>> strict locking = no
> >>> workgroup = MYDOMAIN
> >>> server string = Samba Server Version %v
> >>> disable netbios = yes
> >>> interfaces = lo eth0
> >>> log file = /var/log/samba/log.%m
> >>> log level = 5
> >>> max log size = 64
> >>> security = ads
> >>> realm = MYDOMAIN.FULL
> >>> kerberos method = secrets and keytab
> >>> load printers = no
> >>> printcap name = /dev/null
> >>> printing = bsd
> >>> disable spoolss = yes
> >>> ldap ssl = off
> >>>
> >>> idmap config * : backend = tdb
> >>> idmap config * : range = 65536-4294967296
> >>>
> >>> idmap config MYDOMAIN : backend = rfc2307
> >>> idmap config MYDOMAIN : range = 1000-65535
> >>> idmap config MYDOMAIN : ldap_server = stand-alone
> >>> idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
> >>> idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
> >>> idmap config MYDOMAIN : user_cn = no
> >>> idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
> >>> idmap config MYDOMAIN : ldap_user_dn = cn=samba,ou=agents,dc=myldap,dc=org
> >>>
> >>> [home]
> >>> comment = Home Directories
> >>> path = /home/%U
> >>> browseable = no
> >>> writable = yes
> >>> create mask = 0600
> >>> directory mask = 0700
> >>> valid users = MYDOMAIN\%U
> >>> preexec = ls /home/%U
> >>>
> >>> [share]
> >>> path = /home/share
> >>> writable = yes
> >>> valid users = @share
> >>> force group = share
> >>> create mask = 0660
> >>> directory mask = 0770
> >>> preexec = ls /home/share
> >> Try changing 'security = ADS' to 'security = domain'
> >>
> > When I do this, I receive the following error both for 'net ads testjoin'
> > (maybe this only works with ads, though) and on the Windows clients that
> > try to connect to shares (the real problem).
> >
> > ads_connect: No logon servers are currently available to service the logon request.
> > Join to domain is not valid: No logon servers are currently available to service the logon request.
> >
> > When I restore 'security = ads' then 'net ads testjoin' works and clients
> > can again connect to shares (only without the right group information for
> > access, as is the subject of this thread).
> >
> >> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be correct.
> >>
> > I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just use a
> > stand-alone LDAP for read-only lookups of UIDs and GIDs, correct? It looks
> > like the 'idmap_ldap' backend is mainly for also allowing Samba to store
> > mappings, though I do see in the man page a provision for read-only lookups
> > with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also, perhaps
> > importantly, my OpenLDAP server does use the RFC2307 schema rather than
> > RFC2307bis, so I need that functionality.
> >
> > Some other information, in case it's helpful:
> >
> > Samba version 4.8.3
> > net ads testjoin returns "Join is OK"
> > testparm shows no errors or warnings
> >
> > What part of the configuration file might not be correct, here? I
> > double-checked all the info (e.g. URI, base DN, user DN) for the LDAP
> > server and gave it the appropriate credentials with the 'net idmap set
> > secret' command.
> >
> > In 'log.winbindd-idmap', I do see the following:
> >
> > [2019/07/05 10:51:26.448651, 1] ../source3/winbindd/idmap.c:435(idmap_init_domain)
> >   Error: invalid idmap range detected: 65536 - 0
> >
> > I realized the idmap range line for my TDB included 2^32, and this
> > apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that
> > problem and left me with:
> >
> > [2019/07/05 10:56:41.047022, 3] ../source3/winbindd/idmap.c:397(idmap_init_domain)
> >   idmap backend rfc2307 not found
> > [2019/07/05 10:56:41.049427, 3] ../lib/util/modules.c:167(load_module_absolute_path)
> >   load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so' loaded
> > [2019/07/05 10:56:41.049512, 1] ../source3/winbindd/idmap.c:447(idmap_init_domain)
> >   idmap initialization returned NT_STATUS_ACCESS_DENIED
> > [2019/07/05 10:56:41.049541, 3] ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
> >   idmap_found_domain_backend: Could not init idmap domain campus
> >
> > But idmap_rfc2307 should be a valid module, and it gets loaded.
> >
> > https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
> >
> > What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I double
> > checked all the LDAP parameters in the smb.conf.
> >
> > Finally, at debug level 10, I get:
> >
> > [2019/07/05 13:47:00.092653, 5, pid=26399, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
> >   msg_try_to_go_online: domain MYDOMAIN already online.
> >
> > in the log.winbindd-idmap, as if it has come up correctly?
> >
>
> Sorry, I should have been a bit more precise, change the 'security'
> parameter after the join.
>

I'm sorry. I may still be misunderstanding. Even after I successfully
execute the join, setting 'security = domain' breaks file sharing
functionality. Clients cannot connect and 'net ads testjoin' reports the
error. As soon as I again set it back to 'security = ads', clients can
connect again without any further actions or commands.

> Yes, you are correct 'idmap_rfc2307' does exist, but it isn't used very
> much, if at all. It was introduced back in 2012.
>

Hmm. The reason I hesitated to use idmap_ldap is that it sounds like
idmap_ldap looks for existing SID-to-UID/GID mappings in the LDAP database,
whereas idmap_rfc2307 consults an LDAP database (with RFC 2307 schema) based
only on the username, which is *exactly* what I want. In fact, I was even
using idmap_ldap previously, and it didn't seem to work, but likely I made
some error.

From the man page for idmap_ldap:

> Defines the directory base suffix to use for ***SID/uid/gid mapping entries.***

And from the man page for idmap_rfc2307:

> An AD server is always required to provide the mapping between name and SID,
> and ***the LDAP server is queried for the mapping between name and uid/gid.***

Is there a way to make idmap_ldap work the same way, ignoring the SID that
comes back from the AD server and querying the independent LDAP database for
uid and gids based on username? Can idmap_ldap query groups from OpenLDAP in
RFC 2307?

> I have tried it and I cannot make it work, either with 'security = ADS'
> or 'security = domain'
>
> Rowland
>