samba - Jul 2019 - WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307

On Sat, Jul 6, 2019 at 3:04 PM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 05/07/2019 20:00, Ryan via samba wrote:
> > On Fri, Jul 5, 2019 at 2:32 PM Rowland penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On 05/07/2019 18:50, Ryan via samba wrote:
> >>> On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <
> >>> samba at lists.samba.org> wrote:
> >>>
> >>>> On 04/07/2019 21:25, Ryan via samba wrote:
> >>>>> I am still trying to configure Samba to authenticate
users against
> >>>>> ActiveDirectory, but lookup uid and gids against a
stand-alone
> OpenLDAP
> >>>>> server. Related to a previous recommendation, I found
the
> idmap_rfc2307
> >>>>> capability, which seems likely exactly what I what.
> >>>>>
> >>>>> Unfortunately, it does not seem to work. Users are not
permitted to
> >>>> access
> >>>>> shares for which they are in the group.
> >>>>>
> >>>>> Tests I found online of the idmapping using wbinfo,
fail as follows.
> >>>>>
> >>>>> $>wbinfo -n user1
> >>>>> THE_SID SID_USER (1)
> >>>>>
> >>>>> $>net cache flush
> >>>>>
> >>>>> $>wbinfo -S THE_SID
> >>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> >>>>> Could not convert sid THE_SID to uid
> >>>>>
> >>>>> I do not see any indication in the log files that the
LDAP server is
> >>>> being
> >>>>> contacted, though winbind startup shows that it is
processing the
> idmap
> >>>>> directives.
> >>>>>
> >>>>> And I have done the following:
> >>>>>
> >>>>> net idmap set secret 'MYDOMAIN'
'password'
> >>>>>
> >>>>> Here is the smb.conf file:
> >>>>>
> >>>>> [global]
> >>>>> strict locking = no
> >>>>> workgroup = MYDOMAIN
> >>>>> server string = Samba Server Version %v
> >>>>> disable netbios = yes
> >>>>> interfaces = lo eth0
> >>>>> log file = /var/log/samba/log.%m
> >>>>> log level = 5
> >>>>> max log size = 64
> >>>>> security = ads
> >>>>> realm = MYDOMAIN.FULL
> >>>>> kerberos method = secrets and keytab
> >>>>> load printers = no
> >>>>> printcap name = /dev/null
> >>>>> printing = bsd
> >>>>> disable spoolss = yes
> >>>>> ldap ssl = off
> >>>>>
> >>>>> idmap config * : backend = tdb
> >>>>> idmap config * : range = 65536-4294967296
> >>>>>
> >>>>> idmap config MYDOMAIN : backend = rfc2307
> >>>>> idmap config MYDOMAIN : range = 1000-65535
> >>>>> idmap config MYDOMAIN : ldap_server = stand-alone
> >>>>> idmap config MYDOMAIN : bind_path_user =
ou=users,dc=myldap,dc=org
> >>>>> idmap config MYDOMAIN : bind_path_group =
ou=groups,dc=myldap,dc=org
> >>>>> idmap config MYDOMAIN : user_cn = no
> >>>>> idmap config MYDOMAIN : ldap_url =
ldaps://ldap.myldap.org:636
> >>>>> idmap config MYDOMAIN : ldap_user_dn >
>>>> cn=samba,ou=agents,dc=myldap,dc=org
> >>>>> [home]
> >>>>> comment = Home Directories
> >>>>> path = /home/%U
> >>>>> browseable = no
> >>>>> writable = yes
> >>>>> create mask = 0600
> >>>>> directory mask = 0700
> >>>>> valid users = MYDOMAIN\%U
> >>>>> preexec = ls /home/%U
> >>>>>
> >>>>> [share]
> >>>>> path = /home/share
> >>>>> writable = yes
> >>>>> valid users = @share
> >>>>> force group = share
> >>>>> create mask = 0660
> >>>>> directory mask = 0770
> >>>>> preexec = ls /home/share
> >>>> Try changing 'security = ADS' to 'security =
domain'
> >>>>
> >>> When I do this, I receive the following error both for
'net ads
> testjoin'
> >>> (maybe this only works with ads, though) and on the Windows
clients
> that
> >>> try to connect to shares (the real problem).
> >>>
> >>> ads_connect: No logon servers are currently available to
service the
> >> logon
> >>> request.
> >>> Join to domain is not valid: No logon servers are currently
available
> to
> >>> service the logon request.
> >>>
> >>> When I restore 'security = ads' then 'net ads
testjoin' works and
> clients
> >>> can again connect to shares (only without the right group
information
> for
> >>> access, as is the subject of this thread).
> >>>
> >>>
> >>>> Read 'man idmap_ldap', your 'idmap config'
lines don't seeem to be
> >> correct.
> >>> I read 'idmap_ldap' and 'idmap_rfc2307'. The
RFC2307 backend can just
> >> use a
> >>> stand-alone LDAP for read-only lookups of UID and GIDs,
correct? It
> looks
> >>> like the 'idmap_ldap' backend is mainly for also
allowing Samba to
> store
> >>> mappings, though I do see in the man page a provision for
read-only
> >> lookups
> >>> with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307?
Also,
> >> perhaps
> >>> importantly, my OpenLDAP server does use the RFC2307 schema
rather than
> >>> RFC2307bis, so I need that functionality.
> >>>
> >>> Some other information, in case it's helpful:
> >>>
> >>> Samba version 4.8.3
> >>> net ads testjoin returns "Join is OK"
> >>> testparm shows no errors or warnings
> >>>
> >>> What part of the configuration file might not be correct,
here? I
> >>> double-checked all the info (e.g. URI, base DN, user DN) for
the LDAP
> >>> server and gave it the appropriate credentials with the
'net idmap set
> >>> secret' command.
> >>>
> >>> In 'log.winbindd-idmap', I do see the following:
> >>>
> >>> [2019/07/05 10:51:26.448651,  1]
> >>> ../source3/winbindd/idmap.c:435(idmap_init_domain)
> >>>     Error: invalid idmap range detected: 65536 - 0
> >>>
> >>> I realized the idmap range line for my TDB included 2^32, and
this
> >>> apparently gets wrapped around to 0. Changing this to 2^32-1
fixed that
> >>> problem and left me with:
> >>>
> >>> [2019/07/05 10:56:41.047022,  3]
> >>> ../source3/winbindd/idmap.c:397(idmap_init_domain)
> >>>     idmap backend rfc2307 not found
> >>> [2019/07/05 10:56:41.049427,  3]
> >>> ../lib/util/modules.c:167(load_module_absolute_path)
> >>>     load_module_absolute_path: Module
> '/usr/lib64/samba/idmap/rfc2307.so'
> >>> loaded
> >>> [2019/07/05 10:56:41.049512,  1]
> >>> ../source3/winbindd/idmap.c:447(idmap_init_domain)
> >>>     idmap initialization returned NT_STATUS_ACCESS_DENIED
> >>> [2019/07/05 10:56:41.049541,  3]
> >>> ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
> >>>     idmap_found_domain_backend: Could not init idmap domain
campus
> >>>
> >>> But idmap_rfc2307 should be a valid module, and it gets
loaded.
> >>>
> >>>
https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
> >>>
> >>> What does this NT_STATUS_ACCESS_DENIED indicate in the above
log? I
> >> double
> >>> checked all the LDAP parameters in the smb.conf.
> >>>
> >>> Finally, at debug level 10, I get:
> >>>
> >>> [2019/07/05 13:47:00.092653,  5, pid=26399, effective(0, 0),
real(0,
> 0),
> >>> class=winbind]
> >> ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
> >>>     msg_try_to_go_online: domain MYDOMAIN already online.
> >>>
> >>> in the log.winbindd-idmap, as if it has come up correctly?
> >>>
> >> Sorry, I should have been a bit more precise, change the
'security'
> >> parameter after the join.
> >>
> > I'm sorry. I may still be misunderstanding. Even after I
successfully
> > execute the join, setting 'security = domain' breaks file
sharing
> > functionality. Clients cannot connect and 'net ads testjoin'
report the
> > error. As soon as I again set it back to 'security = ads',
clients can
> > connect again without any further actions or commands.
> >
> >
> >> Yes, you are correct 'idmap_rfc2307' does exist, but it
isn't used very
> >> much, if at all. It was introduced back in 2012.
> >>
> > Hmm. The reason I hesitated to use idmap_ldap is that is sounds like
> > idmap_ldap looks for existing SID-to-UID/GIDs mappings in the LDAP
> > database, whereas idmap_rfc2307 consults an LDAP database (with RFC
2307
> > schema) based only on the username , which is *exactly* what I want .
In
> > fact, I was even using idmap_ldap previously, and it didn't seem
to work,
> > but likely I made some error.
> >
> >  From the man page for idmap_ldap:
> >
> >>>> Defines the directory base suffix to use for
***SID/uid/gid mapping
> > entries.***
> >
> > And from the man page for idmap_rfc2307:
> >
> >>>> An AD server is always required to provide the mapping
between name
> and
> > SID, and ***the LDAP server is queried for the mapping between name
and
> > uid/gid.***
> >
> > Is there a way to make idmap_ldap work the same way, ignoring the SID
> that
> > comes back from the AD server and querying the independent LDAP
database
> > for uid and gids based on username? Can idmap_ldap query groups from
> > OpenLDAP in RFC 2307?
> >
> >
> >> I have tried it and I cannot make it work, either with
'security = ADS'
> >> or 'security = domain'
> >>
> >> Rowland
> >>
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
>
> 'idmap_rfc2307' got me thinking about the other rarely used
backends and
> I wonder if you could use 'idmap_script', see 'man
idmap_script' for
> (limited) info
>
> Rowland
>
> Hi Rowland,
Indeed, I switched to using the idmap_script back end. For posterity (in
case it could ever help you or others), I have included the simple script
below. It correctly returns the UID and primary GID, which in our LDAP
system is the same, so it gets returned as XID per the man page. Then, and
this part I don't understand but I verified it in the idmap logs, somehow
Samba/winbind becomes aware of the many other GIDs. It subsequently tries
to map them back to SIDs (which fails, because there is no mapping, but
it's cheap, so whatever).

So a few follow-ups, and then I'll be out of your hair:

1. By what mechanism does Samba/winbind go from seeing the UID/GID of the
user from the lookup to becoming aware of the other GIDs of the user? I am
uncomfortable not knowing this, because it seems like it could break.
2. This mechanism *works*. Users can mount shares based on their UNIX group
membership in the OpenLDAP server. *Thank you!* Now...is there any better
way to do this? I love that such a hacky back-end exists, but is this what
RFC 2307 is supposed to do, but it's truly broken code right now? It seems
like looking people up by username in a separate LDAP directory after
authenticating them with their Kerberos credentials against an AD server is
quite a common use case (I know many people who do it with older versions
of Samba that use the fallback mechanism; I wonder if you are going to get
lots of questions about this as people transition to EL 7 or 8 with 6 going
EOL).

Regards,

Ryan

#! /bin/bash
printf "%s: %s\n" "$(date '+%Y-%m-%d %H:%M:%S')"
"$*" >>
/var/log/samba/idmap_script.bash.log
if [ "$1" == "SIDTOID" ] ; then
  unset _NO_WINBINDD
  username="$(<<< "$(wbinfo -s "$2")" cut -d
' ' -f 1 | cut -d "$(wbinfo
--separator)" -f 2)"
  _NO_WINBINDD=1
  printf "\t'%s' => '%s'\n" "$2"
"$username" >>
/var/log/samba/idmap_script.bash.log
  ldap_info="$(ldapsearch -LLL -H ldaps://ldap.ldapdomain.org:636/ -b
"ou=users,dc=ldapdomain,dc=org" -D
"cn=samba,ou=agents,dc=ldapdomain,dc=org" -w 'BIND_PASSWORD'
"(uid=$username)")"
  xid="$(<<< "$ldap_info" grep '^uidNumber: ' |
cut -d ' ' -f 2)"
  printf "\t'%s' => '%s'\n" "$username"
"$xid" >>
/var/log/samba/idmap_script.bash.log
  if [ ! -z "$xid" ] ; then
    printf "XID:%s\n" "$xid"
    exit 0
  else
    printf "ERR: Unmapped SID\n"
    exit 1
  fi
else
  printf "ERR: No idea what to do\n"
  exit 1
fi

>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 08/07/2019 19:03, Ryan via samba wrote:
>> 'idmap_rfc2307' got me thinking about the other rarely used
backends and
>> I wonder if you could use 'idmap_script', see 'man
idmap_script' for
>> (limited) info
>>
>> Rowland
>>
>> Hi Rowland,
> Indeed, I switched to using the idmap_script back end. For posterity (in
> case it could ever help you or others), I have included the simple script
> below. It correctly returns the UID and primary GID, which in our LDAP
> system is the same, so it gets returned as XID per the man page. Then, and
> this part I don't understand but I verified it in the idmap logs,
somehow
> Samba/winbind becomes aware of the many other GIDs. It subsequently tries
> to map them back to SIDs (which fails, because there is no mapping, but
> it's cheap, so whatever).
>
> So a few follow-ups, and then I'll be out of your hair:
>
> 1. By what mechanism does Samba/winbind go from seeing the UID/GID of the
> user from the lookup to becoming aware of the other GIDs of the user? I am
> uncomfortable not knowing this, because it seems like it could break.
> 2. This mechanism *works*. Users can mount shares based on their UNIX group
> membership in the OpenLDAP server. *Thank you!* Now...is there any better
> way to do this? I love that such a hacky back-end exists, but is this what
> RFC 2307 is supposed to do, but it's truly broken code right now? It
seems
> like looking people up by username in a separate LDAP directory after
> authenticating them with their Kerberos credentials against an AD server is
> quite a common use case (I know many people who do it with older versions
> of Samba that use the fallback mechanism; I wonder if you are going to get
> lots of questions about this as people transition to EL 7 or 8 with 6 going
> EOL).
Your setup is one that hasn't come up before and hopefully will not 
again ;-)

We have had situations where people have had an NT4-style PDC and linux 
fileservers and they have upgraded to AD without problem. You, for 
various reasons, could not, but have found a way around the problem. I 
would urge you to consider this as a reprieve and a breathing point, 
then find a better fix for your problem, it may be that this is done on 
a company basis rather than on a department basis.

Rowland

On Mon, Jul 8, 2019 at 2:32 PM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 08/07/2019 19:03, Ryan via samba wrote:
> >> 'idmap_rfc2307' got me thinking about the other rarely
used backends and
> >> I wonder if you could use 'idmap_script', see 'man
idmap_script' for
> >> (limited) info
> >>
> >> Rowland
> >>
> >> Hi Rowland,
> > Indeed, I switched to using the idmap_script back end. For posterity
(in
> > case it could ever help you or others), I have included the simple
script
> > below. It correctly returns the UID and primary GID, which in our LDAP
> > system is the same, so it gets returned as XID per the man page. Then,
> and
> > this part I don't understand but I verified it in the idmap logs,
somehow
> > Samba/winbind becomes aware of the many other GIDs. It subsequently
tries
> > to map them back to SIDs (which fails, because there is no mapping,
but
> > it's cheap, so whatever).
> >
> > So a few follow-ups, and then I'll be out of your hair:
> >
> > 1. By what mechanism does Samba/winbind go from seeing the UID/GID of
the
> > user from the lookup to becoming aware of the other GIDs of the user?
I
> am
> > uncomfortable not knowing this, because it seems like it could break.
> > 2. This mechanism *works*. Users can mount shares based on their UNIX
> group
> > membership in the OpenLDAP server. *Thank you!* Now...is there any
better
> > way to do this? I love that such a hacky back-end exists, but is this
> what
> > RFC 2307 is supposed to do, but it's truly broken code right now?
It
> seems
> > like looking people up by username in a separate LDAP directory after
> > authenticating them with their Kerberos credentials against an AD
server
> is
> > quite a common use case (I know many people who do it with older
versions
> > of Samba that use the fallback mechanism; I wonder if you are going to
> get
> > lots of questions about this as people transition to EL 7 or 8 with 6
> going
> > EOL).
>
> Your setup is one that hasn't come up before and hopefully will not
> again ;-)
>
The number one thing is that I am very thankful for your help.

> We have had situations where people have had an NT4-style PDC and linux
> fileservers and they have upgraded to AD without problem. You, for
> various reasons, could not, but have found a way around the problem. I
> would urge you to consider this as a reprieve and a breathing point,
> then find a better fix for your problem, it may be that this is done on
> a company basis rather than on a department basis.
>
Exactly this. But isn't this a situation that will come up any time a large
entity (universities of tens of thousands or companies of hundreds of
thousands) deploys an AD server, and the many entities within it want to
piggyback on that server for authentication (so people can use their
institutional accounts) but need to manage their own authorization?

It's not that I can't upgrade to this or that solution. It's that as
a
small sub-entity in my organization, I have no permissions on my
organization's AD to do anything (but fortunately join machines), and this
isn't going to change. This situation may be fairly common, being a
many-to-one per AD deployment, than what might be considered the common
case. That's why I say that, in fact, I know of several organizations where
the same thing is going on, and I think I've even read related questions on
the samba lists in the past. You can certainly argue that the organization
should give compartmentalized AD LDAP write access to its various sub-orgs,
but this is always going to be a sticky administrative issue. My only real
alternative to the current solution is to maintain my own authentication
infrastructure, which I already do in parallel for externals to the
university, and which would be vastly easier on me but harder on my users.

Ryan

>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>