Bug 11123 - idmap_rid not loaded (lib/idmap/rid.so in place)
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 minor
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2015-02-26 11:10 UTC by David Mudrich
Modified: 2019-07-12 17:38 UTC
Description David Mudrich 2015-02-26 11:10:31 UTC
Description:
RID mapping is not working or not loaded and I could only find the four static loaded idmap modules.

Versions tested:
4.2.0rc5 4.3.0pre1-GIT-3e9e5e6

log.winbindd-idmap:
[2015/02/26 10:55:55.706426,  5] ../source3/winbindd/idmap.c:154(smb_register_idmap)
  Successfully added idmap backend 'tdb'
[2015/02/26 10:55:55.706449,  5] ../source3/winbindd/idmap.c:154(smb_register_idmap)
  Successfully added idmap backend 'passdb'
[2015/02/26 10:55:55.706461,  5] ../source3/winbindd/idmap.c:154(smb_register_idmap)
  Successfully added idmap backend 'nss'
[2015/02/26 10:55:55.706472,  5] ../source3/winbindd/idmap.c:154(smb_register_idmap)
  Successfully added idmap backend 'ldap'

# ls /usr/local/samba/lib/idmap/
ad.so  autorid.so  hash.so  rfc2307.so  rid.so  script.so  tdb2.so

smb.conf:
[global]
workgroup               = MSDE
realm                   = MSDE.LAN
netbios name            = DC1
server role             = active directory domain controller
dns forwarder           = 172.17.0.250
idmap_ldb:use rfc2307   = no
read only               = no
bind interfaces only    = yes
interfaces              = eth*
log level		= 5
### Linux & Windows ###
winbind separator       = .
template shell          = /bin/bash
hide files              = /*.desktop/
idmap config *:backend          = tdb
idmap config *:range            = 9000-9999
idmap config MSDE:backend       = rid
idmap config MSDE:range         = 1000-1999
winbind enum users      = yes
winbind enum groups     = yes
winbind use default domain = no
winbind refresh tickets = yes
### Stability ###
server services         = -nbt
smb ports               = 445
oplocks                 = no
level2 oplocks          = no
kernel oplocks          = no
#oplock contention limit= 2
locking                 = yes
posix locking           = yes
kernel share modes      = yes
### Performance ###
use sendfile            = yes
write cache size        = 2097152
min receivefile size    = 1024
Comment 1 David Disseldorp 2015-03-17 14:34:05 UTC
/usr/local/* paths aren't normally checked for shared libraries - see http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html for details.

You generally have a few options:
- Configure Samba using a --libdir parameter that is suitable for your operating system.
- Use Samba packages bundled with the distribution, which should be correctly configured.
- Modify /etc/ld.so.conf or LD_LIBRARY_PATH so that /usr/local/samba/lib/idmap/ is searched.
Comment 2 David Disseldorp 2015-03-17 14:41:19 UTC
One further comment... idmap_rid uses the following formula to convert a Windows RID to a Unix UID/GID:
  ID = RID - BASE_RID (0) + LOW_RANGE_ID (1000)

With a maximum range id of 1999, any user with a Windows RID over 999 will not be mapped. Windows user RIDs normally _start_ at 1000 and go upwards, meaning that no users will be mapped!
Comment 3 David Mudrich 2015-03-17 16:12:56 UTC
It's been some time ago, but I remember that both suggestions don't help.
Regarding 1. comment this was all done before, 2. isn't it:
ID = RID - BASE_RID (0) + LOW_RANGE_ID (1000)
ID = RID - 1000 + 1000, as the base is 1000?
But this is not the reason. Mapping works, but only not the requested relative but always unwanted local tdb mapping.
I started debugging and dug into the source and found that the loading and initialization mechanism does _not_even_try_to_load_other_backends_ than tdb, passdb, nss and ldap. Dynamic initialisation of other backends is broken.
Btw, initialization is so overly complex that I consider it broken by design. I lowered the importance since I gave up on winbind.

Regards
David
Comment 4 Rowland Penny 2019-07-12 17:38:31 UTC
The supplied smb.conf was from an AD DC, yet it has the 'idmap config' lines from a Unix domain member. These do not work on an AD DC, so 'RID' mapping will not work as David Mudrich expects. This is not a bug.
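
Added example, not part of the bug report and not Samba code: a Python check that applies the formula from comment 2 and the AD DC point from comment 4 to the idmap lines of the reported smb.conf. The function names and finding strings are assumptions made for illustration; BASE_RID defaults to 0 as stated in comment 2, and the sample input is constructed from the configuration quoted above.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf in the report.
SAMPLE_CONF = """\
[global]
server role             = active directory domain controller
idmap config *:backend          = tdb
idmap config *:range            = 9000-9999
idmap config MSDE:backend       = rid
idmap config MSDE:range         = 1000-1999
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.+)$", re.I)

def parse_conf(text):
    """Return (server_role, {domain: {option: value}}) from smb.conf text."""
    role, domains = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val.strip()
        elif re.match(r"server role\s*=", line, re.I):
            role = line.split("=", 1)[1].strip().lower()
    return role, domains

def rid_window(low, high, base_rid=0):
    """RIDs that land in [low, high] under ID = RID - BASE_RID + LOW_RANGE_ID."""
    return base_rid, base_rid + (high - low)

def check(text):
    """Return a list of findings (hypothetical wording) for rid-backed domains."""
    role, domains = parse_conf(text)
    findings = []
    for dom, opts in domains.items():
        if opts.get("backend") != "rid" or "range" not in opts:
            continue
        low, high = (int(x) for x in opts["range"].split("-"))
        first, last = rid_window(low, high, int(opts.get("base_rid", 0)))
        findings.append(f"{dom}: range {low}-{high} maps RIDs {first}-{last} only")
        if last < 1000:  # comment 2: Windows user RIDs normally start at 1000
            findings.append(f"{dom}: no RID >= 1000 fits, so normal users are unmapped")
        if role == "active directory domain controller":  # comment 4
            findings.append(f"{dom}: 'idmap config' is for domain members, not an AD DC")
    return findings
```

Running `check(SAMPLE_CONF)` reports all three conditions for the MSDE domain; a domain-member configuration with a wide enough range yields only the informational first line.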