The Samba-Bugzilla – Bug 12284
winbind and active directory id mapping broken
Last modified: 2017-01-04 09:24:27 UTC
After upgrading from version 4.4.5 to version 4.5.0 Active Directory integration is broken.
Downgrading to version 4.4.4 as suggested in https://bugs.archlinux.org/task/50787 does remedy the situation.
I cannot log in via graphical login any more, and when logging in via the terminal, the prompt shows "[I have no name!@my-box]".
"id $username" does show all correct ids for all groups but cannot map ids to user and group names.
Also "ls -al" in my home dir only shows ids instead of user and group names as owner information.
As far as I can tell, the config files (krb5.conf, smb.conf, etc.) haven't changed and neither have the Active Directory settings.
In "/var/log/samba/log.winbindd-idmap" I see messages like this:
[2016/09/15 16:07:24.411226, 3] ../source3/winbindd/idmap_rid.c:146(idmap_rid_unixids_to_sids)
Unexpected error resolving an ID (16208)
Running "wbinfo -g" or "wbinfo -u" works as expected and shows all the correct group and user names.
So do "getent group" and "getent passwd"
* libwbclient 4.5.0-2
* I followed the Active Directory Integration manual from the Arch Linux wiki: https://wiki.archlinux.org/index.php/Active_Directory_Integration
Steps to reproduce:
1. Follow: https://wiki.archlinux.org/index.php/Active_Directory_Integration
2. Install latest updates up to 14th September, 2016
3. Try to login as Domain user
See also: https://bugs.archlinux.org/task/50787
Correction: I downgraded to version 4.4.5 not 4.4.4 as the original description says.
(In reply to heapifyman from comment #1)
Would it be possible that you also check if the problem exists in
4.4.6, then the problem might be the patches from
(In reply to Stefan Metzmacher from comment #2)
Hi, I tried version 4.4.6 and did not experience any issues. Works as well as 4.4.5.
Seems like the problem was introduced from 4.4.6 to 4.5.0 then.
See https://bugs.archlinux.org/task/50787#comment151609 for what I did.
The problem still exists in version 4.5.1.
Any news when this will be solved?
I can confirm the issue exists today in version 4.5.2 (with Archlinux). A downgrade to version 4.4.5 also resolves the issue for me.
Reporter's symptoms are equal to mine.
I'd like to add that when running 'id <user>' with version 4.5.2 it does not show the AD user; with the old version it does.
Let me know if I can help.
Can you upload your smb.conf and a debug level 10 log of winbind of this failure? Please upload all log.w* files, in particular log.winbindd-idmap
Created attachment 12760
Debug level 10 logs and config file
Here you go :)
My plan of action was:
1. Moved /var/log/samba to samba-old
2. Upgrade samba to 4.5.2-1 (including the rest of the system)
3. Reboot (for new kernel)
4. Login with local user
5. Execute "getent passwd", result is correct, including domain users
6. Execute "id johan", result is: "id: 'johan': no such user"
7. Compressed /var/log/samba/* and smb.conf
(In reply to Johan from comment #7)
> Created attachment 12760
> Debug level 10 logs and config file
Unfortunately further down in your smb.conf you have "log level = 3", so this is only level 3. We need level 10.
Created attachment 12762
Actual level 10 debug log
Ah yes, I see. Unfortunate mistake.
This time there is indeed a lot more output.
I found out that it works when I hardcode my domain name in samba-4.5.2/source3/winbindd/idmap_rid.c on line 83. The value of dom->name is '*' if not hardcoded. For 4.4.x branch it seems to use the actual domain name at that point instead of '*'.
Hmm. "idmap config * : backend = rid": I don't think "rid" was ever meant to be used as a default backend. Can you try to change that to "idmap config GIELENS : backend = rid" and retry?
Yes it seems to work if the following idmap configuration is used, where <DOMAIN_NAME> is the actual domain name:
idmap config <DOMAIN_NAME> : backend = rid
idmap config <DOMAIN_NAME> : range = 10000-1999999
idmap config * : range = 10000-1999999
Both the range for * and the range for the domain name are required, otherwise it complains:
[2016/12/14 12:58:29.608500, 10, pid=7577, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_xids2sids.c:60(wb_xids2sids_add_dom)
wb_xids2sids_add_dom: No range for domain * found
[2016/12/14 13:15:00.228943, 10, pid=8094, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_xids2sids.c:60(wb_xids2sids_add_dom)
wb_xids2sids_add_dom: No range for domain gielens found
Is the above configuration to be expected?
This at least leaves us with a working environment. Can other subscribers to this bug please try this solution?
Thanks, this solution resolves the problem with my Fedora 25.
(In reply to Johan from comment #12)
With <DOMAIN_NAME> you mean "workgroup" from smb.conf? Or "realm" from smb.conf?
(In reply to heapifyman from comment #14)
> (In reply to Johan from comment #12)
> With <DOMAIN_NAME> you mean "workgroup" from smb.conf? Or "realm" from
"workgroup" from smb.conf
(In reply to Johan from comment #12)
Thanks. This change in smb.conf seems to be working on my Antergos system, as well.
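A check for the two smb.conf problems identified in this thread (rid set as the backend for "*", and a missing "range" for "*" or for a named domain), written as an added example; it is not Samba code and not from any commenter. The function names and the EXAMPLE domain are assumptions made for illustration.

```python
import re

# Matches "idmap config <DOMAIN> : <option> = <value>", tolerant of case and spacing
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap(conf_text):
    """Return a list of findings for the two problems reported in this bug."""
    findings = []
    domains = parse_idmap(conf_text)
    if domains.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("'*' uses backend rid; configure rid on the named domain instead")
    # winbindd logs "No range for domain X found" when a range is missing,
    # and the thread found that '*' needs one as well as the named domain.
    for dom in sorted(set(domains) | {"*"}):
        if "range" not in domains.get(dom, {}):
            findings.append(f"no range for domain {dom}")
    return findings

# Constructed samples: BROKEN carries the default-backend line questioned in
# the thread; FIXED follows the working layout, with EXAMPLE as a placeholder.
BROKEN = """
[global]
   workgroup = EXAMPLE
   idmap config * : backend = rid
   idmap config * : range = 10000-1999999
"""
FIXED = """
[global]
   workgroup = EXAMPLE
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-1999999
   idmap config * : range = 10000-1999999
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_idmap(text) or "ok")
```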