Bug 12284 - winbind and active directory id mapping broken
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Hardware: x64 Linux
Importance: P5 critical
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2016-09-21 14:23 UTC by heapifyman
Modified: 2017-01-04 09:24 UTC (History)
CC List: 8 users

Attachment: Debug level 10 logs and config file (8.45 KB, application/gzip), 2016-12-12 00:52 UTC, Johan
Attachment: Actual level 10 debug log (143.94 KB, application/x-gzip), 2016-12-12 10:45 UTC, Johan

Description heapifyman 2016-09-21 14:23:53 UTC
After upgrading from version 4.4.5 to version 4.5.0 Active Directory integration is broken.

Downgrading to version 4.4.4 as suggested in https://bugs.archlinux.org/task/50787 does remedy the situation.

I cannot log in via graphical login any more, and when logging in via the terminal, the prompt shows "[I have no name!@my-box]".

"id $username" does show all correct ids for all groups but cannot map ids to user and group names.
Also "ls -al" in my home dir only shows ids instead of user and group names as owner information.

As far as I can tell, the config files (krb5.conf, smb.conf, etc.) haven't changed and neither have the Active Directory settings.

In "/var/log/samba/log.winbindd-idmap" I see messages like this:
[2016/09/15 16:07:24.411226, 3] ../source3/winbindd/idmap_rid.c:146(idmap_rid_unixids_to_sids)
Unexpected error resolving an ID (16208)

Running "wbinfo -g" or "wbinfo -u" works as expected and shows all the correct group and user names.
So do "getent group" and "getent passwd".

Additional info:
* libwbclient 4.5.0-2
* I followed the Active Directory Integration manual from the Arch Linux wiki: https://wiki.archlinux.org/index.php/Active_Directory_Integration

Steps to reproduce:
1. Follow: https://wiki.archlinux.org/index.php/Active_Directory_Integration
2. Install latest updates up to 14th September, 2016
3. Try to login as Domain user

See also: https://bugs.archlinux.org/task/50787
Comment 1 heapifyman 2016-10-06 16:18:38 UTC
Correction: I downgraded to version 4.4.5 not 4.4.4 as the original description says.
Comment 2 Stefan Metzmacher 2016-10-06 16:26:51 UTC
(In reply to heapifyman from comment #1)

Would it be possible that you also check if the problem exists in
4.4.6, then the problem might be the patches from
Comment 3 heapifyman 2016-10-11 10:58:10 UTC
(In reply to Stefan Metzmacher from comment #2)

Hi, I tried version 4.4.6 and did not experience any issues. Works as good as 4.4.5.

Seems like the problem was introduced from 4.4.6 to 4.5.0 then.

see https://bugs.archlinux.org/task/50787#comment151609 for what I did.
Comment 4 heapifyman 2016-11-08 09:17:47 UTC
The problem still exists in version 4.5.1.

Any news when this will be solved?
Comment 5 Johan 2016-12-09 15:36:41 UTC
I can confirm the issue exists today in version 4.5.2 (with Archlinux). A downgrade to version 4.4.5 also resolves the issue for me.

The reporter's symptoms are equal to mine.

I'd like to add that when running 'id <user>' with version 4.5.2 it does not show the AD user, with the old version it does.

Let me know if I can help.
Comment 6 Volker Lendecke 2016-12-11 18:43:01 UTC
Can you upload your smb.conf and a debug level 10 log of winbind of this failure? Please upload all log.w* files, in particular log.winbindd-idmap
Comment 7 Johan 2016-12-12 00:52:50 UTC
Created attachment 12760
Debug level 10 logs and config file

Here you go :)

My plan of action was:
1. Moved /var/log/samba to samba-old
2. Upgrade samba to 4.5.2-1 (including the rest of the system)
3. Reboot (for new kernel)
4. Login with local user
5. Execute "getent passwd", result is correct, including domain users
6. Execute "id johan", result is: "id: 'johan': no such user"
7. Compressed /var/log/samba/* and smb.conf
Comment 8 Volker Lendecke 2016-12-12 04:57:55 UTC
(In reply to Johan from comment #7)
> Created attachment 12760
> Debug level 10 logs and config file
Unfortunately further down in your smb.conf you have "log level = 3", so this is only level 3. We need level 10.
Comment 9 Johan 2016-12-12 10:45:45 UTC
Created attachment 12762
Actual level 10 debug log

Ah yes, I see. Unfortunate mistake.
This time there is indeed a lot more output.
Comment 10 Johan 2016-12-13 09:50:33 UTC
I found out that it works when I hardcode my domain name in samba-4.5.2/source3/winbindd/idmap_rid.c on line 83. The value of dom->name is '*' if not hardcoded. For 4.4.x branch it seems to use the actual domain name at that point instead of '*'.
Comment 11 Volker Lendecke 2016-12-14 11:05:37 UTC
Hmm. "idmap config * : backend = rid": I don't think "rid" was ever meant to be used as a default backend. Can you try to change that to "idmap config GIELENS : backend = rid" and retry?
Comment 12 Johan 2016-12-14 12:23:46 UTC
Yes it seems to work if the following idmap configuration is used, where <DOMAIN_NAME> is the actual domain name:

  idmap config <DOMAIN_NAME> : backend = rid
  idmap config <DOMAIN_NAME> : range = 10000-1999999
  idmap config * : range = 10000-1999999

Both the range for * and the range for the domain name are required; otherwise it complains:

[2016/12/14 12:58:29.608500, 10, pid=7577, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_xids2sids.c:60(wb_xids2sids_add_dom)
  wb_xids2sids_add_dom: No range for domain * found

[2016/12/14 13:15:00.228943, 10, pid=8094, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_xids2sids.c:60(wb_xids2sids_add_dom)
  wb_xids2sids_add_dom: No range for domain gielens found

Is the above configuration to be expected?

This at least leaves us with a working environment. Can other subscribers to this bug please try this solution?
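The shape of smb.conf that the thread converges on (rid backend configured under the workgroup name, plus a range for both the workgroup and the default domain "*") can be checked before restarting winbind. The following is an added example, not Samba's code and not posted by anyone in this thread: a small Python validator for the "idmap config" lines of smb.conf that flags the three conditions discussed above, plus a scanner for the "No range for domain ... found" message from the level-10 log. The sample configurations, the workgroup name EXAMPLEDOM and all function names are constructed for this example.

```python
import re
from typing import Dict, List

# One "idmap config <DOMAIN> : <key> = <value>" line of smb.conf
# (case-insensitive, whitespace around ":" and "=" optional).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
# A range value such as "10000-1999999" or "10000 - 1999999".
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")
# The "workgroup = NAME" setting in [global].
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
# The winbind message quoted in comment 12 (emitted by wb_xids2sids_add_dom).
NO_RANGE_RE = re.compile(r"wb_xids2sids_add_dom: No range for domain (\S+) found")


def parse_idmap_config(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap settings per domain. Domain names are upper-cased so that
    "gielens" and "GIELENS" land under the same key, matching winbind's
    case-insensitive treatment seen in the log lines above."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # skip blanks and comments
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()
            cfg.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return cfg


def workgroup_of(smb_conf: str) -> str:
    """The workgroup name, which comment 15 confirms is the <DOMAIN_NAME> to use."""
    m = WORKGROUP_RE.search(smb_conf)
    if not m:
        raise ValueError("smb.conf has no workgroup setting")
    return m.group(1)


def range_is_valid(value: str) -> bool:
    """True for "LOW-HIGH" with LOW < HIGH."""
    m = RANGE_RE.fullmatch(value.strip())
    return bool(m) and int(m.group(1)) < int(m.group(2))


def check_idmap_config(smb_conf: str) -> List[str]:
    """Return findings; an empty list means the config has the layout that
    worked for the posters in this thread."""
    cfg = parse_idmap_config(smb_conf)
    workgroup = workgroup_of(smb_conf)
    default = cfg.get("*", {})
    domain = cfg.get(workgroup.upper(), {})
    findings: List[str] = []

    # Comment 11: rid was never meant to be the default ("*") backend.
    if default.get("backend", "").lower() == "rid":
        findings.append("backend = rid is set for the default domain '*'; "
                        "set it under the workgroup name instead")
    # Comment 12: the backend must be configured under the workgroup name.
    if "backend" not in domain:
        findings.append(f"no idmap backend configured for domain {workgroup}")
    # Comment 12: both "*" and the workgroup need a (well-formed) range.
    for name, settings in (("*", default), (workgroup, domain)):
        rng = settings.get("range")
        if rng is None:
            findings.append(f"No range for domain {name} found")
        elif not range_is_valid(rng):
            findings.append(f"malformed range '{rng}' for domain {name}")
    return findings


def missing_ranges_in_log(log_text: str) -> List[str]:
    """Domains that a level-10 winbind log reports as having no range."""
    return NO_RANGE_RE.findall(log_text)


# Constructed sample: the layout that worked on 4.4.x but not on 4.5.x.
BROKEN_CONF = """\
[global]
   workgroup = EXAMPLEDOM
   idmap config * : backend = rid
   idmap config * : range = 10000-1999999
"""

# Constructed sample with the layout from comment 12.
FIXED_CONF = """\
[global]
   workgroup = EXAMPLEDOM
   idmap config EXAMPLEDOM : backend = rid
   idmap config EXAMPLEDOM : range = 10000-1999999
   idmap config * : range = 10000-1999999
"""

# Constructed log excerpt in the format quoted in comment 12.
SAMPLE_LOG = """\
[2016/12/14 12:58:29.608500, 10, pid=7577, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_xids2sids.c:60(wb_xids2sids_add_dom)
  wb_xids2sids_add_dom: No range for domain * found
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_idmap_config(conf) or ["ok"])
    print("log reports missing ranges for:", missing_ranges_in_log(SAMPLE_LOG))
```

Run against the real file with check_idmap_config(open("/etc/samba/smb.conf").read()); a non-empty list points at the same conditions the log messages above describe, and missing_ranges_in_log over log.winbindd names the domain that winbind could not map.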
Comment 13 Manuel Pelayo 2016-12-14 18:29:34 UTC
Thanks, this solution resolves the problem with my Fedora 25.
Comment 14 heapifyman 2016-12-15 17:04:31 UTC
(In reply to Johan from comment #12)
With <DOMAIN_NAME> you mean "workgroup" from smb.conf? Or "realm" from smb.conf?
Comment 15 Volker Lendecke 2016-12-15 20:34:18 UTC
(In reply to heapifyman from comment #14)
> (In reply to Johan from comment #12)
> With <DOMAIN_NAME> you mean "workgroup" from smb.conf? Or "realm" from
> smb.conf?

"workgroup" from smb.conf
Comment 16 heapifyman 2017-01-04 09:24:27 UTC
(In reply to Johan from comment #12)
Thanks. This change in smb.conf seems to be working on my Antergos system, as well.