Bug 12295 - id mapping lookup through idmap_ad broken for clustered setups
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.5.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2016-09-27 19:02 UTC by Christof Schmitt
Modified: 2016-10-25 07:44 UTC

Attachments
Patches for 4.5 (3.19 KB, patch)
2016-09-30 16:39 UTC, Christof Schmitt
jra: review+
vl: review+

Description Christof Schmitt 2016-09-27 19:02:52 UTC
Configuring winbindd to retrieve id mappings through idmap_ad does not
work in a clustered setup. log.winbindd-idmap shows:

[2016/09/27 20:55:51.624381,  2, pid=31988, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
[2016/09/27 20:55:51.624440,  3, pid=31988, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:430(db_open_tdb)
  Could not open tdb: No such file or directory
[2016/09/27 20:55:51.624474,  1, pid=31988, effective(0, 0), real(0, 0)] ../auth/credentials/credentials_secrets.c:399(cli_credentials_set_machine_account_db_ctx)
  Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: error and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2016/09/27 20:55:51.624507, 10, pid=31988, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/idmap_ad.c:314(idmap_ad_get_tldap_ctx)
  idmap_ad_get_tldap_ctx: cli_credentials_set_machine_account failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

The problem here is that idmap_ad only looks in a local tdb file for the
credential information, not a clustered tdb. A secondary problem is that
this error is incorrectly handled in the main thread.

Patches to follow.
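
A log triage sketch for the failure signature quoted in the description above, added here as an example and not part of the bug report or Samba's code. It groups each Samba debug header with its message lines and flags an idmap_ad credential failure that follows a failed open of the local secrets.tdb in the same pid; the function names and the third sample record are assumptions of this example.

```python
import re

# Samba debug header: "[timestamp, level, pid=N, ...] source_file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)[^\]]*\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.startswith("  "):
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def find_machine_account_failures(records):
    """Return (pid, timestamp) of each idmap_ad credential failure that follows,
    in the same process, a failed open of the local secrets.tdb."""
    tdb_failed, hits = set(), []
    for r in records:
        msg = r["msg"]
        if (r["func"] == "tdb_wrap_log" and "secrets.tdb" in msg
                and "could not open file" in msg):
            tdb_failed.add(r["pid"])
        elif (r["func"] == "idmap_ad_get_tldap_ctx" and r["pid"] in tdb_failed
                and "NT_STATUS_CANT_ACCESS_DOMAIN_INFO" in msg):
            hits.append((r["pid"], r["ts"]))
    return hits

# Constructed sample: two records copied from the report, then one constructed
# record from a different pid that must NOT be flagged (no secrets.tdb failure).
SAMPLE = """\
[2016/09/27 20:55:51.624381,  2, pid=31988, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
[2016/09/27 20:55:51.624507, 10, pid=31988, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/idmap_ad.c:314(idmap_ad_get_tldap_ctx)
  idmap_ad_get_tldap_ctx: cli_credentials_set_machine_account failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2016/09/27 20:56:02.000000, 10, pid=32001, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/idmap_ad.c:314(idmap_ad_get_tldap_ctx)
  idmap_ad_get_tldap_ctx: cli_credentials_set_machine_account failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
"""

if __name__ == "__main__":
    for pid, ts in find_machine_account_failures(parse_records(SAMPLE)):
        print(f"{ts} pid={pid}: idmap_ad could not load machine account from local secrets.tdb")
```
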
Comment 1 Christof Schmitt 2016-09-30 16:39:07 UTC
Created attachment 12523
Patches for 4.5
Comment 2 Jeremy Allison 2016-10-03 18:48:36 UTC
Reassigning to Karolin for inclusion in 4.5.next.
Comment 3 Karolin Seeger 2016-10-19 07:53:06 UTC
(In reply to Jeremy Allison from comment #2)
Pushed to autobuild-v4-5-test.
Comment 4 Karolin Seeger 2016-10-25 07:44:35 UTC
(In reply to Karolin Seeger from comment #3)
Pushed to v4-5-test.
Closing out bug report.

Thanks!