Bug 13322 - wbinfo -i fails but wbinfo -S and wbinfo -n are ok
Status: RESOLVED WORKSFORME
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.7.5
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba QA Contact
Reported: 2018-03-07 13:25 UTC by Francesco
Modified: 2018-04-03 08:33 UTC
Description Francesco 2018-03-07 13:25:01 UTC
Name resolution on domain member samba-4.7.5 on Debian GNU/Linux 9 (stretch) fails with:

francesco@pod:~$ wbinfo -i malvezzi
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user malvezzi

but:
francesco@pod:~$ wbinfo -n malvezzi
S-1-5-21-1685816022-1009459589-2082273856-8044 SID_USER (1)
francesco@pod:~$ wbinfo -S S-1-5-21-1685816022-1009459589-2082273856-8044
41312

41312 is the correct user's uidnumber.

ldapsearch -N -Y GSSAPI -b dc=ad,dc=example,dc=org -H ldap://ateneo.ad.unimore.it 'cn=malvezzi' uidnumber givenName sn unixHomeDirectory loginShell
SASL/GSSAPI authentication started
SASL username: francesco@AD.EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=example,dc=org> with scope subtree
# filter: cn=malvezzi
# requesting: uidnumber givenName sn unixHomeDirectory loginShell
#

# malvezzi, people, ad.unimore.it
dn: CN=malvezzi,OU=people,DC=ad,DC=example,DC=org
sn: MALVEZZI
givenName: Francesco
uidNumber: 41312
unixHomeDirectory: /home/malvezzi
loginShell: /bin/bash

smb.conf is:
[global]
   security = ADS
   workgroup = examplead
   realm = AD.EXAMPLE.ORG
   preferred master = no
   domain master = no
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   idmap config * : range = 3000-4999
   idmap config examplead:backend = ad
   idmap config examplead:schema_mode = rfc2307
   idmap config examplead:range = 5000-999999
   idmap config examplead:unix_nss_info = yes
   # this is the default
   idmap config examplead:unix_primary_group = no
   username map = /etc/samba/user.map
   winbind refresh tickets = yes
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind enum users  = no
   winbind enum groups = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   log level = 10
   panic action = /usr/share/samba/panic-action %d
   server role = member server
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
[share]
     comment = Share
     path = /srv/share
     browseable = no
     read only = no

The ADDC is samba-4.8.0rc4 where I have the expected behaviour:

francesco@ateneo:~$ wbinfo -i malvezzi
ATENEOAD\malvezzi:*:41312:100::/home/malvezzi:/bin/bash
francesco@ateneo:~$ wbinfo -n malvezzi
S-1-5-21-1685816022-1009459589-2082273856-8044 SID_USER (1)
francesco@ateneo:~$ wbinfo -S S-1-5-21-1685816022-1009459589-2082273856-8044
41312
Comment 1 Björn Jacke 2018-03-09 22:12:51 UTC
This is not a bug, but you ran into the pitfall of not-so-good idmap default values for root and users; see bug #9837.
Comment 2 Francesco 2018-04-03 08:33:19 UTC
Just as a confirmation.

The working setup [1] is:

# Default idmap config for local BUILTIN accounts and groups
##   idmap config * : backend = tdb
   idmap config * : range = 1000000-3000000

# idmap config for the EXAMPLEAD domain
   idmap config examplead:backend = nss
   idmap config examplead:range = 1-999999

and (critical): add gidNumber to 'Domain users'.

regards,

Francesco

[1] if you prefer to set up nsswitch with sssd, which is just one of the choices.
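Added example (not from the bug report and not Samba code): a small Python checker for the two things this thread turns on, the idmap ranges in smb.conf and the rfc2307 attributes an `idmap config ... : backend = ad` domain needs on the user and on the user's primary group. It parses the `idmap config` lines, reports a missing default range or overlapping ranges, and, for an `ad` backend, checks that uidNumber and the primary group's gidNumber exist and lie inside the domain's range. The smb.conf fragments are constructed from the original and the working configuration above; the LDIF entries are constructed, with uidNumber 41312 and gid 100 taken from the wbinfo output in the description. Against the original configuration it reports the missing gidNumber on "Domain Users", and once gidNumber 100 is present it reports that 100 lies outside the 5000-999999 range; against the working configuration (backend nss) the attribute checks do not apply.

```python
"""Sanity checks for a winbind idmap setup (added example, not Samba code)."""
import re

# Constructed smb.conf fragments: the reporter's original idmap block and the
# working one from the follow-up comment.
ORIGINAL_CONF = """
[global]
   idmap config * : range = 3000-4999
   idmap config examplead:backend = ad
   idmap config examplead:schema_mode = rfc2307
   idmap config examplead:range = 5000-999999
"""
WORKING_CONF = """
[global]
   idmap config * : range = 1000000-3000000
   idmap config examplead:backend = nss
   idmap config examplead:range = 1-999999
"""

# Constructed LDIF: the user as ldapsearch returned it, plus the primary group
# once without and once with gidNumber (the attribute the follow-up calls critical).
USER_LDIF = """
dn: CN=malvezzi,OU=people,DC=ad,DC=example,DC=org
sAMAccountName: malvezzi
uidNumber: 41312
unixHomeDirectory: /home/malvezzi
loginShell: /bin/bash
"""
GROUP_LDIF_BROKEN = """
dn: CN=Domain Users,CN=Users,DC=ad,DC=example,DC=org
sAMAccountName: Domain Users
"""
GROUP_LDIF_FIXED = GROUP_LDIF_BROKEN + "gidNumber: 100\n"

# Matches "idmap config <domain> : <key> = <value>", with or without spaces
# around the colon; the domain may be "*".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)


def parse_idmap(conf):
    """Return {domain: {key: value}} for every idmap config line (names lower-cased)."""
    out = {}
    for m in IDMAP_RE.finditer(conf):
        out.setdefault(m["dom"].lower(), {})[m["key"].lower()] = m["val"]
    return out


def parse_range(text):
    """Turn 'LOW-HIGH' into an (int, int) pair, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text}")
    return lo, hi


def check_ranges(conf):
    """Findings about the ranges themselves: missing default range, missing
    per-domain range, and any pair of ranges that overlap."""
    cfg = parse_idmap(conf)
    findings, ranges = [], {}
    for dom, keys in cfg.items():
        if "range" not in keys:
            findings.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(keys["range"])
    if "*" not in ranges:
        findings.append("*: no default range configured")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return findings


def parse_ldif_entry(text):
    """Minimal LDIF reader: {attribute (lower-cased): [values]} for one entry."""
    entry = {}
    for line in text.strip().splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        k, v = line.split(":", 1)
        entry.setdefault(k.strip().lower(), []).append(v.strip())
    return entry


def check_rfc2307(conf, domain, user_ldif, group_ldif):
    """For an 'ad' backend, uidNumber on the user and gidNumber on the primary
    group must exist and fall inside the domain's idmap range. Other backends
    (tdb, nss) do not read these attributes from the directory, so no findings."""
    dom = parse_idmap(conf).get(domain.lower(), {})
    if dom.get("backend", "").lower() != "ad":
        return []
    lo, hi = parse_range(dom["range"]) if "range" in dom else (None, None)
    findings = []
    for entry, attr in ((parse_ldif_entry(user_ldif), "uidnumber"),
                        (parse_ldif_entry(group_ldif), "gidnumber")):
        name = entry.get("samaccountname", ["?"])[0]
        if attr not in entry:
            findings.append(f"{name}: missing {attr}")
        elif lo is not None and not lo <= int(entry[attr][0]) <= hi:
            findings.append(f"{name}: {attr} {entry[attr][0]} outside {domain} range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("working", WORKING_CONF)):
        print(label, "ranges:", check_ranges(conf) or "ok")
        for glabel, group in (("no gidNumber", GROUP_LDIF_BROKEN), ("gidNumber 100", GROUP_LDIF_FIXED)):
            print(label, glabel + ":", check_rfc2307(conf, "examplead", USER_LDIF, group) or "ok")
```

The range test treats ranges as closed intervals, so 3000-4999 and 5000-999999 are adjacent but not overlapping. The attribute test is skipped for non-`ad` backends because they obtain ids elsewhere (the nss backend from nsswitch, as in the sssd setup the follow-up comment describes).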