Bug 14967 - Samba autorid fails to map AD users if id rangesize fits in the id range only once
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.15.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2022-02-01 08:12 UTC by Andreas Schneider
Modified: 2022-03-15 13:22 UTC

Attachments
patch for 4.16 (7.07 KB, patch)
2022-02-17 11:19 UTC, Andreas Schneider
gd: review+
patch for 4.15 (7.07 KB, patch)
2022-02-17 11:22 UTC, Andreas Schneider
gd: review+

Description Andreas Schneider 2022-02-01 08:12:43 UTC
If you set up a config like this:

[root@client78 ~]# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        debug pid = Yes
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 250000
        realm = WIN23.LOCAL
        security = ADS
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = WIN23
        idmap config * :        rangesize = 100000
        idmap config * :        range = 100000-200000
        idmap config * : backend = autorid

Samba will fail to get ID for domain user:

[root@client78 ~]# wbinfo -u | grep winuser
WIN23\winuser
[root@client78 ~]# wbinfo -i WIN23\\winuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user WIN23\winuser

The reason is that the autorid range is too small. We need twice the amount. Also the manpage is wrong.
Comment 1 Andreas Schneider 2022-02-01 08:15:57 UTC
/var/log/samba/log.winbindd-idmap:  High uid-low uid difference of 100001 is not a multiple of the rangesize 100000, limiting ranges to lower boundary number of 1

The range needs to be twice as big as the rangesize. We need to map BUILTIN too!
Comment 2 Andreas Schneider 2022-02-01 08:16:18 UTC
Patch will follow ...
Comment 3 Andreas Schneider 2022-02-15 11:26:31 UTC
    $ ./bin/testparm -s | grep "idmap config"
            idmap config * : rangesize = 10000
            idmap config * : range = 10000-19999
            idmap config * : backend = autorid
    
    $ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
    S-1-5-32-544 SID_ALIAS (4)
    
    $ ./bin/wbinfo --sid-to-gid S-1-5-32-544
    10000
    
    $ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
    S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
    
    $ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
    failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
    
    If only one range is configured we are either not able to map users/groups
    from our primary *and* the BUILTIN domain. We need at least two ranges to also
    cover the BUILTIN domain!
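
A configuration check for the condition described in this report, as an added example that is not part of the bug report or of Samba's code: it reads `testparm -s` output, counts how many rangesize-sized slots fit in the autorid range, and flags fewer than two. The sample input is constructed from the config in the description; the function names are hypothetical and the default rangesize of 100000 is the one documented in idmap_autorid(8).

```python
import re

# Constructed sample: the idmap lines from the testparm output in the description.
SAMPLE_TESTPARM = """\
[global]
        security = ADS
        workgroup = WIN23
        idmap config * :        rangesize = 100000
        idmap config * :        range = 100000-200000
        idmap config * : backend = autorid
"""

_IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
DEFAULT_RANGESIZE = 100000  # autorid default per idmap_autorid(8)


def autorid_slots(testparm_text):
    """Return {domain: (slots, leftover_ids)} for every autorid idmap config."""
    cfg = {}
    for line in testparm_text.splitlines():
        m = _IDMAP.match(line)
        if m:
            domain, key, value = m.groups()
            cfg.setdefault(domain, {})[key.lower()] = value
    result = {}
    for domain, opts in cfg.items():
        if opts.get("backend") != "autorid" or "range" not in opts:
            continue
        low, high = (int(x) for x in opts["range"].split("-"))
        rangesize = int(opts.get("rangesize", DEFAULT_RANGESIZE))
        span = high - low + 1  # the "difference" winbindd logs (100001 in comment 1)
        result[domain] = divmod(span, rangesize)
    return result


def check(testparm_text):
    """List findings: one slot cannot hold both BUILTIN and the primary domain."""
    findings = []
    for domain, (slots, leftover) in autorid_slots(testparm_text).items():
        if slots < 2:
            findings.append(f"idmap config {domain}: only {slots} range(s); need at least 2")
        if leftover:
            findings.append(f"idmap config {domain}: {leftover} id(s) unused at top of range")
    return findings


if __name__ == "__main__":
    print("\n".join(check(SAMPLE_TESTPARM)) or "autorid range OK")
```

On a domain member it can be fed the real output, for example by passing the text captured from `testparm -s` to `check()`.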
Comment 4 Samba QA Contact 2022-02-16 17:05:03 UTC
This bug was referenced in samba master:

fe84ae5547313e482ea0eba8ddca5b38a033dc8f
db6d4da3411a910e7ce45fe1fecfabf2864eb9f4
7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de
Comment 5 Andreas Schneider 2022-02-17 11:19:41 UTC
Created attachment 17167
patch for 4.16
Comment 6 Andreas Schneider 2022-02-17 11:22:11 UTC
Created attachment 17168
patch for 4.15
Comment 7 Guenther Deschner 2022-02-17 12:49:28 UTC
Comment on attachment 17167
patch for 4.16

LGTM, RB+
Comment 8 Guenther Deschner 2022-02-17 12:49:49 UTC
Comment on attachment 17168
patch for 4.15

LGTM, RB+
Comment 9 Guenther Deschner 2022-02-17 12:50:34 UTC
Jule, please add to v4.15 and v4.16, thanks!
Comment 10 Jule Anger 2022-02-18 08:04:46 UTC
Pushed to autobuild-v4-{16,15}-test.
Comment 11 Samba QA Contact 2022-02-18 09:07:04 UTC
This bug was referenced in samba v4-15-test:

25778ada3ad60391f72206ff5dc43fc82f814547
8d35177370c869cf5f6bc7a750fa430a7378b1e9
49779a9f86fa933397fb1fb5dd5f02b65631ca81
Comment 12 Samba QA Contact 2022-02-18 09:08:03 UTC
This bug was referenced in samba v4-16-test:

0d27228e75c6cb30394306dff1d5764e8183ae4c
be4e42f01fb958a0b7dbcd2d4ebc89991773ce49
48929ba6634c93174f9f863d9e9f59d2add4d720
Comment 13 Jule Anger 2022-02-18 09:34:15 UTC
Closing out bug report.

Thanks!
Comment 14 Samba QA Contact 2022-03-01 08:55:54 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.0rc4):

0d27228e75c6cb30394306dff1d5764e8183ae4c
be4e42f01fb958a0b7dbcd2d4ebc89991773ce49
48929ba6634c93174f9f863d9e9f59d2add4d720
Comment 15 Samba QA Contact 2022-03-15 13:22:14 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.6):

25778ada3ad60391f72206ff5dc43fc82f814547
8d35177370c869cf5f6bc7a750fa430a7378b1e9
49779a9f86fa933397fb1fb5dd5f02b65631ca81