Bug 3661 - idmap_ad doesn't find users in trusted domains
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.21c
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: 3.0.26
Assigned To: Michael Adam
QA Contact: Samba QA Contact
Duplicates: 4069 5363 5772
Reported: 2006-04-05 09:49 UTC by Bob Gautier (550 Unknown Recipient)
Modified: 2014-07-23 12:24 UTC (History)

Attachments
- Enable idmap_ad to manage connections to multiple domains (10.64 KB, patch), 2006-04-05 09:57 UTC, Bob Gautier (550 Unknown Recipient)
- Updated version of patch for 3.0.23rc2 and 3.0.23 final (9.10 KB, patch), 2006-07-28 03:41 UTC, Bob Gautier (550 Unknown Recipient)
- Updated patch for 3.0.23b (8.91 KB, patch), 2006-08-10 04:29 UTC, Bob Gautier (550 Unknown Recipient)
- multiple connection patch for samba 3.0.32 (8.58 KB, patch), 2008-09-05 08:20 UTC, Christina Jagodics (550 #5.1.0 Address rejected)
- multiple connection patch for samba 3.2.2 (8.18 KB, patch), 2008-09-05 08:26 UTC, Christina Jagodics (550 #5.1.0 Address rejected)
- New AdEx idmap/nss_info plugin for the trunk (102.01 KB, patch), 2008-09-19 12:39 UTC, Gerald (Jerry) Carter
- log files (145.04 KB, application/x-gzip), 2008-09-23 13:42 UTC, mchugh19@yahoo.com
- smb.conf used (986 bytes, application/octet-stream), 2008-09-23 13:51 UTC, mchugh19@yahoo.com
- logs again (258.12 KB, application/gzip), 2008-09-24 21:57 UTC, mchugh19@yahoo.com
- logs (188.40 KB, application/x-gzip), 2008-09-25 11:48 UTC, mchugh19@yahoo.com

Description Bob Gautier (550 Unknown Recipient) 2006-04-05 09:49:58 UTC
Working with winbindd 3.0.21 onwards, with idmap_ad in an AD setup with multiple domains, I noticed that 'wbinfo -u' would list users from all trusted domains whereas 'getent passwd' would only list users from the domain my machine had actually joined, although there were users in those other domains which (IMHO) were eligible to be listed.  I was able to get those users listed by moving my machine to each domain in turn.  Indeed, if I don't delete the winbindd cache as I move from domain to domain, the users from other domains start to appear in the getent listing.

On looking at the code path in idmap_ad.c and winbind_ads.c I notice that the latter (the wbinfo -u path) iterates over all domains, whereas the idmap_ad.c code does not.

I'm going to attach a patch which appears to fix my problem by making idmap_ad iterate over all domains.  But I wonder if I'm missing some detail of winbindd configuration?
Comment 1 Bob Gautier (550 Unknown Recipient) 2006-04-05 09:57:18 UTC
Created attachment 1846 [details]
Enable idmap_ad to manage connections to multiple domains

I offer this as a 'proof of concept' fix for the problem I'm seeing.  It makes idmap_ad iterate over all domains that it knows about when looking up users.

This patch was produced from a version of idmap_ad patched with my RFC2307 patch (see BZ#3345).  I'll be happy to try to decouple the two patches if anyone wants that.
Comment 2 Guenther Deschner 2006-05-30 10:56:42 UTC
Bob, can you send us a new version of your patch?
Comment 3 Mark Pröhl 2006-07-27 14:42:13 UTC
I have the same problem. Here are some lines of the winbind log:

Connected to LDAP server 192.168.100.1
time offset is 46 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name =dc1$@EXAMPLE.COM
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
kerberos_kinit_password: using MEMORY:winbind_ccache as ccache
ads_krb5_mk_req: Advancing clock by 46 seconds to cope with clock skew
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 28 Jul 2006 07:32:46 CEST
ads_krb5_mk_req: Ticket (dc1$@EXAMPLE.COM) in ccache (MEMORY:winbind_ccache) is valid until: (Fri, 28 Jul 2006 07:32:46 CEST - 1154064766)
Got KRB5 session key of length 16
ads_check_posix_schema_mapping
Search for (|(attributeId=1.2.840.113556.1.6.18.1.310)(attributeId=1.2.840.113556.1.6.18.1.311)(attributeId=1.2.840.113556.1.6.18.1.344)(attributeId=1.2.840.113556.1.6.18.1.312)(attributeId=1.2.840.113556.1.6.18.1.337)) gave 0 replies
ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
ads_check_posix_schema_mapping failed: NT_STATUS_NONE_MAPPED
Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\C7\F6\D3\1A\D1\B0\A2\BA\A4\00\FD\56\00\02\00\00) gave 0 replies
...

192.168.100.1 is the DC of winbind's own domain. As far as I understand that log, winbind is doing something like the following:

# ldapsearch -xLLLD cn=Administrator,cn=Users,dc=example,dc=com -w secret -H ldap://192.168.100.1 -b dc=example,dc=com '(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\C7\F6\D3\1A\D1\B0\A2\BA\A4\00\FD\56\00\02\00\00)'
# refldap://child.example.com/DC=child,DC=example,DC=com

# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# refldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# refldap://example.com/CN=Configuration,DC=example,DC=com


I suspect that the problem is winbind not following the referral.

Comment 4 Bob Gautier (550 Unknown Recipient) 2006-07-28 03:41:38 UTC
Created attachment 2073 [details]
Updated version of patch for 3.0.23rc2 and 3.0.23 final

I just noticed Guenther's request for an updated patch and can find no evidence that I sent it.  So here it is (again).
Comment 5 Mark Pröhl 2006-07-28 08:32:22 UTC
Hi,

I recompiled samba-3.0.23a with the patch (from attachment id=2073) on a SLES9 system. It works!

Thanks,

- Mark
Comment 6 mchugh19@yahoo.com 2006-08-05 19:54:37 UTC
Patch also works on solaris. Thank you very much!
Comment 7 Bob Gautier (550 Unknown Recipient) 2006-08-10 04:29:25 UTC
Created attachment 2089 [details]
Updated patch for 3.0.23b
Comment 8 Bob Gautier (550 Unknown Recipient) 2006-10-12 02:50:39 UTC
Any chance of this getting into 3.0.23d?
Comment 9 Gerald (Jerry) Carter 2007-04-10 15:50:08 UTC
Guenther, is there a reason why this patch was never applied?
Comment 10 Gerald (Jerry) Carter 2007-04-17 16:29:55 UTC
Moving to target 3.0.26.  Too late for 3.0.25 right now.
Comment 11 Guenther Deschner 2007-05-24 16:29:12 UTC
(In reply to comment #9)
> Guenther, is there a reason why this patch was never applied?

I was waiting for the idmap rewrite to finish at that time, will take a look again now.
Comment 12 Mark Pröhl 2007-08-06 02:48:59 UTC
(In reply to comment #10)
> Moving to target 3.0.26.  Too late for 3.0.25 right now.
> 

will this be fixed in 3.2.0?
Comment 13 Matt McCormick 2008-04-01 00:29:13 UTC
I have the same problem.  Is there any status on when this patch will be included
Comment 14 mchugh19@yahoo.com 2008-08-14 13:00:52 UTC
Is this still being worked on for the 3.2 release?
Comment 15 Thorsten Hopf 2008-08-15 09:28:21 UTC
Hi,

we have the same problem here on 3.2.0.
All works perfectly. Only the id-mapping isn't working with trusted domains.

Comment 16 Jeremy Allison 2008-08-15 16:31:40 UTC
Ok, talked to Jerry and he is planning to add a connection manager into idmap_ad. This will not make the 3.2.2 release due Mon. 18th, but should make the release after that.
Assigning this one (and the two attendant ones) to Jerry.
Jeremy.
Comment 17 Jeremy Allison 2008-08-15 16:33:07 UTC
See bug #5363.
Jeremy
Comment 18 Volker Lendecke 2008-08-15 19:00:25 UTC
Hmmm. A separate connection manager in idmap_ad? Can't we find a way to re-use the already existing one?

Volker
Comment 19 Gerald (Jerry) Carter 2008-08-18 09:57:51 UTC
(In reply to comment #18)
> Hmmm. A separate connection manager in idmap_ad? Can't we find a way to re-use
> the already existing one?

Nope.  I never found a way.  I'm going to try to work on this one since it is one of
the few interesting things I have sitting around.
Comment 20 Thorsten Hopf 2008-08-25 01:38:29 UTC
Hi, is there any eta on the 3.2.3 release? Would be great to have it soon! Thx

Comment 21 Christina Jagodics (550 #5.1.0 Address rejected) 2008-08-25 03:23:11 UTC
(In reply to comment #7)
> Created an attachment (id=2089) [edit]
> Updated patch for 3.0.23b
> 

Hi Bob,

just found this bug-thread and tried to build samba using the patch you provided. Unfortunately it doesn't seem to work.

'getent passwd' only fetches information about users from the domain
my machine's directly joined to.

I'm using samba version 3.0.23b on a debian etch 4.0 system.
My guess is that I do not execute the compile-command correctly.

So, could you please tell me exactly what you did to make that working?

I've also tried patching samba 3.0.24 as the 'idmap_ad.c'-file doesn't 
differ much from the one used with 3.0.23b. 
After some minor changes the patching-process succeeded 
but the issue I described above still remained. 

Generally, is there a chance to make samba 3.0.24 work with your patch
or do I have to use 3.0.23b?


Thanks in advance

Comment 22 Gerald (Jerry) Carter 2008-08-25 07:49:09 UTC
I'm working on it.  If someone gets a quicker fix in, that is fine.  But I'm working on an
overhaul of the id plugin right now anyway.
Comment 23 Christina Jagodics (550 #5.1.0 Address rejected) 2008-09-05 08:20:40 UTC
Created attachment 3528 [details]
multiple connection patch for samba 3.0.32
Comment 24 Christina Jagodics (550 #5.1.0 Address rejected) 2008-09-05 08:24:28 UTC
Comment on attachment 3528 [details]
multiple connection patch for samba 3.0.32

hi guys,

I did some research and after hours of testing I eventually came up with my own patch to make the multiple-connection thing work for both samba 3.0.32 and 3.2.2.
Comment 25 Christina Jagodics (550 #5.1.0 Address rejected) 2008-09-05 08:26:31 UTC
Created attachment 3529 [details]
multiple connection patch for samba 3.2.2
Comment 26 mchugh19@yahoo.com 2008-09-11 11:54:03 UTC
Tried out the patch on solaris 10, 3.2.3. Looks like we're part way there. 

wbinfo -u shows users from both of my domains (yay!)

But wbinfo -i 'NAU\mcm75' (domain user) dumps core

Here is the last bit of log.winbindd-idmap
[2008/09/11 23:50:15, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
  kerberos_kinit_password: as EGR214-01$@STUDENTS.FROOT.NAU.EDU using [MEMORY:winbind_ccache] as ccache and config [/usr/local/samba/var/locks/smb_krb5/krb5.conf.NAU-STUDENTS]
[2008/09/11 23:50:15,  3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 12 Sep 2008 09:50:14 GMT-7
[2008/09/11 23:50:15, 10] libsmb/clikrb5.c:ads_krb5_mk_req(702)
  ads_krb5_mk_req: Ticket (ldap/beech.nau.froot.nau.edu@NAU.FROOT.NAU.EDU) in ccache (MEMORY:winbind_ccache) is valid until: (Fri, 12 Sep 2008 09:50:14 GMT-7 - 1221187814)
[2008/09/11 23:50:15,  3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2008/09/11 23:50:15, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(868)
  Got KRB5 session key of length 16
[2008/09/11 23:50:15,  0] lib/fault.c:fault_report(40)
  ===============================================================
[2008/09/11 23:50:15,  0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 9010 (3.2.3)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/09/11 23:50:15,  0] lib/fault.c:fault_report(43)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/09/11 23:50:15,  0] lib/fault.c:fault_report(44)
  ===============================================================
[2008/09/11 23:50:15,  0] lib/util.c:smb_panic(1663)
  PANIC (pid 9010): internal error
[2008/09/11 23:50:15,  0] lib/util.c:log_stack_trace(1817)
  unable to produce a stack trace on this platform
[2008/09/11 23:50:15,  0] lib/fault.c:dump_core(201)
  dumping core in /usr/local/samba/var/cores/winbindd


If you need anything more, let me know. I'd be happy to help make this go.
Comment 27 mchugh19@yahoo.com 2008-09-15 14:38:10 UTC
Looks like my crashing issue is not from this patch. Sorry for the noise. I've opened bug 5766 about winbind not working.
Comment 28 Gerald (Jerry) Carter 2008-09-18 07:49:51 UTC
*** Bug 5772 has been marked as a duplicate of this bug. ***
Comment 29 Gerald (Jerry) Carter 2008-09-19 12:39:25 UTC
Created attachment 3603 [details]
New AdEx idmap/nss_info plugin for the trunk

Includes support for RFC2307, trusted domains, name aliasing, global catalog searches, etc...
Patch sent to the samba-technical ml.
Comment 30 Christina Jagodics (550 #5.1.0 Address rejected) 2008-09-22 09:07:41 UTC
Hi Jerry,

thanks for your quick response and the patch which hopefully will solve my problem.
Applying the patch wasn't a problem either but when trying to compile the source code I always get the following error:

---------
[...]
Compiling winbindd/idmap_adex/idmap_adex.c
winbindd/idmap_adex/idmap_adex.c:405: warning: initialization from incompatible pointer type
winbindd/idmap_adex/idmap_adex.c:416: error: unknown field 'map_to_alias' specified in initializer
winbindd/idmap_adex/idmap_adex.c:416: warning: initialization from incompatible pointer type
winbindd/idmap_adex/idmap_adex.c:417: error: unknown field 'map_from_alias' specified in initializer
winbindd/idmap_adex/idmap_adex.c:417: warning: excess elements in struct initializer
winbindd/idmap_adex/idmap_adex.c:417: warning: (near initialization for 'adex_nss_methods')
The following command failed:
gcc -I. -I/root/build/samba-3.2.4/source  -O -D_SAMBA_BUILD_=3 -I/root/build/samba-3.2.4/source/popt -I/root/build/samba-3.2.4/source/iniparser/src -Iinclude -I./include  -I. -I. -I./lib/replace -I./lib/talloc -I./lib/tdb/include -I./libaddns -I./librpc -DHAVE_CONFIG_H  -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Iinclude -I./include -I. -I. -I./lib/replace -I./lib/talloc -I./lib/tdb/include -I./libaddns -I./librpc -I./popt -DLDAP_DEPRECATED   -I/include -I/root/build/samba-3.2.4/source/lib -D_SAMBA_BUILD_=3 -fPIC -c winbindd/idmap_adex/idmap_adex.c -o winbindd/idmap_adex/idmap_adex.o
make: *** [winbindd/idmap_adex/idmap_adex.o] Error 1
-----------

Tried this patch with 3.2.2 as well as 3.2.4.
Would be very nice if you could take a look at this.

Thanks
Christina
Comment 31 mchugh19@yahoo.com 2008-09-22 11:21:04 UTC
I noticed that the patch seemed to depend on the name mapping infrastructure in samba.git, so I tried grabbing and patching the samba source from git. However, I'm also getting compile errors on solaris 10 (seems limited to winbind though) 

Compiling nsswitch/pam_winbind.c
nsswitch/pam_winbind.c: In function '_pam_error_code_str':
nsswitch/pam_winbind.c:74: error: 'PAM_MODULE_UNKNOWN' undeclared (first use in this function)
nsswitch/pam_winbind.c:74: error: (Each undeclared identifier is reported only once
nsswitch/pam_winbind.c:74: error: for each function it appears in.)
nsswitch/pam_winbind.c:76: error: 'PAM_BAD_ITEM' undeclared (first use in this function)
nsswitch/pam_winbind.c:78: error: 'PAM_CONV_AGAIN' undeclared (first use in this function)
nsswitch/pam_winbind.c:80: error: 'PAM_INCOMPLETE' undeclared (first use in this function)
nsswitch/pam_winbind.c: In function '_pam_get_item':
nsswitch/pam_winbind.c:115: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
nsswitch/pam_winbind.c: In function '_pam_log_state_datum':
nsswitch/pam_winbind.c:251: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'converse':
nsswitch/pam_winbind.c:575: warning: passing argument 2 of 'conv->conv' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_authenticate':
nsswitch/pam_winbind.c:2039: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_acct_mgmt':
nsswitch/pam_winbind.c:2242: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_close_session':
nsswitch/pam_winbind.c:2376: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_chauthtok':
nsswitch/pam_winbind.c:2518: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
The following command failed:
gcc -I/opt/csw/include -O -I. -I/usr/local/src/samba3.3/source3  -I/usr/local/src/samba3.3/source3/iniparser/src -Iinclude -I./include  -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tdb/include -I./libaddns -I./librpc -DHAVE_CONFIG_H  -I/opt/csw/include -I/opt/csw/include -D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64 -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tdb/include -I./libaddns -I./librpc -I./../lib/popt -DLDAP_DEPRECATED -DSUNOS5 -I/include  -I/usr/local/src/samba3.3/source3/lib -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c nsswitch/pam_winbind.c -o nsswitch/pam_winbind.o
gmake: *** [nsswitch/pam_winbind.o] Error 1
Comment 32 mchugh19@yahoo.com 2008-09-22 11:45:53 UTC
Commenting out the missing PAM stuff lets me compile, but adex.so won't load.

[2008/09/22 23:37:30,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'nss'
[2008/09/22 23:37:30,  3] winbindd/idmap.c:idmap_init_default_domain(359)
  idmap_init: using 'adex' as remote backend
[2008/09/22 23:37:30,  3] winbindd/idmap.c:idmap_init_domain(302)
  idmap backend adex not found
[2008/09/22 23:37:30,  5] lib/module.c:smb_probe_module(111)
  Probing module 'adex'
[2008/09/22 23:37:30,  5] lib/module.c:smb_probe_module(130)
  Probing module 'adex': Trying to load from /usr/local/samba/lib/idmap/adex.so
[2008/09/22 23:37:30,  0] lib/module.c:do_smb_load_module(59)
  Error trying to resolve symbol 'init_samba_module' in /usr/local/samba/lib/idmap/adex.so: ld.so.1: winbindd: fatal: init_samba_module: can't find symbol
[2008/09/22 23:37:30,  3] winbindd/idmap.c:idmap_init_domain(307)
  Could not probe idmap module adex
Comment 33 Gerald (Jerry) Carter 2008-09-22 19:37:55 UTC
Can you try the v3-3-test branch?  The idmap_adex module has been checked in.
This will save you some build  and patch headaches.
Comment 34 Christina Jagodics (550 #5.1.0 Address rejected) 2008-09-23 07:27:11 UTC
Yep, compiling the source code from the v3-3-test branch succeeded and I also managed to join my machine to our win2k8 domain. wbinfo -u/g/m works quite fine but 'getent passwd' again only fetches users from the domain my machine's directly joined to. Wasn't this patch supposed to solve this issue? Or do I have to add the other patch (idmap_ad) as well?

Comment 35 mchugh19@yahoo.com 2008-09-23 13:08:09 UTC
Compiled from git, but I'm still having problems. First, still having pam problems, so I opened bug 5784. Secondly, I cannot look up users. I've added the required attributes into the PAS, but it seems unable to do a lookup on the Domain Users group.

The entry should have been:
NAU-STUDENTS\mcm75:x:62107:10000:Michael Christian McHugh:/home/mcm75:/bin/bash

With the 10000 group being just a number. Everyone in the domain has a gid of 10000 and there is a group with the same gid. Point being, it is not the Domain Users group. Looks like leaving Domain Users without gid is causing lookups to fail.


[2008/09/24 01:00:18, 10] winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = CN=mcm75,CN=Users,DC=students,DC=froot,DC=nau,DC=edu,  Filter = (objectclass=*), Scope = 0, GC = no
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-98358; value = 62107 and timeout = Wed Oct  1 01:00:18 2008
   (604800 seconds ahead)
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = IDMAP/UID2SID/62107; value = S-1-5-21-2129867641-1992771036-1243820751-98358 and timeout = Wed Oct  1 01:00:18 2008
   (604800 seconds ahead)
[2008/09/24 01:00:18, 10] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(247)
  winbindd_dual_sid2uid: 0x00000000 - S-1-5-21-2129867641-1992771036-1243820751-98358 - 62107
[2008/09/24 01:00:18, 10] winbindd/winbindd_cache.c:cache_store_response(2622)
  Storing response for pid 16943, len 3496
[2008/09/24 01:00:18, 10] lib/events.c:get_timed_events_timeout(320)
  timed_events_timeout: 279/466700
[2008/09/24 01:00:18,  4] winbindd/winbindd_dual.c:fork_domain_child(1333)
  child daemon request 49
[2008/09/24 01:00:18, 10] winbindd/winbindd_dual.c:child_process_request(433)
  child_process_request: request fn DUAL_SID2GID
[2008/09/24 01:00:18,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(305)
  [16941]: sid to gid S-1-5-21-2129867641-1992771036-1243820751-513
[2008/09/24 01:00:18, 10] winbindd/idmap_util.c:idmap_sid_to_gid(212)
  idmap_sid_to_gid: sid = [S-1-5-21-2129867641-1992771036-1243820751-513]
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_get(194)
  Cache entry with key = IDMAP/SID2GID/S-1-5-21-2129867641-1992771036-1243820751-513 couldn't be found
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = ,  Filter = (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\79\33\F3\7E\DC\45\C7\76\CF\32\23\4A\01\02\00\00), Scope = 2, GC = yes
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = CN=Domain Users,CN=Users,DC=students,DC=froot,DC=nau,DC=edu,  Filter = (objectclass=*), Scope = 0, GC = no
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:get_object_uint32(749)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:get_object_id(809)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:pull_id(831)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:_ccp_get_id_from_sid(1006)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-513; value = -1 and timeout = Wed Sep 24 01:02:18 2008
   (120 seconds ahead)
[2008/09/24 01:00:18, 10] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(320)
  winbindd_dual_sid2gid: 0xc0000073 - S-1-5-21-2129867641-1992771036-1243820751-513 - 0
[2008/09/24 01:00:18, 10] winbindd/winbindd_cache.c:cache_store_response(2622)
  Storing response for pid 16943, len 3496
[2008/09/24 01:00:18, 10] lib/events.c:get_timed_events_timeout(320)
  timed_events_timeout: 279/463207
Comment 36 mchugh19@yahoo.com 2008-09-23 13:23:09 UTC
Also it looks as if winbind is unable to lookup some group sids on the domain. So I start winbind and try to lookup gid

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10000
Could not convert gid 10000 to sid

But then I can lookup a user with that group and all is well
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -i 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10003
S-1-5-21-2129867641-1992771036-1243820751-82750


So without looking up the user first, it is unable to resolve gid<->sid.
So attempting to look up random groups still fails.

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12006
Could not convert gid 12006 to sid
Comment 37 Gerald (Jerry) Carter 2008-09-23 13:25:31 UTC
(In reply to comment #35)

> The entry should have been:
> NAU-STUDENTS\mcm75:x:62107:10000:Michael Christian McHugh:/home/mcm75:/bin/bash
> 
> With the 10000 group being just a number. Everyone in the domain has a gid of
> 10000 and there is a group with the same gid. Point being, it is not the Domain
> Users group. Looks like leaving Domain Users without gid is causing lookups to
> fail.

No.  Pretty sure that is a red herring.  The lookup failure is not fatal based on what
I remember from checking before.

Please make sure that $(libdir)/nss_info/adex.so is a symlink to $(libdir)/idmap/adex.so.
This is a bug in the install script from what I remember.  I'll look into that now.
(and that you set "winbind nss info = adex").  The config I'm using in v3-3-test looks like:

   idmap backend = adex
   idmap uid = 10000 - 4000000000
   idmap gid = 10000 - 4000000000

   winbind nss info = adex
   winbind normalize names = yes



Comment 38 Gerald (Jerry) Carter 2008-09-23 13:36:52 UTC
Christian, just to clarify....the new adex.so only supports the RFC2307 schema right now.
That schema model is what you are using yes?
Comment 39 mchugh19@yahoo.com 2008-09-23 13:38:11 UTC
Thanks for all your help Jerry, but I'm still having problems.

$(libdir)/nss_info/adex.so did not exist at all, so I just created it. I then wiped out all caches and rejoined samba to the domain, but the problem seems to be about the same.

I can lookup a user with gid 10003
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash

But not anyone else
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10003
S-1-5-21-2129867641-1992771036-1243820751-82750
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10000
Could not convert gid 10000 to sid

and lookups on random groups still fail
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid

Comment 40 mchugh19@yahoo.com 2008-09-23 13:38:24 UTC
Yep, rfc2307 attributes
Comment 41 mchugh19@yahoo.com 2008-09-23 13:42:10 UTC
Created attachment 3613 [details]
log files

Log files with a cleared cache
Ran:
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop
Comment 42 mchugh19@yahoo.com 2008-09-23 13:51:33 UTC
Created attachment 3614 [details]
smb.conf used
Comment 43 Gerald (Jerry) Carter 2008-09-24 18:58:15 UTC
I have an explanation, I believe, for the "getent passwd NAU-STUDENTS\mcm75"
failure.

  Probing module 'adex'
  Probing module 'adex': Trying to load from /usr/local/samba/lib/nss_info/adex.so
  Error loading module '/usr/local/samba/lib/nss_info/adex.so': ld.so.1: winbindd: fatal: /usr/local/samba/lib/nss_info/adex.so: open failed: No such file or directory

Can you verify that the file is in place?

Without this, winbindd will try to map the Windows primary group for the user
to a gid, which as you pointed out is not mapped at all.  Setting that parameter
should fill in the primary group from the gidNumber.

The gid2sid() failure can be explained if you have not added the uid, gidNumber,
and uidNumber attributes in the PAS for GC.  But you said you had, so I'm a bit perplexed.

Seems there is either a bad debug msg or some logic error in the caching code here
that I need to track down.  This is v3-3-test right ?

  [17116]: gid 12005 to sid
  gid = [12005]
  Cache entry with key = IDMAP/GID2SID/12005 couldn't be found
                                          ^^^^^^^^^^^^^^
  Adding cache entry with key = IDMAP/UID2SID/12005; value = - and timeout.....
                                                      ^^^^^^^^^^^^^^


Comment 44 mchugh19@yahoo.com 2008-09-24 21:53:34 UTC
Hmmm. Like I said in comment #39, the nss link was not made at install, so I created it manually.

root@egr214-01:/usr/local/samba/var$ ls -l /usr/local/samba/lib/nss_info/
total 8
lrwxrwxrwx   1 root     root          20 Sep 24 01:32 adex.so -> ../lib/idmap/adex.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 rfc2307.so -> ../idmap/ad.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 sfu.so -> ../idmap/ad.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 sfu20.so -> ../idmap/ad.so

After a reboot to clear out any weirdness, I'm not seeing the missing nss module error anymore. Yay.

But the output still looks the same:
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$

As for entries being entered into the PAS, I've been told by our domain team that it has been done. Are you aware of any test I could run to confirm?
Comment 45 mchugh19@yahoo.com 2008-09-24 21:57:02 UTC
Created attachment 3630 [details]
logs again

Log files without the nss errors

Ran:
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop
Comment 46 Gerald (Jerry) Carter 2008-09-25 11:12:28 UTC
(In reply to comment #44)
> Hmmm. Like I said in comment #39, the nss link was not made at install, so I
> created it manually.
> 
> root@egr214-01:/usr/local/samba/var$ ls -l /usr/local/samba/lib/nss_info/
> total 8
> lrwxrwxrwx   1 root     root          20 Sep 24 01:32 adex.so ->
> ../lib/idmap/adex.so

Link is incorrect.  This should be ../idmap/adex.so.

Comment 47 mchugh19@yahoo.com 2008-09-25 11:47:40 UTC
Oh wow. Color me embarrassed. Sorry about my bad link creation.

idmap_adex does appear to be working mostly for users on the domain that samba is joined to (in this case NAU-STUDENTS).
But it looks like group lookups are still funky, as well as trust domains.

Doing a group lookup such as
wbinfo -G 12005
Could not convert gid 12005 to sid

fails, as well as getent group
root@egr214-01:/usr/local/samba/var$ getent group 'NAU-STUDENTS\cefns_it-staff'
root@egr214-01:/usr/local/samba/var$

the smb.conf used has idmap config statements for both domains:
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   idmap backend = adex
   idmap uid = 50 - 1000000
   idmap gid = 50 - 1000000
   idmap domains = NAU-STUDENTS NAU
   idmap config NAU-STUDENTS:backend = adex
   idmap config NAU-STUDENTS:range = 50 - 1000000
   idmap config NAU:backend = adex
   idmap config NAU:range = 50 - 1000000
   winbind nss info = adex
   winbind normalize names = yes
   winbind refresh tickets = yes
   template homedir = /home/%U
   template shell = /bin/bash
Comment 48 mchugh19@yahoo.com 2008-09-25 11:48:22 UTC
Created attachment 3635 [details]
logs

Logs from running:
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
mmchugh:*:62107:10000:Christian McHugh:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU\mcm75'
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU\car3'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop
Comment 49 Gerald (Jerry) Carter 2008-09-25 12:24:20 UTC
ok.  This adex.so plugin is doing the right thing it seems but there is
a bug in the ordering of querying the plugins.   The failure for the NAU domain
is caused by prematurely ending the search list of plugins and never asking adex.so
at all.  
Comment 50 mchugh19@yahoo.com 2008-09-25 14:22:42 UTC
Also FYI, the 12005 gid I keep trying to lookup also exists on the NAU-STUDENTS domain. In general lookups seem to be working well for users, but not as well for groups.

getent group 'NAU-STUDENTS\cefns_it-staff'    
is also failing.
Comment 51 mchugh19@yahoo.com 2008-10-02 10:15:19 UTC
Just tried with 3.3.0pre2 and have the same problems. Still unable to do lookups on groups and trusted domains.
Comment 52 Gerald (Jerry) Carter 2008-10-02 10:32:18 UTC
(In reply to comment #51)
> Just tried with 3.3.0pre2 and have the same problems. Still unable to do
> lookups on groups and trusted domains.
> 

Yeah.  I've found a bug.  Sorry I didn't get the fix in before pre2.  You are still
testing the adex.so plugin right?  Mind if we open a new bug against that library
so that we don't confuse the issues here?
Comment 53 mchugh19@yahoo.com 2008-10-02 11:00:07 UTC
> Mind if we open a new bug against that library
> so that we don't confuse the issues here?

Thanks Jerry. Opened bug 5806 about adex.
Comment 54 Gerald (Jerry) Carter 2008-11-21 12:14:59 UTC
If you are using the RFC2307 schema, please try the idmap_adex plugin in 
the v3-3 codebase.  Same principle but supporting domain trusts.
Comment 55 mchugh19@yahoo.com 2008-12-15 09:12:52 UTC
This is marked as done in Samba 3.3.0rc2. Is that true?
Comment 56 Michael Adam 2008-12-15 09:19:23 UTC
(In reply to comment #55)
> This is marked as done in Samba 3.3.0rc2. Is that true?

Oh right, I forgot to comment here.
I have added trusted domain support to idmap_ad.

This does now work with _explicitly_ configured domains.
I.e. this works:

idmap config DOMAIN_1 : backend = ad
idmap config DOMAIN_1 : range = 10001-20000

idmap config DOMAIN_2 : backend = ad
idmap config DOMAIN_2 : range = 20001-30000

What does not yet work is using "ad" as the default
backend.

nss_info works with ad as well.
Here you can specify one of the ad flavours as the default backend
and/or explicitly configure backends for specific domains:

winbind nss info = rfc2307 sfu:DOMAIN_1 sfu20:DOMAIN_2

or like this

winbind nss info = template rfc2307:DOMAIN_1

Cheers - Michael
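The layout above only works safely if the per-domain ranges do not overlap: a Unix uid or gid is the only identity the filesystem and the kernel see, so if DOMAIN_1 and DOMAIN_2 ranges overlap, a principal in one domain can end up owning files and group memberships that were granted to a different principal in the other. The smb.conf posted in comment 47 has exactly that shape (both domains and the default `idmap uid` share 50 - 1000000). The following is an added example, not Samba code: a small checker that parses the `idmap config DOMAIN : range = ...` lines from comment 56 and comment 47, flags overlapping ranges, and flags `idmap backend = ad` as the default, which this comment says is not supported. The sample configs are constructed; the `tdb` default backend and the `1000-9999` default range in the first sample are assumptions, not from the thread.

```python
"""Sanity-check the idmap layout of a Samba 3.3-style smb.conf.

Added example (not Samba's own code). It looks for the two things the
thread turns on: per-domain id ranges that overlap, and "ad" used as the
default idmap backend, which comment 56 says does not work yet.
"""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Constructed input 1: the explicit per-domain layout quoted in comment 56,
# with an ASSUMED tdb default backend and an ASSUMED default range that
# stays clear of both AD ranges.
EXPLICIT_CONF = """\
[global]
   idmap backend = tdb
   idmap uid = 1000-9999
   idmap gid = 1000-9999
   idmap config DOMAIN_1 : backend = ad
   idmap config DOMAIN_1 : range = 10001-20000
   idmap config DOMAIN_2 : backend = ad
   idmap config DOMAIN_2 : range = 20001-30000
"""

# Constructed input 2: the idmap lines posted in comment 47, where both
# domains and the default share the range 50 - 1000000.
OVERLAPPING_CONF = """\
   idmap backend = adex
   idmap uid = 50 - 1000000
   idmap gid = 50 - 1000000
   idmap domains = NAU-STUDENTS NAU
   idmap config NAU-STUDENTS:backend = adex
   idmap config NAU-STUDENTS:range = 50 - 1000000
   idmap config NAU:backend = adex
   idmap config NAU:range = 50 - 1000000
"""

# Both spellings seen in the thread are accepted: "DOM : range" and "DOM:range".
_DOMAIN_OPT = re.compile(r"^\s*idmap\s+config\s+(.+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
_GLOBAL_OPT = re.compile(r"^\s*idmap\s+(backend|uid|gid)\s*=\s*(.+?)\s*$", re.I)
_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_range(text: str) -> Range:
    """Turn '50 - 1000000' or '10001-20000' into an (lo, hi) pair."""
    m = _RANGE.match(text.strip())
    if not m:
        raise ValueError(f"bad idmap range: {text!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {text!r}")
    return lo, hi


def parse_idmap(conf: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global idmap options, per-domain options) in file order."""
    globals_: Dict[str, str] = {}
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = _DOMAIN_OPT.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
            continue
        m = _GLOBAL_OPT.match(line)
        if m:
            globals_[m.group(1).lower()] = m.group(2)
    return globals_, domains


def check_idmap(conf: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    globals_, domains = parse_idmap(conf)
    issues: List[str] = []
    if globals_.get("backend", "").lower() == "ad":
        issues.append("default idmap backend is 'ad'; only explicitly configured "
                      "domains work with idmap_ad in 3.3 (comment 56)")
    # The default backend's own range counts too: ids it allocates must not
    # collide with ids that idmap_ad reads out of AD.
    ranges: List[Tuple[str, Range]] = []
    if "uid" in globals_:
        ranges.append(("(default)", parse_range(globals_["uid"])))
    for dom, opts in domains.items():
        if "range" not in opts:
            issues.append(f"{dom}: no range configured")
            continue
        ranges.append((dom, parse_range(opts["range"])))
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (a, (alo, ahi)), (b, (blo, bhi)) = ranges[i], ranges[j]
            if alo <= bhi and blo <= ahi:
                issues.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return issues


if __name__ == "__main__":
    for name, conf in (("comment 56 layout", EXPLICIT_CONF),
                       ("comment 47 layout", OVERLAPPING_CONF)):
        print(name, "->", check_idmap(conf) or "ok")
```

Run it against a real smb.conf by passing the file contents to `check_idmap`; the overlapping-range finding is the one to fix before relying on `getent`/`wbinfo` output for access decisions, since winbind will not reject an id that lies inside more than one configured range.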
Comment 57 mchugh19@yahoo.com 2009-01-15 13:07:41 UTC
*** Bug 5363 has been marked as a duplicate of this bug. ***
Comment 58 mchugh19@yahoo.com 2009-02-25 10:08:37 UTC
Not sure if this is considered the same bug, so if this should be a new report please let me know. 

Looks like group lookups are broken (at least on solaris 10) with idmap_ad

root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent passwd 'NAU-STUDENTS\mcm75'
NAU-STUDENTS\mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent group 'NAU-STUDENTS\cefns_test2'
NAU-STUDENTS\cefns_test2:x:1201:NAU-STUDENTS\mcm75,NAU-STUDENTS\mmchugh,NAU\car3,NAU\mcm75
root@egr214-01:/usr/local/src/samba-3.3.1/source$ groups 'NAU-STUDENTS\mcm75'
10000
Comment 59 Michael Adam 2009-05-12 15:38:53 UTC
Hi Christian,

(In reply to comment #58)
> Not sure if this is considered the same bug, so if this should be a new report
> please let me know. 
> 
> Looks like group lookups are broken (at least on solaris 10) with idmap_ad
> 
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent passwd
> 'NAU-STUDENTS\mcm75'
> NAU-STUDENTS\mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent group
> 'NAU-STUDENTS\cefns_test2'
> NAU-STUDENTS\cefns_test2:x:1201:NAU-STUDENTS\mcm75,NAU-STUDENTS\mmchugh,NAU\car3,NAU\mcm75
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ groups 'NAU-STUDENTS\mcm75'
> 10000

I think this is a different bug.
For me idmap_ad with trusted domains is working in 3.3.

Also, I have not been able to reproduce your problem (on linux):
samba ad member, one trusted domain with idmap_ad. group on
a user from the trusted domain is correctly showing groups.

Christian, could you please open a new bug for samba 3.3,
and provide config and other details along with that?

Thanks! - Michael
Comment 60 Michael Adam 2009-05-12 15:41:43 UTC
Marking this bug fixed - it is fixed in 3.3.
Won't be fixed in lower versions of samba.
Cheers - Michael
Comment 61 Björn Jacke 2014-07-23 12:24:02 UTC
*** Bug 4069 has been marked as a duplicate of this bug. ***