Working with winbindd 3.0.21 onwards, with idmap_ad in an AD setup with multiple domains, I noticed that 'wbinfo -u' would list users from all trusted domains whereas 'getent passwd' would only list users from the domain my machine had actually joined, although there were users in those other domains which (IMHO) were eligible to be listed. I was able to get those users listed by moving my machine to each domain in turn. Indeed, if I don't delete the winbindd cache as I move from domain to domain, the users from other domains start to appear in the getent listing. On looking at the code path in idmap_ad.c and winbind_ads.c I notice that the latter (the wbinfo -u path) iterates over all domains, whereas the idmap_ad.c code does not. I'm going to attach a patch which appears to fix my problem by making idmap_ad iterate over all domains. But I wonder if I'm missing some detail of winbindd configuration?
Created attachment 1846 [details] Enable idmap_ad to manage connections to multiple domains I offer this as a 'proof of concept' fix for the problem I'm seeing. It makes idmap_ad iterate over all domains that it knows about when looking up users. This patch was produced from a version of idmap_ad patched with my RFC2307 patch (see BZ#3345). I'll be happy to try to decouple the two patches if anyone wants that.
Bob, can you send us a new version of your patch?
I have the same problem. Here are some lines of the winbind log:

Connected to LDAP server 192.168.100.1
time offset is 46 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name =dc1$@EXAMPLE.COM
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
kerberos_kinit_password: using MEMORY:winbind_ccache as ccache
ads_krb5_mk_req: Advancing clock by 46 seconds to cope with clock skew
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 28 Jul 2006 07:32:46 CEST
ads_krb5_mk_req: Ticket (dc1$@EXAMPLE.COM) in ccache (MEMORY:winbind_ccache) is valid until: (Fri, 28 Jul 2006 07:32:46 CEST - 1154064766)
Got KRB5 session key of length 16
ads_check_posix_schema_mapping
Search for (|(attributeId=1.2.840.113556.1.6.18.1.310)(attributeId=1.2.840.113556.1.6.18.1.311)(attributeId=1.2.840.113556.1.6.18.1.344)(attributeId=1.2.840.113556.1.6.18.1.312)(attributeId=1.2.840.113556.1.6.18.1.337)) gave 0 replies
ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
ads_check_posix_schema_mapping failed: NT_STATUS_NONE_MAPPED
Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\C7\F6\D3\1A\D1\B0\A2\BA\A4\00\FD\56\00\02\00\00) gave 0 replies
...

192.168.100.1 is the dc of winbind's own domain.
As far as I understand that log, winbind is doing something like the following:

# ldapsearch -xLLLD cn=Administrator,cn=Users,dc=example,dc=com -w secret -H ldap://192.168.100.1 -b dc=example,dc=com '(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\C7\F6\D3\1A\D1\B0\A2\BA\A4\00\FD\56\00\02\00\00)'
# refldap://child.example.com/DC=child,DC=example,DC=com
# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
# refldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
# refldap://example.com/CN=Configuration,DC=example,DC=com

I suspect that the problem is winbind not following the referral.
Created attachment 2073 [details] Updated version of patch for 3.0.23rc2 and 3.0.23 final I just noticed Guenther's request for an updated patch and can find no evidence that I sent it. So here it is (again).
Hi, I recompiled samba-3.0.23a with patch (from attachment id=2073) on a sles9 system. It works! Thanks, - Mark
Patch also works on solaris. Thank you very much!
Created attachment 2089 [details] Updated patch for 3.0.23b
Any chance of this getting into 3.0.23d?
Guenther, is there a reason why this patch was never applied?
Moving to target 3.0.26. Too late for 3.0.25 right now.
(In reply to comment #9)
> Guenther, is there a reason why this patch was never applied?

I was waiting for the idmap rewrite to finish at that time, will take a look again now.
(In reply to comment #10)
> Moving to target 3.0.26. Too late for 3.0.25 right now.

Will this be fixed in 3.2.0?
I have the same problem. Is there any status on when this patch will be included
Is this still being worked on for the 3.2 release?
Hi, we have the same problem here on 3.2.0. All works perfectly. Only the id-mapping isn't working with trusted domains.
Ok, talked to Jerry and he is planning to add a connection manager into idmap_ad. This will not make the 3.2.2 release due Mon. 18th, but should make the release after that. Assigning this one (and the two attendant ones) to Jerry. Jeremy.
See bug #5363. Jeremy
Hmmm. A separate connection manager in idmap_ad? Can't we find a way to re-use the already existing one? Volker
(In reply to comment #18)
> Hmmm. A separate connection manager in idmap_ad? Can't we find a way to re-use
> the already existing one?

Nope. I never found a way. I'm going to try to work on this one since it is one of the few interesting things I have sitting around.
Hi, is there any eta on the 3.2.3 release? Would be great to have it soon! Thx
(In reply to comment #7)
> Created an attachment (id=2089) [edit]
> Updated patch for 3.0.23b

Hi Bob, just found this bug-thread and tried to build samba using the patch you provided. Unfortunately it doesn't seem to work. 'getent passwd' only fetches information about users from the domain my machine's directly joined to. I'm using samba version 3.0.23b on a debian etch 4.0 system. My guess is that I do not execute the compile-command correctly. So, could you please tell me exactly what you did to make that working? I've also tried patching samba 3.0.24 as the 'idmap_ad.c'-file doesn't differ much from the one used with 3.0.23b. After some minor changes the patching-process succeeded but the issue I described above still remained. Generally, is there a chance to make samba 3.0.24 work with your patch or do I have to use 3.0.23b? Thanks in advance
I'm working on it. If someone gets a quicker fix in, that is fine. But I'm working on an overhaul of the id plugin right now anyways.
Created attachment 3528 [details] multiple connection patch for samba 3.0.32
Comment on attachment 3528 [details] multiple connection patch for samba 3.0.32

Hi guys, I did some research and after hours of testing I eventually came up with my own patch to make the multiple-connection thing work for both samba 3.0.32 and 3.2.2.
Created attachment 3529 [details] multiple connection patch for samba 3.2.2
Tried out the patch on solaris 10, 3.2.3. Looks like we're part way there. wbinfo -u shows users from both of my domains (yay!) But wbinfo -i 'NAU\mcm75' (domain user) dumps core. Here is the last bit of log.winbindd-idmap:

[2008/09/11 23:50:15, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
  kerberos_kinit_password: as EGR214-01$@STUDENTS.FROOT.NAU.EDU using [MEMORY:winbind_ccache] as ccache and config [/usr/local/samba/var/locks/smb_krb5/krb5.conf.NAU-STUDENTS]
[2008/09/11 23:50:15, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 12 Sep 2008 09:50:14 GMT-7
[2008/09/11 23:50:15, 10] libsmb/clikrb5.c:ads_krb5_mk_req(702)
  ads_krb5_mk_req: Ticket (ldap/beech.nau.froot.nau.edu@NAU.FROOT.NAU.EDU) in ccache (MEMORY:winbind_ccache) is valid until: (Fri, 12 Sep 2008 09:50:14 GMT-7 - 1221187814)
[2008/09/11 23:50:15, 3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2008/09/11 23:50:15, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(868)
  Got KRB5 session key of length 16
[2008/09/11 23:50:15, 0] lib/fault.c:fault_report(40)
  ===============================================================
[2008/09/11 23:50:15, 0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 9010 (3.2.3)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/09/11 23:50:15, 0] lib/fault.c:fault_report(43)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/09/11 23:50:15, 0] lib/fault.c:fault_report(44)
  ===============================================================
[2008/09/11 23:50:15, 0] lib/util.c:smb_panic(1663)
  PANIC (pid 9010): internal error
[2008/09/11 23:50:15, 0] lib/util.c:log_stack_trace(1817)
  unable to produce a stack trace on this platform
[2008/09/11 23:50:15, 0] lib/fault.c:dump_core(201)
  dumping core in /usr/local/samba/var/cores/winbindd

If you need anything more, let me know.
I'd be happy to help make this go.
Looks like my crashing issue is not from this patch. Sorry for the noise. I've opened bug 5766 about winbind not working.
*** Bug 5772 has been marked as a duplicate of this bug. ***
Created attachment 3603 [details] New AdEx idmap/nss_info plugin for the trunk Includes support for RFC2307, trusted domains, name aliasing, global catalog searches, etc... Patch sent to the samba-technical ml.
Hi Jerry, thanks for your quick response and the patch which hopefully will solve my problem. Applying the patch wasn't a problem either but when trying to compile the source code I always get the following error:

---------
[...]
Compiling winbindd/idmap_adex/idmap_adex.c
winbindd/idmap_adex/idmap_adex.c:405: warning: initialization from incompatible pointer type
winbindd/idmap_adex/idmap_adex.c:416: error: unknown field 'map_to_alias' specified in initializer
winbindd/idmap_adex/idmap_adex.c:416: warning: initialization from incompatible pointer type
winbindd/idmap_adex/idmap_adex.c:417: error: unknown field 'map_from_alias' specified in initializer
winbindd/idmap_adex/idmap_adex.c:417: warning: excess elements in struct initializer
winbindd/idmap_adex/idmap_adex.c:417: warning: (near initialization for 'adex_nss_methods')
The following command failed:
gcc -I. -I/root/build/samba-3.2.4/source -O -D_SAMBA_BUILD_=3 -I/root/build/samba-3.2.4/source/popt -I/root/build/samba-3.2.4/source/iniparser/src -Iinclude -I./include -I. -I. -I./lib/replace -I./lib/talloc -I./lib/tdb/include -I./libaddns -I./librpc -DHAVE_CONFIG_H -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Iinclude -I./include -I. -I. -I./lib/replace -I./lib/talloc -I./lib/tdb/include -I./libaddns -I./librpc -I./popt -DLDAP_DEPRECATED -I/include -I/root/build/samba-3.2.4/source/lib -D_SAMBA_BUILD_=3 -fPIC -c winbindd/idmap_adex/idmap_adex.c -o winbindd/idmap_adex/idmap_adex.o
make: *** [winbindd/idmap_adex/idmap_adex.o] Error 1
-----------

Tried this patch with 3.2.2 as well as 3.2.4. Would be very nice if you could take a look at this.

Thanks
Christina
I noticed that the patch seemed to depend on the name mapping infrastructure in samba.git, so I tried grabbing and patching the samba source from git. However, I'm also getting compile errors on solaris 10 (seems limited to winbind though):

Compiling nsswitch/pam_winbind.c
nsswitch/pam_winbind.c: In function '_pam_error_code_str':
nsswitch/pam_winbind.c:74: error: 'PAM_MODULE_UNKNOWN' undeclared (first use in this function)
nsswitch/pam_winbind.c:74: error: (Each undeclared identifier is reported only once
nsswitch/pam_winbind.c:74: error: for each function it appears in.)
nsswitch/pam_winbind.c:76: error: 'PAM_BAD_ITEM' undeclared (first use in this function)
nsswitch/pam_winbind.c:78: error: 'PAM_CONV_AGAIN' undeclared (first use in this function)
nsswitch/pam_winbind.c:80: error: 'PAM_INCOMPLETE' undeclared (first use in this function)
nsswitch/pam_winbind.c: In function '_pam_get_item':
nsswitch/pam_winbind.c:115: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
nsswitch/pam_winbind.c: In function '_pam_log_state_datum':
nsswitch/pam_winbind.c:251: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'converse':
nsswitch/pam_winbind.c:575: warning: passing argument 2 of 'conv->conv' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_authenticate':
nsswitch/pam_winbind.c:2039: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_acct_mgmt':
nsswitch/pam_winbind.c:2242: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_close_session':
nsswitch/pam_winbind.c:2376: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_chauthtok':
nsswitch/pam_winbind.c:2518: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
The following command failed:
gcc -I/opt/csw/include -O -I. -I/usr/local/src/samba3.3/source3 -I/usr/local/src/samba3.3/source3/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tdb/include -I./libaddns -I./librpc -DHAVE_CONFIG_H -I/opt/csw/include -I/opt/csw/include -D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64 -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tdb/include -I./libaddns -I./librpc -I./../lib/popt -DLDAP_DEPRECATED -DSUNOS5 -I/include -I/usr/local/src/samba3.3/source3/lib -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c nsswitch/pam_winbind.c -o nsswitch/pam_winbind.o
gmake: *** [nsswitch/pam_winbind.o] Error 1
Commenting out the missing PAM stuff lets me compile, but adex.so won't load.

[2008/09/22 23:37:30, 5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'nss'
[2008/09/22 23:37:30, 3] winbindd/idmap.c:idmap_init_default_domain(359)
  idmap_init: using 'adex' as remote backend
[2008/09/22 23:37:30, 3] winbindd/idmap.c:idmap_init_domain(302)
  idmap backend adex not found
[2008/09/22 23:37:30, 5] lib/module.c:smb_probe_module(111)
  Probing module 'adex'
[2008/09/22 23:37:30, 5] lib/module.c:smb_probe_module(130)
  Probing module 'adex': Trying to load from /usr/local/samba/lib/idmap/adex.so
[2008/09/22 23:37:30, 0] lib/module.c:do_smb_load_module(59)
  Error trying to resolve symbol 'init_samba_module' in /usr/local/samba/lib/idmap/adex.so: ld.so.1: winbindd: fatal: init_samba_module: can't find symbol
[2008/09/22 23:37:30, 3] winbindd/idmap.c:idmap_init_domain(307)
  Could not probe idmap module adex
Can you try the v3-3-test branch? The idmap_adex module has been checked in. This will save you some build and patch headaches.
Yep, compiling the source code from the v3-3-test branch succeeded and I also managed to join my machine to our win2k8 domain. wbinfo -u/g/m works quite fine but 'getent passwd' again only fetches users from the domain my machine's directly joined to. Wasn't this patch supposed to solve this issue? Or do I have to add the other patch (idmap_ad) as well?
Compiled from git, but I'm still having problems. First, still having pam problems, so I opened bug 5784. Secondly, I cannot lookup users. I've added the required attributes into the PAS, but it seems unable to do a lookup on the Domain Users group. The entry should have been:

NAU-STUDENTS\mcm75:x:62107:10000:Michael Christian McHugh:/home/mcm75:/bin/bash

With the 10000 group being just a number. Everyone in the domain has a gid of 10000 and there is a group with the same gid. Point being, it is not the Domain Users group. Looks like leaving Domain Users without gid is causing lookups to fail.

[2008/09/24 01:00:18, 10] winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = CN=mcm75,CN=Users,DC=students,DC=froot,DC=nau,DC=edu, Filter = (objectclass=*), Scope = 0, GC = no
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-98358; value = 62107 and timeout = Wed Oct 1 01:00:18 2008 (604800 seconds ahead)
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = IDMAP/UID2SID/62107; value = S-1-5-21-2129867641-1992771036-1243820751-98358 and timeout = Wed Oct 1 01:00:18 2008 (604800 seconds ahead)
[2008/09/24 01:00:18, 10] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(247)
  winbindd_dual_sid2uid: 0x00000000 - S-1-5-21-2129867641-1992771036-1243820751-98358 - 62107
[2008/09/24 01:00:18, 10] winbindd/winbindd_cache.c:cache_store_response(2622)
  Storing response for pid 16943, len 3496
[2008/09/24 01:00:18, 10] lib/events.c:get_timed_events_timeout(320)
  timed_events_timeout: 279/466700
[2008/09/24 01:00:18, 4] winbindd/winbindd_dual.c:fork_domain_child(1333)
  child daemon request 49
[2008/09/24 01:00:18, 10] winbindd/winbindd_dual.c:child_process_request(433)
  child_process_request: request fn DUAL_SID2GID
[2008/09/24 01:00:18, 3] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(305)
  [16941]: sid to gid S-1-5-21-2129867641-1992771036-1243820751-513
[2008/09/24 01:00:18, 10] winbindd/idmap_util.c:idmap_sid_to_gid(212)
  idmap_sid_to_gid: sid = [S-1-5-21-2129867641-1992771036-1243820751-513]
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_get(194)
  Cache entry with key = IDMAP/SID2GID/S-1-5-21-2129867641-1992771036-1243820751-513 couldn't be found
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = , Filter = (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\79\33\F3\7E\DC\45\C7\76\CF\32\23\4A\01\02\00\00), Scope = 2, GC = yes
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = CN=Domain Users,CN=Users,DC=students,DC=froot,DC=nau,DC=edu, Filter = (objectclass=*), Scope = 0, GC = no
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:get_object_uint32(749)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:get_object_id(809)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:pull_id(831)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:_ccp_get_id_from_sid(1006)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-513; value = -1 and timeout = Wed Sep 24 01:02:18 2008 (120 seconds ahead)
[2008/09/24 01:00:18, 10] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(320)
  winbindd_dual_sid2gid: 0xc0000073 - S-1-5-21-2129867641-1992771036-1243820751-513 - 0
[2008/09/24 01:00:18, 10] winbindd/winbindd_cache.c:cache_store_response(2622)
  Storing response for pid 16943, len 3496
[2008/09/24 01:00:18, 10] lib/events.c:get_timed_events_timeout(320)
  timed_events_timeout: 279/463207
Also it looks as if winbind is unable to lookup some group sids on the domain. So I start winbind and try to lookup a gid:

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10000
Could not convert gid 10000 to sid

But then I can lookup a user with that group and all is well:

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -i 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10003
S-1-5-21-2129867641-1992771036-1243820751-82750

So without looking up the user first, it is unable to resolve gid<->sid. So attempting to lookup random groups still fails.

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12006
Could not convert gid 12006 to sid
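The winbindd logs in this thread show the same SID in two forms: the S-1-5-21-... string used by the idmap cache keys and the LDAP-escaped binary objectSid filter used for the global-catalog search. The following is an added example (not Samba code) that converts between the two, so a failed `cell_do_search` filter can be read back to the SID it was looking for; here it resolves to RID 513 (Domain Users) of the NAU-STUDENTS domain, which matches the `CN=Domain Users` search that follows it in the log.

```python
"""Convert between S-1-5-21-... SID strings and LDAP-escaped objectSid filters.

Added example, not part of Samba. Binary SID layout (as stored in AD):
  byte 0      revision
  byte 1      number of sub-authorities (max 15)
  bytes 2-7   48-bit big-endian identifier authority
  then        4-byte little-endian sub-authorities
"""
import re
import struct

# one "\HH" escape as it appears in an LDAP filter
_ESC_RE = re.compile(r"\\([0-9A-Fa-f]{2})")
_FILTER_RE = re.compile(r"^\(?objectSid=((?:\\[0-9A-Fa-f]{2})+)\)?$")


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID to its S-R-A-S1-S2-... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode S-R-A-S1-S2-... to the binary form AD stores in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldap_filter_to_sid(filt: str) -> str:
    """'(objectSid=\\01\\05...)' as logged by winbindd -> 'S-1-5-21-...'."""
    m = _FILTER_RE.match(filt.strip())
    if not m:
        raise ValueError("not an objectSid filter: %r" % filt)
    raw = bytes(int(h, 16) for h in _ESC_RE.findall(m.group(1)))
    return sid_bytes_to_string(raw)


def sid_to_ldap_filter(sid: str) -> str:
    """'S-1-5-21-...' -> the escaped filter winbindd would send to the GC."""
    return "(objectSid=" + "".join("\\%02X" % b for b in sid_string_to_bytes(sid)) + ")"


def rid(sid: str) -> int:
    """Last sub-authority: the relative identifier (513 = Domain Users)."""
    return int(sid.rsplit("-", 1)[1])


if __name__ == "__main__":
    # filter copied from the cell_do_search line in the log above
    logged = r"(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\79\33\F3\7E\DC\45\C7\76\CF\32\23\4A\01\02\00\00)"
    sid = ldap_filter_to_sid(logged)
    print(sid, "RID", rid(sid))
    # -> S-1-5-21-2129867641-1992771036-1243820751-513 RID 513
```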
(In reply to comment #35)
> The entry should have been:
> NAU-STUDENTS\mcm75:x:62107:10000:Michael Christian McHugh:/home/mcm75:/bin/bash
>
> With the 10000 group being just a number. Everyone in the domain has a gid of
> 10000 and there is a group with the same gid. Point being, it is not the Domain
> Users group. Looks like leaving Domain Users without gid is causing lookups to
> fail.

No. Pretty sure that is a red herring. The lookup failure is not fatal based on what I remember from checking before.

Please make sure that $(libdir)/nss_info/adex.so is a symlink to $(libdir)/idmap/adex.so. This is a bug in the install script from what I remember. I'll look into that now. (and that you set "winbind nss info = adex").

The config I'm using in v3-3-test looks like:

idmap backend = adex
idmap uid = 10000 - 4000000000
idmap gid = 10000 - 4000000000
winbind nss info = adex
winbind normalize names = yes
Christian, just to clarify....the new adex.so only supports the RFC2307 schema right now. That schema model is what you are using, yes?
Thanks for all your help Jerry, but I'm still having problems. $(libdir)/nss_info/adex.so did not exist at all, so I just created it. I then wiped out all caches and rejoined samba to the domain, but the problem seems to be about the same.

I can lookup a user with gid 10003:

root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash

But not anyone else:

root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10003
S-1-5-21-2129867641-1992771036-1243820751-82750
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10000
Could not convert gid 10000 to sid

and lookups on random groups still fail:

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
Yep, rfc2307 attributes
Created attachment 3613 [details] log files

Log files with a cleared cache. Ran:

root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop
Created attachment 3614 [details] smb.conf used
I have an explanation, I believe, for the "getent passwd NAU-STUDENTS\mcm75" failure.

Probing module 'adex'
Probing module 'adex': Trying to load from /usr/local/samba/lib/nss_info/adex.so
Error loading module '/usr/local/samba/lib/nss_info/adex.so': ld.so.1: winbindd: fatal: /usr/local/samba/lib/nss_info/adex.so: open failed: No such file or directory

Can you verify that the file is in place? Without this, winbindd will try to map the Windows primary group for the user to a gid which, as you pointed out, is not mapped at all. Setting that parameter should fill in the primary group from the gidNumber.

The gid2sid() failure can be explained if you have not added the uid, gidNumber, and uidNumber attributes in the PAS for GC. But you said you had, so I'm a bit perplexed. Seems there is either a bad debug msg or some logic error in the caching code here that I need to track down. This is v3-3-test right?

[17116]: gid 12005 to sid
gid = [12005]
Cache entry with key = IDMAP/GID2SID/12005 couldn't be found
                       ^^^^^^^^^^^^^^
Adding cache entry with key = IDMAP/UID2SID/12005; value = - and timeout.....
                              ^^^^^^^^^^^^^^
Hmmm. Like I said in comment #39, the nss link was not made at install, so I created it manually.

root@egr214-01:/usr/local/samba/var$ ls -l /usr/local/samba/lib/nss_info/
total 8
lrwxrwxrwx   1 root     root          20 Sep 24 01:32 adex.so -> ../lib/idmap/adex.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 rfc2307.so -> ../idmap/ad.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 sfu.so -> ../idmap/ad.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 sfu20.so -> ../idmap/ad.so

After a reboot to clear out any weirdness, I'm not seeing the missing nss module error anymore. Yay. But the output still looks the same:

root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$

As for entries being entered into the PAS, I've been told by our domain team that it has been done. Are you aware of any test I could run to confirm?
Created attachment 3630 [details] logs again

Log files without the nss errors. Ran:

root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop
(In reply to comment #44)
> Hmmm. Like I said in comment #39, the nss link was not made at install, so I
> created it manually.
>
> root@egr214-01:/usr/local/samba/var$ ls -l /usr/local/samba/lib/nss_info/
> total 8
> lrwxrwxrwx 1 root root 20 Sep 24 01:32 adex.so ->
> ../lib/idmap/adex.so

Link is incorrect. This should be ../idmap/adex.so.
Oh wow. Color me embarrassed. Sorry about my bad link creation.

idmap_adex does appear to be working mostly for users on the domain that samba is joined to (in this case NAU-STUDENTS). But it looks like group lookups are still funky, as well as trust domains. Doing a group lookup such as

wbinfo -G 12005
Could not convert gid 12005 to sid

fails, as well as getent group:

root@egr214-01:/usr/local/samba/var$ getent group 'NAU-STUDENTS\cefns_it-staff'
root@egr214-01:/usr/local/samba/var$

The smb.conf used has idmap config statements for both domains:

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
idmap backend = adex
idmap uid = 50 - 1000000
idmap gid = 50 - 1000000
idmap domains = NAU-STUDENTS NAU
idmap config NAU-STUDENTS:backend = adex
idmap config NAU-STUDENTS:range = 50 - 1000000
idmap config NAU:backend = adex
idmap config NAU:range = 50 - 1000000
winbind nss info = adex
winbind normalize names = yes
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /bin/bash
Created attachment 3635 [details] logs

Logs from running:

root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
mmchugh:*:62107:10000:Christian McHugh:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU\mcm75'
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU\car3'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop
Ok. This adex.so plugin is doing the right thing it seems, but there is a bug in the ordering of querying the plugins. The failure for the NAU domain is caused by prematurely ending the search list of plugins and never asking adex.so at all.
Also FYI, the 12005 gid I keep trying to lookup also exists on the NAU-STUDENTS domain. In general lookups seem to be working well for users, but not as well for groups. getent group 'NAU-STUDENTS\cefns_it-staff' is also failing.
Just tried with 3.3.0pre2 and have the same problems. Still unable to do lookups on groups and trusted domains.
(In reply to comment #51)
> Just tried with 3.3.0pre2 and have the same problems. Still unable to do
> lookups on groups and trusted domains.

Yeah. I've found a bug. Sorry I didn't get the fix in before pre2. You are still testing the adex.so plugin right? Mind if we open a new bug against that library so that we don't confuse the issues here?
> Mind if we open a new bug against that library
> so that we don't confuse the issues here?

Thanks Jerry. Opened bug 5806 about adex.
If you are using the RFC2307 schema, please try the idmap_adex plugin in the v3-3 codebase. Same principle but supporting domain trusts.
This is marked as done in Samba 3.3.0rc2. Is that true?
(In reply to comment #55)
> This is marked as done in Samba 3.3.0rc2. Is that true?

Oh right, I forgot to comment here. I have added trusted domain support to idmap_ad. This does now work with _explicitly_ configured domains. I.e. this works:

idmap config DOMAIN_1 : backend = ad
idmap config DOMAIN_1 : range = 10001-20000
idmap config DOMAIN_2 : backend = ad
idmap config DOMAIN_2 : range = 20001-30000

What does not yet work is using "ad" as the default backend.

nss_info works with ad as well. Here you can specify one of the ad flavours as the default backend and/or explicitly configure backends for specific domains:

winbind nss info = rfc2307 sfu:DOMAIN_1 sfu20:DOMAIN_2

or like this

winbind nss info = template rfc2307:DOMAIN_1

Cheers - Michael
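The per-domain layout in the comment above has two requirements that are easy to get wrong by hand: every domain needs both a backend and a range, the ranges must not overlap, and "ad" must not be relied on as the default `idmap backend`. The following is an added example (not Samba's own code) that parses the `idmap config DOMAIN : key = value` lines from an smb.conf fragment, in both the spaced form used above and the `DOMAIN:key` form used earlier in the thread, and reports those problems; the two configurations it checks are constructed for the example.

```python
"""Sanity-check per-domain idmap configuration in an smb.conf fragment.

Added example, not part of Samba. It understands only the lines relevant to
the thread: "idmap backend = ...", "idmap config DOM : backend = ..." and
"idmap config DOM : range = LO-HI".
"""
import re

# "idmap config DOMAIN_1 : range = 10001-20000" or "idmap config NAU:range = 50 - 1000000"
_CFG_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)
_DEFAULT_RE = re.compile(r"^\s*idmap\s+backend\s*=\s*(\S+)", re.IGNORECASE)
_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf: str):
    """Return (default_backend, {DOMAIN: {"backend": str, "range": (lo, hi)}})."""
    default_backend = None
    domains = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]   # strip smb.conf comments
        m = _DEFAULT_RE.match(line)
        if m:
            default_backend = m.group(1).lower()
            continue
        m = _CFG_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()
        key = m.group("key").lower()
        val = m.group("val")
        entry = domains.setdefault(dom, {})
        if key == "range":
            r = _RANGE_RE.match(val)
            if not r:
                raise ValueError("bad range for %s: %r" % (dom, val))
            lo, hi = int(r.group(1)), int(r.group(2))
            if lo > hi:
                raise ValueError("inverted range for %s: %r" % (dom, val))
            entry["range"] = (lo, hi)
        elif key == "backend":
            entry["backend"] = val.lower()
    return default_backend, domains


def check_idmap(conf: str):
    """Return a list of problems; an empty list means the layout looks sane."""
    default_backend, domains = parse_idmap(conf)
    problems = []
    if default_backend == "ad":
        problems.append('"ad" used as the default idmap backend; configure each '
                        'domain explicitly with "idmap config DOMAIN : backend = ad"')
    for dom, entry in domains.items():
        if "backend" in entry and "range" not in entry:
            problems.append("%s: backend configured but no range" % dom)
        if "range" in entry and "backend" not in entry:
            problems.append("%s: range configured but no backend" % dom)
    # sort by lower bound; any neighbour whose lower bound is inside the
    # previous range overlaps it
    ranged = sorted((e["range"], d) for d, e in domains.items() if "range" in e)
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            problems.append("ranges of %s %s and %s %s overlap" % (d1, r1, d2, r2))
    return problems


# Constructed sample: the working layout from the comment above.
GOOD_CONF = """
[global]
    idmap config DOMAIN_1 : backend = ad
    idmap config DOMAIN_1 : range = 10001-20000
    idmap config DOMAIN_2 : backend = ad
    idmap config DOMAIN_2 : range = 20001-30000
    winbind nss info = rfc2307 sfu:DOMAIN_1 sfu20:DOMAIN_2
"""

# Constructed broken sample: "ad" as default, overlapping ranges, missing range.
BAD_CONF = """
[global]
    idmap backend = ad
    idmap config DOMAIN_1 : backend = ad
    idmap config DOMAIN_1 : range = 10001-20000
    idmap config DOMAIN_2:backend = ad
    idmap config DOMAIN_2:range = 15000 - 30000
    idmap config DOMAIN_3 : backend = ad
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_idmap(conf) or ["ok"])
```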
*** Bug 5363 has been marked as a duplicate of this bug. ***
Not sure if this is considered the same bug, so if this should be a new report please let me know.

Looks like group lookups are broken (at least on solaris 10) with idmap_ad:

root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent passwd 'NAU-STUDENTS\mcm75'
NAU-STUDENTS\mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent group 'NAU-STUDENTS\cefns_test2'
NAU-STUDENTS\cefns_test2:x:1201:NAU-STUDENTS\mcm75,NAU-STUDENTS\mmchugh,NAU\car3,NAU\mcm75
root@egr214-01:/usr/local/src/samba-3.3.1/source$ groups 'NAU-STUDENTS\mcm75'
10000
Hi Christian,

(In reply to comment #58)
> Not sure if this is considered the same bug, so if this should be a new report
> please let me know.
>
> Looks like groups lookups are broken (at least on solaris 10) with idmap_ad
>
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent passwd
> 'NAU-STUDENTS\mcm75'
> NAU-STUDENTS\mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent group
> 'NAU-STUDENTS\cefns_test2'
> NAU-STUDENTS\cefns_test2:x:1201:NAU-STUDENTS\mcm75,NAU-STUDENTS\mmchugh,NAU\car3,NAU\mcm75
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ groups 'NAU-STUDENTS\mcm75'
> 10000

I think this is a different bug. For me idmap_ad with trusted domains is working in 3.3. Also, I have not been able to reproduce your problem (on linux): samba ad member, one trusted domain with idmap_ad. groups on a user from the trusted domain is correctly showing groups.

Christian, could you please open a new bug for samba 3.3, and provide config and other details along with that?

Thanks! - Michael
Marking this bug fixed - it is fixed in 3.3. Won't be fixed in lower versions of samba. Cheers - Michael
*** Bug 4069 has been marked as a duplicate of this bug. ***