winbind's idmap_ad appears to not want to enumerate users on solaris 10. With variations in the smb.conf winbind either core dumps outright or simply does not function. This is against a win2k3 domain with rfc2307 unix attributes.
Created attachment 2364 [details] debug 10 logs
Created attachment 2365 [details] smb.conf
Created attachment 2366 [details] dumps core with this smb.conf
Created attachment 2367 [details] logs from core dump
I've found the segv. Either setting "winbind nss info = sfu" or "winbind nss info = rfc2307" should fix that if I'm correct. I'll have to fix this dependency, but could you verify that it does prevent the crash? Thanks.
Created attachment 2368 [details]
add schema_mode option
Please try this patch which should fix the segv with the original smb.conf. Adds new idmap_ad config option.
    "idmap config DOMAIN:schema_mode = {sfu,rfc2307}"
Seems to have fixed some of the issues, but I'm still getting:
    [2007/04/10 13:33:27, 2] lib/module.c:do_smb_load_module(64)
      Module '/usr/local/samba/lib/idmap/ad.so' loaded
    [2007/04/10 13:33:27, 0] nsswitch/idmap.c:idmap_init(403)
      ERROR: Could not get methods for backend ad
    [2007/04/10 13:33:27, 0] nsswitch/idmap.c:idmap_init(615)
      Aborting IDMAP Initialization ...
Samba was compiled with
    ./configure --prefix=/usr/local/samba --with-shared-modules=idmap_ad --with-pam --with-ads
using kerberos and openldap from blastwave (/opt/csw)
Created attachment 2372 [details]
new patch which also fixes the idmap_init() failure when no alloc backend has been specified
I have idmap_ad working with this patch against 3.0.25rc1. This includes the previous schema_mode patch.
Christian, this should be fixed now. Please reopen if the second patch doesn't get things working for you.
Created attachment 2373 [details]
more debug 10 logs
Unfortunately after the patch, it now immediately dumps core
dumps core at startup
Created attachment 2375 [details]
3rd revision of patch to fix allocate_gid crashes
This is v3 of the patch which adds a fix for the allocate_gid() crashes. I can successfully login using both Krb5 and NTLMSSP and the idmap_ad.
Christian, Hopefully fixed. Again, reopen if you still get failures. Thanks for spending the efforts testing these patches.
winbind runs but still does not return domain users. If tdb is added as described from http://us1.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html samba dumps core.
Created attachment 2377 [details] debug 10 logs of samba dumping core
Created attachment 2378 [details] smb.conf with tdb
I cannot reproduce any crashes on x86. Are you on sparc? What command are you running when you say that winbindd "does not return domain users"?
The signal 10 indicates a Bus error. Did you install the updated idmap_ad plugin?
Yep. On sparc. As for returning domain users running "getent passwd mcm75" (a domain user) returns nothing. Even after setting winbind enum users and groups to yes, getent passwd pauses but still does not return any domain users. When you say updated idmap_ad plugin, what do you mean? I compiled 3.0.25rc1 plus your patch from below. Should I grab the post bugday rc1 patch as mentioned in the wiki? Thanks again!
Alright, slightly more info. Looks like the crash comes from having BUILTIN in the idmap domains def. Take it out it seems to run fine. Thought I saw that in some documentation or on the list some place. I'll attach another round of log files.
Created attachment 2379 [details] smb.conf now used logs to follow
Created attachment 2380 [details]
yet more debug 10 logs
This shows winbind running and trying to list out domain users. Oddly it seemed to kind of work for a single user, mmchugh. It returned
    mmchugh:*:62107:10003:Christian McHugh:/home/NAU-STUDENTS/mmchugh:/bin/false
which has the correct uid, and gecos, but nothing else. On another unix host running centrify it returns:
    mmchugh:x:62107:10000:Christian McHugh:/home/mcm75:/bin/bash
Also running getent passwd mcm75 returned nothing, nor did running getent passwd.
Christian, I'm going to release 3.0.25rc2 tomorrow. Let's resync with that release and see where things stand.
please reopen if still reproducible against 3.0.25rc2.
I'm still having issues with winbind doing much of anything. If I just start samba (winbind and all) it appears to not be connected. wbinfo does not seem to function, or return anything. If I then try joining the domain again, everything appears connected. wbinfo -g -t -m all work, but by the time I got around to trying wbinfo -u it would not function any more. It appears to die and lose the domain connection after about 20 seconds.
Created attachment 2399 [details] samba logs
winbind still non functional
we borked winbindd in rc2. Sorry. RC3 coming in a few days.
Winbind appears to sorta work now. Once again it returns the same from comment #22 for user mmchugh, and can't find user mcm75. Also if I add our other domain it looks like idmap_ad fails to start. Attaching log files and smb.conf next.
Created attachment 2413 [details] logs from debug 10
Created attachment 2414 [details]
smb.conf with two domains
smb.conf showing the addition of the nau domain. Uses the same uid mappings for users that exist in both domains. From our point of view nau\username is the same as nau-students\username so we keep the same uid in both domains. Hope this does not present a problem. What is even stranger is that mcm75 exists in both domains. mmchugh also shares the same uid. As mentioned in the bug comments mcm75 was not found while mmchugh was, and mmchugh was returned improperly.
You have two different idmap domains defined as default. This is an invalid configuration. I'll see what I can do to give better feedback on misconfiguration. Thanks for the help in testing earlier patches, but I think this is fixed (as soon as smb.conf is corrected). Closing.
Thanks for all the help Jerry, but I think there is still a problem. I tried to explain in comment #29 that I am still seeing the same behavior as shown in comment #22. Doing a getent passwd mmchugh does not return all the fields as entered into active directory, but instead uses the winbind template fields. Furthermore, running getent passwd mcm75 returns absolutely nothing, which is also wrong. I realize you would like to get 3.0.25 out the door, but from what I can tell about its current form it seems to be unusable for ad rfc 2307 users. Let me know if there is any information I can send you to clarify the situation or help out in any way.
Please read the smb.conf(5) entry for "winbind nss info" to deal with the home directory and login shell. If "mcm75" is the loginName attribute, we ignore that. I could patch for it possibly for 3.0.26 but the current behavior would be expected in that case. btw...I've done a good bit of testing of idmap_ad with rfc2307 as a result of this bug and things work as expected. So I would disagree with your use of the word unusable.
About the inability to lookup user mcm75 problem, it looks like the valid lines from log.winbind are:
    [2007/04/29 11:20:04, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(539)
      winbindd_sid2gid_async: Resolving S-1-5-21-2129867641-1992771036-1243820751-513 to a gid
    [2007/04/29 11:20:04, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2282)
      Retrieving response for pid 22910
    [2007/04/29 11:20:04, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(521)
      sid2gid returned an error
    [2007/04/29 11:20:04, 5] nsswitch/winbindd_user.c:getpwsid_sid2gid_recv(293)
      Could not query gid for user NAU-STUDENTS\mcm75
Looks like that prevents winbind from returning mcm75 as a valid user. I've seen reference in the past that winbind would lookup a user's primary gid by looking up their primary group in ad and trying to find a gid for that group. Meaning it would not just read the gid attribute out of the rfc2307 ad attribute. If this is the case, that would be the problem, as "Domain Users" does not have a unix gid associated with it. All users just have gid 10000 set rfc2307 style. Also even with winbind nss info set to sfu, doing a getent for user mmchugh still returns the template answers. Is there something special that should be done for rfc2307 attributes? Thanks for all the help Jerry. This bug was marked as release critical. Since it works for you I can fill out new reports about my winbind issues and let you guys get on with the release, if you want.
Make sure you remove winbindd_cache.tdb to clear out any previously cached homedir and login shell attribute. The primary group defined in AD should be returned (it is for me here). Are you using winbindd nss info = sfu ? Or rfc2307 ? Do the sfu.so and rfc2307.so files in /usr/local/samba/lib/nss_info/ point back to idmap/ad.so ?
Created attachment 2565 [details]
debug 10 logs
Logs showing:
    rm -r /usr/local/samba/var/*
    starting samba
    getent passwd mcm75
    getent passwd mmchugh
    stopping samba
Created attachment 2566 [details]
smb.conf used
Make sure you remove winbindd_cache.tdb to clear out any previously cached homedir and login shell attribute.
- Done. As mentioned in previous attachment.
The primary group defined in AD should be returned (it is for me here). Are you using winbindd nss info = sfu ? Or rfc2307 ?
- From the config:
    winbind nss info = sfu rfc2307
That is proper, correct? Not winbindd? I've also tried just winbind nss info = sfu to the same effect.
Do the sfu.so and rfc2307.so files in /usr/local/samba/lib/nss_info/ point back to idmap/ad.so ?
- Yep. Symlinks in place.
So it looks like my nss info param was wrong and it should just be rfc2307. That should probably be fixed in the smb.conf man page as it only mentions sfu and template. Anyway I've tried a few combinations of params in smb.conf and I'm only able to look up users in the default domain. I think the actual sid lookup is functioning, but it looks like it can't map to uid. Doing a
    #getent passwd 'NAU\car3'
I get this in the log
    sid [S-1-5-21-20713206-1263413069-421607344-5886] not mapped to an uid [2,1,0]
I'll attach the debug logs. Also is there any way, or are there any plans to implement cycling through domains? Such as looking up a user in the current domain and then trying the rest that have trusts? Otherwise depending on what domain the server is joined to a user's username will change, which can be very confusing.
Created attachment 2691 [details]
log files of debug 10 trying to look up a user from another domain
It also appears that winbind hangs when doing a wbinfo -u and never comes back. After that any wbinfo commands only return error:
    root@ackbar:/usr/local/samba/lib$ ../bin/wbinfo -u
    Error looking up domain users
    root@ackbar:/usr/local/samba/lib$ ../bin/wbinfo -p
    Ping to winbindd failed on fd -1
    could not ping winbindd!
wbinfo -u is a synchronous operation done in the parent and should be used carefully. It is not a good test for determining a working system. I'll fix the omission on the man page you mention as well as looking at the logs later this week.
Created attachment 2788 [details]
more winbind logs
Still not able to lookup a user from another domain with 3.0.25b. Looks similar to comment #36 only now seeing entries like:
    [2007/06/27 11:54:18, 5] nsswitch/winbindd_dual.c:async_reply_recv(263)
      Could not receive async reply from child pid 14163
    [2007/06/27 11:54:18, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(341)
      Could not trigger sid2uid
    [2007/06/27 11:54:18, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
      Could not query uid for user NAU\car3
    idmap_init: Unable to get methods for alloc backend ad
The AD backend is read-only. You cannot set it for allocating uids/gids. What are you trying to do here?
Created attachment 2789 [details]
winbind log
Sorry for that. Fixed a typo in my smb.conf. Anyway still seeing the same problem. Seems to contact the NAU domain (while joined to nau-students) but still can't lookup a user with "getent passwd 'nau\car3'"
Created attachment 2790 [details]
all the logs!
Attaching all the logs after noticing:
    INTERNAL ERROR: Signal 10 in pid 14231 (3.0.25b)
in log.winbind-idmap. Also a note about dumping core. Let me know if you want the core file.
Created attachment 2795 [details]
log files and smb.conf
After double checking the smb.conf, clearing the winbind cache, and deleting out old log files, I'm still unable to get "getent passwd 'nau\car3'" to return any information. The attached tar.gz contains just the logs of samba starting, running getent passwd 'nau\car3' and getent passwd mcm75 then stopping. Nothing really stands out to me except winbind keeps claiming that it can't map the nau\car3 sid to a uid, which I believe is not true.
to add to my confusion...
    root@ackbar:/usr/local/samba/bin$ ./wbinfo --domain=NAU -u | grep car3
    NAU\car3
    root@ackbar:/usr/local/samba/bin$ getent passwd 'NAU\car3'
    root@ackbar:/usr/local/samba/bin$
wbinfo seems capable of finding the user, while getent can't. The logs that are already attached to this bug report show this same activity.
Just for additional feedback, I see the same samba response with a checkout of 3.2.0
Looks like there is no uid assigned to that user or else you still have conf problems.
    [15789]: sid to uid S-1-5-21-20713206-1263413069-421607344-5886
    idmap_sid_to_uid: sid = [S-1-5-21-20713206-1263413069-421607344-5886]
    Query backends to map sids->ids
    SID S-1-5-21-20713206-1263413069-421607344-5886 is being handled by nau-students
    Query ids from domain nau-students
    Current tickets expire in 35984 seconds (at 1183173621, time is now 1183137637)
    Filter: [(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)
    (sAMAccountType=805306370)(sAMAccountType=268435456)
    (sAMAccountType=536870912))
    (|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E
    \4B\B0\37\21\19\FE\16\00\00)))]
    Search for ... in <dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU> gave 0 replies
    No IDs found
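Added example (not part of the bug report and not Samba code): the objectSid term in the logged LDAP filter is the binary SID with each byte backslash-escaped. This sketch converts between the string SID and that filter form and compares domain SIDs, so a logged filter can be checked against the SID and domain it is meant to query; the function names are illustrative and the sample values are copied from the log excerpts in this thread.

```python
import re
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-1-5-21-...' into the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    # revision (1 byte), count (1 byte), 48-bit big-endian authority,
    # then each sub-authority as a 32-bit little-endian integer
    head = struct.pack(">BB", revision, len(subauths)) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(subauths)}I", *subauths)

def bytes_to_sid(raw: bytes) -> str:
    if len(raw) < 8:
        raise ValueError("truncated SID")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subauths)])

def sid_to_filter(sid: str) -> str:
    return "(objectSid=" + "".join(f"\\{b:02X}" for b in sid_to_bytes(sid)) + ")"

def filter_to_sid(ldap_filter: str) -> str:
    m = re.search(r"objectSid=((?:\\[0-9A-Fa-f]{2}\s*)+)", ldap_filter)
    if not m:
        raise ValueError("no escaped objectSid in filter")
    return bytes_to_sid(bytes.fromhex(re.sub(r"[\\\s]", "", m.group(1))))

def domain_sid(sid: str) -> str:
    """Drop the trailing RID, leaving the issuing domain's SID."""
    return sid.rsplit("-", 1)[0]

# Values copied from the log excerpts in this thread (line wrap kept as a space)
LOGGED_FILTER = (r"(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E"
                 r" \4B\B0\37\21\19\FE\16\00\00))")
CAR3_SID = "S-1-5-21-20713206-1263413069-421607344-5886"
STUDENTS_GROUP_SID = "S-1-5-21-2129867641-1992771036-1243820751-513"

if __name__ == "__main__":
    print(filter_to_sid(LOGGED_FILTER))
    print(domain_sid(CAR3_SID) == domain_sid(STUDENTS_GROUP_SID))
```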