Bug 4590 - idmap backend = ad; nsswitch does not work correctly !
idmap backend = ad; nsswitch does not work correctly !
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.24
x86 Windows 2003
: P3 critical
: none
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-05-02 05:39 UTC by Andreas Ladanyi
Modified: 2007-05-29 06:06 UTC (History)
0 users

See Also:


Attachments
log.winbindd (945.14 KB, application/octet-stream)
2007-05-02 07:45 UTC, Andreas Ladanyi
no flags Details
log.winbindd-idmap (15.81 KB, text/plain)
2007-05-02 07:45 UTC, Andreas Ladanyi
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Ladanyi 2007-05-02 05:39:39 UTC
Hi,

I did installed Samba 3.0.24 (first time: debian package, second time: self compiled -> both with same issue):

wbinfo -u ,-t ,-g OK!
net ads join OK !
ldapsearch to AD shows all correctly. All parameters are available. 

getent passwd: only files, not the winbind result.
getent group: files and the AD Groups with Unix gids, but without the members.

nsswitch.conf
=============

passwd: files winbind
shadow: same
group: same


smb.conf
========

[global]

   workgroup = IPR-OFFICE
   realm = IPR.UNI-KARLSRUHE.DE
   server string = %h server (Samba %v)
netbios name = i60p311
   wins server = i60pdc
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
log level = 10
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = true

password server = i60pdc.ipr.uni-karlsruhe.de

   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

   socket options = TCP_NODELAY

   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 3600
   idmap backend = ad
   #idmap backend = idmap_rid:BUILTIN=10000-10999,IPR-OFFICE=110000-1000000
   #idmap backend = rid:IPR-OFFICE=500-10000
   idmap uid = 6000-27000  #our unix id ranges, not in conflict with etc/passwd
   idmap gid = 600-619
   #idmap uid = 30000-40000
   #idmap gid = 30000-40000
   template shell = /bin/andysh
   winbind use default domain = yes
   #clients channel = no
   #winbind refresh tickets = yes
   #idmap backend = rid:IPR-OFFICE=25200-100000
   #allow trusted domains = yes
   winbind nss info =  rfc2307
Comment 1 Andreas Ladanyi 2007-05-02 07:45:17 UTC
Created attachment 2679 [details]
log.winbindd
Comment 2 Andreas Ladanyi 2007-05-02 07:45:52 UTC
Created attachment 2680 [details]
log.winbindd-idmap
Comment 3 Andreas Ladanyi 2007-05-02 16:36:41 UTC
net idmap dump /var/lib/samba/winbindd_idmap.tdb looks very good !
Comment 4 Guenther Deschner 2007-05-04 04:26:50 UTC
From the log:
ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 'gidNumber'

So your primary windows group (Domain Users) does not have a posix mapping attribute yet. Can you add one and retry?
Comment 5 Andreas Ladanyi 2007-05-04 05:56:37 UTC
HAllo Günther,

I did the following tasks since my last Comment:

I added a GroupID to the "Domain-User" with RID 513 Standard AD entry. 
The result is know that "getent passwd" prints out the Users to the stdout, but with GID from this "Domain-Users". 

This is a little success since my last tasks!

 But i added an own group only for Unix Clients to the AD and would like only to work with this group, not the Standard Windows Groups. I gave them a GID and this is also shown in "getent group", but without its members which i added in the AD Configuration to this Unix Group. The Unix Group SID->GID also shown correctly by the "net idmap dump ....". Die memberUid in the Unix Group is correctly shown by "ldapsearch...".  -> Courious behavior.

Do i have to give ALL Windows AD Groups and Users a UID/GID, independent if the Windows AD Groups (Standard or own created) are used on Unix Clients or not used on Unix Clients ????

Grüße Andy
Comment 6 Andreas Ladanyi 2007-05-05 02:02:06 UTC
The part....."i cant see the members of the Unix Group which i added in AD to the Unix Group" could be canceled. 

I saw that the members have to be added "windows side" and "unix side" (below the TAB "Unix Attributes" in the group configuration).

This means each member habe to be added twice.

Now, there is only the issue winbind asks to "Domain USer" RID 513 Group. Is there workaround. 

For example changing the primary group ? 
Comment 7 Andreas Ladanyi 2007-05-13 05:02:41 UTC
Ok,

iam able to map user/groups, to add user to groups, to change primary group in AD. 

Winbind with idmap backend=ad works. 

But an ls -al or sometimes pam_winbind ist very slow. A samba developer told me this is a known performance problem in method of listing users and groups with winbind. This problem is beeing fixed in the moment and would be expectly solved in version 3.0.26
Comment 8 Guenther Deschner 2007-05-29 06:05:33 UTC
(In reply to comment #6)
> Now, there is only the issue winbind asks to "Domain USer" RID 513 Group. Is
> there workaround. 
> 
> For example changing the primary group ? 

Sure, you can just modify the primary group to a group that has POSIX attributes.
Comment 9 Guenther Deschner 2007-05-29 06:06:43 UTC
(In reply to comment #7)
> But an ls -al or sometimes pam_winbind ist very slow. A samba developer told me
> this is a known performance problem in method of listing users and groups with
> winbind. This problem is beeing fixed in the moment and would be expectly
> solved in version 3.0.26

Verify your system can correctly find the AD dc (in DNS terms), for the slowliness of ls: try to use nscd.