Bug 5806 - idmap_adex not working with trusted domains
Summary: idmap_adex not working with trusted domains
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: x86 Solaris
Importance: P3 normal
Target Milestone: ---
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-02 10:58 UTC by mchugh19@yahoo.com
Modified: 2008-11-19 10:40 UTC

See Also:


Attachments
log files (441.37 KB, application/x-gzip)
2008-10-02 10:59 UTC, mchugh19@yahoo.com
Semantic fix for idmap_passdb to allow other backends to continue the search (2.62 KB, text/plain)
2008-10-03 14:26 UTC, Gerald (Jerry) Carter (dead mail address)
logs (190.99 KB, application/x-gzip)
2008-10-03 15:40 UTC, mchugh19@yahoo.com
Log the domains we add to our internal list (1.17 KB, patch)
2008-10-06 11:51 UTC, Gerald (Jerry) Carter (dead mail address)
Log the dn of any located entries from the cell search function (1.25 KB, patch)
2008-10-06 11:51 UTC, Gerald (Jerry) Carter (dead mail address)
Logs including crash (843.58 KB, application/x-gzip)
2008-10-10 17:10 UTC, mchugh19@yahoo.com

Description mchugh19@yahoo.com 2008-10-02 10:58:11 UTC
In testing samba 3.3.0pre2 it looks like the adex plugin is not supporting groups or users from trusted domains.

root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU\mcm75'
root@egr214-01:/usr/local/samba/var$ getent group 'NAU-STUDENTS\cefns-it_staff'
root@egr214-01:/usr/local/samba/var$ getent group 'NAU-STUDENTS\cefns-cefnsweb'
root@egr214-01:/usr/local/samba/var$
Comment 1 mchugh19@yahoo.com 2008-10-02 10:59:09 UTC
Created attachment 3653 [details]
log files
Comment 2 Gerald (Jerry) Carter (dead mail address) 2008-10-03 13:32:17 UTC
This is strange.  It works fine for me in a 2003R2 forest.

$ wbinfo -m  --verbose
Domain Name     DNS Domain              Trust Type  Transitive  In   Out  
BUILTIN                                 None        Yes         Yes  Yes  
GARRYCK                                 None        Yes         Yes  Yes  
HEADQ           sales.plainjoe.org      None        Yes         Yes  Yes  
US              us.sales.plainjoe.org   In-Forest   Yes         Yes  Yes  

$ wbinfo -i HEADQ\\gcarter
gcarter:*:10000:10000:Gerald W. Carter:/home/sales/gcarter:/bin/bash

$ wbinfo -i US\\Administrator
Administrator:*:20001:20000:Administrator:/home/Administrator:/bin/bash

I remember a bug that Simo and I discussed last week.  I'll try
to track that down and see if that could explain your failures.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2008-10-03 14:26:12 UTC
Created attachment 3655 [details]
Semantic fix for idmap_passdb to allow other backends to continue the search

This is a patch against v3-3-test.  It's semantically correct, I believe,
and may fix your problem.  I'm still not sure why my setup is working and
yours is failing.  Seems that we both should be hitting the failure path.
But try this patch and let me know.
Comment 4 mchugh19@yahoo.com 2008-10-03 15:38:24 UTC
Still having problems. Applied the patch to 3.3.0pre2

[2008/10/04 03:34:56,  5] winbindd/winbindd_idmap.c:winbindd_sid2uid_recv(187)
  sid2uid returned an error
[2008/10/04 03:34:56,  5] winbindd/winbindd_user.c:getpwsid_sid2uid_recv(338)
  Could not query uid for user NAU\mcm75
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/10/04 03:34:47, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-513; value = -1 and timeout = Sat Oct  4 03:36:47 2008
Comment 5 mchugh19@yahoo.com 2008-10-03 15:40:36 UTC
Created attachment 3656 [details]
logs

Logs of running

root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -i NAU-STUDENTS\\mmchugh
mmchugh:*:62107:10000:Christian McHugh:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -i NAU-STUDENTS\\mcm75
mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -i NAU\\mcm75
Could not get info for user NAU\mcm75
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -m --verbose
Domain Name     DNS Domain              Trust Type  Transitive  In   Out
BUILTIN                                 None        Yes         Yes  Yes
EGR214-01                               None        Yes         Yes  Yes
NAU-STUDENTS    students.froot.nau.edu  None        Yes         Yes  Yes
FROOT           froot.nau.edu           In-Forest   Yes         Yes  Yes
ADROOT          adroot.azwestern.edu    None        Yes         Yes  No
NAU             nau.froot.nau.edu       In-Forest   Yes         Yes  Yes
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop
Comment 6 Gerald (Jerry) Carter (dead mail address) 2008-10-06 11:49:57 UTC
We keep hitting new problems apparently.  This time:

  [ 3366]: sid to uid S-1-5-21-20713206-1263413069-421607344-35508
  idmap_sid_to_uid: sid = [S-1-5-21-20713206-1263413069-421607344-35508]
  Cache entry with key = IDMAP/SID2UID/S-1-5-21-20713206-1263413069-421607344-35508 couldn't be found
  cell_do_search: Base = ,  Filter = (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\B4\8A\00\00), Scope = 2, GC = yes
  Failed! (NT_STATUS_TRUSTED_DOMAIN_FAILURE)

This code is only hit when we find the partial record via a GC search and then attempt
to connect to the associated domain to get the complete record and we cannot find the
domain.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2008-10-06 11:51:03 UTC
Created attachment 3660 [details]
Log the domains we add to our internal list
Comment 8 Gerald (Jerry) Carter (dead mail address) 2008-10-06 11:51:29 UTC
Created attachment 3661 [details]
Log the dn of any located entries from the cell search function
Comment 9 Gerald (Jerry) Carter (dead mail address) 2008-10-06 11:52:27 UTC
Please try these two patches.  They add more debug information.  Also, if possible, grant me remote access to a test machine with the build environment; I can short circuit some of the latency of dealing with bugzilla.
Comment 10 Gerald (Jerry) Carter (dead mail address) 2008-10-06 14:38:41 UTC
After some private debugging on a problematic host, the issue appears to be
working as expected.  However, the assignment of duplicate name aliases (uid attribute),
uidNumber, and gidNumber values is not a supported environment.

Waiting on more testing from Christian.
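The duplicate-id condition described in comment 10 is easy to miss in a large forest, so here is an added check (example code, not Samba's own) that parses passwd-format lookup output such as `wbinfo -i` returns and reports uids or home directories claimed by more than one account; the sample lines are constructed from the lookups quoted in this bug.

```python
# Check winbind lookups for colliding POSIX ids: added example, not Samba code.
# Comment 10 says duplicate uid aliases, uidNumber or gidNumber values are not
# a supported idmap_adex setup; two accounts sharing a uid also share every
# file permission and process the uid grants, so it is worth catching early.
from collections import defaultdict

# Constructed sample modelled on the `wbinfo -i` output in this bug, where
# NAU-STUDENTS\mmchugh and NAU-STUDENTS\mcm75 both resolve to uid 62107.
SAMPLE = """\
mmchugh:*:62107:10000:Christian McHugh:/home/mcm75:/bin/bash
mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
gcarter:*:10000:10000:Gerald W. Carter:/home/sales/gcarter:/bin/bash
Administrator:*:20001:20000:Administrator:/home/Administrator:/bin/bash
"""

def parse_passwd(text):
    """Return (name, uid, gid, home) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            continue
        entries.append((parts[0], int(parts[2]), int(parts[3]), parts[5]))
    return entries

def find_uid_collisions(entries):
    """uid -> sorted names, for every uid claimed by more than one name."""
    by_uid = defaultdict(set)
    for name, uid, _gid, _home in entries:
        by_uid[uid].add(name)
    return {uid: sorted(n) for uid, n in by_uid.items() if len(n) > 1}

def find_home_collisions(entries):
    """home directory -> sorted names, where several accounts share a home."""
    by_home = defaultdict(set)
    for name, _uid, _gid, home in entries:
        by_home[home].add(name)
    return {h: sorted(n) for h, n in by_home.items() if len(n) > 1}

if __name__ == "__main__":
    found = parse_passwd(SAMPLE)
    for uid, names in find_uid_collisions(found).items():
        print(f"uid {uid} shared by {', '.join(names)}: unsupported idmap_adex data")
    for home, names in find_home_collisions(found).items():
        print(f"home {home} shared by {', '.join(names)}")
```

Feed it the concatenated output of `wbinfo -i` for each account of interest (or `getent passwd` where winbind is in nsswitch) to audit the uidNumber data stored in AD before blaming the plugin.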
Comment 11 Gerald (Jerry) Carter (dead mail address) 2008-10-07 08:36:05 UTC
Christian, can we mark this as fixed now that the plugin appears to be functioning correctly
(other than some configuration issues with the data stored in AD)?
Comment 12 mchugh19@yahoo.com 2008-10-09 09:58:52 UTC
Looks like I am getting crashes when attempting to connect to a file share.

[2008/10/09 04:53:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (62107, 10000) - sec_ctx_stack_ndx = 0
[2008/10/09 04:53:54,  0] lib/util.c:smb_panic(1666)
  PANIC (pid 21466): sys_setgroups failed
[2008/10/09 04:53:54,  0] lib/util.c:log_stack_trace(1820)
  unable to produce a stack trace on this platform
[2008/10/09 04:53:54,  0] lib/fault.c:dump_core(206)
  dumping core in /usr/local/samba/var/cores/smbd
[2008/10/09 04:53:54,  3] smbd/server.c:remove_child_pid(299)
  smbd/server.c:299 Unclean shutdown of pid 21466
[2008/10/09 04:53:54,  2] lib/messages_local.c:message_notify(270)
  message to process 21466 failed - No such process
[2008/10/09 04:53:54,  2] lib/messages_local.c:messaging_tdb_send(358)
  pid 21466 doesn't exist - deleting messages record
[2008/10/09 04:53:54,  2] lib/messages.c:traverse_fn(127)
  pid 21466 doesn't exist - deleting connections -1 []
Comment 13 mchugh19@yahoo.com 2008-10-10 11:16:15 UTC
Seeing the same problem with a git checkout.
Comment 14 Gerald (Jerry) Carter (dead mail address) 2008-10-10 11:40:13 UTC
(In reply to comment #12)
> Looks like I am getting crashes when attempting to connect to a file share.
> 
> [2008/10/09 04:53:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>   setting sec ctx (62107, 10000) - sec_ctx_stack_ndx = 0
> [2008/10/09 04:53:54,  0] lib/util.c:smb_panic(1666)
>   PANIC (pid 21466): sys_setgroups failed

This is a different issue.  But could you upload a complete level 10 debug
file from smbd?  Thanks.
Comment 15 mchugh19@yahoo.com 2008-10-10 17:10:55 UTC
Created attachment 3674 [details]
Logs including crash
Comment 16 mchugh19@yahoo.com 2008-10-14 10:00:30 UTC
Just tried again with a git checkout. I'm still seeing a panic (sys_setgroups failed) when trying to connect from a Windows machine.

Also, I seem to be unable to look up users from a trusted domain.

[2008/10/14 21:54:22,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(234)
  [  841]: sid to uid S-1-5-21-20713206-1263413069-421607344-35508
[2008/10/14 21:54:22,  3] winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_TRUSTED_DOMAIN_FAILURE
[2008/10/14 21:54:44,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(234)
  [  841]: sid to uid S-1-5-21-20713206-1263413069-421607344-35508
[2008/10/14 21:56:43,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(305)
  [  841]: sid to gid S-1-5-32-544
[2008/10/14 21:56:43,  2] lib/module.c:do_smb_load_module(64)
  Module '/usr/local/samba/lib/idmap/adex.so' loaded
[2008/10/14 21:56:43,  1] winbindd/idmap.c:idmap_alloc_init(575)
  could not find idmap alloc module adex
[2008/10/14 21:56:43,  3] winbindd/idmap.c:idmap_new_mapping(690)
  Could not allocate id: NT_STATUS_INVALID_PARAMETER
[2008/10/14 21:56:43,  2] lib/module.c:do_smb_load_module(64)
  Module '/usr/local/samba/lib/idmap/adex.so' loaded
[2008/10/14 21:56:43,  1] winbindd/idmap.c:idmap_alloc_init(575)
  could not find idmap alloc module adex
[2008/10/14 21:56:43,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(305)
  [  841]: sid to gid S-1-5-32-545
[2008/10/14 21:56:43,  2] lib/module.c:do_smb_load_module(64)
  Module '/usr/local/samba/lib/idmap/adex.so' loaded
[2008/10/14 21:56:43,  1] winbindd/idmap.c:idmap_alloc_init(575)
  could not find idmap alloc module adex
[2008/10/14 21:56:43,  3] winbindd/idmap.c:idmap_new_mapping(690)
  Could not allocate id: NT_STATUS_INVALID_PARAMETER
[2008/10/14 21:56:43,  2] lib/module.c:do_smb_load_module(64)
  Module '/usr/local/samba/lib/idmap/adex.so' loaded
[2008/10/14 21:56:43,  1] winbindd/idmap.c:idmap_alloc_init(575)
  could not find idmap alloc module adex
[2008/10/14 21:56:46,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(234)
  [  841]: sid to uid S-1-5-21-20713206-1263413069-421607344-35508
[2008/10/14 21:56:46,  3] winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_TRUSTED_DOMAIN_FAILURE
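Reading the winbindd idmap log above by eye is slow, so here is an added triage script (example code, not Samba's own) that pairs each "sid to uid/gid" request with the NT_STATUS line that follows it and counts the "could not find idmap alloc module" lines; the sample log is constructed from the excerpt in comment 16.

```python
# Triage winbindd idmap debug output: added example, not Samba's own code.
# Pairs each "sid to uid/gid" request with the next NT_STATUS line seen.
import re

HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
REQUEST = re.compile(r"sid to (?P<kind>uid|gid) (?P<sid>S-\d+(?:-\d+)+)")
STATUS = re.compile(r"NT_STATUS_[A-Z_]+")

# Constructed sample, trimmed from the log excerpt in comment 16.
SAMPLE_LOG = """\
[2008/10/14 21:54:22,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(234)
  [  841]: sid to uid S-1-5-21-20713206-1263413069-421607344-35508
[2008/10/14 21:54:22,  3] winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_TRUSTED_DOMAIN_FAILURE
[2008/10/14 21:56:43,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(305)
  [  841]: sid to gid S-1-5-32-544
[2008/10/14 21:56:43,  1] winbindd/idmap.c:idmap_alloc_init(575)
  could not find idmap alloc module adex
[2008/10/14 21:56:43,  3] winbindd/idmap.c:idmap_new_mapping(690)
  Could not allocate id: NT_STATUS_INVALID_PARAMETER
"""

def parse_records(text):
    """Join each '[ts, level] file:func(line)' header with the indented
    message lines under it: returns (timestamp, level, source, message)."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m["ts"], int(m["level"]), m["src"], ""])
        elif records and line.startswith(" "):
            records[-1][3] += line.strip() + " "
    return [(ts, lvl, src, msg.strip()) for ts, lvl, src, msg in records]

def triage(records):
    """Return ({sid: last NT_STATUS seen for it}, alloc_module_missing_count).
    A SID whose request is never followed by a status keeps 'no status'."""
    outcomes, current, alloc_missing = {}, None, 0
    for _ts, _lvl, _src, msg in records:
        req = REQUEST.search(msg)
        if req:
            current = req["sid"]
            outcomes.setdefault(current, "no status")
            continue
        if "could not find idmap alloc module" in msg:
            alloc_missing += 1
        st = STATUS.search(msg)
        if st and current:
            outcomes[current] = st.group(0)
    return outcomes, alloc_missing
```

Run it over log.winbindd-idmap at debug level 3 or higher; a SID that repeatedly ends in NT_STATUS_TRUSTED_DOMAIN_FAILURE points at the cell search for that SID's domain, while a non-zero alloc-module count means allocation fell through to a backend that is not loaded.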
Comment 17 Gerald (Jerry) Carter (dead mail address) 2008-10-14 10:23:07 UTC
Christian, I am at a conference this week.  I'll pick back up as soon as I'm back
in the office on Oct 16.
Comment 18 mchugh19@yahoo.com 2008-10-20 15:58:10 UTC
As of a git-fetch from this morning I'm still unable to look up users from a trusted domain (such as NAU\\mcm75) and trying to connect from Windows still makes smbd dump core.
Comment 19 Gerald (Jerry) Carter (dead mail address) 2008-10-21 07:12:53 UTC
(In reply to comment #18)
> As of a git-fetch from this morning I'm still unable to lookup users from a
> trusted domain (such as NAU\\mcm75) and trying to connect from windows still
> makes smbd dump core.
> 

I thought we already worked this out based on comment #10 and some private email.
Duplicate uid values are not a supported config.

Comment 20 mchugh19@yahoo.com 2008-10-21 09:19:53 UTC
The thing is, it used to work. A few git updates ago I was able to look up users in both domains. Now I cannot. Also there is another problem of smbd crashing when I attempt to connect to the machine from Windows.
Comment 21 mchugh19@yahoo.com 2008-10-23 12:19:45 UTC
To assist in clearing up the problems, I've opened a new bug about the crashing problem: Bug 5848.
Comment 22 mchugh19@yahoo.com 2008-10-28 10:11:05 UTC
So when I attempt to do a lookup on a user from a trusted domain I see:

[2008/10/28 22:07:18,  3] winbindd/winbindd_util.c:init_child_recv(654)
  Could not init child
[2008/10/28 22:07:18,  1] winbindd/winbindd_util.c:trustdom_recv(294)
  Could not receive trustdoms

But wbinfo manages to see it as online

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo --online-status
BUILTIN : online
EGR214-01 : online
NAU-STUDENTS : online
ADROOT : offline
FROOT : online
NAU : online
BUS : offline
Comment 23 mchugh19@yahoo.com 2008-11-03 15:25:06 UTC
Users in other domains are still broken as of today's git checkout.
Comment 24 mchugh19@yahoo.com 2008-11-18 10:42:56 UTC
I just tried again with a git checkout, and I'm still having problems. 

I can look up users in the domain to which the machine is joined, but not in any others. In the log.winbindd-idmap log I see entries for

[2008/11/18 23:39:17,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(305)
  [ 7381]: sid to gid S-1-5-21-2129867641-1992771036-1243820751-513
[2008/11/18 23:39:28,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(234)
  [ 7381]: sid to uid S-1-5-21-20713206-1263413069-421607344-35431
[2008/11/18 23:39:28,  3] winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_TRUSTED_DOMAIN_FAILURE
[2008/11/18 23:39:32,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(234)
  [ 7381]: sid to uid S-1-5-21-20713206-1263413069-421607344-13796
[2008/11/18 23:39:32,  3] winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_TRUSTED_DOMAIN_FAILURE


This worked for 3.3pre2, so I think something was broken shortly afterward.
Comment 25 mchugh19@yahoo.com 2008-11-19 10:40:03 UTC
Clearing out /usr/local/samba and installing again from scratch seems to have fixed my lookup problems. I don't know what made it get confused, but both 3.3.0pre2 and a git checkout once again perform lookups for me.