Bug 7582 - idmap_ad fails to map uidNumber with rfc2307
Status: RESOLVED DUPLICATE of bug 9880
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
Version: 3.5.4
Hardware: x64 Linux
Importance: P3 critical
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2010-07-23 04:41 UTC by Klaus Steinberger
Modified: 2014-07-24 19:19 UTC

Attachments
Level 10 log of winbindd-idmap (40.68 KB, application/octet-stream)
2010-07-23 04:43 UTC, Klaus Steinberger
Level 10 log of wb-AD (265.19 KB, application/octet-stream)
2010-07-23 04:43 UTC, Klaus Steinberger
Level 10 log of winbindd (123.12 KB, application/octet-stream)
2010-07-23 04:44 UTC, Klaus Steinberger

Description Klaus Steinberger 2010-07-23 04:41:38 UTC
We do have valid uidNumbers in our Active Directory with rfc2307 schema. Until 3.4.8 winbind worked very well and mapped uidNumbers as expected.

Starting with 3.5.0 the same configuration refuses to work.

The symptoms:

wbinfo -u works 
but wbinfo -i 'AD\username' returns 
Could not get info for user AD\username
Comment 1 Klaus Steinberger 2010-07-23 04:43:02 UTC
Created attachment 5859
Level 10 log of winbindd-idmap
Comment 2 Klaus Steinberger 2010-07-23 04:43:38 UTC
Created attachment 5860
Level 10 log of wb-AD
Comment 3 Klaus Steinberger 2010-07-23 04:44:06 UTC
Created attachment 5861
Level 10 log of winbindd
Comment 4 Michael Adam 2010-08-16 14:23:42 UTC
Hi, thanks for the report!
Could you please also attach a copy of
your smb.conf (at least global section)?

Cheers - Michael
Comment 5 Klaus Steinberger 2010-08-17 01:16:33 UTC
Of course:

#GLOBAL PARAMETERS
[global]
        fileid:mapping = fsname
        netbios name = lsf-cups
        workgroup = AD
        realm = AD.PHYSIK.UNI-MUENCHEN.DE
        preferred master = no
        server string = Print Server LS Feldmann
        security = ADS
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 10240
        load printers = yes
        printcap name = cups
        printing = cups

        winbind nss info = rfc2307
        winbind normalize names = yes
        # http://wiki.samba.org/index.php/Samba_&_Active_Directory#Configuring_Samba
        passdb backend = tdbsam
        idmap backend = tdb
        idmap uid = 500 - 999
        idmap gid = 500 - 999
        idmap config AD : backend = ad
        idmap config AD : range = 1000-999999
        idmap config AD : schema_mode = rfc2307

        ;template primary group = "Domain Users"
        template shell = /bin/bash
        template homedir = /export/home/%U
        username map script = /usr/local/sbin/machine-account-map.pl


[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        writeable = no
        printable = yes
        guest ok = yes

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = ripley
        writeable = yes
        guest ok = yes

Comment 6 Klaus Steinberger 2010-11-26 04:00:34 UTC
Hi,

Ezra Van Everbroeck <ezra@ucsd.edu> worked out that the mapping works again when the primary Windows group has a gidNumber set up.

In our environment we originally did not give "Domain Users" a gidNumber attribute. But the behavior is now that a user with a primary Windows group without a gidNumber attribute will not be mapped anymore.


But one thing is hitting me further:

With the idmap_ad plugin, "winbind normalize names" does not work anymore.

Until 3.4 a name was mapped to the uid attribute. In 3.5.x this does not work.


Behavior until 3.4.x:

[root@filer ~]# wbinfo -i 'AD\Guinea.Pig'
Guinea.Pig:*:10007:10000::/home/g/Guinea.Pig:/bin/bash
[root@filer ~]# 


Behavior in 3.5.x:

[root@filer-lskr samba]# wbinfo -i 'AD\Guinea.Pig'

AD\guinea.pig:*:10007:10000:Guinea Pig:/home/g/Guinea.Pig:/bin/bash
[root@filer-lskr samba]# 


This is bad, as this will definitely break our NFS4 idmap mappings.
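
Added example, not part of the original report or of Samba: a check for the condition described in comment 6, a user with a uidNumber whose primary Windows group has no gidNumber, plus IDs outside the "idmap config AD : range" from the smb.conf in comment 5. The domain SID, account names and group entries are constructed sample data; the attribute names are the standard AD/rfc2307 ones.

```python
# Added example: audit AD user/group records for missing rfc2307 IDs.
# All records and DOMAIN_SID are constructed sample data (assumptions).

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
ID_RANGE = (1000, 999999)  # "idmap config AD : range = 1000-999999"

USERS = [  # constructed entries, as they might be exported from AD
    {"sAMAccountName": "Test.One", "uidNumber": "10007", "primaryGroupID": "513"},
    {"sAMAccountName": "Test.Two", "uidNumber": "10008", "primaryGroupID": "1105"},
    {"sAMAccountName": "Test.Three", "primaryGroupID": "1105"},
    {"sAMAccountName": "Test.Four", "uidNumber": "501", "primaryGroupID": "1105"},
]
GROUPS = [  # constructed entries
    {"cn": "Domain Users", "objectSid": DOMAIN_SID + "-513"},  # no gidNumber
    {"cn": "staff", "objectSid": DOMAIN_SID + "-1105", "gidNumber": "10000"},
]


def in_range(value, id_range=ID_RANGE):
    """True if value is a decimal ID inside the configured idmap range."""
    return (value is not None and value.isdigit()
            and id_range[0] <= int(value) <= id_range[1])


def audit(users, groups, domain_sid=DOMAIN_SID):
    """Return {account: reason} for accounts that need attention."""
    by_sid = {g["objectSid"]: g for g in groups}
    problems = {}
    for u in users:
        name = u["sAMAccountName"]
        if not in_range(u.get("uidNumber")):
            problems[name] = "uidNumber missing or outside idmap range"
            continue
        # primaryGroupID holds only the RID; group SID = domain SID + RID.
        group = by_sid.get(f"{domain_sid}-{u['primaryGroupID']}")
        if group is None:
            problems[name] = "primary group not found"
        elif not in_range(group.get("gidNumber")):
            problems[name] = f"primary group '{group['cn']}' has no usable gidNumber"
    return problems


if __name__ == "__main__":
    for account, reason in audit(USERS, GROUPS).items():
        print(f"{account}: {reason}")
```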
Comment 7 Björn Jacke 2014-07-23 16:57:30 UTC
okay, so this is a dup. docs are already made more clear.

for the *new* issue you report in the last comment, I don't see why "winbind normalize names" should do what "winbind use default domain" does, I don't see the misbehaviour. Anyway, if you still think this is a bug, then please open a new report for it...

*** This bug has been marked as a duplicate of bug 9880 ***
Comment 8 Klaus Steinberger 2014-07-24 07:14:41 UTC
(In reply to comment #7)
> okay, so this is a dup. docs are already made more clear.
> 
> for the *new* issue you report in the last comment, I don't see why "winbind
> normalize names" should do what "winbind use default domain" does, I don't see
> the misbehaviour. Anyway, if you still think this is a bug, then please open a
> new report for it...
> 
> *** This bug has been marked as a duplicate of bug 9880 ***

Sorry, but I think you misunderstood my problem.

We do have user login names with uppercase characters. A down mapping to lower case breaks Kerberos! So why was the behavior of "winbind normalize names" changed to something completely useless?

I would expect from normalize names that the name would be returned exactly as in the attribute with upper and lower case.

So I would expect the behavior like it was in 3.4, which returns for "AD\Guinea.Pig" the value "Guinea.Pig" and not something crippled.

Sincerely,
Klaus
Comment 9 Björn Jacke 2014-07-24 19:19:09 UTC
The initially reported problem was your missing gidNumber attributes. Don't hijack bug reports with discussions about other topics and discussions about other Samba features that are not related. If you think that winbind normalize names does not do what it should do (I don't see that yet), then open a new bug about *that* issue, please.

*** This bug has been marked as a duplicate of bug 9880 ***