Bug 9751 - AD wbinfo -i WBC_ERR_DOMAIN_NOT_FOUND / NT_STATUS_NONE_MAPPED
Summary: AD wbinfo -i WBC_ERR_DOMAIN_NOT_FOUND / NT_STATUS_NONE_MAPPED
Status: RESOLVED DUPLICATE of bug 9880
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 minor
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-29 10:40 UTC by mopp
Modified: 2015-08-10 20:32 UTC
CC List: 1 user

See Also:


Description mopp 2013-03-29 10:40:06 UTC
I've seen a lot of posts with people having problems with wbinfo -i and WBC_ERR_DOMAIN_NOT_FOUND / NT_STATUS_NONE_MAPPED.
After reading a couple of posts I found the solution, and from my point of view the documentation of idmap_ad requires an update and a more useful error message would be helpful.

Most people might think the primary group is controlled with gidNumber of the user object in active directory, but this is not true.
The primary group of the user is controlled by the AD primary group. So you have to assign a gidNumber to the selected primary group of the user in AD.
Is this behaviour a bug or a feature?

For a second I thought it worked to use something like "idmap config CORP : uid = 2500-999999" to fetch only the UID from AD, but it was a problem with the cache.
Is there a way to get only the uidNumber from AD and not care about the gidNumber?
Or could it be a workaround to create a local idmap for "Domain Users", and what is the best way to do it?

Configuration:
# winbindd -V
Version 3.6.3-0.30.1-2920-SUSE-CODE11-x86_64
# cat /etc/samba/smb.conf
[global]
        workgroup = CORP
        realm = CORP.DOMAIN.COM
        security = ADS
        local master = no
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind nss info  = rfc2307
        template shell = /bin/bash
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config CORP : backend = ad
        idmap config CORP : range = 2500-999999
        idmap config CORP : schema_mode = rfc2307

# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
[...]
sAMAccountName: tstgrp2
gidNumber: 70005

sAMAccountName: tstusr2
uidNumber: 50001

=> Assigning a gidNumber to tstusr2 does not control the primary group.

# wbinfo -n tstusr2
S-1-5-21-3137624152-3039101805-1571016323-134414 SID_USER (1)
# wbinfo -S S-1-5-21-3137624152-3039101805-1571016323-134414
50001
# wbinfo -i tstusr2
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user tstusr2

winbind log:
idmap_cache_find_sid2uid found 50001
idmap_cache_find_sid2gid found -1
Could not convert sid S-1-5-21-3137624152-3039101805-1571016323-134414: NT_STATUS_NONE_MAPPED
wb_request_done[5254:GETPWNAM]: NT_STATUS_NONE_MAPPED

Changed the primary group of the user in AD to a group with a valid gidNumber (tstgrp2).
# net cache flush
# /etc/init.d/winbind restart
# wbinfo -i tstusr2
tstusr2:*:50001:70005:tstusr2:/home/CORP/tstusr2:/bin/bash
Comment 1 mopp 2013-03-29 16:05:05 UTC
I tried to add the GID of "Domain Users" to winbindd_idmap.tdb with the intention of using a local group mapping.
# echo "GID 1000010 S-1-5-21-nnnnnnnnnnn" | net idmap restore
The value is shown in the idmap, but it does not work.
Tried it with "idmap config CORP : uid = 2500-999999" and with "range = "; both did not succeed. You really have to keep an eye on the winbind cache during the tests.
Comment 2 Kinglok, Fong 2013-11-20 01:09:40 UTC
Thank you for noting the problem.

Here are some things I found while spending four sleepless nights with samba 4.1.0 DCs and a member server.

1.  Effective GID of AD users:  It is a must that all users are added through ADUC in such a way that Unix attributes like UID and GID are added also.  I have to repeat that the effective GID of the user follows the user's primary *AD* group.  Merely changing the group setting in the Unix Attributes tab will not work!  (This should be added to the member server how-to!)

2.  GID range suggestion:  The default group of an AD user is Domain Users, whose GID should be set up through ADUC.  I recommend the GID should be more than 1000 in order not to clash with the system groups on the unix side.

I don't think it is a bug, but it should be well noted in the samba 4 how-tos.
Comment 3 Michael Adam 2014-02-21 21:07:22 UTC
(In reply to comment #0)
> I' ve seen a lot of posts with people having problems with wbinfo -i and
> WBC_ERR_DOMAIN_NOT_FOUND / NT_STATUS_NONE_MAPPED.
> After reading a couple of posts I found the solution and from my point of view
> the documentation of idmap_ad requires an update

Well, here is what "man idmap_ad" has to say:

       The idmap_ad plugin provides a way for Winbind to read id mappings from
       an AD server that uses RFC2307/SFU schema extensions. This module
       implements only the "idmap" API, and is READONLY. Mappings must be
       provided in advance by the administrator by adding the uidNumber
       attributes for users and gidNumber attributes for groups in the AD.
       Winbind will only map users that have a uidNumber and whose primary
       group have a gidNumber attribute set.

I thought that was clear... :-)

> and a more useful error message would be helpful.

Well yeah, there is a general problem that wbinfo always
prints WBC_ERR_DOMAIN_NOT_FOUND when there is an error.
This is not special to idmap_ad and could be improved.

> Most people might think the primary group is controlled with gidNumber of the
> user object in active directory, but this is not true.
> The primary group of the user is controlled by the AD primary group. So you
> have to assign a gidNumber to the selected primary group of the user in AD.
> Is this behaviour a bug or a feature?

This is how it should work and has (to my knowledge)
always worked. After all, samba models a windows
file server, and it is the windows access token
that is converted to the unix token with id mappings.

We could add a mode to idmap_ad that allows to use the
primary gid field from AD for the primary id of the
generated unix token, if this is really desired.

But quite frankly, I don't understand why people
insist on using the user's posix gid number from
AD. Simply give a GID to the primary group and
you're done.

Cheers - Michael
Comment 4 Björn Jacke 2014-07-23 21:51:20 UTC

*** This bug has been marked as a duplicate of bug 9880 ***
Comment 5 Steve Randall 2015-08-10 20:32:23 UTC
Hello all, if you get the following messages when running rfc2307 as a domain member:

WBC_ERR_DOMAIN_NOT_FOUND
Could not get unix ID for SID

Then you must have the following things in place:

1. Make sure the "Domain Users" group has a GUID defined! I usually define this using the first available one.
2. Make that group the default group in the user's NIS section.

I had lots of fun pulling my hair out (what's left of it) before I worked that out.

]-[
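The precondition that the description, comment 3 and comment 5 all circle around (winbind needs a uidNumber on the user and a gidNumber on the user's AD primary group, the one selected by primaryGroupID, not the user's own gidNumber, and both ids must fall inside the configured idmap range) can be checked from directory data before touching the winbind cache. The script below is an added example written for this page, not Samba code. It works on constructed entries in the attribute: value layout that `net ads search ... -P` prints; the values for tstusr2, tstgrp2, the domain SID and the idmap range are taken from the report, primaryGroupID 513 is the well-known RID of "Domain Users", and RID 1107 for tstgrp2 is an assumption.

```shell
#!/bin/sh
# Offline check of the idmap_ad precondition discussed in this bug:
# winbind maps a user only if (a) the user object has a uidNumber and
# (b) the group named by the user's primaryGroupID (the AD primary group,
# not the user's own gidNumber) has a gidNumber, both inside the
# configured idmap range.  Example code written for this page, not Samba's.

DOMAIN_SID='S-1-5-21-3137624152-3039101805-1571016323'   # from "wbinfo -n" in the report
IDMAP_RANGE='2500-999999'                                  # idmap config CORP : range

# Constructed sample entries in the "attribute: value" layout printed by
# "net ads search ... -P".  tstusr2/tstgrp2 values are the ones quoted in the
# report; primaryGroupID 513 is the well-known RID of "Domain Users";
# RID 1107 for tstgrp2 is an assumption.
USER_LDIF='sAMAccountName: tstusr2
objectSid: S-1-5-21-3137624152-3039101805-1571016323-134414
uidNumber: 50001
primaryGroupID: 513'

GROUPS_LDIF='sAMAccountName: Domain Users
objectSid: S-1-5-21-3137624152-3039101805-1571016323-513

sAMAccountName: tstgrp2
objectSid: S-1-5-21-3137624152-3039101805-1571016323-1107
gidNumber: 70005'

# The same user after the fix from the report: primary group changed to tstgrp2.
USER_LDIF_FIXED=$(printf '%s\n' "$USER_LDIF" | sed 's/^primaryGroupID: .*/primaryGroupID: 1107/')

# ldif_attr ENTRY ATTR: print the first value of ATTR in a single entry.
ldif_attr() {
    printf '%s\n' "$1" | awk -v k="$2" \
        'index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }'
}

# entry_by_sid ENTRIES SID: print the blank-line-separated entry whose objectSid is SID.
entry_by_sid() {
    printf '%s\n' "$1" | awk -v want="objectSid: $2" \
        'BEGIN { RS = ""; FS = "\n" }
         { for (i = 1; i <= NF; i++) if ($i == want) { print; exit } }'
}

# in_range ID LOW-HIGH: succeed if ID is a number inside the idmap range.
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    lo=${2%-*}; hi=${2#*-}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# check_user USER_ENTRY GROUP_ENTRIES: report whether idmap_ad can map the user.
check_user() {
    name=$(ldif_attr "$1" sAMAccountName)
    uid=$(ldif_attr "$1" uidNumber)
    [ -n "$uid" ] || { echo "FAIL: $name has no uidNumber"; return 1; }
    in_range "$uid" "$IDMAP_RANGE" ||
        { echo "FAIL: uidNumber $uid of $name is outside range $IDMAP_RANGE"; return 1; }
    rid=$(ldif_attr "$1" primaryGroupID)
    grp=$(entry_by_sid "$2" "$DOMAIN_SID-$rid")
    [ -n "$grp" ] || { echo "FAIL: primary group RID $rid of $name not found"; return 1; }
    gname=$(ldif_attr "$grp" sAMAccountName)
    gid=$(ldif_attr "$grp" gidNumber)
    [ -n "$gid" ] ||
        { echo "FAIL: primary group '$gname' (RID $rid) has no gidNumber; winbind reports NT_STATUS_NONE_MAPPED"; return 1; }
    in_range "$gid" "$IDMAP_RANGE" ||
        { echo "FAIL: gidNumber $gid of '$gname' is outside range $IDMAP_RANGE"; return 1; }
    echo "OK: $name -> uid=$uid gid=$gid ($gname)"
}

# Before and after the fix; a non-zero status from check_user is the finding.
check_user "$USER_LDIF" "$GROUPS_LDIF" || :
check_user "$USER_LDIF_FIXED" "$GROUPS_LDIF"
```

Against a live domain you would feed check_user the output of `net ads search '(sAMAccountName=tstusr2)' sAMAccountName objectSid uidNumber primaryGroupID -P` and a group listing obtained the same way; the first run reproduces the "Domain Users without gidNumber" case that produces NT_STATUS_NONE_MAPPED in the winbind log, the second shows the mapping that "wbinfo -i" prints once the primary group carries a gidNumber. Because the check reads the directory rather than winbind, it is not affected by the idmap cache that comment 1 warns about.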