I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD
domain whose PDC is a W2k3 server (Standard x64 R2 SP2).

Using wbinfo -u and wbinfo -g I can see domain users and groups from
the CentOS box, but getent (passwd|group) fails to display them. The
nsswitch is set up correctly, as far as I can tell. When I tail -f the
samba log file during a getent query, I see that winbindd is having
problems mapping the sid to the uid or gid ("sid2uid returned an
error").

Furthermore, wbinfo -n can find the SID for a user or group, but it
can't perform the inverse mapping.

In the following example, 'deisner' and 'unixusers' are a domain user
and group, respectively.

From the CentOS box (with intentional SID obfuscation):

    $ wbinfo -u |grep deisner
    deisner
    $ wbinfo -n deisner
    S-1-5-21-**********6 User (1)
    $ wbinfo -S S-1-5-21-**********6
    Could not convert sid S-1-5-21-**********6 to uid
    $ wbinfo -g |grep unixusers
    unixusers
    $ wbinfo -n unixusers
    S-1-5-21-**********8 Domain Group (2)
    $ wbinfo -Y S-1-5-21-**********8
    Could not convert sid S-1-5-21-**********8 to gid

In the log file, I see this:

    [2008/03/10 18:37:58, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
      Retrieving response for pid 6274
    [2008/03/10 18:37:58, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
      sid2gid returned an error
    [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
      Could not convert sid S-1-5-21-*8

I'm using the SFU schema. In AD I have uids and gids assigned to the
user and group, in the Unix Attributes tab, with values in the range
I've specified for the idmap range. Here is my smb.conf:

    [global]
      workgroup = THEDOMAIN
      server string = Centos Samba Server
      hosts allow = xxx.y. xxx.y. 127.   # obfuscated
      printcap name = CUPS
      load printers = yes
      cups options = raw
      log file = /usr/local/samba/var/log.smbd
      security = ads
      encrypt passwords = yes
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      dns proxy = no
      unix charset = LOCALE
      netbios name = LDAP
      realm = THEDOMAIN.FOO.ORG
      use kerberos keytab = Yes
      idmap domains = THEDOMAIN
      idmap config THEDOMAIN:backend = ad
      idmap config THEDOMAIN:default = yes
      idmap config THEDOMAIN:schema_mode = sfu
      idmap config THEDOMAIN:range = 10000 - 300000000
      log level = 1
      syslog = 0
      winbind use default domain = yes
      winbind nested groups = yes
      winbind enum users = yes
      winbind enum groups = yes
      template homedir = /home/windows/%D/%U
      template shell = /bin/bash
      allow trusted domains = no

    [homes]
      comment = Home Directories
      browseable = no
      writable = yes
      read only = No
      valid users = %D\%U

    [printers]
      comment = All Printers
      path = /var/spool/samba
      browseable = no
      guest ok = no
      writable = no
      printable = yes

    [voltest]
      admin users = THEDOMAIN\administrator
      comment = Volume Test
      path = /home/voltest
      public = no
      writable = yes
      store dos attributes = yes
      nt acl support = yes
      map acl inherit = yes

Running Wireshark on the W2k3 server, I can see the CentOS box making
the LsarLookupSids request and getting a response (though the content
is encrypted so I can't see the details).

Can anybody see anything obviously wrong? Does anybody have this
working?

Thanks!

-David

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
David Eisner wrote:
> I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD
> domain whose PDC is a W2k3 server (Standard x64 R2 SP2).
>
> Using wbinfo -u and wbinfo -g I can see domain users and groups from
> the CentOS box, but getent (passwd|group) fails to display them. The
> nsswitch is set up correctly, as far as I can tell. When I tail -f the
> samba log file during a getent query, I see that winbindd is having
> problems mapping the sid to the uid or gid ("sid2uid returned an
> error").
>
> Furthermore, wbinfo -n can find the SID for a user or group, but it
> can't perform the inverse mapping.
>
> In the following example, 'deisner' and 'unixusers' are a domain user
> and group, respectively.
>
> From the CentOS box (with intentional SID obfuscation):
>
> $ wbinfo -u |grep deisner
> deisner
> $ wbinfo -n deisner
> S-1-5-21-**********6 User (1)
> $ wbinfo -S S-1-5-21-**********6
> Could not convert sid S-1-5-21-**********6 to uid
> $ wbinfo -g |grep unixusers
> unixusers
> $ wbinfo -n unixusers
> S-1-5-21-**********8 Domain Group (2)
> $ wbinfo -Y S-1-5-21-**********8
> Could not convert sid S-1-5-21-**********8 to gid
>
> In the log file, I see this:
> [2008/03/10 18:37:58, 10]
> nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
> Retrieving response for pid 6274
> [2008/03/10 18:37:58, 5]
> nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
> sid2gid returned an error
> [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
> Could not convert sid S-1-5-21-*8
>
>
> I'm using the SFU schema. In AD I have uids and gids assigned to the
> user and group, in the Unix Attributes tab, with values in the range
> I've specified for the idmap range. Here is my smb.conf:
>
>
> [global]
> workgroup = THEDOMAIN
> server string = Centos Samba Server
> hosts allow = xxx.y. xxx.y. 127.   # obfuscated
> printcap name = CUPS
> load printers = yes
> cups options = raw
> log file = /usr/local/samba/var/log.smbd
> security = ads
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> unix charset = LOCALE
> netbios name = LDAP
> realm = THEDOMAIN.FOO.ORG
> use kerberos keytab = Yes
> idmap domains = THEDOMAIN
> idmap config THEDOMAIN:backend = ad
> idmap config THEDOMAIN:default = yes
> idmap config THEDOMAIN:schema_mode = sfu
> idmap config THEDOMAIN:range = 10000 - 300000000
> log level = 1
> syslog = 0
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/windows/%D/%U
> template shell = /bin/bash
> allow trusted domains = no

Try adding to global section:

    winbind nss info = sfu

Right now you're defaulting to "template".

Regards, Doug
On Mon, Mar 10, 2008 at 7:54 PM, Douglas VanLeuven <[hidden email]> wrote:
> Try adding to global section:
> winbind nss info = sfu
>
> Right now you're defaulting to "template".

Doug,

Thanks for the tip. Unfortunately, after making the change and
restarting winbindd, the problem persists. Are there any .tdb files
I need to delete?

-David
David Eisner wrote:
> On Mon, Mar 10, 2008 at 7:54 PM, Douglas VanLeuven <[hidden email]> wrote:
>
>> Try adding to global section:
>> winbind nss info = sfu
>>
>> Right now you're defaulting to "template".
>
> Thanks for the tip. Unfortunately, after making the change and
> restarting winbindd, the problem persists. Are there any .tdb files
> I need to delete?

My winbind reinitializes to version 1 and clears its cache on restart.
If you're running nscd, you have to restart that as well.

There's a pdf I refer to

    http://www.samba.org/~idra/samba3_newidmap.pdf

Simo wrote that up. The only thing I picked up from that paper is to
add an allocation range for samba's BUILTIN users and groups.

    idmap alloc backend = tdb
    idmap alloc config:range = 50000-50999

If you do that, you end up with a file called idmap_cache.tdb that
would have to be cleared manually.

I took a good look at the differences between our files and I'm not
using

    winbind use default domain = yes
    winbind nested groups = yes

but I wouldn't think that would make a difference. The configuration
looks good.

I use opensuse and nsswitch.conf is

    passwd: compat winbind
    group:  files winbind

It installed that way and I never changed it even though there is no
shadow entry. From what I've read, any shadow entry shouldn't have
winbind on it.

I thought the win 2k3 R2 server used the rfc2307 schema out of the
box. But if you were able to install SFU and modify the schema and the
ldap entries exist in the ad, it shouldn't have any effect.

Still, if all else fails - from source/nsswitch/idmap_ad.c in function
idmap_ad_init(void) each method is checked in turn: rfc2307, sfu, and
sfu20. Once the status is OK, the remaining checks are skipped. If
rfc2307 is initializing OK ...

Don't have a w2k3 R2 to experiment. If I did, I'd put the sfu check
ahead of the rfc2307 check, recompile and see if it made a difference.
Probably just a foolish thought, though.

In case you don't have the source, I've included the function for you.

Regards, Doug

    /* The SFU and RFC2307 NSS plugins share everything but the init
       function which sets the intended schema model to use */

    /************************************************************************
     Initialize the plugins
    ***********************************************************************/

    NTSTATUS idmap_ad_init(void)
    {
        static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;

        /* Always register the AD method first in order to get the
           idmap_domain interface called */

        if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
            status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
                                                 "ad", &ad_methods);
            if ( !NT_STATUS_IS_OK(status_idmap_ad) )
                return status_idmap_ad;
        }

        if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
            status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                                        "rfc2307", &nss_rfc2307_methods );
            if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
                return status_nss_rfc2307;
        }

        if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
            status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                                    "sfu", &nss_sfu_methods );
            if ( !NT_STATUS_IS_OK(status_nss_sfu) )
                return status_nss_sfu;
        }

        if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
            status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                                      "sfu20", &nss_sfu20_methods );
            if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
                return status_nss_sfu20;
        }

        return NT_STATUS_OK;
    }
On Tue, Mar 11, 2008 at 7:14 AM, Douglas VanLeuven <[hidden email]> wrote:
> If you're running nscd, you have to restart that as well.

Nope, not running nscd.

> The only thing I picked up from that paper is to add an allocation range
> for samba's BUILTIN users and groups.
>
> idmap alloc backend = tdb
> idmap alloc config:range = 50000-50999
>
> If you do that, you end up with a file called idmap_cache.tdb that would
> have to be cleared manually.

Added

    idmap alloc backend = tdb
    idmap alloc config:range = 5000 - 9999

No change.

> I took a good look at the differences between our files and I'm not using
>
> winbind use default domain = yes
> winbind nested groups = yes
>
> but I wouldn't think that would make a difference. The configuration
> looks good.

Made those changes, too, but again, nothing doing.

> Still, if all else fails - from source/nsswitch/idmap_ad.c in function
> idmap_ad_init(void) each method is checked in turn: rfc2307, sfu, and
> sfu20. Once the status is OK, the remaining checks are skipped. If
> rfc2307 is initializing OK ...

I changed the order of the sfu and rfc2307 check as you suggested,
recompiled, but again, nope. My read of that code is that each of the
idmap plugins is registered in turn until/if the first one fails. That
is, once that status is *not* OK (note the ! ), the remaining checks
are skipped and it returns the failed status code.

I'm going to continue to look through the code. I've also turned on
some NTDS debugging flags to see what I come up with.

Thanks again for your help, I really appreciate it.

-David

--
David Eisner http://cradle.brokenglass.com
Solved!

Summary: Change schema mode from sfu to rfc2307 in smb.conf:

    idmap config THEDOMAIN:schema_mode = rfc2307

Also, I'm an idiot: I didn't have Services For Unix installed; I was
confusing that with "Identity Management for Unix" and "Server for
NIS", which I do have installed. I should note that I was initially
having problems without any schema_mode line (before setting it to
either sfu or rfc2307), but there may have been other problems that I
fixed along the way that were responsible for this.

Details:

I had been watching winbindd activity in smbd.log, and realized I
needed to look at log.winbindd-idmap, too. That's where I noticed
this error:

    [2008/03/11 11:11:16, 2] nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
      ad_idmap_cached_connection: Failed to obtain schema details!

It turns out that ads_get_attrnames_by_oids was searching the schema
with this filter:

    [2008/03/11 11:58:30, 2] libads/ldap_schema.c:ads_get_attrnames_by_oids(65)
      ## : search expr: (|(attributeId=1.2.840.113556.1.6.18.1.310)(attributeId=1.2.840.113556.1.6.18.1.311)(attributeId=1.2.840.113556.1.6.18.1.344)(attributeId=1.2.840.113556.1.6.18.1.312)(attributeId=1.2.840.113556.1.6.18.1.337))

and getting 0 results. These are the attribute IDs for attributes in
the SFU schema extension. Using dsquery on the server, I could see
that these attributes weren't in the schema at all.

Thanks again for your help, and sorry for the bother.

-David
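The diagnosis above (idmap_ad asks the AD schema for a fixed set of attribute OIDs and gives up with "Failed to obtain schema details!" when any are missing) can be reproduced offline. The following Python script is an added example, not code from the thread or from Samba: it parses the two log.winbindd-idmap entries quoted above, rebuilds the same (|(attributeId=...)...) filter, and checks a schema dump for both the SFU OIDs from the log and the RFC 2307 OIDs (uidNumber, gidNumber, gecos, homeDirectory, loginShell, from RFC 2307 section 3). The schema dump, the SFU display names and the log text are constructed sample data; which set of OIDs Samba actually requires for each schema_mode is taken from the log line and from RFC 2307, not from the Samba source.

```python
"""Added example (not from the Samba list thread or the Samba project):
reproduce the schema check behind "Failed to obtain schema details!" from a
winbindd-idmap log and a schema dump, without guessing at schema_mode."""
import re

# The five attribute OIDs the log.winbindd-idmap entry in the thread shows
# idmap_ad searching for when schema_mode = sfu.
SFU_OIDS = (
    "1.2.840.113556.1.6.18.1.310",
    "1.2.840.113556.1.6.18.1.311",
    "1.2.840.113556.1.6.18.1.344",
    "1.2.840.113556.1.6.18.1.312",
    "1.2.840.113556.1.6.18.1.337",
)

# RFC 2307 attribute OIDs (RFC 2307 section 3): uidNumber, gidNumber,
# gecos, homeDirectory, loginShell.
RFC2307 = (
    ("1.3.6.1.1.1.1.0", "uidNumber"),
    ("1.3.6.1.1.1.1.1", "gidNumber"),
    ("1.3.6.1.1.1.1.2", "gecos"),
    ("1.3.6.1.1.1.1.3", "homeDirectory"),
    ("1.3.6.1.1.1.1.4", "loginShell"),
)
RFC2307_OIDS = tuple(oid for oid, _ in RFC2307)

# Constructed schema dump, shaped like what the thread reports from dsquery:
# RFC 2307 attributes present, SFU attributes absent.
SAMPLE_SCHEMA = [{"attributeId": oid, "lDAPDisplayName": name} for oid, name in RFC2307]

# Constructed SFU extension entries; the display names are placeholders,
# not the real SFU attribute names.
SFU_EXTENSION = [{"attributeId": oid, "lDAPDisplayName": f"sfuPlaceholder{i}"}
                 for i, oid in enumerate(SFU_OIDS)]

# Constructed sample log built from the two entries quoted in the thread:
# a "[timestamp, level] file:function(line)" header, message on the next line.
SAMPLE_LOG = """\
[2008/03/11 11:11:16, 2] nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
  ad_idmap_cached_connection: Failed to obtain schema details!
[2008/03/11 11:58:30, 2] libads/ldap_schema.c:ads_get_attrnames_by_oids(65)
  ## : search expr: (|(attributeId=1.2.840.113556.1.6.18.1.310)(attributeId=1.2.840.113556.1.6.18.1.311)(attributeId=1.2.840.113556.1.6.18.1.344)(attributeId=1.2.840.113556.1.6.18.1.312)(attributeId=1.2.840.113556.1.6.18.1.337))
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\]\s*(?P<where>\S*)\s*(?P<msg>.*)$")


def build_oid_filter(oids):
    """Rebuild the OR filter that looks the attributes up by attributeId."""
    return "(|" + "".join(f"(attributeId={oid})" for oid in oids) + ")"


def parse_log_entries(text):
    """Split a Samba 3 debug log into entries; indented lines continue the message."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "where": m["where"], "message": m["msg"].strip()})
        elif entries and raw.strip():
            entries[-1]["message"] = (entries[-1]["message"] + " " + raw.strip()).strip()
    return entries


def requested_oids(entries):
    """OIDs idmap_ad asked the schema for, pulled from the 'search expr' entry."""
    oids = []
    for e in entries:
        if "search expr:" in e["message"]:
            oids.extend(re.findall(r"attributeId=([\d.]+)", e["message"]))
    return oids


def missing_oids(schema_entries, oids):
    """The requested OIDs that the schema dump does not contain."""
    present = {e["attributeId"] for e in schema_entries}
    return [oid for oid in oids if oid not in present]


def usable_schema_modes(schema_entries):
    """schema_mode values whose full attribute set the schema carries."""
    return [name for name, oids in (("rfc2307", RFC2307_OIDS), ("sfu", SFU_OIDS))
            if not missing_oids(schema_entries, oids)]


def diagnose(log_text, schema_entries):
    """Correlate the log with the schema: did the lookup fail, and which OIDs are absent?"""
    entries = parse_log_entries(log_text)
    wanted = requested_oids(entries)
    return {
        "schema_failure": any("Failed to obtain schema details" in e["message"] for e in entries),
        "requested": wanted,
        "missing": missing_oids(schema_entries, wanted),
        "usable_modes": usable_schema_modes(schema_entries),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, SAMPLE_SCHEMA)
    print("schema lookup failed:", report["schema_failure"])
    print("requested OIDs missing from schema:", report["missing"])
    print("schema_mode values this schema can satisfy:", report["usable_modes"])
```

On the constructed data the report says the lookup failed, that all five requested OIDs are absent, and that only rfc2307 is satisfiable, which is the conclusion the thread reached by hand. To use it against a real domain, replace SAMPLE_SCHEMA with the attributeId/lDAPDisplayName pairs exported from the schema partition and SAMPLE_LOG with the contents of log.winbindd-idmap at log level 2 or higher.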
I'm glad you posted this. I know a lot of other people have been having
issues getting this to work. Some success and configs are now in the
archives :)

I know I tried this a long time ago and never got it working. I might
give it another shot thanks to you!

On 3/11/08, David Eisner <[hidden email]> wrote:
>
> Solved!
>
> Summary: Change schema mode from sfu to rfc2307 in smb.conf:
>
> idmap config THEDOMAIN:schema_mode = rfc2307
>
> Also, I'm an idiot: I didn't have Services For Unix installed; I was
> confusing that with "Identity Management for Unix" and "Server for
> NIS", which I do have installed. I should note that I was initially
> having problems without any schema_mode line (before setting it to
> either sfu or rfc2307), but there may have been other problems that I
> fixed along the way that were responsible for this.
>
> Details:
>
> I had been watching winbindd activity in smbd.log, and realized I
> needed to look at log.winbindd-idmap, too. That's where I noticed
> this error:
>
> [2008/03/11 11:11:16, 2]
> nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
> ad_idmap_cached_connection: Failed to obtain schema details!
>
> It turns out that ads_get_attrnames_by_oids was searching the schema
> with this filter:
>
> [2008/03/11 11:58:30, 2]
> libads/ldap_schema.c:ads_get_attrnames_by_oids(65)
> ## : search expr:
> (|(attributeId=1.2.840.113556.1.6.18.1.310)(attributeId=1.2.840.113556.1.6.18.1.311)(attributeId=1.2.840.113556.1.6.18.1.344)(attributeId=1.2.840.113556.1.6.18.1.312)(attributeId=1.2.840.113556.1.6.18.1.337))
>
> and getting 0 results. These are the attribute IDs for attributes in
> the SFU schema extension. Using dsquery on the server, I could see
> that these attributes weren't in the schema at all.
>
> Thanks again for your help, and sorry for the bother.
>
> -David
