[Samba] Samba 3.6 problems with idmap rid

January 15th, 2012 - 01:50 pm ET by Jakov Sosic
Hi!

I am using mainly Samba 3.5 on CentOS, and I was very pleased with
idmap_rid backend for SID-to-RID mappings.

But on Solaris 10, I can only use 3.6 because OpenCSW ships only 3.6.
The problem is, things have changed and are not working as expected...

Here is my config on RHEL Samba 3.5:

[global]
workgroup = WINDOMAIN
realm = WINDOMAIN.LOCAL
server string = localserver (Samba ver. %v)
security = ADS
allow trusted domains = No
password server = someserver.windomain.local
log file = /var/log/samba/log.%m
load printers = No
local master = No
domain master = No
idmap backend = idmap_rid:WINDOMAIN=10000-49999
idmap uid = 10000-49999
idmap gid = 10000-49999
winbind use default domain = Yes
cups options = raw



And it works like a charm. On version 3.6:

[global]
workgroup = WINDOMAIN
realm = WINDOMAIN.LOCAL
server string = localserver (Samba ver. %v)
security = ADS
allow trusted domains = No
username map = /etc/opt/csw/samba/smbusers
syslog = 0
log file = /var/opt/csw/samba/log/%m.log
max log size = 500
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
local master = No
domain master = No
winbind use default domain = Yes
idmap config * : range = 10000-49999
idmap config * : backend = rid : WINDOMAIN=10000-49999


Now, on 3.6 I have the following problem:

# net ads testjoin
Join is OK

# net rpc testjoin
Join to 'WINDOMAIN' is OK

# net getlocalsid
SID for domain LOCALSERVER is: S-1-5-21-1414315435-1886595200-1013317001

# wbinfo -u | grep jakov.sosic
jakov.sosic

# wbinfo -i jakov.sosic
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user jakov.sosic


Where am I wrong? Why can't I get rid mappings for domain users?



Jakov Sosic
www.srce.unizg.hr
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Replies

#1 Dale Schroeder
January 15th, 2012 - 02:10 pm ET
Jakov,

That looks similar to what Robert LeBlanc posted with Samba Bug 8676
(Debian Bug 652679). Compare his findings to what you see.

https://bugzilla.samba.org/show_bug.cgi?id=8676
http://bugs.debian.org/cgi-bin/bugr...i?bug=652679

On my test systems using RID, I see similar, but not identical symptoms
to his HASH backend. For me, a reboot will restore connectivity until I
need to restart Samba or winbind. Then nothing but another reboot will
get winbind working again.

Dale
#2 Jakov Sosic
January 15th, 2012 - 02:40 pm ET
On Solaris 10u10 and OpenCSW's last Samba package (3.6.1), even a reboot
doesn't help :-/



Jakov Sosic
www.srce.unizg.hr
#3 David Roid
January 16th, 2012 - 03:20 am ET
Ever since the upgrade to 3.6, wbinfo -u working but wbinfo -i hitting
WBC_ERR_DOMAIN_NOT_FOUND has been a headache; it seems winbind always fails to
get the domain info for an individual idmap the VERY FIRST TIME you start it
after an upgrade or a domain join. Most of the time I manage to solve it by
using:

<smb.conf>
idmap config * : range = 10000-20000
idmap config * : backend = tdb
idmap config MYDOMAIN : default = yes
idmap config MYDOMAIN : range = 100000-200000
idmap config MYDOMAIN : backend = rid
<smb.conf>

If the above snippet doesn't work, try your luck with changing the "idmap config *"
options back to old-style "idmap uid/gid = " + "idmap backend = tdb"
while keeping your domain-specific options new-style; that ought to solve it.

My observation is, it's like you have to give winbind/idmap a kick start
and once you get wbinfo -i working, you can again change back to "idmap
config *" (otherwise testparm will complain).

Regards
-David

#4 Jakov Sosic
January 16th, 2012 - 03:30 am ET
Yeah, I tried that, but then the identity mapping is very strange. For
instance, the first user I ask for with wbinfo -i "username" gets UID 10001,
the second gets 10002, the third 10003 - and that's nowhere near the behaviour
of autorid in 3.5 :-/




Jakov Sosic
www.srce.unizg.hr
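
The difference described in the last reply, between deterministic rid mapping and IDs handed out one after another, shown as an added example that is not part of the thread and is not Samba code. It is a simplified model of the documented idmap_rid formula (ID = RID - base_rid + range low) beside an allocating backend such as tdb; the domain SID, the RIDs and all class and function names are constructed for illustration.

```python
# Added illustration: simplified model, not Samba source code.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


class RidMapper:
    """Algorithmic mapping as documented for idmap_rid:
    ID = RID - base_rid + range_low. No state, so every host agrees."""

    def __init__(self, low, high, base_rid=0):
        self.low, self.high, self.base_rid = low, high, base_rid

    def sid_to_id(self, sid):
        prefix, _, rid = sid.rpartition("-")
        if prefix != DOMAIN_SID:
            return None  # SID belongs to another domain
        unix_id = int(rid) - self.base_rid + self.low
        # IDs outside the configured range are left unmapped.
        return unix_id if self.low <= unix_id <= self.high else None


class AllocatingMapper:
    """Allocating backend (tdb-style): hands out the next free ID on first
    lookup and remembers it in a local database."""

    def __init__(self, low, high):
        self.next_id, self.high, self.db = low, high, {}

    def sid_to_id(self, sid):
        if sid not in self.db:
            if self.next_id > self.high:
                return None  # range exhausted
            self.db[sid] = self.next_id
            self.next_id += 1
        return self.db[sid]


def compare_hosts(lookup_order_a, lookup_order_b, make_mapper):
    """Return the IDs two hosts end up with for the same SIDs when the
    first lookups happen in a different order on each host."""
    host_a, host_b = make_mapper(), make_mapper()
    for sid in lookup_order_a:
        host_a.sid_to_id(sid)
    for sid in lookup_order_b:
        host_b.sid_to_id(sid)
    sids = sorted(set(lookup_order_a) | set(lookup_order_b))
    return {s: (host_a.sid_to_id(s), host_b.sid_to_id(s)) for s in sids}


if __name__ == "__main__":
    users = [f"{DOMAIN_SID}-{rid}" for rid in (1105, 1106, 1107)]
    print(compare_hosts(users, users[::-1], lambda: RidMapper(100000, 200000)))
    print(compare_hosts(users, users[::-1], lambda: AllocatingMapper(10000, 20000)))
```

With the allocating model, the same account ends up with a different UID on each host, so file ownership on storage shared between servers no longer lines up; the rid model gives the same UID everywhere.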