samba-users May 2010 archive

[Samba] samba 3.4.5 idmap alloc broken - more details

From: Gaiseric Vandal <gaiseric.vandal_at_nospam>
Date: Wed May 05 2010 - 21:40:31 GMT
To: Samba <samba@lists.samba.org>

There may be several parts to the problem:

1. Winbind on Samba 3.4.x seems unable to allocate idmap entries
(UID/SID or GID/SID), whether the backend is LDAP or TDB.

Winbind on Samba 3.0.x is able to create idmap allocation mappings with
an LDAP backend. The two problems with Samba 3.0.x are as follows:
   - "getent" would stop showing trusted users once the cache period
expired.
   - it can't talk to domains in "native" mode.

However, when I run "wbinfo -u" and "getent passwd" on my 3.0.x machine
it will add or update idmap entries in LDAP.

2. Samba 3.4 can read some of the idmap entries from LDAP.

Domain_A is Windows 2003 in mixed-mode. Samba 3.0.x is able to populate
idmap allocation entries in ldap. Samba 3.4 when running "getent
passwd" can see the users from that domain.

Domain_B is a Windows 2003 Native domain. Samba 3.4 cannot handle
those entries.

If I manually create the entry in ldap, it does get added to
gencache.tdb with the uid (e.g. 4000.)

e.g.

---------------------------------------------------------------------------------
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1111\00"
data(16) = " 1273070774/40000\00"

key(20) = "IDMAP/UID2SID/40000\00"
data(60) = " 1272981160/S-1-5-21-xxxx-1111\00"

---------------------------------------------------------------------------------

But "getent passwd" will not show the user.

If the entry was not predefined in LDAP, a negative entry gets added to
gencache.tdb.

---------------------------------------------------------------------------------
key(60) = "IDMAP/SID2UID/S-1-5-21-xxxx-1112\00"
data(16) = " 1273080966/-1\00"

---------------------------------------------------------------------------------
3. Samba 3.4 has idmap allocation issues even with TDB backend.

If I change Domain_B to use the TDB backend for idmap allocation, the
gencache.tdb file will get a valid uid2sid but not sid2uid entry.

e.g.

---------------------------------------------------------------------------------
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1113\00"
data(16) = " 1273070774/-1\00"

key(20) = "IDMAP/UID2SID/30580\00"
data(60) = " 1272981160/S-1-5-21-xxxx-1113\00"

---------------------------------------------------------------------------------

So in summary it looks like idmap has issues with both allocating new id
mappings and using existing ones.

I compiled samba 3.4.5 from source. Config.log shows it was compiled
against the openldap and kerberos packages from sunfreeware.com (not the
sun ldap and kerberos packages bundled with the OS.)

Help is appreciated.

Thanks

-------- Original Message --------
Subject: samba 3.4.5 idmap alloc broken
Date: Tue, 04 May 2010 16:36:21 -0400
From: Gaiseric Vandal <gaiseric.vandal@gmail.com>
Reply-To: gaiseric.vandal@gmail.com
To: Samba <samba@lists.samba.org>

Some time back I upgraded a domain controller (Solaris 10) from samba
3.0.x to 3.4.5.

In order to support interdomain trusts I am using winbind and idmap
allocation with a samba backend. Since the upgrade it appears that
samba is not allocating uids and gids for trusted domains.

My smb.conf looks something like:

----------------------------------------------------------------------------------------------------------------------------

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = no
winbind trusted domains only = no

# The "idmap domains" has been deprecated in 3.4
# idmap domains = DOMAIN_A DOMAIN_B DOMAIN_C
# Next two lines restored in 3.4 - but probably don't need them
idmap uid = 30000-59999
idmap gid = 30000-59999

idmap config DOMAIN_A:backend = ldap
idmap config DOMAIN_A:readonly = no
idmap config DOMAIN_A:default = no
idmap config DOMAIN_A:ldap_base_dn = ou=domain_a,ou=idmap,o=mydomain.com
idmap config DOMAIN_A:ldap_user_dn = cn=Directory Manager
idmap config DOMAIN_A:ldap_url = ldap://ldap1.domain.com
idmap config DOMAIN_A:range = 30000-39999

idmap config DOMAIN_B:backend = ldap
idmap config DOMAIN_B:readonly = no
idmap config DOMAIN_B:default = no
idmap config DOMAIN_B:ldap_base_dn = ou=domain_b,ou=idmap,o=mydomain.com
idmap config DOMAIN_B:ldap_user_dn = cn=Directory Manager
idmap config DOMAIN_B:ldap_url = ldap://ldap1.domain.com
idmap config DOMAIN_B:range = 40000-45999
....

----------------------------------------------------------------------------------------------------------------------------

Domain_A (Windows 2003 AD in Mixed mode) has entries from prior to the
upgrade and hasn't had new accounts added recently. Domain_B (Windows
2008 in Windows 2003 mode) is a new addition. No idmap entries ever
populated. They should have populated after I ran "wbinfo -u" and
"getent passwd" on the samba PDC.

Any ideas?

Thanks
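The three gencache.tdb dumps quoted earlier in this message all have the same shape: a "key(N) = ..." line followed by a "data(N) = ..." line, where the data field looks like "<timestamp>/<value>" and a value of -1 marks a negative (failed lookup) entry. The script below is an added example, not part of the post or of Samba; it is a hypothetical helper that parses that dump format (as printed by tdbdump, which is an assumption here), reports which SID/UID mappings are consistent in both directions, which are cached negatives, which UID2SID entries have no SID2UID partner (the symptom described for the TDB backend), and which entries have passed their timestamp when read as a cache expiry. The embedded sample is constructed from the quoted entries and keeps the poster's "xxxx" placeholders.

```python
"""Sanity-check winbind idmap entries from a gencache.tdb dump.

Hypothetical helper written for this thread (not part of Samba).  Input is
text in the format quoted in the post, assumed to be what
`tdbdump gencache.tdb` prints: a "key(N) = ..." line followed by a
"data(N) = ..." line, with the data field read as "<expiry epoch>/<value>"
and a value of -1 treated as a negative (failed lookup) entry.
"""
import re
import sys
import time

# Constructed sample modelled on the dumps quoted in the thread.  The SIDs
# keep the poster's "xxxx" placeholder; none of these are real identifiers.
SAMPLE_DUMP = r'''
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1111\00"
data(16) = " 1273070774/40000\00"

key(20) = "IDMAP/UID2SID/40000\00"
data(60) = " 1272981160/S-1-5-21-xxxx-1111\00"

key(60) = "IDMAP/SID2UID/S-1-5-21-xxxx-1112\00"
data(16) = " 1273080966/-1\00"

key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1113\00"
data(16) = " 1273070774/-1\00"

key(20) = "IDMAP/UID2SID/30580\00"
data(60) = " 1272981160/S-1-5-21-xxxx-1113\00"
'''

# The trailing \00 in the dump is the C string terminator; strip it.
KEY_RE = re.compile(r'^key\(\d+\)\s*=\s*"(.*?)(?:\\00)?"$')
DATA_RE = re.compile(r'^data\(\d+\)\s*=\s*"\s*(\d+)/(.*?)(?:\\00)?"$')

SID2UID = "IDMAP/SID2UID/"
UID2SID = "IDMAP/UID2SID/"


def parse_gencache_dump(text):
    """Return [(key, expiry_epoch, value), ...] for every key/data pair."""
    entries = []
    pending_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            pending_key = m.group(1)
            continue
        m = DATA_RE.match(line)
        if m and pending_key is not None:
            entries.append((pending_key, int(m.group(1)), m.group(2)))
            pending_key = None
    return entries


def analyse_idmap(entries):
    """Classify IDMAP entries into consistent, negative and one-sided mappings."""
    sid2uid, uid2sid, negative = {}, {}, []
    for key, _expiry, value in entries:
        if key.startswith(SID2UID):
            sid = key[len(SID2UID):]
            if value == "-1":
                negative.append(sid)  # winbind cached a failed lookup
            else:
                sid2uid[sid] = int(value)
        elif key.startswith(UID2SID):
            uid2sid[int(key[len(UID2SID):])] = value
    # A healthy mapping exists in both directions and the two agree.
    consistent = {s: u for s, u in sid2uid.items() if uid2sid.get(u) == s}
    # A UID2SID entry whose SID has no positive SID2UID partner is the
    # one-sided state the post reports for the TDB backend.
    orphan_uid2sid = {u: s for u, s in uid2sid.items() if sid2uid.get(s) != u}
    return {"consistent": consistent, "negative": negative,
            "orphan_uid2sid": orphan_uid2sid}


def expired_keys(entries, now):
    """Keys whose expiry epoch is at or before `now` (stale cache entries)."""
    return [key for key, expiry, _ in entries if expiry <= now]


if __name__ == "__main__":
    # Usage: python3 check_idmap_cache.py [dump.txt]; no argument uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    entries = parse_gencache_dump(text)
    report = analyse_idmap(entries)
    print("consistent:", report["consistent"])
    print("negative  :", report["negative"])
    print("one-sided :", report["orphan_uid2sid"])
    print("expired   :", expired_keys(entries, int(time.time())))
```

Run against the sample, the report separates the one working mapping (S-1-5-21-xxxx-1111 to 40000) from the two negative entries and flags uid 30580 as having only a UID2SID half; the expiry check is what you would reach for when "getent" stops showing users after the cache period, since a stale negative entry keeps a lookup failing until it is purged.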
