From: Timo Aaltonen on 17 Nov 2009 11:00

On Mon, 21 Sep 2009, Timo Aaltonen wrote:

> Hi!
>
> I'm trying to set up a samba client to authenticate from AD (Win2k8), by
> using rfc2307 schema mode to map uidNumber, gidNumber and unixHomeDirectory.
> The latter two seem to work, while uidNumber doesn't, at least according to
> 'wbinfo -i $uid', which shows the uid as the default starting point '10000'.
>
> Another problem is that getent passwd/group doesn't work at all, and because
> of that neither does authentication ('wbinfo -a/-K' works). I _do_ have
> winbind on /etc/nsswitch.conf though, so I'm pretty much out of ideas about
> what's missing..
>
> my smb.conf:
>
> [global]
> workgroup = SHORTREALM
> realm = REALM
> security = ads
> use kerberos keytab = true
> idmap config SHORTREALM:schema_mode = rfc2307
> idmap config SHORTREALM:backend = ad
> idmap config SHORTREAlM:readonly = yes
> winbind nss info = rfc2307
> winbind use default domain = yes
>
> I'm using Ubuntu 9.04 with samba 3.3.2, but I tried a backported 3.4.0 and it
> had the same problem.

Anyone? Apparently this works on RHEL5 with samba 3.0.x, so it's a
regression if it doesn't work with anything newer..

--
Timo Aaltonen
Systems Specialist
IT Services, Helsinki University of Technology

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Jason Gerfen on 17 Nov 2009 12:10

Timo Aaltonen wrote:
> On Mon, 21 Sep 2009, Timo Aaltonen wrote:
>
>> Hi!
>>
>> I'm trying to set up a samba client to authenticate from AD
>> (Win2k8), by using rfc2307 schema mode to map uidNumber, gidNumber
>> and unixHomeDirectory. The latter two seem to work, while uidNumber
>> doesn't, at least according to 'wbinfo -i $uid', which shows the uid
>> as the default starting point '10000'.
>>
>> Another problem is that getent passwd/group doesn't work at all, and
>> because of that neither does authentication ('wbinfo -a/-K' works). I
>> _do_ have winbind on /etc/nsswitch.conf though, so I'm pretty much
>> out of ideas about what's missing..
>>
>> my smb.conf:
>>
>> [global]
>> workgroup = SHORTREALM
>> realm = REALM
>> security = ads
>> use kerberos keytab = true
>> idmap config SHORTREALM:schema_mode = rfc2307
>> idmap config SHORTREALM:backend = ad
>> idmap config SHORTREAlM:readonly = yes
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>>
>> I'm using Ubuntu 9.04 with samba 3.3.2, but I tried a backported
>> 3.4.0 and it had the same problem.
>
> Anyone? Apparently this works on RHEL5 with samba 3.0.x, so it's a
> regression if it doesn't work with anything newer..

Have you tried to look up the users SID to UID mapping?
%> wbinfo -n USER
S-1-5-21-2868754479-89028146-2101856903-111873 User (1)

%> wbinfo -S S-1-5-21-2868754479-89028146-2101856903-111873
Could not convert sid S-1-5-21-2868754479-89028146-2101856903-111873 to uid

In the logs you would see things like this:

[2008/05/28 09:50:04, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 24973
[2008/05/28 09:50:04, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
  sid2uid returned an error

Or in log.winbindd-idmap

[2008/05/28 09:50:51, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn DUAL_SID2UID
[2008/05/28 09:50:51, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
  [24634]: sid to uid S-1-5-21-2868754479-89028146-2101856903-111473
[2008/05/28 09:50:51, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(105)
  idmap_sid_to_uid: sid = [S-1-5-21-2868754479-89028146-2101856903-111473]
[2008/05/28 09:50:51, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
  sid [S-1-5-21-2868754479-89028146-2101856903-111473] not mapped to an uid [2,1,2213796440]

If this is the case you would want to add the POSIX compliant attributes for
each user. Here is the process in case this is the problem

1. Create an ldif for each user similar to the following:

dn: CN=User name,OU=container,DC=server,DC=com
changetype: modify
replace: msSFUName
msSFUName: user
-
replace: unixHomeDirectory
unixHomeDirectory: /path/to/home
-
replace: msSFUHomeDirectory
msSFUHomeDirectory: /path/to/home
-
replace: uidNumber
uidNumber: 888
-
replace: gidNumber
gidNumber: 500
-
replace: loginShell
loginShell: /bin/bash
-

(msSFUName must be something without spaces)

2. Create another ldif to modify the DN schema object attribute like the following:

dn: CN=User name,OU=container,DC=server,DC=com
changetype: modrdn
newrdn: CN=user
deleteoldrdn: 1

(the new RDN must also be something without spaces)

3. Then use the ldapmodify tool on the ldif files like so:

%> ldapmodify -x -D "CN=Administrator,CN=Users,DC=server,DC=com" -w "password" -h server.com -p 389 -f filename.ldif

If you need a script to automatically process any account which gives an
error with the wbinfo commands let me know. It is perl and requires the
wbinfo, ldapsearch and ldapmodify tools.

--
Jas
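The three-step procedure above, as an added example that is not Jason's perl script and not part of the original post: a small Python generator that writes the modify record (step 1) and the modrdn record (step 2) in the form RFC 2849 expects, with the "-" separator between change specs and "replace" as the change keyword, and that enforces the post's own constraint that the new name contain no spaces. The DN, names and numbers are constructed to match the values quoted above and do not come from any real directory.

```python
# Added example (not Jason's perl script): build the two LDIF records his
# procedure describes. The DN, names and numbers below are constructed to
# match the values quoted in the post, not taken from a real directory.
import base64


def ldif_line(attr, value):
    """Emit 'attr: value'; values LDIF cannot carry verbatim (non-ASCII, control
    characters, leading space/':'/'<', trailing space) are base64-encoded with '::'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def check_name(name):
    # The post's own constraint: msSFUName and the new RDN must not contain spaces.
    if not name or " " in name:
        raise ValueError(f"name {name!r} must be non-empty and contain no spaces")


def check_id(label, value):
    # uidNumber/gidNumber are integer attributes; uid/gid 0 is refused so a
    # domain account can never be mapped onto root on the member server.
    if not isinstance(value, int) or not 0 < value < 2**31:
        raise ValueError(f"{label} must be a positive 31-bit integer, got {value!r}")


def posix_modify_ldif(dn, name, uid_number, gid_number, home, shell="/bin/bash"):
    """Step 1: set the SFU/RFC 2307 attributes on an existing user object.
    'replace' (rather than 'add') keeps the record idempotent: re-running it on a
    user that already has the attribute does not fail with attributeOrValueExists."""
    check_name(name)
    check_id("uidNumber", uid_number)
    check_id("gidNumber", gid_number)
    changes = [
        ("msSFUName", name),
        ("unixHomeDirectory", home),
        ("msSFUHomeDirectory", home),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("loginShell", shell),
    ]
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


def posix_rename_ldif(dn, name):
    """Step 2: rename the RDN to the space-free name; deleteoldrdn: 1 drops the old CN value."""
    check_name(name)
    lines = [ldif_line("dn", dn), "changetype: modrdn",
             f"newrdn: CN={name}", "deleteoldrdn: 1"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn = "CN=User name,OU=container,DC=server,DC=com"  # constructed, as in the post
    print(posix_modify_ldif(dn, "user", 888, 500, "/path/to/home"))
    print(posix_rename_ldif(dn, "user"))
```

Write each record to its own file and feed it to ldapmodify as in step 3; since the rename changes the DN, apply the modify record first, with the old DN. When running ldapmodify interactively, prefer `-W` (prompt for the bind password) over `-w "password"`, which leaves the password visible in the process list and shell history.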
From: Timo Aaltonen on 18 Nov 2009 06:10
Thank you for the reply!

On Tue, 17 Nov 2009, Jason Gerfen wrote:

> Have you tried to look up the users SID to UID mapping?
> %> wbinfo -n USER
> S-1-5-21-2868754479-89028146-2101856903-111873 User (1)
>
> %> wbinfo -S S-1-5-21-2868754479-89028146-2101856903-111873
> Could not convert sid S-1-5-21-2868754479-89028146-2101856903-111873 to uid

Works here, but returns '10000'.

> If this is the case you would want to add the POSIX compliant attributes for
> each user. Here is the process in case this is the problem

I've done those but maybe didn't express it clearly in the first post. From
'net ads search' output:

uid: tjaalton
uidNumber: 26200
gidNumber: 45
unixHomeDirectory: /home/tjaalton/unix
loginShell: /bin/zsh

and 'wbinfo -i tjaalton':

tjaalton:*:10000:45:Timo TEST. Aaltonen:/home/tjaalton/unix:/bin/zsh

From the log.winbind-idmap I found a lot of these:

[2009/11/18 12:41:05, 1] winbindd/idmap.c:438(idmap_init_passdb_domain)
  Could not init passdb idmap domain
[2009/11/18 12:41:05, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2009/11/18 12:41:05, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2009/11/18 12:41:05, 0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2009/11/18 12:41:05, 0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2009/11/18 12:41:05, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2009/11/18 12:41:05, 0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
  idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
[2009/11/18 12:41:05, 0] winbindd/idmap.c:589(idmap_alloc_init)
  ERROR: Initialization failed for alloc backend, deferred!

so something is probably misconfigured, but I can't see what.

Authentication works (using pam_krb5.so), if only with the correct UID :)

Here are the config options of the samba package, in case something is missing:

--cache-file=./config.cache \
--with-fhs \
--enable-shared \
--enable-static \
--prefix=/usr \
--sysconfdir=/etc \
--libdir=/usr/lib/samba \
--with-privatedir=/etc/samba \
--with-piddir=/var/run/samba \
--localstatedir=/var \
--with-rootsbindir=/sbin \
--with-pammodulesdir=/lib/security \
--with-pam \
--with-syslog \
--with-utmp \
--with-readline \
--with-pam_smbpass \
--with-libsmbclient \
--with-winbind \
--with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
--with-automount \
--with-ldap \
--with-ads \
--without-smbmount \
--with-dnsupdate \
--without-libtdb \
--without-libnetapi \
--with-modulesdir=/usr/lib/samba \
--datarootdir=/usr/share \
--datadir=/usr/share/samba \
--with-swatdir=/usr/share/samba/swat \
--with-lockdir=/var/run/samba \
--with-statedir=/var/lib/samba \
--with-cachedir=/var/cache/samba \
--enable-external-libtalloc \
--without-libtalloc \
--with-cifsmount \
--with-cifsupcall \
--with-acl-support \
--with-quotas

thanks!

--
Timo Aaltonen
Systems Specialist
IT Services, Helsinki University of Technology
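The check Timo performs by hand above, as an added example that is not part of the thread: a Python script that parses `wbinfo -i` output and `net ads search` attribute records, reports every attribute on which winbind disagrees with the uidNumber/gidNumber/unixHomeDirectory/loginShell stored in AD, and pulls the idmap initialisation failures out of log.winbind-idmap. It generalises slightly beyond the post by handling any number of users and records. The sample outputs are constructed from the values quoted above, not captured from a live system, and the log format assumed is the two-line Samba layout shown in the post (header line, then an indented message).

```python
# Added example (not from the thread): cross-check winbind's view of a user
# (wbinfo -i) against the RFC 2307 attributes in AD (net ads search), and
# pick the idmap initialisation failures out of log.winbind-idmap. The sample
# outputs below are constructed from the values quoted in the post.
import re

WBINFO_I = "tjaalton:*:10000:45:Timo TEST. Aaltonen:/home/tjaalton/unix:/bin/zsh\n"

NET_ADS_SEARCH = """\
uid: tjaalton
uidNumber: 26200
gidNumber: 45
unixHomeDirectory: /home/tjaalton/unix
loginShell: /bin/zsh
"""

IDMAP_LOG = """\
[2009/11/18 12:41:05, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2009/11/18 12:41:05, 0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
  idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
[2009/11/18 12:41:05, 0] winbindd/idmap.c:589(idmap_alloc_init)
  ERROR: Initialization failed for alloc backend, deferred!
"""


def parse_wbinfo_i(text):
    """Parse passwd(5)-style lines (name:x:uid:gid:gecos:home:shell) into a dict keyed by name."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"unexpected wbinfo -i line: {line!r}")
        users[fields[0]] = {"uid": int(fields[2]), "gid": int(fields[3]),
                            "home": fields[5], "shell": fields[6]}
    return users


def parse_net_ads_search(text):
    """Parse 'attr: value' records separated by blank lines; keyed by the uid attribute."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        records.append(current)
    return {r["uid"]: r for r in records if "uid" in r}


def compare(winbind, ad):
    """One finding per attribute on which winbind disagrees with AD. A uid that
    differs from uidNumber (10000 vs 26200 in the post) means winbind did not
    take the value from the directory."""
    findings = []
    for name, rec in ad.items():
        if "uidNumber" not in rec or "gidNumber" not in rec:
            findings.append((name, "no uidNumber/gidNumber in AD"))
            continue
        if name not in winbind:
            findings.append((name, "not resolvable through winbind"))
            continue
        expected = {"uid": int(rec["uidNumber"]), "gid": int(rec["gidNumber"]),
                    "home": rec.get("unixHomeDirectory"), "shell": rec.get("loginShell")}
        for key, want in expected.items():
            if want is not None and winbind[name][key] != want:
                findings.append((name, f"{key}: winbind={winbind[name][key]} ad={want}"))
    return findings


LOG_HEADER = re.compile(r"^\[(?P<ts>[^\]]+), (?P<level>\d+)\] (?P<where>\S+)$")
IDMAP_FAILURES = ("idmap uid missing", "Initialization failed for alloc backend",
                  "unable to map foreign SIDs")


def idmap_init_failures(text):
    """Pair each Samba log header with the indented message that follows it and
    keep the ones showing that the idmap allocation backend never came up."""
    hits, where = [], None
    for line in text.splitlines():
        header = LOG_HEADER.match(line)
        if header:
            where = header.group("where")
            continue
        message = line.strip()
        if any(marker in message for marker in IDMAP_FAILURES):
            hits.append((where, message))
    return hits


if __name__ == "__main__":
    for name, problem in compare(parse_wbinfo_i(WBINFO_I), parse_net_ads_search(NET_ADS_SEARCH)):
        print(f"{name}: {problem}")
    for where, message in idmap_init_failures(IDMAP_LOG):
        print(f"{where}: {message}")
```

On the constructed input this reports `tjaalton: uid: winbind=10000 ad=26200` plus the three log lines; on a real member server, feed it the saved output of `wbinfo -i` for each user, the `net ads search` records, and the idmap log, and an empty findings list confirms that the directory values are the ones winbind is actually serving.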