Bug#: 3661
Status: RESOLVED
Resolution: FIXED
Assigned To: Michael Adam <obnox@samba.org>
Reporter: Bob Gautier <bob.gautier@rabobank.com>

Attachments:
Description | Type | Creator | Created | Size | Flags
Enable idmap_ad to manage connections to multiple domains | patch | Bob Gautier | 2006-04-05 09:57 CST | 10.64 KB | none
Updated version of patch for 3.0.23rc2 and 3.0.23 final | patch | Bob Gautier | 2006-07-28 03:41 CST | 9.10 KB | none
Updated patch for 3.0.23b | patch | Bob Gautier | 2006-08-10 04:29 CST | 8.91 KB | none
multiple connection patch for samba 3.0.32 | patch | Christina Jagodics | 2008-09-05 08:20 CST | 8.58 KB | none
multiple connection patch for samba 3.2.2 | patch | Christina Jagodics | 2008-09-05 08:26 CST | 8.18 KB | none
New AdEx idmap/nss_info plugin for the trunk | patch | Gerald (Jerry) Carter | 2008-09-19 12:39 CST | 102.01 KB | none
log files | application/x-gzip | Christian McHugh | 2008-09-23 13:42 CST | 145.04 KB | none
smb.conf used | application/octet-stream | Christian McHugh | 2008-09-23 13:51 CST | 986 bytes | none
logs again | application/gzip | Christian McHugh | 2008-09-24 21:57 CST | 258.12 KB | none
logs | application/x-gzip | Christian McHugh | 2008-09-25 11:48 CST | 188.40 KB | none


Description:   Opened: 2006-04-05 09:49 CST
Working with winbindd 3.0.21 onwards, with idmap_ad in an AD setup with
multiple domains, I noticed that 'wbinfo -u' would list users from all trusted
domains whereas 'getent passwd' would only list users from the domain my
machine had actually joined, although there were users in those other domains
which (IMHO) were eligible to be listed.  I was able to get those users listed
by moving my machine to each domain in turn.  Indeed, if I don't delete the
winbindd cache as I move from domain to domain, the users from other domains
start to appear in the getent listing.

On looking at the code path in idmap_ad.c and winbind_ads.c I notice that the
latter (the wbinfo -u path) iterates over all domains, whereas the idmap_ad.c
code does not.

I'm going to attach a patch which appears to fix my problem by making idmap_ad
iterate over all domains.  But I wonder if I'm missing some detail of winbindd
configuration?

------- Comment #1 From Bob Gautier 2006-04-05 09:57:18 CST -------
Created an attachment (id=1846) [details]
Enable idmap_ad to manage connections to multiple domains

I offer this as a 'proof of concept' fix for the problem I'm seeing.  It makes
idmap_ad iterate over all domains that it knows about when looking up users.

This patch was produced from a version of idmap_ad patched with my RFC2307
patch (see BZ#3345).  I'll be happy to try to decouple the two patches if
anyone wants that.

------- Comment #2 From Guenther Deschner 2006-05-30 10:56:42 CST -------
Bob, can you send us a new version of your patch?

------- Comment #3 From Mark Pröhl 2006-07-27 14:42:13 CST -------
I have the same problem. Here are some lines of the winbind log:

Connected to LDAP server 192.168.100.1
time offset is 46 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name =dc1$@EXAMPLE.COM
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
kerberos_kinit_password: using MEMORY:winbind_ccache as ccache
ads_krb5_mk_req: Advancing clock by 46 seconds to cope with clock skew
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration
Fri, 28 Jul 2006 07:32:46 CEST
ads_krb5_mk_req: Ticket (dc1$@EXAMPLE.COM) in ccache (MEMORY:winbind_ccache) is
valid until: (Fri, 28 Jul 2006 07:32:46 CEST - 1154064766)
Got KRB5 session key of length 16
ads_check_posix_schema_mapping
Search for (|(attributeId=1.2.840.113556.1.6.18.1.310)(attributeId=1.2.840.113556.1.6.18.1.311)(attributeId=1.2.840.113556.1.6.18.1.344)(attributeId=1.2.840.113556.1.6.18.1.312)(attributeId=1.2.840.113556.1.6.18.1.337)) gave 0 replies
ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
ads_check_posix_schema_mapping failed: NT_STATUS_NONE_MAPPED
Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\C7\F6\D3\1A\D1\B0\A2\BA\A4\00\FD\56\00\02\00\00) gave 0 replies
...

192.168.100.1 is the DC of winbind's own domain. As far as I understand that
log, winbind is doing something like the following:

# ldapsearch -xLLLD cn=Administrator,cn=Users,dc=example,dc=com -w secret -H
ldap://192.168.100.1 -b dc=example,dc=com
'(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\C7\F6\D3\1A\D1\B0\A2\BA\A4\00\FD\56\00\02\00\00)'
# refldap://child.example.com/DC=child,DC=example,DC=com

# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# refldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# refldap://example.com/CN=Configuration,DC=example,DC=com


I suspect that the problem is winbind not following the referral.

------- Comment #4 From Bob Gautier 2006-07-28 03:41:38 CST -------
Created an attachment (id=2073) [details]
Updated version of patch for 3.0.23rc2 and 3.0.23 final

I just noticed Guenther's request for an updated patch and can find no evidence
that I sent it.  So here it is (again).

------- Comment #5 From Mark Pröhl 2006-07-28 08:32:22 CST -------
Hi,

I recompiled samba-3.0.23a with patch (from attachment id=2073) on a SLES9
system. It works!

Thanks,

- Mark

------- Comment #6 From Christian McHugh 2006-08-05 19:54:37 CST -------
Patch also works on solaris. Thank you very much!

------- Comment #7 From Bob Gautier 2006-08-10 04:29:25 CST -------
Created an attachment (id=2089) [details]
Updated patch for 3.0.23b

------- Comment #8 From Bob Gautier 2006-10-12 02:50:39 CST -------
Any chance of this getting into 3.0.23d?

------- Comment #9 From Gerald (Jerry) Carter 2007-04-10 15:50:08 CST -------
Guenther, is there a reason why this patch was never applied?

------- Comment #10 From Gerald (Jerry) Carter 2007-04-17 16:29:55 CST -------
Moving to target 3.0.26.  Too late for 3.0.25 right now.

------- Comment #11 From Guenther Deschner 2007-05-24 16:29:12 CST -------
(In reply to comment #9)
> Guenther, is there a reason why this patch was never applied?

I was waiting for the idmap rewrite to finish at that time, will take a look
again now.

------- Comment #12 From Mark Pröhl 2007-08-06 02:48:59 CST -------
(In reply to comment #10)
> Moving to target 3.0.26.  Too late for 3.0.25 right now.
> 

Will this be fixed in 3.2.0?

------- Comment #13 From Matt McCormick 2008-04-01 00:29:13 CST -------
I have the same problem.  Is there any status on when this patch will be
included?

------- Comment #14 From Christian McHugh 2008-08-14 13:00:52 CST -------
Is this still being worked on for the 3.2 release?

------- Comment #15 From Thorsten Hopf 2008-08-15 09:28:21 CST -------
Hi,

We have the same problem here on 3.2.0.
All works perfectly. Only the id-mapping isn't working with trusted domains.

------- Comment #16 From Jeremy Allison 2008-08-15 16:31:40 CST -------
Ok, talked to Jerry and he is planning to add a connection manager into
idmap_ad. This will not make the 3.2.2 release due Mon. 18th, but should make
the release after that.
Assigning this one (and the two attendant ones) to Jerry.
Jeremy.

------- Comment #17 From Jeremy Allison 2008-08-15 16:33:07 CST -------
See bug #5363.
Jeremy

------- Comment #18 From Volker Lendecke 2008-08-15 19:00:25 CST -------
Hmmm. A separate connection manager in idmap_ad? Can't we find a way to re-use
the already existing one?

Volker

------- Comment #19 From Gerald (Jerry) Carter 2008-08-18 09:57:51 CST -------
(In reply to comment #18)
> Hmmm. A separate connection manager in idmap_ad? Can't we find a way to re-use
> the already existing one?

Nope.  I never found a way.  I'm going to try to work on this one since it is
one of the few interesting things I have sitting around.

------- Comment #20 From Thorsten Hopf 2008-08-25 01:38:29 CST -------
Hi, is there any eta on the 3.2.3 release? Would be great to have it soon! Thx

------- Comment #21 From Christina Jagodics 2008-08-25 03:23:11 CST -------
(In reply to comment #7)
> Created an attachment (id=2089) [edit] [details]
> Updated patch for 3.0.23b
> 

Hi Bob,

just found this bug-thread and tried to build samba using the patch you
provided. Unfortunately it doesn't seem to work.

'getent passwd' only fetches information about users from the domain
my machine's directly joined to.

I'm using samba version 3.0.23b on a debian etch 4.0 system.
My guess is that I do not execute the compile-command correctly.

So, could you please tell me exactly what you did to make that working?

I've also tried patching samba 3.0.24 as the 'idmap_ad.c'-file doesn't 
differ much from the one used with 3.0.23b. 
After some minor changes the patching-process succeeded 
but the issue I described above still remained. 

Generally, is there a chance to make samba 3.0.24 work with your patch
or do I have to use 3.0.23b?


Thanks in advance

------- Comment #22 From Gerald (Jerry) Carter 2008-08-25 07:49:09 CST -------
I'm working on it.  If someone gets a quicker fix in, that is fine.  But I'm
working on an overhaul of the id plugin right now anyways.

------- Comment #23 From Christina Jagodics 2008-09-05 08:20:40 CST -------
Created an attachment (id=3528) [details]
multiple connection patch for samba 3.0.32

------- Comment #24 From Christina Jagodics 2008-09-05 08:24:28 CST -------
(From update of attachment 3528 [details])
Hi guys,

I did some research and after hours of testing I eventually came up with my own
patch to make the multiple-connection thing working for both samba 3.0.32 and
3.2.2.

------- Comment #25 From Christina Jagodics 2008-09-05 08:26:31 CST -------
Created an attachment (id=3529) [details]
multiple connection patch for samba 3.2.2

------- Comment #26 From Christian McHugh 2008-09-11 11:54:03 CST -------
Tried out the patch on solaris 10, 3.2.3. Looks like we're part way there. 

wbinfo -u shows users from both of my domains (yay!)

But wbinfo -i 'NAU\mcm75' (domain user) dumps core

Here is the last bit of log.winbindd-idmap
[2008/09/11 23:50:15, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
  kerberos_kinit_password: as EGR214-01$@STUDENTS.FROOT.NAU.EDU using [MEMORY:winbind_ccache] as ccache and config [/usr/local/samba/var/locks/smb_krb5/krb5.conf.NAU-STUDENTS]
[2008/09/11 23:50:15,  3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 12 Sep 2008 09:50:14 GMT-7
[2008/09/11 23:50:15, 10] libsmb/clikrb5.c:ads_krb5_mk_req(702)
  ads_krb5_mk_req: Ticket (ldap/beech.nau.froot.nau.edu@NAU.FROOT.NAU.EDU) in ccache (MEMORY:winbind_ccache) is valid until: (Fri, 12 Sep 2008 09:50:14 GMT-7 - 1221187814)
[2008/09/11 23:50:15,  3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2008/09/11 23:50:15, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(868)
  Got KRB5 session key of length 16
[2008/09/11 23:50:15,  0] lib/fault.c:fault_report(40)
  ===============================================================
[2008/09/11 23:50:15,  0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 9010 (3.2.3)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/09/11 23:50:15,  0] lib/fault.c:fault_report(43)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/09/11 23:50:15,  0] lib/fault.c:fault_report(44)
  ===============================================================
[2008/09/11 23:50:15,  0] lib/util.c:smb_panic(1663)
  PANIC (pid 9010): internal error
[2008/09/11 23:50:15,  0] lib/util.c:log_stack_trace(1817)
  unable to produce a stack trace on this platform
[2008/09/11 23:50:15,  0] lib/fault.c:dump_core(201)
  dumping core in /usr/local/samba/var/cores/winbindd


If you need anything more, let me know. I'd be happy to help make this go.

------- Comment #27 From Christian McHugh 2008-09-15 14:38:10 CST -------
Looks like my crashing issue is not from this patch. Sorry for the noise. I've
opened bug 5766 about winbind not working.

------- Comment #28 From Gerald (Jerry) Carter 2008-09-18 07:49:51 CST -------
*** Bug 5772 has been marked as a duplicate of this bug. ***

------- Comment #29 From Gerald (Jerry) Carter 2008-09-19 12:39:25 CST -------
Created an attachment (id=3603) [details]
New AdEx idmap/nss_info plugin for the trunk

Includes support for RFC2307, trusted domains, name aliasing, global catalog
searches, etc...
Patch sent to the samba-technical ml.

------- Comment #30 From Christina Jagodics 2008-09-22 09:07:41 CST -------
Hi Jerry,

thanks for your quick response and the patch which hopefully will solve my
problem.
Applying the patch wasn't a problem either but when trying to compile the
source code I always get the following error:

---------
[...]
Compiling winbindd/idmap_adex/idmap_adex.c
winbindd/idmap_adex/idmap_adex.c:405: warning: initialization from incompatible
pointer type
winbindd/idmap_adex/idmap_adex.c:416: error: unknown field 'map_to_alias'
specified in initializer
winbindd/idmap_adex/idmap_adex.c:416: warning: initialization from incompatible
pointer type
winbindd/idmap_adex/idmap_adex.c:417: error: unknown field 'map_from_alias'
specified in initializer
winbindd/idmap_adex/idmap_adex.c:417: warning: excess elements in struct
initializer
winbindd/idmap_adex/idmap_adex.c:417: warning: (near initialization for
'adex_nss_methods')
The following command failed:
gcc -I. -I/root/build/samba-3.2.4/source  -O -D_SAMBA_BUILD_=3
-I/root/build/samba-3.2.4/source/popt
-I/root/build/samba-3.2.4/source/iniparser/src -Iinclude -I./include  -I. -I.
-I./lib/replace -I./lib/talloc -I./lib/tdb/include -I./libaddns -I./librpc
-DHAVE_CONFIG_H  -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
-Iinclude -I./include -I. -I. -I./lib/replace -I./lib/talloc
-I./lib/tdb/include -I./libaddns -I./librpc -I./popt -DLDAP_DEPRECATED  
-I/include -I/root/build/samba-3.2.4/source/lib -D_SAMBA_BUILD_=3 -fPIC -c
winbindd/idmap_adex/idmap_adex.c -o winbindd/idmap_adex/idmap_adex.o
make: *** [winbindd/idmap_adex/idmap_adex.o] Error 1
-----------

Tried this patch with 3.2.2 as well as 3.2.4.
Would be very nice if you could take a look at this.

Thanks
Christina

------- Comment #31 From Christian McHugh 2008-09-22 11:21:04 CST -------
I noticed that the patch seemed to depend on the name mapping infrastructure in
samba.git, so I tried grabbing and patching the samba source from git. However,
I'm also getting compile errors on solaris 10 (seems limited to winbind though) 

Compiling nsswitch/pam_winbind.c
nsswitch/pam_winbind.c: In function '_pam_error_code_str':
nsswitch/pam_winbind.c:74: error: 'PAM_MODULE_UNKNOWN' undeclared (first use in
this function)
nsswitch/pam_winbind.c:74: error: (Each undeclared identifier is reported only
once
nsswitch/pam_winbind.c:74: error: for each function it appears in.)
nsswitch/pam_winbind.c:76: error: 'PAM_BAD_ITEM' undeclared (first use in this
function)
nsswitch/pam_winbind.c:78: error: 'PAM_CONV_AGAIN' undeclared (first use in
this function)
nsswitch/pam_winbind.c:80: error: 'PAM_INCOMPLETE' undeclared (first use in
this function)
nsswitch/pam_winbind.c: In function '_pam_get_item':
nsswitch/pam_winbind.c:115: warning: passing argument 3 of 'pam_get_item' from
incompatible pointer type
nsswitch/pam_winbind.c: In function '_pam_log_state_datum':
nsswitch/pam_winbind.c:251: warning: passing argument 3 of 'pam_get_item' from
incompatible pointer type
nsswitch/pam_winbind.c: In function 'converse':
nsswitch/pam_winbind.c:575: warning: passing argument 2 of 'conv->conv' from
incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_authenticate':
nsswitch/pam_winbind.c:2039: warning: passing argument 2 of 'pam_get_user' from
incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_acct_mgmt':
nsswitch/pam_winbind.c:2242: warning: passing argument 2 of 'pam_get_user' from
incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_close_session':
nsswitch/pam_winbind.c:2376: warning: passing argument 2 of 'pam_get_user' from
incompatible pointer type
nsswitch/pam_winbind.c: In function 'pam_sm_chauthtok':
nsswitch/pam_winbind.c:2518: warning: passing argument 2 of 'pam_get_user' from
incompatible pointer type
The following command failed:
gcc -I/opt/csw/include -O -I. -I/usr/local/src/samba3.3/source3 
-I/usr/local/src/samba3.3/source3/iniparser/src -Iinclude -I./include  -I. -I.
-I./../lib/replace -I./../lib/talloc -I./../lib/tdb/include -I./libaddns
-I./librpc -DHAVE_CONFIG_H  -I/opt/csw/include -I/opt/csw/include
-D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64 -Iinclude -I./include
-I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tdb/include
-I./libaddns -I./librpc -I./../lib/popt -DLDAP_DEPRECATED -DSUNOS5 -I/include 
-I/usr/local/src/samba3.3/source3/lib -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC
-c nsswitch/pam_winbind.c -o nsswitch/pam_winbind.o
gmake: *** [nsswitch/pam_winbind.o] Error 1

------- Comment #32 From Christian McHugh 2008-09-22 11:45:53 CST -------
Commenting out the missing PAM stuff lets me compile, but adex.so won't load.

[2008/09/22 23:37:30,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'nss'
[2008/09/22 23:37:30,  3] winbindd/idmap.c:idmap_init_default_domain(359)
  idmap_init: using 'adex' as remote backend
[2008/09/22 23:37:30,  3] winbindd/idmap.c:idmap_init_domain(302)
  idmap backend adex not found
[2008/09/22 23:37:30,  5] lib/module.c:smb_probe_module(111)
  Probing module 'adex'
[2008/09/22 23:37:30,  5] lib/module.c:smb_probe_module(130)
  Probing module 'adex': Trying to load from /usr/local/samba/lib/idmap/adex.so
[2008/09/22 23:37:30,  0] lib/module.c:do_smb_load_module(59)
  Error trying to resolve symbol 'init_samba_module' in /usr/local/samba/lib/idmap/adex.so: ld.so.1: winbindd: fatal: init_samba_module: can't find symbol
[2008/09/22 23:37:30,  3] winbindd/idmap.c:idmap_init_domain(307)
  Could not probe idmap module adex

------- Comment #33 From Gerald (Jerry) Carter 2008-09-22 19:37:55 CST -------
Can you try the v3-3-test branch?  The idmap_adex module has been checked in.
This will save you some build  and patch headaches.

------- Comment #34 From Christina Jagodics 2008-09-23 07:27:11 CST -------
Yep, compiling the source code from the v3-3-test branch succeeded and I also
managed to join my machine to our win2k8 domain. wbinfo -u/g/m works quite fine
but 'getent passwd' again only fetches users from the domain my machine's
directly joined to. Wasn't this patch supposed to solve this issue? Or do I
have to add the other patch (idmap_ad) as well?

------- Comment #35 From Christian McHugh 2008-09-23 13:08:09 CST -------
Compiled from git, but I'm still having problems. First, still having pam
problems, so I opened bug 5784. Secondly, I cannot lookup users. I've added the
required attributes into the PAS, but it seems unable to do a lookup on the
Domain Users group.

The entry should have been:
NAU-STUDENTS\mcm75:x:62107:10000:Michael Christian McHugh:/home/mcm75:/bin/bash

With the 10000 group being just a number. Everyone in the domain has a gid of
10000 and there is a group with the same gid. Point being, it is not the Domain
Users group. Looks like leaving Domain Users without gid is causing lookups to
fail.


[2008/09/24 01:00:18, 10]
winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = CN=mcm75,CN=Users,DC=students,DC=froot,DC=nau,DC=edu, 
Filter = (objectclass=*), Scope = 0, GC = no
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key =
IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-98358; value = 62107
and timeout = Wed Oct  1 01:00:18 2008
   (604800 seconds ahead)
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = IDMAP/UID2SID/62107; value =
S-1-5-21-2129867641-1992771036-1243820751-98358 and timeout = Wed Oct  1
01:00:18 2008
   (604800 seconds ahead)
[2008/09/24 01:00:18, 10] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(247)
  winbindd_dual_sid2uid: 0x00000000 -
S-1-5-21-2129867641-1992771036-1243820751-98358 - 62107
[2008/09/24 01:00:18, 10] winbindd/winbindd_cache.c:cache_store_response(2622)
  Storing response for pid 16943, len 3496
[2008/09/24 01:00:18, 10] lib/events.c:get_timed_events_timeout(320)
  timed_events_timeout: 279/466700
[2008/09/24 01:00:18,  4] winbindd/winbindd_dual.c:fork_domain_child(1333)
  child daemon request 49
[2008/09/24 01:00:18, 10] winbindd/winbindd_dual.c:child_process_request(433)
  child_process_request: request fn DUAL_SID2GID
[2008/09/24 01:00:18,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(305)
  [16941]: sid to gid S-1-5-21-2129867641-1992771036-1243820751-513
[2008/09/24 01:00:18, 10] winbindd/idmap_util.c:idmap_sid_to_gid(212)
  idmap_sid_to_gid: sid = [S-1-5-21-2129867641-1992771036-1243820751-513]
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_get(194)
  Cache entry with key =
IDMAP/SID2GID/S-1-5-21-2129867641-1992771036-1243820751-513 couldn't be found
[2008/09/24 01:00:18, 10]
winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = ,  Filter =
(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\79\33\F3\7E\DC\45\C7\76\CF\32\23\4A\01\02\00\00),
Scope = 2, GC = yes
[2008/09/24 01:00:18, 10]
winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = CN=Domain
Users,CN=Users,DC=students,DC=froot,DC=nau,DC=edu,  Filter = (objectclass=*),
Scope = 0, GC = no
[2008/09/24 01:00:18, 10]
winbindd/idmap_adex/provider_unified.c:get_object_uint32(749)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10]
winbindd/idmap_adex/provider_unified.c:get_object_id(809)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] winbindd/idmap_adex/provider_unified.c:pull_id(831)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10]
winbindd/idmap_adex/provider_unified.c:_ccp_get_id_from_sid(1006)
  Failed! (NT_STATUS_OBJECT_NAME_NOT_FOUND)
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key =
IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-513; value = -1 and
timeout = Wed Sep 24 01:02:18 2008
   (120 seconds ahead)
[2008/09/24 01:00:18, 10] winbindd/winbindd_idmap.c:winbindd_dual_sid2gid(320)
  winbindd_dual_sid2gid: 0xc0000073 -
S-1-5-21-2129867641-1992771036-1243820751-513 - 0
[2008/09/24 01:00:18, 10] winbindd/winbindd_cache.c:cache_store_response(2622)
  Storing response for pid 16943, len 3496
[2008/09/24 01:00:18, 10] lib/events.c:get_timed_events_timeout(320)
  timed_events_timeout: 279/463207
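
Added example (not part of the bug report and not Samba code): the `objectSid` filters logged in comment #3 and comment #35 are binary SIDs written as LDAP `\XX` escapes, and this sketch converts them to and from the `S-1-5-21-...` form so the two kinds of log line can be matched up. The function names are hypothetical; the two filter strings are copied from the logs above.

```python
import re
import struct

# Matches the filter as winbindd logs it: (objectSid=\01\05\00...)
FILTER_RE = re.compile(r"\(objectSid=((?:\\[0-9A-Fa-f]{2})+)\)")

# Filter strings copied from the logs in comment #3 and comment #35.
FILTER_COMMENT_3 = (r"(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00"
                    r"\C7\F6\D3\1A\D1\B0\A2\BA\A4\00\FD\56\00\02\00\00)")
FILTER_COMMENT_35 = (r"(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00"
                     r"\79\33\F3\7E\DC\45\C7\76\CF\32\23\4A\01\02\00\00)")

MAX_SUBAUTHS = 15  # a SID carries at most 15 sub-authorities


def filter_to_bytes(text):
    """Extract the escaped objectSid value from a log line or filter string."""
    m = FILTER_RE.search(text)
    if not m:
        raise ValueError("no objectSid filter found")
    return bytes.fromhex(m.group(1).replace("\\", ""))


def decode_sid(raw):
    """Binary SID -> 'S-<rev>-<authority>-<subauth>...' string.

    Layout: 1 byte revision, 1 byte sub-authority count,
    6 bytes identifier authority (big-endian),
    then count * 4 bytes of sub-authorities (little-endian).
    """
    if len(raw) < 8:
        raise ValueError("binary SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if count > MAX_SUBAUTHS or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count %d" % count)
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def encode_sid(sid):
    """'S-1-5-21-...' string -> binary SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > MAX_SUBAUTHS:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subauths)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


def sid_from_filter(text):
    """Log line or filter containing (objectSid=...) -> SID string."""
    return decode_sid(filter_to_bytes(text))


def sid_to_filter(sid):
    """SID string -> the escaped LDAP filter form seen in the logs."""
    return "(objectSid=" + "".join("\\%02X" % b for b in encode_sid(sid)) + ")"


if __name__ == "__main__":
    for label, flt in (("comment #3", FILTER_COMMENT_3),
                       ("comment #35", FILTER_COMMENT_35)):
        print(label, "->", sid_from_filter(flt))
```

The comment #35 filter decodes to the same SID that the neighbouring `idmap_sid_to_gid` line prints, which confirms the search was for RID 513 of that domain.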

------- Comment #36 From Christian McHugh 2008-09-23 13:23:09 CST -------
Also it looks as if winbind is unable to lookup some group sids on the domain.
So I start winbind and try to lookup gid

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10000
Could not convert gid 10000 to sid

But then I can lookup a user with that group and all is well
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -i 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10003
S-1-5-21-2129867641-1992771036-1243820751-82750


So without looking up the user first, it is unable to resolve gid<->sid.
So attempting to lookup random groups still fails.

root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12006
Could not convert gid 12006 to sid

------- Comment #37 From Gerald (Jerry) Carter 2008-09-23 13:25:31 CST -------
(In reply to comment #35)

> The entry should have been:
> NAU-STUDENTS\mcm75:x:62107:10000:Michael Christian McHugh:/home/mcm75:/bin/bash
> 
> With the 10000 group being just a number. Everyone in the domain has a gid of
> 10000 and there is a group with the same gid. Point being, it is not the Domain
> Users group. Looks like leaving Domain Users without gid is causing lookups to
> fail.

No.  Pretty sure that is a red herring.  The lookup failure is not fatal based
on what I remember from checking before.

Please make sure that $(libdir)/nss_info/adex.so is a symlink to
$(libdir)/idmap/adex.so.
This is a bug in the install script from what I remember.  I'll look into that
now.
(and that you set "winbind nss info = adex").  The config I'm using in
v3-3-test looks like:

   idmap backend = adex
   idmap uid = 10000 - 4000000000
   idmap gid = 10000 - 4000000000

   winbind nss info = adex
   winbind normalize names = yes

------- Comment #38 From Gerald (Jerry) Carter 2008-09-23 13:36:52 CST -------
Christian, just to clarify....the new adex.so only supports RFC2307 schema right
now.  That schema model is what you are using, yes?

------- Comment #39 From Christian McHugh 2008-09-23 13:38:11 CST -------
Thanks for all your help Jerry, but I'm still having problems.

$(libdir)/nss_info/adex.so did not exist at all, so I just created it. I then
wiped out all caches and rejoined samba to the domain, but the problem seems to
be about the same.

I can lookup a user with gid 10003
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash

But not anyone else
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10003
S-1-5-21-2129867641-1992771036-1243820751-82750
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 10000
Could not convert gid 10000 to sid

and lookups on random groups still fail
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid

------- Comment #40 From Christian McHugh 2008-09-23 13:38:24 CST -------
Yep, rfc2307 attributes

------- Comment #41 From Christian McHugh 2008-09-23 13:42:10 CST -------
Created an attachment (id=3613) [details]
log files

Log files with a cleared cache
Ran:
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop

------- Comment #42 From Christian McHugh 2008-09-23 13:51:33 CST -------
Created an attachment (id=3614) [details]
smb.conf used

------- Comment #43 From Gerald (Jerry) Carter 2008-09-24 18:58:15 CST -------
I have an explanation I believe for the "getent passwd NAU-STUDENTS\mcm75"
failure.

  Probing module 'adex'
  Probing module 'adex': Trying to load from
/usr/local/samba/lib/nss_info/adex.so
  Error loading module '/usr/local/samba/lib/nss_info/adex.so': ld.so.1:
winbindd: fatal: /usr/local/samba/lib/nss_info/adex.so: open failed: No such
file or directory

Can you verify that the file is in place?

Without this, winbindd will try to map the Windows primary group for the user
to a gid which as you pointed out is not mapped at all.  Setting that parameter
should fill in the primary group from the gidNumber.

The gid2sid() failure can be explained if you have not added the uid,
gidNumber, and uidNumber attributes in the PAS for GC.  But you said you had,
so I'm a bit perplexed.

Seems there is either a bad debug msg or some logic error in the caching code
here that I need to track down.  This is v3-3-test right ?

  [17116]: gid 12005 to sid
  gid = [12005]
  Cache entry with key = IDMAP/GID2SID/12005 couldn't be found
                                          ^^^^^^^^^^^^^^
  Adding cache entry with key = IDMAP/UID2SID/12005; value = - and timeout.....
                                                      ^^^^^^^^^^^^^^
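
Added example (not part of the bug report and not Samba code): a log check for the pattern marked with carets in comment #43 and also visible in comment #35, where a gencache lookup misses under one IDMAP key type and the entry written next for the same identifier uses a different key type. The function names are hypothetical; the sample records are excerpted from the comment #35 log, wrapped lines included.

```python
import re

# A winbindd debug record starts with "[date time, level] file:function(line)".
HEADER_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\s*\d+\]")
MISS_RE = re.compile(r"Cache entry with key = IDMAP/(\w+)/(\S+) couldn't be found")
STORE_RE = re.compile(
    r"Adding cache entry with key = IDMAP/(\w+)/([^;\s]+); value = (\S+)")

# Excerpt of the log posted in comment #35 (wrapped exactly as on the page).
SAMPLE_LOG = """\
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key =
IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-98358; value = 62107
and timeout = Wed Oct  1 01:00:18 2008
   (604800 seconds ahead)
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_get(194)
  Cache entry with key =
IDMAP/SID2GID/S-1-5-21-2129867641-1992771036-1243820751-513 couldn't be found
[2008/09/24 01:00:18, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key =
IDMAP/SID2UID/S-1-5-21-2129867641-1992771036-1243820751-513; value = -1 and
timeout = Wed Sep 24 01:02:18 2008
   (120 seconds ahead)
"""


def iter_records(text):
    """Yield one string per log record, re-joining hard-wrapped lines."""
    current = None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if current is not None:
                yield " ".join(current)
            current = [line.strip()]
        elif current is not None and line.strip():
            current.append(line.strip())
    if current is not None:
        yield " ".join(current)


def find_mismatched_stores(text):
    """Return (missed_key, stored_key, value) for each store whose IDMAP key
    type differs from the lookup that just missed for the same identifier."""
    pending = {}   # identifier -> key type of the lookup that missed
    findings = []
    for record in iter_records(text):
        miss = MISS_RE.search(record)
        if miss:
            pending[miss.group(2)] = miss.group(1)
            continue
        store = STORE_RE.search(record)
        if not store:
            continue
        kind, ident, value = store.groups()
        wanted = pending.pop(ident, None)
        if wanted is not None and wanted != kind:
            findings.append(("IDMAP/%s/%s" % (wanted, ident),
                             "IDMAP/%s/%s" % (kind, ident),
                             value))
    return findings


if __name__ == "__main__":
    for missed, stored, value in find_mismatched_stores(SAMPLE_LOG):
        print("lookup missed %s but entry stored as %s (value %s)"
              % (missed, stored, value))
```

A hit means the result was cached under a key the next lookup of the same type will not read, so the same miss repeats on every request.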

------- Comment #44 From Christian McHugh 2008-09-24 21:53:34 CST -------
Hmmm. Like I said in comment #39, the nss link was not made at install, so I
created it manually.

root@egr214-01:/usr/local/samba/var$ ls -l /usr/local/samba/lib/nss_info/
total 8
lrwxrwxrwx   1 root     root          20 Sep 24 01:32 adex.so -> ../lib/idmap/adex.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 rfc2307.so -> ../idmap/ad.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 sfu.so -> ../idmap/ad.so
lrwxrwxrwx   1 root     root          14 Sep 23 22:35 sfu20.so -> ../idmap/ad.so

After a reboot to clear out any weirdness, I'm not seeing the missing nss
module error anymore. Yay.

But the output still looks the same:
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$

As for entries being entered into the PAS, I've been told by our domain team
that it has been done. Are you aware of any test I could run to confirm?

------- Comment #45 From Christian McHugh 2008-09-24 21:57:02 CST -------
Created an attachment (id=3630) [details]
logs again

Log files without the nss errors

Ran:
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
NAU-STUDENTS\mmchugh:*:62107:10003:Christian McHugh:/home/mmchugh:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop

------- Comment #46 From Gerald (Jerry) Carter 2008-09-25 11:12:28 CST -------
(In reply to comment #44)
> Hmmm. Like I said in comment #39, the nss link was not made at install, so I
> created it manually.
> 
> root@egr214-01:/usr/local/samba/var$ ls -l /usr/local/samba/lib/nss_info/
> total 8
> lrwxrwxrwx   1 root     root          20 Sep 24 01:32 adex.so -> ../lib/idmap/adex.so

Link is incorrect.  This should be ../idmap/adex.so.

------- Comment #47 From Christian McHugh 2008-09-25 11:47:40 CST -------
Oh wow. Color me embarrassed. Sorry about my bad link creation.

idmap_adex does appear to be working mostly for users on the domain that samba
is joined to (in this case NAU-STUDENTS).
But it looks like group lookups are still funky, as well as trust domains.

Doing a group lookup such as
wbinfo -G 12005
Could not convert gid 12005 to sid

fails, as well as getent group
root@egr214-01:/usr/local/samba/var$ getent group 'NAU-STUDENTS\cefns_it-staff'
root@egr214-01:/usr/local/samba/var$

the smb.conf used has idmap config statements for both domains:
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   idmap backend = adex
   idmap uid = 50 - 1000000
   idmap gid = 50 - 1000000
   idmap domains = NAU-STUDENTS NAU
   idmap config NAU-STUDENTS:backend = adex
   idmap config NAU-STUDENTS:range = 50 - 1000000
   idmap config NAU:backend = adex
   idmap config NAU:range = 50 - 1000000
   winbind nss info = adex
   winbind normalize names = yes
   winbind refresh tickets = yes
   template homedir = /home/%U
   template shell = /bin/bash

------- Comment #48 From Christian McHugh 2008-09-25 11:48:22 CST -------
Created an attachment (id=3635) [details]
logs

Logs from running:
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba start
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mmchugh'
mmchugh:*:62107:10000:Christian McHugh:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU-STUDENTS\mcm75'
mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU\mcm75'
root@egr214-01:/usr/local/samba/var$ getent passwd 'NAU\car3'
root@egr214-01:/usr/local/samba/var$ ../bin/wbinfo -G 12005
Could not convert gid 12005 to sid
root@egr214-01:/usr/local/samba/var$ /etc/init.d/NAUsamba stop

------- Comment #49 From Gerald (Jerry) Carter 2008-09-25 12:24:20 CST -------
ok.  This adex.so plugin is doing the right thing it seems but there is
a bug in the ordering of querying the plugins.   The failure for the NAU domain
is caused by prematurely ending the search list of plugins and never asking
adex.so at all.

------- Comment #50 From Christian McHugh 2008-09-25 14:22:42 CST -------
Also FYI, the 12005 gid I keep trying to look up also exists on the NAU-STUDENTS
domain. In general lookups seem to be working well for users, but not as well
for groups.

getent group 'NAU-STUDENTS\cefns_it-staff'    
is also failing.

------- Comment #51 From Christian McHugh 2008-10-02 10:15:19 CST -------
Just tried with 3.3.0pre2 and have the same problems. Still unable to do
lookups on groups and trusted domains.

------- Comment #52 From Gerald (Jerry) Carter 2008-10-02 10:32:18 CST -------
(In reply to comment #51)
> Just tried with 3.3.0pre2 and have the same problems. Still unable to do
> lookups on groups and trusted domains.
> 

Yeah.  I've found a bug.  Sorry I didn't get the fix in before pre2.  You are
still testing the adex.so plugin, right?  Mind if we open a new bug against that
library so that we don't confuse the issues here?

------- Comment #53 From Christian McHugh 2008-10-02 11:00:07 CST -------
> Mind if we open a new bug against that library
> so that we don't confuse the issues here?

Thanks Jerry. Opened bug 5806 about adex.

------- Comment #54 From Gerald (Jerry) Carter 2008-11-21 12:14:59 CST -------
If you are using the RFC2307 schema, please try the idmap_adex plugin in 
the v3-3 codebase.  Same principle but supporting domain trusts.

------- Comment #55 From Christian McHugh 2008-12-15 09:12:52 CST -------
This is marked as done in Samba 3.3.0rc2. Is that true?

------- Comment #56 From Michael Adam 2008-12-15 09:19:23 CST -------
(In reply to comment #55)
> This is marked as done in Samba 3.3.0rc2. Is that true?

Oh right, I forgot to comment here.
I have added trusted domain support to idmap_ad.

This does now work with _explicitly_ configured domains.
I.e. this works:

idmap config DOMAIN_1 : backend = ad
idmap config DOMAIN_1 : range = 10001-20000

idmap config DOMAIN_2 : backend = ad
idmap config DOMAIN_2 : range = 20001-30000

What does not yet work is using "ad" as the default
backend.

nss_info works with ad as well.
Here you can specify one of the ad flavours as the default backend
and/or explicitly configure backends for specific domains:

winbind nss info = rfc2307 sfu:DOMAIN_1 sfu20:DOMAIN_2

or like this

winbind nss info = template rfc2307:DOMAIN_1

Cheers - Michael
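
The configuration rules from comment #56, as an added example that is not part of the thread or of Samba's own code: a small Python audit that parses `idmap config` lines and flags a default `ad` backend, domains lacking a backend or range, and overlapping ranges. The sample text is constructed, and treating overlapping ranges as a finding is this example's assumption, based on the disjoint ranges shown in the comment.

```python
import re
# Constructed sample: comment #56's per-domain form plus lines modelled on comment #47.
SAMPLE_CONF = """\
   idmap backend = ad
   idmap config DOMAIN_1 : backend = ad
   idmap config DOMAIN_1 : range = 10001-20000
   idmap config DOMAIN_2 : backend = ad
   idmap config DOMAIN_2 : range = 20001-30000
   idmap config NAU:backend = adex
   idmap config NAU:range = 50 - 1000000
"""

DOMAIN_OPT = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
DEFAULT_BACKEND = re.compile(r"^\s*idmap\s+backend\s*=\s*(\S+)", re.I)
ID_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_idmap(conf_text):
    """Return (default_backend, {DOMAIN: {"backend": str, "range": (lo, hi)}})."""
    default, domains = None, {}
    for line in conf_text.splitlines():
        if m := DEFAULT_BACKEND.match(line):
            default = m.group(1).lower()
        elif m := DOMAIN_OPT.match(line):
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            entry = domains.setdefault(dom, {})
            if key == "range":
                if r := ID_RANGE.match(val):        # malformed ranges stay unset
                    entry["range"] = (int(r.group(1)), int(r.group(2)))
            else:
                entry[key] = val.lower()
    return default, domains

def audit(conf_text):
    """List findings: default 'ad' backend, incomplete domains, overlapping ranges."""
    default, domains = parse_idmap(conf_text)
    findings = []
    if default == "ad":
        findings.append("default backend is 'ad' (comment #56: does not yet work)")
    for dom in sorted(domains):
        if not domains[dom].keys() >= {"backend", "range"}:
            findings.append(f"{dom}: missing backend or valid range")
    ranged = sorted((e["range"], d) for d, e in domains.items() if "range" in e)
    for i, ((_, hi1), d1) in enumerate(ranged):
        for (lo2, _), d2 in ranged[i + 1:]:
            if lo2 <= hi1:                          # list is sorted by low bound
                findings.append(f"{d1} and {d2}: ranges overlap")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```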

------- Comment #57 From Christian McHugh 2009-01-15 13:07:41 CST -------
*** Bug 5363 has been marked as a duplicate of this bug. ***

------- Comment #58 From Christian McHugh 2009-02-25 10:08:37 CST -------
Not sure if this is considered the same bug, so if this should be a new report
please let me know. 

Looks like groups lookups are broken (at least on solaris 10) with idmap_ad

root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent passwd 'NAU-STUDENTS\mcm75'
NAU-STUDENTS\mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent group 'NAU-STUDENTS\cefns_test2'
NAU-STUDENTS\cefns_test2:x:1201:NAU-STUDENTS\mcm75,NAU-STUDENTS\mmchugh,NAU\car3,NAU\mcm75
root@egr214-01:/usr/local/src/samba-3.3.1/source$ groups 'NAU-STUDENTS\mcm75'
10000

------- Comment #59 From Michael Adam 2009-05-12 15:38:53 CST -------
Hi Christian,

(In reply to comment #58)
> Not sure if this is considered the same bug, so if this should be a new report
> please let me know. 
> 
> Looks like groups lookups are broken (at least on solaris 10) with idmap_ad
> 
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent passwd 'NAU-STUDENTS\mcm75'
> NAU-STUDENTS\mcm75:*:62107:10000:mcm75:/home/mcm75:/bin/bash
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ getent group 'NAU-STUDENTS\cefns_test2'
> NAU-STUDENTS\cefns_test2:x:1201:NAU-STUDENTS\mcm75,NAU-STUDENTS\mmchugh,NAU\car3,NAU\mcm75
> root@egr214-01:/usr/local/src/samba-3.3.1/source$ groups 'NAU-STUDENTS\mcm75'
> 10000

I think this is a different bug.
For me idmap_ad with trusted domains is working in 3.3.

Also, I have not been able to reproduce your problem (on linux):
samba ad member, one trusted domain with idmap_ad. group on
a user from the trusted domain is correctly showing groups.

Christian, could you please open a new bug for samba 3.3,
and provide config and other details along with that?

Thanks! - Michael

------- Comment #60 From Michael Adam 2009-05-12 15:41:43 CST -------
Marking this bug fixed - it is fixed in 3.3.
Won't be fixed in lower versions of samba.
Cheers - Michael
