Re: [Samba] How can I confirm that idmap_ad is being used?

2011-06-03 Thread Kai Lanz

Daniel,

On May 18, 2011, at 12:00 AM, Zabel, Daniel wrote:

>> I've looked at that file; it's empty. (Not a single entry.) I run
>> my tests with winbindd -n -d 10 -D.
>
> Try to add to your smb.conf:
>
> log level = 3 idmap:10 winbind:10
>
> to force idmap logging also to Debuglevel 10.

I've discovered that Samba is writing to log files under
/usr/local/samba/var, as well as to files under /var/log/samba. (Why is
it doing that? In smb.conf it is told to put log files in
/var/log/samba.) Anyway, now I can see that idmap_ad is being called and
is making log entries at debug level 10.

This enabled me to see that my idmap config SU : range settings were
wrong -- I was filtering out values I wanted to see. Once I set the
ranges correctly, wbinfo -S started to work. (I can now map a user SID
to the correct Unix numerical UID.) The other wbinfo mappings still
fail: U, G, and Y.

> Did net ads testjoin and net ads info work?

Yes, both these commands work.

> Nsswitch.conf is important!
>
> Should look like this:
>
> passwd: files winbind
> group:  files winbind

I've configured my nsswitch.conf like this, but it made no difference.

> These winbind relevant settings I have also in my config
>
>    winbind nss info = rfc2307 template
>    winbind normalize names = yes
>    winbind use default domain = yes
>    winbind offline logon = yes
>    winbind cache time = 180
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind nested groups = yes
>    winbind trusted domains only = no

Thanks; I altered my config to match these settings, but again, it
didn't affect my wbinfo tests.


--
Kai Lanz



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
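
The range problems discussed in this thread (a range that filters out the IDs you want, ranges that are not disjoint between domains, and a truncated range such as `1 -`) can be checked offline before restarting winbindd. This is an added example, not part of the original thread or of Samba; the LAB domain and all numeric ranges and IDs below are constructed sample values.

```python
import re

# Matches "idmap config DOMAIN : range = <value>"; the value is validated separately.
RANGE_LINE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(.*?)\s*$", re.I)
RANGE_VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_ranges(conf_text):
    """Return ({domain: (low, high)}, [problems]) for the idmap config range lines."""
    ranges, problems = {}, []
    for line in conf_text.splitlines():
        m = RANGE_LINE.match(line)
        if not m:
            continue
        domain, value = m.group(1), m.group(2)
        v = RANGE_VALUE.match(value)
        if not v:
            problems.append(f"{domain}: invalid range syntax: {value!r}")
            continue
        low, high = int(v.group(1)), int(v.group(2))
        if low > high:
            problems.append(f"{domain}: low {low} is above high {high}")
            continue
        ranges[domain] = (low, high)
    return ranges, problems

def overlaps(ranges):
    """List pairs of domains whose ranges share at least one ID."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def filtered_out(ranges, domain, ids):
    """IDs stored in AD for `domain` that fall outside its range and would be ignored."""
    low, high = ranges[domain]
    return [i for i in ids if not low <= i <= high]

# Constructed sample: SU and WIN overlap, and LAB has a truncated range.
SAMPLE_CONF = """
idmap config SU : backend = ad
idmap config SU : range = 1000 - 19999
idmap config WIN : backend = ad
idmap config WIN : range = 15000 - 29999
idmap config LAB : range = 1 -
"""

if __name__ == "__main__":
    ranges, problems = parse_ranges(SAMPLE_CONF)
    print(problems, overlaps(ranges))
    print(filtered_out(ranges, "SU", [1500, 25000, 70000]))
```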


Re: [Samba] How can I confirm that idmap_ad is being used?

2011-05-19 Thread Zabel, Daniel

Hi Kai,

Have a look at:

log.winbindd-idmap

Also have a look at:
https://bugzilla.samba.org/show_bug.cgi?id=6322

Not totally sure, but I think you have to configure it separately for each
domain for which you want to use it, using disjoint ranges.

Cheers,

Daniel




Re: [Samba] How can I confirm that idmap_ad is being used?

2011-05-19 Thread Kai Lanz


Hi Daniel,

On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:


> Have a look at:
>
> log.winbindd-idmap

I've looked at that file; it's empty. (Not a single entry.) I run my
tests with winbindd -n -d 10 -D.

> Also have a look at:
> https://bugzilla.samba.org/show_bug.cgi?id=6322

Now, this is interesting! The problem Edgar Holleis describes sounds
exactly like the one I am facing. See my post to the Samba mailing list,
Winbindd can't convert between SIDs and uid/gid. Edgar said:

   Winbind correctly resolves:
   User-Name-SID (wbinfo -n), Group-Name-SID (wbinfo -s)
   What doesn't work:
   SID-UID (wbinfo -S), UID-SID (wbinfo -U),
   SID-GID (wbinfo -Y), GID-UID (wbinfo -G)

(Except, wbinfo -s is SID-User-name, the reverse of wbinfo -n, not
Group-Name-SID as Edgar wrote...)

That's the same pattern of success and failure I get in my wbinfo tests.

So, how does one go from Edgar's bug report, with 4 failing wbinfo
queries, to your comment, wbinfo resolves everything correctly? I'm
running samba-3.5.8 on OpenSolaris. Following Michael Adam's example, I
tried the following in my smb.conf:

   idmap backend = tdb
   idmap uid = 5 - 9
   idmap gid = 5 - 9

   idmap config SU : backend = ad
   idmap config SU : schema_mode = rfc2307
   idmap config SU : range = 1 - 2
   idmap config WIN : backend = ad
   idmap config WIN : schema_mode = rfc2307
   idmap config WIN : range = 3 - 4

Note the disjoint ranges for each domain. I still get the same
failures with wbinfo S, U, G, and Y. It seems I'm still missing
something, since our wbinfo doesn't resolve everything correctly. Is
nsswitch.conf important, perhaps? It doesn't seem to make any
difference whether I add winbind to the passwd and group lines or not.
Is that expected?



--
Kai Lanz



Re: [Samba] How can I confirm that idmap_ad is being used?

2011-05-19 Thread Zabel, Daniel

Hi Kai,

> I've looked at that file; it's empty. (Not a single entry.) I run my tests
> with winbindd -n -d 10 -D.

Try to add to your smb.conf:

log level = 3 idmap:10 winbind:10

to force idmap logging also to Debuglevel 10.

> Note the disjoint ranges for each domain. I still get the same failures with
> wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo
> doesn't resolve everything correctly. Is nsswitch.conf important, perhaps?
> It doesn't seem to make any difference whether I add winbind to the passwd
> and group lines or not. Is that expected?

Did net ads testjoin and net ads info work?

Nsswitch.conf is important!

Should look like this:

passwd: files winbind
group:  files winbind

These winbind relevant settings I have also in my config

   winbind nss info = rfc2307 template
   winbind normalize names = yes
   winbind use default domain = yes
   winbind offline logon = yes
   winbind cache time = 180
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind trusted domains only = no

Cheers,

Daniel



[Samba] How can I confirm that idmap_ad is being used?

2011-05-17 Thread Kai Lanz


How can I confirm that idmap_ad is being called?

I've configured Samba with --with-shared-modules=idmap_ad, built and
installed it; the file ad.so is now present in /usr/local/samba/lib/idmap/
as expected. I then added the following to smb.conf:

   idmap backend = tdb
   idmap uid = 65536 - 99
   idmap gid = 65536 - 99

   idmap config SU : backend = ad
   idmap config SU : schema_mode = rfc2307
   idmap config SU : range = 1 - 65535
   idmap config WIN : backend = ad
   idmap config WIN : schema_mode = rfc2307
   idmap config WIN : range = 1 - 65535

Now I fire up winbindd with debug-level = 10, and issue some queries via
wbinfo. Some requests work as expected, some fail, but when I look in
log.winbindd I never see any reference to idmap.c or idmap_ad.c. I'd like
to confirm that this module is being used.

I went so far as to deliberately break the smb.conf by specifying

   idmap config SU range = 1 -

which I expected to produce an error from idmap_ad_initialize(), invalid
filter range. But that message is never logged; instead I see only errors
from winbindd_util.c, add_trusted_domain():

[2011/05/16 16:57:11.442318,  1] winbindd/winbindd_util.c:204(add_trusted_domain)
  invalid range syntax in idmap config SU: 1 -

Have I missed out on some crucial bit of configuration that's required to
enable idmap_ad?

--
Kai Lanz  Stanford University  School of Earth Sciences
