Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

2012-07-12 Thread Kevin Elliott
I read the bugreport that Dale linked and ended up using the workaround listed 
there.

Changes made to '/etc/samba/smb.conf' follow:
  @@ -28,9 +28,12 @@
   winbind enum users = Yes
   winbind enum groups = Yes
   panic action = /usr/share/samba/panic-action %d
  -idmap config CBJ_NT:backend = rid
  -idmap config CBJ_NT:base_rid = 0
  -idmap config CBJ_NT:range = 1-65533
  +idmap config * : backend = rid
  +idmap config * : base_rid = 0
  +idmap config * : range = 1-65533
   idmap config LIBRARY:backend = rid
   idmap config LIBRARY:base_rid = 0
   idmap config LIBRARY:range = 65535-7  
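
Review bot: the added `idmap config * : range = 1-65533` line starts the default range at ID 1, so rid-mapped domain accounts can receive UIDs/GIDs that already belong to local system accounts. Because the explicit CBJ_NT lines are removed, CBJ_NT now shares that wildcard range with every other domain that has no stanza of its own. Suggest keeping a per-domain CBJ_NT stanza and giving `*` a separate range that begins above the local account IDs and overlaps no domain range. The context line `idmap config LIBRARY:range = 65535-7`, as shown, has a lower bound above its upper bound and is worth checking against the real file.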

Does anyone have any idea why not explicitly specifying the domain fixes this 
issue?




 -Original Message-
 From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
 Sent: Tuesday, July 10, 2012 11:18
 To: Kevin Elliott
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Samba 3.6.5, idmap configuration and 
 WBC_ERR_DOMAIN_NOT_FOUND
 
 On 07/10/2012 12:56 PM, Kevin Elliott wrote:
  Hello all,
 
  I recently upgraded from Samba 3.5.6 (the version contained in Debian
  Stable) to Samba 3.6.5 (the version from Debian Backports) in an effort
  to closer track the current development to try and chase some long
  standing bugs out.
 
  I think I've resolved one problem but introduced another. I'm getting
  the WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup
  much like so:
 
  city-liza-lnx:/var/log/samba# wbinfo -t
  checking the trust secret for domain CBJ_NT via RPC calls succeeded
  city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
  S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
  city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
  CBJ_NT+kevin_elliott 1
  city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
  failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
  Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid
 
 
  This looks like it has all the markings of following bugreport:
 
  https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679
 
 
 
  Before I follow this upstream can someone sanity check my configs for me?
  I understand that much has changed between 3.5 and 3.6 regarding the
  idmapping.
 
 
  [global]
   workgroup = CBJ_NT
   realm = CBJ.LOCAL
   netbios aliases = CITY-LIZA-L90, CITY-LIZA
   server string = External FTP Server
   interfaces = 199.58.55.87/22, lo
   bind interfaces only = Yes
   security = ADS
   obey pam restrictions = Yes
   passdb backend = tdbsam
   password server = 199.58.55.25, 199.58.55.50
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   client NTLMv2 auth = Yes
   log level = 10
   log file = /var/log/samba/log.%m
   max log size = 2500
   printcap name = cups
   os level = 5
   local master = No
   domain master = No
   wins server = 199.58.55.25
   ldap ssl = no
   winbind enum users = Yes
   winbind enum groups = Yes
   panic action = /usr/share/samba/panic-action %d
   idmap config CBJ_NT:backend = rid
   idmap config CBJ_NT:base_rid = 0
   idmap config CBJ_NT:range = 1-65533
   idmap config LIBRARY:backend = rid
   idmap config LIBRARY:base_rid = 0
   idmap config LIBRARY:range = 65535-7
   winbind separator = +
   winbind use default domain = Yes
 
  [ftp]
   comment = FTP directory
   path = /var/ftp/pub/
   valid users = @CBJ_NT+domain users
   read only = No
   create mask = 0775
   directory mask = 0775
   hide unreadable = Yes
 
 
 
  Thank you for your consideration.
 
 
 Kevin,
 
 With idmap rid, it could also be this one:
 
 https://bugzilla.samba.org/show_bug.cgi?id=8676
 
 This bug has been in every version of 3.6.  For me, a reboot 
 of the system usually will fix the problem until the next 
 samba/winbind restart is required; others have not been so fortunate.
 
 Dale
 
 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

2012-07-12 Thread Heather Choi
I think you might be missing some stuff in the prior config you had.  
The following works for me with Samba 3.6.6:


   idmap config * : backend = tdb
   idmap config * : range = 100-199

   idmap config MYDOMAIN : backend  = rid
   idmap config MYDOMAIN : range = 1000-99
   idmap config MYDOMAIN : base_rid= 0

You need the * entry in there because you need a range for defaults.  I 
only have a single domain (and yes it's not called MYDOMAIN:-) ). For 
instance, I have log files named:

  log.wb-BUILTIN
  log.wb-MYDOMAIN
  log.wb-HOSTNAME

I do not have the winbind enum groups or users defined in my config 
file.  The default is no for both.  Also, winbind refused to function 
properly when I attempted setting  the backend for my domain as tdb.  
Everywhere I've read, rid is safe for multiple domains and multiple 
winbind enabled systems, so long as those ranges are consistent 
throughout your winbind systems' config settings, and they have 
completely separate ranges.  They must not overlap!


Sample output:

   [hchoi@HOSTNAME hchoi](30)# wbinfo -i hchoi
   hchoi:*:2601:1513::/home/hchoi:/bin/bash

   [hchoi@HOSTNAME hchoi](31)# id hchoi
   uid=2601(hchoi) gid=1513(domain users) groups=1513(domain
   users),...,101(BUILTIN\users)

   [hchoi@HOSTNAME hchoi](34)# wbinfo -i administrator
   administrator:*:1500:1513::/home/administrator:/bin/bash

   [hchoi@HOSTNAME hchoi](32)# id administrator
   uid=1500(administrator) gid=1513(domain users) groups=1513(domain
   users),1520(group policy creator owners),1512(domain
   admins),2106(organization management),1519(enterprise
   admins),1518(schema
   admins),101(BUILTIN\users),100(BUILTIN\administrators)

My remaining smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.NET
server string = Linux Server
security = ADS
ntlm auth = No
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 1000
max protocol = SMB2
load printers = No
printcap name = /dev/null
disable spoolss = Yes
wins server = 192.168.10.10, 192.168.10.11
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind offline logon = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
...

krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[domain_realm]
 .mydomain.net = MYDOMAIN.NET
 mydomain.net = MYDOMAIN.NET


Hope this helps..

On 07/12/2012 01:06 PM, Kevin Elliott wrote:

I read the bugreport that Dale linked and ended up using the workaround listed 
there.

Changes made to '/etc/samba/smb.conf' follow:
   @@ -28,9 +28,12 @@
winbind enum users = Yes
winbind enum groups = Yes
panic action = /usr/share/samba/panic-action %d
   -idmap config CBJ_NT:backend = rid
   -idmap config CBJ_NT:base_rid = 0
   -idmap config CBJ_NT:range = 1-65533
   +idmap config * : backend = rid
   +idmap config * : base_rid = 0
   +idmap config * : range = 1-65533
idmap config LIBRARY:backend = rid
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:range = 65535-7
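
Review bot: the hunk header `@@ -28,9 +28,12 @@` declares 12 lines on the new side, but only 9 are shown (3 context, 3 added, 3 context), so either three added lines are missing from what was posted or the header does not match the change. Please post the complete hunk so it is clear whether the `*` lines replaced the CBJ_NT lines or were added alongside other settings, since that decides which domains fall under each range.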

Does anyone have any idea why not explicitly specifying the domain fixes this 
issue?





-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Tuesday, July 10, 2012 11:18
To: Kevin Elliott
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.6.5, idmap configuration and
WBC_ERR_DOMAIN_NOT_FOUND

On 07/10/2012 12:56 PM, Kevin Elliott wrote:

Hello all,

I recently upgraded from Samba 3.5.6 (the version contained
in Debian Stable) to Samba 3.6.5 (the version from Debian
Backports) in an effort to closer track the current
development to try and chase some long standing bugs out.

I think I've resolved one problem but introduced another.
I'm getting the WBC_ERR_DOMAIN_NOT_FOUND when I try to
perform a SID to UID lookup much like so:

city-liza-lnx:/var/log/samba# wbinfo -t
checking the trust secret for domain CBJ_NT via RPC calls succeeded
city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
CBJ_NT+kevin_elliott 1
city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid


This looks like it has all the markings of following
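
An added example, not part of any post in this thread and not Samba code: a small checker for the `idmap config` rules discussed above (a `*` default entry, ranges that do not overlap) together with the idmap_rid mapping ID = RID - BASE_RID + LOW_RANGE_ID. The sample configuration is constructed, and the `min_id` floor of 1000, used to keep mapped IDs clear of local system accounts, is an assumption.

```python
import re
# Matches "idmap config DOMAIN : option = value"; spacing around ':' varies.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Collect idmap options per domain from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def check_idmap(conf_text, min_id=1000):
    """List findings; min_id is an assumed floor above local system IDs."""
    domains, findings, ranges = parse_idmap(conf_text), [], []
    if "*" not in domains:
        findings.append("no 'idmap config * :' default domain")
    for dom, opts in sorted(domains.items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            findings.append(f"{dom}: missing or malformed range")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low >= high:
            findings.append(f"{dom}: range {low}-{high} is inverted")
            continue
        if low < min_id:
            findings.append(f"{dom}: range starts at {low}, below {min_id}")
        for other, olow, ohigh in ranges:
            if low <= ohigh and olow <= high:
                findings.append(f"{dom}: range overlaps {other}")
        ranges.append((dom, low, high))
    return findings

def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

# Constructed sample configuration (not taken from the thread).
SAMPLE = """
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config EXAMPLE : range = 15000-99999
idmap config OTHER:range = 1-65533
"""
if __name__ == "__main__":
    print(*check_idmap(SAMPLE), sep="\n")
```

With a low range bound of 1000 and `base_rid` 0, RID 500 maps to 1500 and RID 513 to 1513, which matches the `administrator` and `domain users` IDs in the sample output above.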

[Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

2012-07-10 Thread Kevin Elliott
Hello all,

I recently upgraded from Samba 3.5.6 (the version contained in Debian Stable) 
to Samba 3.6.5 (the version from Debian Backports) in an effort to closer track 
the current development to try and chase some long standing bugs out.

I think I've resolved one problem but introduced another. I'm getting the 
WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup much like 
so:

city-liza-lnx:/var/log/samba# wbinfo -t
checking the trust secret for domain CBJ_NT via RPC calls succeeded
city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
city-liza-lnx:/var/log/samba# wbinfo -s 
S-1-5-21-505306839-1977890393-20515302-14949
CBJ_NT+kevin_elliott 1
city-liza-lnx:/var/log/samba# wbinfo -S 
S-1-5-21-505306839-1977890393-20515302-14949
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid


This looks like it has all the markings of following bugreport:

https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679



Before I follow this upstream can someone sanity check my configs for me? I 
understand that much has changed between 3.5 and 3.6 regarding the idmapping.


[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90, CITY-LIZA
server string = External FTP Server
interfaces = 199.58.55.87/22, lo
bind interfaces only = Yes
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam
password server = 199.58.55.25, 199.58.55.50
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 10
log file = /var/log/samba/log.%m
max log size = 2500
printcap name = cups
os level = 5
local master = No
domain master = No
wins server = 199.58.55.25
ldap ssl = no
winbind enum users = Yes
winbind enum groups = Yes
panic action = /usr/share/samba/panic-action %d
idmap config CBJ_NT:backend = rid
idmap config CBJ_NT:base_rid = 0
idmap config CBJ_NT:range = 1-65533
idmap config LIBRARY:backend = rid
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:range = 65535-7
winbind separator = +
winbind use default domain = Yes

[ftp]
comment = FTP directory
path = /var/ftp/pub/
valid users = @CBJ_NT+domain users
read only = No
create mask = 0775
directory mask = 0775
hide unreadable = Yes



Thank you for your consideration.

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 


Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

2012-07-10 Thread Dale Schroeder

On 07/10/2012 12:56 PM, Kevin Elliott wrote:

Hello all,

I recently upgraded from Samba 3.5.6 (the version contained in Debian Stable) 
to Samba 3.6.5 (the version from Debian Backports) in an effort to closer track 
the current development to try and chase some long standing bugs out.

I think I've resolved one problem but introduced another. I'm getting the 
WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup much like 
so:

city-liza-lnx:/var/log/samba# wbinfo -t
checking the trust secret for domain CBJ_NT via RPC calls succeeded
city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
city-liza-lnx:/var/log/samba# wbinfo -s 
S-1-5-21-505306839-1977890393-20515302-14949
CBJ_NT+kevin_elliott 1
city-liza-lnx:/var/log/samba# wbinfo -S 
S-1-5-21-505306839-1977890393-20515302-14949
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid


This looks like it has all the markings of following bugreport:

https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679



Before I follow this upstream can someone sanity check my configs for me? I 
understand that much has changed between 3.5 and 3.6 regarding the idmapping.


[global]
 workgroup = CBJ_NT
 realm = CBJ.LOCAL
 netbios aliases = CITY-LIZA-L90, CITY-LIZA
 server string = External FTP Server
 interfaces = 199.58.55.87/22, lo
 bind interfaces only = Yes
 security = ADS
 obey pam restrictions = Yes
 passdb backend = tdbsam
 password server = 199.58.55.25, 199.58.55.50
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
 client NTLMv2 auth = Yes
 log level = 10
 log file = /var/log/samba/log.%m
 max log size = 2500
 printcap name = cups
 os level = 5
 local master = No
 domain master = No
 wins server = 199.58.55.25
 ldap ssl = no
 winbind enum users = Yes
 winbind enum groups = Yes
 panic action = /usr/share/samba/panic-action %d
 idmap config CBJ_NT:backend = rid
 idmap config CBJ_NT:base_rid = 0
 idmap config CBJ_NT:range = 1-65533
 idmap config LIBRARY:backend = rid
 idmap config LIBRARY:base_rid = 0
 idmap config LIBRARY:range = 65535-7
 winbind separator = +
 winbind use default domain = Yes

[ftp]
 comment = FTP directory
 path = /var/ftp/pub/
 valid users = @CBJ_NT+domain users
 read only = No
 create mask = 0775
 directory mask = 0775
 hide unreadable = Yes



Thank you for your consideration.



Kevin,

With idmap rid, it could also be this one:

https://bugzilla.samba.org/show_bug.cgi?id=8676

This bug has been in every version of 3.6.  For me, a reboot of the 
system usually will fix the problem until the next samba/winbind restart 
is required; others have not been so fortunate.


Dale
