Gentoo Forums
linux client to authenticate windows server using idmap_rid
Gentoo Forums Forum Index Networking & Security
mattmatteh
Guru
Joined: 10 Mar 2004
Posts: 449
Location: near chicago

PostPosted: Wed Jun 25, 2014 10:57 pm    Post subject: linux client to authenticate windows server using idmap_rid

I am trying to get this working https://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html
Code:
[global]
        workgroup = MYWORK
        realm = MYWORK.COM
        server string = Samba Server
        security = ADS
        allow trusted domains = No
        kerberos method = secrets and keytab
        max protocol = SMB2
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        show add printer wizard = No
        local master = No
        domain master = No
        template homedir = /home/%U
        template shell = /bin/bash
        winbind refresh tickets = Yes
        idmap config * : range = 20000 - 21000
        idmap config MYWORK : range = 1000 - 10000
        idmap config MYWORK : base_rid = 1000
        idmap config MYWORK : backend = rid
        idmap config * : backend = tdb
        invalid users = root

I thought this was working earlier this afternoon, but it is not now.
Code:
dataservicesmj / # net rpc testjoin MYWORK\\matth
Unable to find a suitable server for domain MYWORK
Join to domain 'MYWORK' is not valid: NT_STATUS_UNSUCCESSFUL

dataservicesmj / # net rpc testjoin matth
Unable to find a suitable server for domain MYWORK
Join to domain 'MYWORK' is not valid: NT_STATUS_UNSUCCESSFUL

wbinfo mostly works except for -i and -r
Code:
dataservicesmj / # wbinfo -i MYWORK\\matth
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user MYWORK\matth

dataservicesmj / # wbinfo -i matth
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user matth

dataservicesmj / # wbinfo -r MYWORK\\matth
2982
5199
6202

dataservicesmj / # wbinfo -r matth
2982
5199
6202

dataservicesmj / # wbinfo -n matth
S-1-5-21-1101513176-159291237-519397536-5811 SID_USER (1)

dataservicesmj / # wbinfo -n MYWORK\\matth
S-1-5-21-1101513176-159291237-519397536-5811 SID_USER (1)
dataservicesmj / #

dataservicesmj / # wbinfo -S S-1-5-21-1101513176-159291237-519397536-5811
5811
dataservicesmj / # wbinfo -s S-1-5-21-1101513176-159291237-519397536-5811
MYWORK\matth 1

dataservicesmj / # wbinfo -u | wc -l
397

I kinda had this working a few days ago. While trying to get pam_mount to work it started acting up. By that I mean the UID was either 6811 or 4811. While messing with pam, I never touched nsswitch, pam.d/* or smb.conf; ls -l showed time stamps from last week. And it would not work at all if I blew away /var/cache/samba, which shouldn't matter since there is no local id mapping; that's the whole point of using rid, I thought.

I am really stumped as to why this is not working. Either I have this set up wrong, the server is weird, or I found a bug. Also, the server is Windows and I do not maintain it. The other IT guy stopped by to enter the Administrator passwd to grant machine authentication (if that's the right term for it).
vaxbrat
l33t
Joined: 05 Oct 2005
Posts: 731
Location: DC Burbs

PostPosted: Thu Jun 26, 2014 4:38 am    Post subject: why still using "net rpc"?

"net rpc" was used for NT style domains, you want to do

Code:
net ads testjoin


idmap_rid still caches sid information in the winbind tdb file in /var/lib/samba. When I have trouble with the domain, I will be blowing away the tdb files in /var/lib/samba while debugging what's wrong with winbind. I also blow away everything in /var/log/samba between restarts of the services.

The way idmap_rid works is that it uses the 'relative' id part of a sid when mapping sids to rids. The algorithm used guarantees that a sid for a domain will map to the same uid or gid no matter what. When juggling multiple domains, the "idmap domain" newer style syntax allows a multi-domain site to avoid rid collisions by assigning subranges of the "idmap alloc" range to each domain.

So yeah, you do care about the winbind<mumble>.tdb files because winbind will look at them first before going out to query the domain. If a misconfigure from before generated garbage, you will still have problems until you blow them away.

The default logging for winbind and winbind_idmap is not good enough usually if you are having configuration problems. Go into your /etc/conf.d/samba to change:

Code:
winbind_start_options=""


to something higher like

Code:
winbind_start_options="-d5"


You then might get a clue in the idmap log in /var/log/samba about the horrors going on between your samba and the dc.

My typical winbind test looks like:

Stop samba
Fix smb.conf or whatever
turn on winbind daemon debugging as I noted
blow away the .tdb files in /var/lib/samba
rm -rf everything inside /var/log/samba
start samba
"getent passwd"

If that getent doesn't work, look at the idmap and other /var/log/samba files
vaxbrat

PostPosted: Thu Jun 26, 2014 4:44 am    Post subject: Also

Take a look at this thread. That example works fine for Samba running on RHEL5 but the idmap syntax changed in versions newer than 3.4.x such as is found in RHEL6 and gentoo.

https://forums.gentoo.org/viewtopic-t-991562-highlight-.html
mattmatteh

PostPosted: Thu Jun 26, 2014 3:50 pm    Post subject: Re: why still using "net rpc"?

vaxbrat wrote:
"net rpc" was used for NT style domains, you want to do
Code:
net ads testjoin
That works
Code:
dataservicesmj samba # net ads testjoin
Join is OK
vaxbrat wrote:
idmap_rid still caches sid information in the winbind tdb file in /var/lib/samba. When I have trouble with the domain, I will be blowing away the tdb files in /var/lib/samba while debugging what's wrong with winbind. I also blow away everything in /var/log/samba between restarts of the services.
I have done this many times, and just now too.
vaxbrat wrote:
The way idmap_rid works is that it uses the 'relative' id part of a sid when mapping sids to rids. The algorithm used guarantees that a sid for a domain will map to the same uid or gid no matter what. When juggling multiple domains, the "idmap domain" newer style syntax allows a multi-domain site to avoid rid collisions by assigning subranges of the "idmap alloc" range to each domain.
I was wondering what the difference was. For now I only need to worry about 1 domain.
vaxbrat wrote:
Code:
winbind_start_options="-d5"
Just added that now.
vaxbrat wrote:

You then might get a clue in the idmap log in /var/log/samba about the horrors going on between your samba and the dc.

My typical winbind test looks like:

Stop samba
Fix smb.conf or whatever
turn on winbind daemon debugging as I noted
blow away the .tdb files in /var/lib/samba
rm -rf everything inside /var/log/samba
start samba
"getent passwd"

If that getent doesn't work, look at the idmap and other /var/log/samba files
This looks strange. My computer name is a domain name?
Code:
/var/log/log.wb-DATASERVICESMJ  has several lines like this
name_to_sid: DATASERVICESMJ\ROOT for domain DATASERVICESMJ
Does this look right? I am reading that as my computer name is a domain name?
Code:
dataservicesmj samba # wbinfo --online-status
BUILTIN : online
DATASERVICESMJ : online
JETLITHO : online
mattmatteh

PostPosted: Thu Jun 26, 2014 5:55 pm

Also just found this
Code:
log.winbindd-idmap:  no backend defined for idmap config DATASERVICESMJ
again suggesting that something thinks my computer name is a domain
mattmatteh

PostPosted: Thu Jun 26, 2014 7:04 pm

Should this fail?
Code:
nmblookup -U jservdc01.mywork.com -R dataservicesmj
name_query failed to find name dataservicesmj
This works
Code:
nmblookup -U dataservicesmj.mywork.com -R dataservicesmj
Got a positive name query response from 10.201.1.93 ( 10.201.1.93 )
10.201.1.93 dataservicesmj<00>
mattmatteh

PostPosted: Thu Jun 26, 2014 8:39 pm

Just tried
Code:
wbinfo -i matth
and got this
Code:
dataservicesmj / # grep -r -C 10  matth /var/log/samba/*
/var/log/samba/log.winbindd-  msg_try_to_go_online: received for domain MYWORK.
/var/log/samba/log.winbindd-[2014/06/26 15:34:08.404195,  5] winbindd/winbindd_cm.c:164(msg_try_to_go_online)
/var/log/samba/log.winbindd-  msg_try_to_go_online: domain MYWORK already online.
/var/log/samba/log.winbindd-[2014/06/26 15:34:08.404557,  5] winbindd/winbindd_dual.c:506(winbind_child_died)
/var/log/samba/log.winbindd-  Already reaped child 23204 died
/var/log/samba/log.winbindd-[2014/06/26 15:34:09.005788,  3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
/var/log/samba/log.winbindd-  [23205]: request interface version
/var/log/samba/log.winbindd-[2014/06/26 15:34:09.006075,  3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
/var/log/samba/log.winbindd-  [23205]: request location of privileged pipe
/var/log/samba/log.winbindd-[2014/06/26 15:34:09.006438,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
/var/log/samba/log.winbindd:  getpwnam matth
/var/log/samba/log.winbindd-[2014/06/26 15:34:09.015517,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
/var/log/samba/log.winbindd-  Could not convert sid S-1-5-21-1101513176-159291237-519397536-5811: NT_STATUS_NONE_MAPPED
Looks like samba never tries the server MYWORK since I don't see any log for /var/log/samba/log.wb-MYWORK
Code:
dataservicesmj / # grep -r NT_STATUS_NONE_MAPPED /var/log/samba/* | uniq
/var/log/samba/log.wb-DATASERVICESMJ:  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-1-5-32-544: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-1-5-32-545: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-1-5-21-1101513176-159291237-519397536-5811: NT_STATUS_NONE_MAPPED
here is /etc/krb5.conf
Code:
[libdefaults]
        default_realm = MYWORK.COM
        forwardable = true
        fcc-mit-ticketflags = true
        default_keytab_name = FILE:/etc/krb5.keytab

[realms]
        MYWORK.COM = {
                kdc = jservdc01.mywork.com
                admin_server = jservdc01.mywork.com
                default_domain = MYWORK.COM
        }

[domain_realm]
        .mywork.com = MYWORK.COM
        mywork.com = MYWORK.COM

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
vaxbrat

PostPosted: Fri Jun 27, 2014 2:07 am    Post subject: I think your "new style" syntax for idmap is wrong

I don't have a new flavor of example config nearby to post at the moment, but I think you have a syntax problem with your idmap config stanzas based on this:

Quote:
also just found this
Code:
log.winbindd-idmap:  no backend defined for idmap config DATASERVICESMJ

again suggesting that something thinks my computer name is a domain


I had a similar problem trying to specify the backend of a domain as a rid at one point with bad syntax and got a similar error. You might want to stare at the idmap config sections of the manpage for smb.conf for a good while. The syntax error is probably what was making everything else go horribly wrong and I have seen cases where a "testparm" didn't find anything wrong with a bad config.

I think you might want to do something like:

Code:
#
#  Sets the entire range and uses tdb for the backend cache
#
idmap config * : backend = tdb
idmap config * : range = 20000 - 21000
#
#  use rid for MYWORK
#
idmap config MYWORK : backend = rid
#
#  only one domain so grab the entire range for it
#
idmap config MYWORK : range = 20000 - 21000


in place of all this:

Code:
        idmap config * : range = 20000 - 21000
        idmap config MYWORK : range = 1000 - 10000
        idmap config MYWORK : base_rid = 1000
        idmap config MYWORK : backend = rid
        idmap config * : backend = tdb
mattmatteh

PostPosted: Fri Jun 27, 2014 2:49 pm    Post subject: Re: I think your "new style" syntax for idmap is w

vaxbrat wrote:
I think you might want to do something like:

Code:
#
#  Sets the entire range and uses tdb for the backend cache
#
idmap config * : backend = tdb
idmap config * : range = 20000 - 21000
#
#  use rid for MYWORK
#
idmap config MYWORK : backend = rid
#
#  only one domain so grab the entire range for it
#
idmap config MYWORK : range = 20000 - 21000


in place of all this:

Code:
        idmap config * : range = 20000 - 21000
        idmap config MYWORK : range = 1000 - 10000
        idmap config MYWORK : base_rid = 1000
        idmap config MYWORK : backend = rid
        idmap config * : backend = tdb
I have not seen any example where the range is the same for the domain and default. I did try it and samba didn't even start correctly.
vaxbrat

PostPosted: Fri Jun 27, 2014 7:00 pm    Post subject: I do it all of the time

Like I said, the default range is the "entire" range for mapping. Then if you have multiple domains to map, they get subranges of that. When you said samba didn't start, did you run testparm on the conf file first? What was the error?
mattmatteh

PostPosted: Fri Jun 27, 2014 9:57 pm    Post subject: Re: I do it all of the time

vaxbrat wrote:
Like I said, the default range is the "entire" range for mapping. Then if you have multiple domains to map, they get subranges of that. When you said samba didn't start, did you run testparm on the conf file first? What was the error?
I think that error was due to another typo, please ignore that; it's been a long week of testing and trying to figure this out.

I joined #samba on freenode and got some help this afternoon. This was the change that made it work
Code:
idmap config MYWORK : base_rid = 512
Any number between 0 and 512 will work and anything greater or equal to 513 or unset will cause WBC_ERR_DOMAIN_NOT_FOUND.

The overlapping range doesn't seem to matter; wondering why it's even needed then.

Here is the output from testparm
Code:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
WARNING: state directory /var/lib/samba should have permissions 0755 for browsing to work
WARNING: cache directory /var/lib/samba should have permissions 0755 for browsing to work
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = MYWORK
        realm = MYWORK.COM
        security = ADS
        allow trusted domains = No
        kerberos method = secrets and keytab
        max protocol = SMB2
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        show add printer wizard = No
        local master = No
        domain master = No
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config MYWORK :range = 512-10000
        idmap config MYWORK :backend = rid
        idmap config *:range = 512-10000
        idmap config MYWORK : base_rid = 512
        idmap config * : backend = tdb
        invalid users = root
So at the moment this mostly works now. I'll have to play with it more next week. I would like to figure out base_rid.
vaxbrat

PostPosted: Sat Jun 28, 2014 3:09 am    Post subject: Don't know that one

I've never used base_rid and this is the first I've heard of it. Don't think it ever made the Perens book, but then again, the version I have is probably more for the 3.4.x and earlier. I didn't see it in the man pages for smb.conf either.

OTOH they snuck that new idmap "domain" style syntax in on me so I'm not surprised if things broke yet again. I wonder if it has something to do with the list of "well known" sids for active directory?

http://support.microsoft.com/kb/243330

Notice where "Domain Users" starts there? :idea:
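A small model of the idmap_rid mapping, added here as an example and not part of the thread or of Samba's code: it applies the formula ID = RID - BASE_RID + LOW_RANGE_ID from the idmap_rid(8) man page linked in the first post to the user SID quoted above and to the well-known "Domain Users" RID 513 that the KB article lists, under the thread's original (range 1000-10000, base_rid 1000) and final (range 512-10000, base_rid 512) settings. The out-of-range check and the assumption that a lookup also needs the primary group mapped are my modelling assumptions, so the model explains the original failure but is not a reproduction of winbindd's full behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the thread (wbinfo -n matth); DOMAIN_USERS_RID is the
# well-known RID of "Domain Users", the entry vaxbrat points at in KB 243330.
USER_SID = "S-1-5-21-1101513176-159291237-519397536-5811"
DOMAIN_SID = "S-1-5-21-1101513176-159291237-519397536"
DOMAIN_USERS_RID = 513


@dataclass(frozen=True)
class RidConfig:
    """One 'idmap config DOM : ...' stanza: range = low - high, plus base_rid."""
    low: int
    high: int
    base_rid: int


def rid_to_id(rid: int, cfg: RidConfig) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid man page).

    Assumption: an ID that lands outside [low, high] is treated as unmapped,
    which is what the NT_STATUS_NONE_MAPPED lines in the thread's logs report.
    """
    xid = rid - cfg.base_rid + cfg.low
    if xid < cfg.low or xid > cfg.high:
        return None
    return xid


def sid_to_id(sid: str, cfg: RidConfig) -> Optional[int]:
    """Map a SID of the configured domain; SIDs of other domains (e.g. BUILTIN
    S-1-5-32-*) are not handled by this backend and return None."""
    if not sid.startswith(DOMAIN_SID + "-"):
        return None
    return rid_to_id(int(sid.rsplit("-", 1)[1]), cfg)


def getpwnam_would_succeed(user_sid: str, cfg: RidConfig) -> bool:
    """Assumption: resolving a user needs both its uid and the gid of its
    primary group (Domain Users), so the lookup fails if either is unmapped."""
    uid = sid_to_id(user_sid, cfg)
    gid = rid_to_id(DOMAIN_USERS_RID, cfg)
    return uid is not None and gid is not None


if __name__ == "__main__":
    original = RidConfig(low=1000, high=10000, base_rid=1000)  # first smb.conf
    fixed = RidConfig(low=512, high=10000, base_rid=512)       # final smb.conf
    for name, cfg in (("original", original), ("fixed", fixed)):
        print(name, "uid:", sid_to_id(USER_SID, cfg),
              "Domain Users gid:", rid_to_id(DOMAIN_USERS_RID, cfg),
              "lookup ok:", getpwnam_would_succeed(USER_SID, cfg))
```

Under the original settings the user maps to 5811 (matching the wbinfo -S output above) but Domain Users (513) lands below the range's low end, so the lookup fails; with base_rid 512 and a range starting at 512 both IDs map.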
All times are GMT