Arch Linux

FS#50787 - [samba] winbind and active directory id mapping broken

Attached to Project: Arch Linux
Opened by heapify man (heapifyman) - Thursday, 15 September 2016, 12:31 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 19 September 2016, 13:11 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned
Assigned To: Tobias Powalowski (tpowa)
Architecture: x86_64
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 5
Private: No


With updates from 12th September, 2016, after a two-week holiday, my Active Directory integration is broken.

I could not log in via graphical login any more, and when logging in via the terminal, the prompt showed "[I have no name!@my-box]"

"id $username" did show all groups and correct ids but couldn't map ids to user and group names.
Also "ls -al" in my home dir only showed ids instead of user and group names as owner information.

As far as I can tell, the config files (krb5.conf, smb.conf, etc.) haven't changed and neither have the Active Directory settings.

In "/var/log/samba/log.winbindd-idmap" I see messages like this:
[2016/09/15 16:07:24.411226, 3] ../source3/winbindd/idmap_rid.c:146(idmap_rid_unixids_to_sids)
Unexpected error resolving an ID (16208)

Running "wbinfo -g" or "wbinfo -u" works as expected and shows all the correct group and user names.
So do "getent group" and "getent passwd"

Additional info:
* libwbclient 4.5.0-2
* I followed the Active Directory Integration manual from the wiki:

Steps to reproduce:
1. Follow:
2. Install latest updates up to 14th September, 2016
3. Try to login as Domain user

Comment by heapify man (heapifyman) - Thursday, 15 September 2016, 12:34 GMT
Addendum: "net ads info" and "net ads lookup" also work as expected
Comment by Jan-Jaap Stam (j.stam.84) - Monday, 19 September 2016, 09:46 GMT
I got the same issue. Temporary fix is to downgrade Samba, libwbclient, and smbclient (libwbclient-4.4.5-2-x86_64.pkg.tar.xz smbclient-4.4.5-2-x86_64.pkg.tar.xz samba-4.4.5-2-x86_64.pkg.tar.xz)
Extra; disable upgrade of Samba in /etc/pacman.conf (IgnorePkg iirc).
Comment by heapify man (heapifyman) - Tuesday, 20 September 2016, 21:36 GMT
Downgrade worked. Thanks.
Comment by Tobias Powalowski (tpowa) - Wednesday, 21 September 2016, 06:07 GMT
Lots of changes on AD, better you contact samba mailing lists.
Comment by heapify man (heapifyman) - Wednesday, 21 September 2016, 14:25 GMT
Comment by heapify man (heapifyman) - Thursday, 06 October 2016, 19:53 GMT

Someone commented on the samba issue - - asking to test with samba 4.4.6.
Is that version available somewhere for Arch / Antergos?

Thanks in advance
Comment by heapify man (heapifyman) - Tuesday, 11 October 2016, 10:55 GMT
I tried out version 4.4.6 and did not experience any issues.

Here's what I did:
- cloned
- used the current HEAD and edited samba/trunk/PKGBUILD
- changed "pkgver" to 4.4.6 and changed the first md5sum in the array
- ran "makepkg"
- ran "sudo pacman -U samba-4.4.6-2-x86_64.pkg.tar smbclient-4.4.6-2-x86_64.pkg.tar libwbclient-4.4.6-2-x86_64.pkg.tar"

After reboot I could login as before and did not experience any issues with the mapping of ids to active directory domain group or user names.

I hope that was the correct way to verify that version 4.4.6 does not contain the bug I reported above.
Comment by Christopher Price (pricechrispy) - Saturday, 19 November 2016, 18:15 GMT
I have had this same behavior since the upgrade to the 4.5.x samba branch. Active directory users and groups are not getting mapped, so the system cannot resolve the user and group ids on the filesystem (like in /home).

I had downgraded to the previous 4.4.5 build for some time. However, eventually nmbd would crash while starting.

Following the suggestions for building the 4.4.6 release from the arch package trunk, all services resumed expected operation.

I am currently building the 4.4.7 samba release with the same success.

The 4.4.x branch seems unaffected by this breaking change, while the 4.5.x branch continues to not provide user and group binding.
Comment by heapify man (heapifyman) - Sunday, 20 November 2016, 12:56 GMT
Yes, problem still existing in 4.5.1 - but seemingly no activity in
Comment by Jonas Hahnfeld (hahnjo) - Wednesday, 21 December 2016, 15:59 GMT
There was an answer to the upstream bug: It should be

idmap config <DOMAIN_NAME> : backend = rid
idmap config <DOMAIN_NAME> : range = 10000-1999999
idmap config * : range = 10000-1999999

instead of

idmap config * : backend = rid
idmap config * : range = 10000-20000

in smb.conf. This works for me.
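
An added example (not part of the original comments and not Samba code): a small Python check that reads the idmap config lines of an smb.conf, flags the layout replaced in the comment above, and shows which idmap domains cover the ID 16208 from the reported log line. EXAMPLE is a constructed stand-in for <DOMAIN_NAME>, and the function names are hypothetical.

```python
import re

# "idmap config <DOMAIN> : <option> = <value>", as the lines appear in smb.conf
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<opt>[\w ]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)

# The two layouts quoted in the comment; EXAMPLE is a constructed domain name.
BROKEN = """[global]
idmap config * : backend = rid
idmap config * : range = 10000-20000
"""
FIXED = """[global]
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-1999999
idmap config * : range = 10000-1999999
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} from the idmap config lines."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"], {})[m["opt"].lower()] = m["val"]
    return domains

def audit(conf_text):
    """Flag the layout the thread replaces, plus incomplete per-domain entries."""
    findings = []
    for dom, opts in parse_idmap(conf_text).items():
        backend = opts.get("backend", "").lower()
        if dom == "*" and backend == "rid":
            findings.append("default domain '*' uses backend = rid")
        if dom != "*" and not backend:
            findings.append(f"{dom}: no backend set")
        if "range" not in opts:
            findings.append(f"{dom}: no range set")
    return findings

def covering(conf_text, unix_id):
    """List (domain, backend) pairs whose configured range contains unix_id."""
    hits = []
    for dom, opts in parse_idmap(conf_text).items():
        if "range" not in opts:
            continue
        low, high = (int(n) for n in opts["range"].split("-", 1))
        if low <= unix_id <= high:
            hits.append((dom, opts.get("backend")))
    return hits
```

For the first layout, `covering(BROKEN, 16208)` shows that only the `*` entry covers the ID from the log, which is the entry `audit` flags.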
Comment by heapify man (heapifyman) - Wednesday, 04 January 2017, 09:19 GMT
The above change in smb.conf seems to be working for me, as well.
Comment by Christopher Price (pricechrispy) - Thursday, 12 January 2017, 20:47 GMT
I have also changed the idmap backend config to state the workgroup, and added an identical idmap range for the workgroup.

This seems to work with the latest samba 4.5.x packages, thanks.