FS#50787 - [samba] winbind and active directory id mapping broken
Attached to Project:
Arch Linux
Opened by heapify man (heapifyman) - Thursday, 15 September 2016, 12:31 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 28 March 2022, 08:02 GMT
Details
Description:
With updates from 12th September, 2016 after two week holiday my Active Directory integration is broken. I could not login via graphical login any more and when logging in via the terminal, the prompt showed "[I have no name!@my-box]".

"id $username" did show all groups and correct ids but couldn't map ids to user and group names. Also "ls -al" in my home dir only showed ids instead of user and group names as owner information.

As far as I can tell, the config files (krb5.conf, smb.conf, etc.) haven't changed and neither have the Active Directory settings.

In "/var/log/samba/log.winbindd-idmap" I see messages like this:

[2016/09/15 16:07:24.411226, 3] ../source3/winbindd/idmap_rid.c:146(idmap_rid_unixids_to_sids)
  Unexpected error resolving an ID (16208)

Running "wbinfo -g" or "wbinfo -u" works as expected and shows all the correct group and user names. So do "getent group" and "getent passwd".

Additional info:
* libwbclient 4.5.0-2
* I followed the Active Directory Integration manual from the wiki: https://wiki.archlinux.org/index.php/Active_Directory_Integration

Steps to reproduce:
1. Follow: https://wiki.archlinux.org/index.php/Active_Directory_Integration
2. Install latest updates up to 14th September, 2016
3. Try to login as Domain user
Extra; disable upgrade of Samba in /etc/pacman.conf (IgnorePkg iirc).
Lots of changes on AD, better you contact the samba mailing lists.
Someone commented on the samba issue - https://bugzilla.samba.org/show_bug.cgi?id=12284#c2 - asking to test with samba 4.4.6.
Is that version available somewhere for Arch / Antergos?
Thanks in advance
Here's what I did:
- cloned https://git.archlinux.org/svntogit/packages.git
- used the current HEAD and edited samba/trunk/PKGBUILD
- changed "pkgver" to 4.4.6 and changed the first md5sum in the array
- ran "makepkg"
- ran "sudo pacman -U samba-4.4.6-2-x86_64.pkg.tar smbclient-4.4.6-2-x86_64.pkg.tar libwbclient-4.4.6-2-x86_64.pkg.tar"
After reboot I could login as before and did not experience any issues with the mapping of ids to active directory domain group or user names.
I hope that was the correct way to verify that version 4.4.6 does not contain the bug I reported above.
I had downgraded to the previous 4.4.5 build for some time. However, eventually nmbd would crash while starting.
Following the suggestions for building the 4.4.6 release from the arch package trunk, all services resumed expected operation.
I am currently building the 4.4.7 samba release with the same success.
The 4.4.x branch seems unaffected by this breaking change, while the 4.5.x branch continues to not provide user and group binding.
idmap config <DOMAIN_NAME> : backend = rid
idmap config <DOMAIN_NAME> : range = 10000-1999999
idmap config * : range = 10000-1999999
instead of
idmap config * : backend = rid
idmap config * : range = 10000-20000
in smb.conf. This works for me.
This seems to work with the latest samba 4.5.x packages, thanks.
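
As an added example (not part of the original report and not Samba's own code), this Python check parses the "idmap config" lines of an smb.conf and flags the setup this thread reports as broken with 4.5.x: the rid backend placed on the default domain "*" instead of on the named AD domain. The domain name EXAMPLE, the sample configs and the function names are assumptions made for illustration.

```python
import re

# smb.conf line shape: "idmap config <DOMAIN> : <option> = <value>"
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<opt>[^=]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap(text):
    """Return {domain: {option: value}} for every idmap config line."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment markers
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"], {})[m["opt"].lower()] = m["val"]
    return domains

def lint_idmap(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for dom, opts in parse_idmap(text).items():
        # The change reported in this thread: rid belongs on the named domain.
        if dom == "*" and opts.get("backend", "").lower() == "rid":
            findings.append("rid backend on default domain '*': "
                            "configure it on the AD domain by name")
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not rng or int(rng[1]) >= int(rng[2]):
            findings.append(f"domain {dom}: missing or invalid range")
    return findings

# Constructed sample: the configuration the thread reports as broken.
BROKEN = """
[global]
    idmap config * : backend = rid
    idmap config * : range = 10000-20000
"""

# Constructed sample: the configuration the thread reports as working
# (EXAMPLE stands in for <DOMAIN_NAME>).
FIXED = """
[global]
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-1999999
    idmap config * : range = 10000-1999999
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_idmap(conf) or "no findings")
```

Running it against a host's real /etc/samba/smb.conf before upgrading Samba shows whether the login and name-resolution failure described above is likely to appear.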