[Samba] Problems with winbind, idmap and usrmgr.exe - Samba



Thread: [Samba] Problems with winbind, idmap and usrmgr.exe

  1. [Samba] Problems with winbind, idmap and usrmgr.exe

    I am trying to get two Samba PDC/Domains setup with a trust between
    them. They are separate domains because they are separate companies
    (one is a subsidiary of the other) located in different cities.

    I am using Centos 5.1 x86_64 and Samba 3.0.28a packages built by me from
    Fedora 8 source RPMs.

    Based on what I have read, in order to do the trust thing I need to use
    Winbind/idmap to handle the non local SIDS (not that I have got to the
    point of trying to do the trust yet). Correct?

    I have set up DOMA's PDC with the following idmap/winbind configuration.
    There doesn't seem to be any up to date documentation on this stuff, so
    I admit that I have been guessing at this, so it is probably
    completely wrong.

    idmap domains = OTHERDOMAINS DOMA DOMB

    idmap config OTHERDOMAINS:default = yes
    idmap config OTHERDOMAINS:backend = tdb
    idmap config OTHERDOMAINS:range = 10000 - 20000

    idmap config DOMA:default = no
    idmap config DOMA:backend = tdb
    idmap config DOMA:range = 20001 - 30000

    idmap config DOMB:default = no
    idmap config DOMB:backend = tdb
    idmap config DOMB:range = 30001 - 40000

    idmap alloc backend = tdb
    idmap alloc config:range = 40001 - 50000

    winbind separator = \
    winbind enum users = yes
    winbind enum groups = Yes
    winbind nested groups = yes

    Are the ranges all supposed to be separate like that? I was just
    following an example that I found somewhere.

    The domain "works" in that the PDC comes up, I can join XP clients to
    the domain, login, access shares, Roaming profiles are saved to the
    server, etc. But when I try to use usrmgr.exe to manage users I just
    get a "The specified local group does not exist" error. Not a very
    helpful error message, but after setting the log level to 10 in Samba
    and searching through the logs I found that winbind seems to be failing
    to resolve the Builtin groups to a gid, so am assuming that the Builtin
    groups are the "local group" being referred to.

    [2008/04/22 17:42:52, 10] passdb/lookup_sid.c:check_dom_sid_to_level(681)
    Accepting SID S-1-5-32 in level 1
    [2008/04/22 17:42:52, 10] passdb/lookup_sid.c:lookup_sid(959)
    Sid S-1-5-32-549 -> BUILTIN\Server Operators(4)
    [2008/04/22 17:42:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2008/04/22 17:42:52, 10] passdb/lookup_sid.c:sid_to_gid(1468)
    winbind failed to find a gid for sid S-1-5-32-549
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_debug(84)
    000000 samr_io_r_open_alias
    [2008/04/22 17:42:52, 6] rpc_parse/parse_prs.c:prs_debug(84)
    000000 smb_io_pol_hnd pol
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
    0000 handle_type: 00000000
    [2008/04/22 17:42:52, 7] rpc_parse/parse_prs.c:prs_debug(84)
    000004 smb_io_uuid uuid
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint32(710)
    0004 data : 00000000
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
    0008 data : 0000
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint16(681)
    000a data : 0000
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
    000c data : 00 00
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
    000e data : 00 00 00 00 00 00
    [2008/04/22 17:42:52, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
    0014 status: NT_STATUS_NO_SUCH_ALIAS

    The Builtin groups all exist and show up in net groupmap list output
    correctly.

    [root@domapdc samba]# net groupmap list
    Server Operators (S-1-5-32-549) -> BUILTIN server operators
    Replicator (S-1-5-32-552) -> BUILTIN replicator
    Guests (S-1-5-32-546) -> BUILTIN guests
    RAS Servers (S-1-5-32-553) -> BUILTIN ras servers
    Power Users (S-1-5-32-547) -> BUILTIN power users
    Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
    Print Operators (S-1-5-32-550) -> BUILTIN print operators
    Administrators (S-1-5-32-544) -> BUILTIN administrators
    Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
    Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> BUILTIN pre-windows 2000 compatible access
    Account Operators (S-1-5-32-548) -> BUILTIN account operators
    Backup Operators (S-1-5-32-551) -> BUILTIN backup operators
    Users (S-1-5-32-545) -> BUILTIN users
    Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

    The Administrators and Users Builtins were created automatically by
    winbind. The others were created with net sam createbuiltingroup.

    If I stop the winbind service, without any other changes, usrmgr.exe
    starts correctly and I can add users, change group memberships, etc.

    net groupmap list with winbind stopped shows:

    [root@domapdc samba]# net groupmap list
    Server Operators (S-1-5-32-549) -> 10083
    Replicator (S-1-5-32-552) -> 10110
    Guests (S-1-5-32-546) -> 10080
    RAS Servers (S-1-5-32-553) -> 10111
    Power Users (S-1-5-32-547) -> 10081
    Domain Guests (S-1-5-21-414638506-200849585-235676652-514) -> nobody
    Print Operators (S-1-5-32-550) -> 10084
    Administrators (S-1-5-32-544) -> 10000
    Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
    Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> 10112
    Account Operators (S-1-5-32-548) -> 10082
    Backup Operators (S-1-5-32-551) -> 10085
    Users (S-1-5-32-545) -> 10001
    Domain Users (S-1-5-21-414638506-200849585-235676652-513) -> domusers

    Let me know if any other information is required. Any help with this
    will be appreciated.

    Thanks

    Mike

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
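    The post above asks whether the idmap ranges have to be separate and shows BUILTIN SIDs that winbind could not map to a gid. The following Python script is an added example, not code from the thread or from Samba: it parses the idmap range lines in smb.conf syntax, flags inverted or overlapping per-domain ranges, and reports which configured range each numeric gid in "net groupmap list" output falls into. The sample config and groupmap lines are constructed from the first post.

```python
import re
# Constructed sample: the idmap range lines from the first post's smb.conf.
SMB_CONF = """
idmap domains = OTHERDOMAINS DOMA DOMB
idmap config OTHERDOMAINS:range = 10000 - 20000
idmap config DOMA:range = 20001 - 30000
idmap config DOMB:range = 30001 - 40000
idmap alloc config:range = 40001 - 50000
"""

# Constructed sample: three lines of 'net groupmap list' output from the post
# (taken with winbind stopped, so gids print numerically rather than as names).
GROUPMAP = """
Server Operators (S-1-5-32-549) -> 10083
Administrators (S-1-5-32-544) -> 10000
Domain Admins (S-1-5-21-414638506-200849585-235676652-512) -> domadmins
"""

RANGE_RE = re.compile(
    r"^\s*idmap (?:config (\S+?):|alloc config:)range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def parse_ranges(conf):
    """Return {domain or 'alloc': (low, high)} from smb.conf text."""
    return {dom or "alloc": (int(lo), int(hi)) for dom, lo, hi in RANGE_RE.findall(conf)}

def check_ranges(ranges):
    """Report inverted bounds and overlaps between per-domain ranges (they are
    meant to be disjoint); the alloc range is stated separately and not compared."""
    problems = [f"{n}: low {lo} exceeds high {hi}" for n, (lo, hi) in ranges.items() if lo > hi]
    doms = sorted(((n, r) for n, r in ranges.items() if n != "alloc"), key=lambda kv: kv[1])
    for (n1, (_, hi1)), (n2, (lo2, hi2)) in zip(doms, doms[1:]):
        if lo2 <= hi1:
            problems.append(f"{n1} and {n2} overlap ({lo2}..{min(hi1, hi2)})")
    return problems

def classify_gids(groupmap, ranges):
    """Map each SID with a numeric gid to the idmap range that owns the gid
    (None when no configured idmap range covers it); name-mapped lines are skipped."""
    result = {}
    for sid, gid in re.findall(r"\((S-[\d-]+)\) -> (\d+)$", groupmap, re.M):
        gid = int(gid)
        owner = next((n for n, (lo, hi) in ranges.items() if lo <= gid <= hi), None)
        result[sid] = (gid, owner)
    return result

if __name__ == "__main__":
    ranges = parse_ranges(SMB_CONF)
    print("range problems:", check_ranges(ranges) or "none")
    print(classify_gids(GROUPMAP, ranges))
```

    Run against the post's values it reports no range problems and shows the BUILTIN gids 10000 and 10083 were allocated from the OTHERDOMAINS (default) range.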


  2. Re: [Samba] Problems with winbind, idmap and usrmgr.exe

    First of all apologies for replying to my own query, but I have run out
    of things to try and really need to make some progress on this.

    I have done a clean install and am now using the configuration file
    below for my Samba PDC. This has made no difference to the issue with
    usrmgr.exe. As before this is Samba 3.0.28a on Centos 5.1 x86_64 and
    nsswitch is configured to use winbind.

    [global]
    log level = 5
    workgroup = domb
    server string = Samba Server Version %v
    interfaces = lo, eth0
    passdb backend = tdbsam:/etc/samba/passdb.tdb
    username map = /etc/samba/smbusers
    log file = /var/log/samba/%m.log
    max log size = 50

    # Stuff that makes this machine a PDC.
    add user script = /usr/sbin/useradd "%u" -n -g domusers
    delete user script = /usr/sbin/userdel "%u"
    add group script = /usr/sbin/groupadd "%g"
    delete group script = /usr/sbin/groupdel "%g"
    delete user from group script = /usr/sbin/userdel "%u" "%g"
    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false -g machines "%u"
    logon path = \\%L\Profiles\%U
    logon home = \\%L\%U\.profiles
    logon drive = H:
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = Yes
    wins proxy = Yes
    wins support = Yes

    # Equivalent of old behaviour.
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:default = yes
    idmap config ALLDOMAINS:backend = tdb
    idmap config ALLDOMAINS:range = 10000 - 50000

    idmap alloc backend = tdb
    idmap alloc config:range = 10000 - 50000

    winbind enum users = yes
    winbind enum groups = Yes
    winbind nested groups = yes
    hosts allow = 127., 192.168.42., 192.168.43.
    cups options = raw

    [homes]
    comment = Home Directories
    read only = No
    browseable = No

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    browseable = No
    share modes = No
    read only = yes

    [profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700

    At this stage I believe there to be a problem with winbind as I have
    also tried the following.

    Creating a local group with "net -U root%xxxxxxx sam createlocalgroup
    local1", which succeeds.

    A portion of the output from "net groupmap list verbose" shows:
    local1
    SID : S-1-5-21-2991776595-4262790192-2958925130-1004
    Unix gid : 10053
    Unix group: local1
    Group type: Local Group
    Comment :

    Testing winbind with the following:
    [root@dombpdc ~]# wbinfo -G 10053
    S-1-5-21-2991776595-4262790192-2958925130-1004
    [root@dombpdc ~]# wbinfo -s "S-1-5-21-2991776595-4262790192-2958925130-1004"
    Could not lookup sid S-1-5-21-2991776595-4262790192-2958925130-1004

    Shouldn't both these commands work or am I missing something? I tried it
    both with and without the quotes around the SID.

    Also

    [root@dombpdc ~]# wbinfo -D .
    Name : DOMB
    Alt_Name :
    SID : S-1-5-21-2991776595-4262790192-2958925130
    Active Directory : No
    Native : No
    Primary : Yes
    Sequence : -1

    [root@dombpdc ~]# wbinfo -u
    Error looking up domain users

    [root@dombpdc ~]# wbinfo -g
    BUILTIN\server operators
    BUILTIN\guests
    BUILTIN\power users
    BUILTIN\print operators
    BUILTIN\administrators
    BUILTIN\account operators
    BUILTIN\backup operators
    BUILTIN\users
    local1

    These are only the local groups. Shouldn't this list the domain groups
    as well?

    [root@dombpdc ~]# wbinfo --getdcname domb
    Could not get dc name for domb

    Which may well be the root of the problem?

    I am happy to supply whichever logs are required, just let me know.

    Thanks

    Mike



  3. RE: [Samba] Problems with winbind, idmap and usrmgr.exe

    Did you add your server to the domain?
    e.g. net rpc join -S 'pdc-name' -U administrator%password -d 5

    Check this page and review your config also.
    http://www.samba.org/samba/docs/man/...ixclients.html

    Louis


    >-----Original Message-----
    >From: samba-bounces+belle=bazuin.nl@lists.samba.org
    >[mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of
    >Mike Brady
    >Sent: Wednesday 23 April 2008 9:46
    >To: samba@lists.samba.org
    >Subject: Re: [Samba] Problems with winbind, idmap and usrmgr.exe


