Regression in Winbind: Cannot map SID->UID when using read-only idmap-backend "ad", rfc2307 uids

Bug #364105 reported by Edgar Holleis
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| samba | Fix Released | Medium | | |
| samba (Ubuntu) | Triaged | Low | Unassigned | |

Bug Description

Binary package hint: winbind

works: 2:3.2.3-1ubuntu3.4
broken: 2:3.3.2-1ubuntu3

Probably upstream issue.

Winbind specific parts of smb.conf:
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.FQDN
> password server = *
> winbind separator = \\
> winbind enum users = yes
> winbind enum groups = yes
> idmap backend = ad
> idmap config DOMAIN : schema_mode = rfc2307
> winbind nss info = template
> winbind use default domain = yes
> winbind offline logon = yes
> idmap uid = 1100-49999
> idmap gid = 1100-49999
> template shell = /bin/bash
> template homedir = /home/%u

Details:

The following mappings work:
  User-Name->SID, Group-Name->SID, SID->GID
What doesn't work:
  SID->UID

The Samba-Docs suggest adding a writable idmap-backend. That doesn't help, since Samba ends up allocating mappings for all UIDs in the writable backend instead of using the ones in AD.

tags: added: regression-potential
Steve Beattie (sbeattie)
tags: added: jaunty regression-release
removed: regression-potential
Etienne Goyer (etienne-goyer-outlands) wrote :

I am not sure I understand the issue fully, so please bear with me if I am missing something.

Since the ad idmap backend *is* read-only, isn't it to be expected that you cannot change the "mapping"? Was it even possible in an earlier version of Samba?

I am also curious about what you are trying to achieve. Are you trying to override the uid handed out from the AD for a specific user on a specific machine?

Edgar Holleis (nospam-indoktrination) wrote :

s/map/resolve/

winbind 2:3.3.2-1ubuntu3 cannot resolve SID->UID. The mapping is there in the AD, automatically created by the user-add script. However, the new version does not return UIDs any more. GIDs continue to work.

AD is and was always readonly. To my knowledge Samba has only recently gained the feature of stacking idmappings, where you layer a writable idmap over the readonly AD-map to handle the case where Samba wants to create a new mapping. When Samba 3.3.2 failed to work as before, I consulted the documentation and found the suggestion that I should layer a writable idmap over the AD-map. I tried to do that, but without success. Samba still fails to resolve UIDs from AD, but instead of complaining it silently allocates a new (and wrong) mapping in the writable backend.

As far as I can remember (it's been a couple of weeks since I found the issue), what works is:
name -> SID (wbinfo -n)
SID -> name (wbinfo -s)
SID -> GID (wbinfo -Y)
GID -> SID (wbinfo -G)

What does not work:
SID -> UID (wbinfo -S)
UID -> SID (wbinfo -U)
And yes, I used SIDs that do represent User-Objects and that have a UID-Attribute in AD.
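
An added example (not part of the original comment and not Samba's own code): a shell function that runs the wbinfo lookups listed above as a round-trip check and flags a UID that resolves but differs from the expected one, which is how the silent wrong allocation in a writable backend would show up. The function name, its exit codes and the optional expected-UID argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: round-trip check of winbind SID <-> UID resolution using the
# wbinfo options named in the comment above. USER and EXPECTED_UID are supplied
# by the caller; EXPECTED_UID is the UID the admin knows is stored in AD.
#
# check_uid_mapping USER [EXPECTED_UID]
# Returns: 0 consistent, 1 name -> SID failed, 2 SID -> UID failed,
#          3 UID -> SID does not round-trip, 4 UID differs from EXPECTED_UID
check_uid_mapping() {
    user=$1
    expected=${2:-}

    # wbinfo -n prints "<SID> <type>"; keep only the SID.
    sid=$(wbinfo -n "$user" 2>/dev/null | awk '{print $1}')
    case $sid in
        S-1-*) ;;
        *) echo "FAIL $user: name -> SID"; return 1 ;;
    esac

    # wbinfo -S prints the numeric UID on success.
    uid=$(wbinfo -S "$sid" 2>/dev/null) || uid=
    case $uid in
        ''|*[!0-9]*) echo "FAIL $user: SID -> UID ($sid)"; return 2 ;;
    esac

    # wbinfo -U must lead back to the same SID.
    back=$(wbinfo -U "$uid" 2>/dev/null) || back=
    if [ "$back" != "$sid" ]; then
        echo "FAIL $user: UID $uid maps back to '$back', not $sid"
        return 3
    fi

    # A UID that resolves but is not the expected one points to a locally
    # allocated mapping rather than the value read from AD.
    if [ -n "$expected" ] && [ "$uid" != "$expected" ]; then
        echo "FAIL $user: winbind returned UID $uid, expected $expected"
        return 4
    fi

    echo "OK $user: $sid <-> $uid"
    return 0
}

# Run as: ./check-idmap.sh USER [EXPECTED_UID]
if [ "$#" -gt 0 ]; then
    check_uid_mapping "$@"
fi
```

Because ownership and access checks on the host follow the resolved UID, exit code 4 is the case to alert on: the lookup succeeds, so nothing else reports the mismatch.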

Thierry Carrez (ttx) wrote :

The fact that GID conversion works but UID conversion fails makes it almost certainly an upstream regression in the 3.3-branch.
I couldn't find a Samba bug about this. Edgar, could you file a bug on the upstream bugzilla (bugzilla.samba.org)? They will probably ask you for more logs/information so it's probably better if you do it directly.

Edgar Holleis (nospam-indoktrination) wrote :

I tried to reproduce the issue, and now GID-conversion curiously fails as well.

Anyway, created the upstream bug:
https://bugzilla.samba.org/show_bug.cgi?id=6322

Thierry Carrez (ttx) wrote :

Thanks Edgar!
https://bugzilla.samba.org/show_bug.cgi?id=6322#c5 hints that it is a known documentation and missing feature issue...

Changed in samba:
status: Unknown → Confirmed
Changed in samba:
status: Confirmed → In Progress
Chuck Short (zulcss) wrote :

Thanks for the info.

Changed in samba (Ubuntu):
status: New → Triaged
Thierry Carrez (ttx)
Changed in samba (Ubuntu):
importance: Undecided → Low
Changed in samba:
importance: Unknown → Medium
Changed in samba:
status: In Progress → Fix Released