Bug 1399336

Summary: Cannot authenticate with winbind in AD
Product: [Fedora] Fedora
Reporter: Manuel Pelayo <manuel.pelayo>
Component: samba4
Assignee: Orphan Owner <extras-orphan>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 25
CC: abokovoy, asn, extras-orphan, gdeschner, sbose, ssorce
Hardware: x86_64   
OS: Unspecified   
Last Closed: 2016-12-15 10:00:25 UTC
Type: Bug

Description Manuel Pelayo 2016-11-28 19:09:30 UTC
Description of problem:

Since the Fedora 25 upgrade, AD users cannot authenticate.

How reproducible:
Always

Actual results:
- The Fedora 25 client was integrated into AD without problems.
- "wbinfo -u" returns the AD user list.
- "wbinfo -g" returns the AD group list.
- "getent passwd" returns the AD user list.
- "getent group" returns the AD group list.

But "id user_ad" returns "id: 'user_ad': no such user" (where user_ad is a real AD user).

Comment 1 Andreas Schneider 2016-11-29 13:36:07 UTC
Please provide log files as described here:

https://www.samba.org/~asn/reporting_samba_bugs.txt


Thanks

Comment 2 Manuel Pelayo 2016-12-14 18:31:29 UTC
Solved here:
https://bugzilla.samba.org/show_bug.cgi?id=12284#c12

Comment 3 Andreas Schneider 2016-12-15 10:00:25 UTC
So you had an invalid IDMAP configuration?

In Samba 4.6 the 'testparm' tool will warn about issues with ID mapping configuration and winbind will not start if an invalid IDMAP backend is configured.

Comment 4 Manuel Pelayo 2016-12-15 10:48:10 UTC
No, the IDMAP configuration was not invalid.
The 4.5 version requires more precision than 4.4.x:
--- smb-4.4.conf
+++ smb-4.5.conf
@@ -11,3 +11,5 @@
 	winbind use default domain = Yes
 	idmap config * : range = 100000-109999
 	idmap config * : backend = rid
+	idmap config DOMAIN : range = 100000-109999
+	idmap config DOMAIN : backend = rid
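
Review bot: the added 'idmap config DOMAIN : range = 100000-109999' is identical to the 'idmap config * : range' in the context lines directly above it, so the default domain and DOMAIN would hand out IDs from the same space; DOMAIN should get its own range that does not intersect the '*' range. The hunk also leaves the context line 'idmap config * : backend = rid' unchanged, so 'rid' stays configured on the default domain while being added a second time for DOMAIN; the default domain's backend should be reviewed in the same change.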

Comment 5 Andreas Schneider 2016-12-16 14:03:30 UTC
The 'rid' backend is not a valid backend for 'idmap config *'. Winbind in Samba 4.6 will not start if 'rid' is configured for the default backend. So the config is invalid and we just did not tell the user.

Also the change you did is not ok. You have overlapping ID map ranges! Those ranges should never overlap.

Comment 6 Andreas Schneider 2016-12-16 14:06:40 UTC
https://wiki.samba.org/index.php/Idmap_config_rid
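
The two problems named in comment 5 ('rid' on the default '*' domain, and overlapping ID ranges) can be checked mechanically before winbind is restarted. The following Python script is an added example, not part of this bug report or of Samba; the function names and the values in the CORRECTED sample (a 'tdb' backend and the range 3000-7999 for '*') are assumptions chosen for illustration.

```python
import re

# One 'idmap config <domain> : <option> = <value>' line from smb.conf.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

# Constructed sample: the idmap lines of smb-4.5.conf as posted in comment 4.
REPORTED = """
    idmap config * : range = 100000-109999
    idmap config * : backend = rid
    idmap config DOMAIN : range = 100000-109999
    idmap config DOMAIN : backend = rid
"""
# Constructed sample: tdb for '*' and a separate range are assumed values.
CORRECTED = """
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 100000-109999
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def check_idmap(conf_text):
    """Flag 'rid' on the default domain and any overlapping ID ranges."""
    domains = parse_idmap(conf_text)
    findings = []
    if domains.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("rid backend on default domain '*'")
    ranges = sorted((*map(int, o["range"].split("-")), d)
                    for d, o in domains.items() if "range" in o)
    top = None  # range with the highest upper bound seen so far
    for lo, hi, dom in ranges:
        if top and lo <= top[1]:
            findings.append(f"{dom} {lo}-{hi} overlaps {top[2]} {top[0]}-{top[1]}")
        if top is None or hi > top[1]:
            top = (lo, hi, dom)
    return findings

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED), ("corrected", CORRECTED)):
        print(name, check_idmap(conf) or "ok")
```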