Bug 1401505
| Field | Value |
|---|---|
| Summary | idmap_hash fails to map SID to UID |
| Product | Red Hat Enterprise Linux 7 |
| Component | samba |
| Version | 7.4 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Andreas Schneider <asn> |
| Assignee | Michael Adam <madam> |
| QA Contact | Robin Hack <rhack> |
| CC | adzilsky, asn, cobrown, cparadka, gdeschner, jarrpa, jdveencamp, rhack |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | samba-4.6.0-1.el7 |
| Last Closed | 2017-08-01 18:19:59 UTC |
| Type | Bug |

Created attachment 1228058
smb.conf and logs

This is an issue Robin discovered. I've logged into the machine to get the details; they are in the tarball.

*** Bug 1406561 has been marked as a duplicate of this bug. ***

*** Bug 1420930 has been marked as a duplicate of this bug. ***

There is no real problem in the bug report, just a few log snippets. Looking at the config, the range is too small. Hash divides the range into subranges for treated domains. Each range has a size of roughly 500,000 ids (20 bit). So we likely need to document this better. And possibly add some error message or treatment for invalid configuration (like this one).

I will improve the manpage and add an error in testparm.

Can I add a comment? Might be premature. But I opened this bugzilla, and am under pressure to resolve.
I saw the comment about range being too small. I'll note we get the same error with:
idmap config * : backend = hash
idmap config * : range = 10000000-19999999
The patches are not upstream yet but the change for the manpage will be something like this:
DO NOT USE THIS BACKEND
The idmap_hash plugin implements a hashing algorithm used to map
SIDs for domain users and groups to 31-bit uids and gids, respectively.
This plugin also implements the nss_info API and can be used
to support a local name mapping files if enabled via the
"winbind normalize names" and "winbind nss info"
parameters in smb.conf.
The module divides the range into subranges for each domain that is
being handled by the idmap config.
The module needs the complete UID and GID range to be able to map all
SIDs. The lowest value for the range should be the smallest ID
available in the system. This is normally 1000. The highest ID should
be set to 4294967295.
A smaller range will lead to issues because of the hashing algorithm
used.
idmap config * : range = 1000-4294967295

Sorry, it is 2147483647.

idmap config * : range = 1000-2147483647

This solves the original problem I opened with redhat support. Thanks!

idmap config * : range = 1000-2147483647

Thanks Andreas, problem in this bug report now seems to be resolved.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1950

Description of problem:

[global]
idmap_hash:name_map = /etc/samba/name_map.cfg
winbind normalize names = yes
winbind nss info = hash
idmap backend = hash
idmap config * : range = 10000-20000
winbind request timeout = 120
realm = ZELGROUP.ZEL
server signing = auto
netbios name = qeos-183
workgroup = ZELGROUP
security = ADS
create krb5 conf = no
password server = *
wins server = 10.34.36.16,
encrypt passwords = yes
log level = 10

[2016/12/05 07:50:51.415106, 1, pid=7374, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
    in: struct wbint_Sids2UnixIDs
      domains : *
        domains: struct lsa_RefDomainList
          count : 0x00000001 (1)
          domains : *
            domains: ARRAY(1)
              domains: struct lsa_DomainInfo
                name: struct lsa_StringLarge
                  length : 0x0010 (16)
                  size : 0x0012 (18)
                  string : *
                    string : 'ZELGROUP'
                sid : *
                  sid : S-1-5-21-3142488501-2994438553-525746589
          max_size : 0x00000020 (32)
      ids : *
        ids: struct wbint_TransIDArray
          num_ids : 0x00000001 (1)
          ids: ARRAY(1)
            ids: struct wbint_TransID
              type : ID_TYPE_UID (1)
              domain_index : 0x00000000 (0)
              rid : 0x000001f4 (500)
              xid: struct unixid
                id : 0xffffffff (4294967295)
                type : ID_TYPE_UID (1)
...
[2016/12/05 07:50:51.417857, 5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding QEOS-183 (S-1-5-21-3362745840-2787642475-2851412109) -> 3850
[2016/12/05 07:50:51.417880, 5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding ZELGROUP (S-1-5-21-3142488501-2994438553-525746589) -> 1384
[2016/12/05 07:50:51.417891, 5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding ZELTRUST (S-1-5-21-614608687-1517273735-1130020060) -> 2974
[2016/12/05 07:50:51.417900, 5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding CHILD (S-1-5-21-3401324024-2538594276-2111078104) -> 2682
[2016/12/05 07:50:51.418026, 10, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:180(idmap_found_domain_backend)
  idmap_found_domain_backend: Found idmap domain "*"
[2016/12/05 07:50:51.418053, 10, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:465(idmap_find_domain)
  idmap_find_domain called for domain 'ZELGROUP'
[2016/12/05 07:50:51.418063, 10, pid=7374, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:198(_wbint_Sids2UnixIDs)
  sids_to_unixids returned NT_STATUS_OK
[2016/12/05 07:50:51.418082, 1, pid=7374, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
    out: struct wbint_Sids2UnixIDs
      ids : *
        ids: struct wbint_TransIDArray
          num_ids : 0x00000001 (1)
          ids: ARRAY(1)
            ids: struct wbint_TransID
              type : ID_TYPE_UID (1)
              domain_index : 0x00000000 (0)
              rid : 0x000001f4 (500)
              xid: struct unixid
                id : 0xffffffff (4294967295)
                type : ID_TYPE_NOT_SPECIFIED (0)
      result : NT_STATUS_OK
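
As an added example (not code from this bug report or from Samba): a Python check in the spirit of the testparm error proposed in the thread. It flags idmap_hash ranges narrower than 1000-2147483647 and shows where RID 500 would land for the domain hashes in the log. It assumes ids are laid out as a 12-bit domain hash above a 19-bit RID, which fits the 31-bit ids and roughly 500,000-id subranges described in the thread but is not stated on this page; `hash_ranges`, `hashed_id` and `audit` are hypothetical names.

```python
import re

RID_BITS = 19            # assumption: low 19 bits hold the RID, upper 12 the domain hash
MIN_ID, MAX_ID = 1000, 2147483647   # full range given in the thread

CONF = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
LEGACY = re.compile(r"^\s*idmap backend\s*=\s*(\S+)", re.I)

# Domain hashes as logged by idmap_hash_initialize in the report.
DOMAIN_HASHES = {"QEOS-183": 3850, "ZELGROUP": 1384, "ZELTRUST": 2974, "CHILD": 2682}
# Configurations quoted in the thread: the failing one and the corrected one.
BAD_CONF = "idmap config * : backend = hash\nidmap config * : range = 10000000-19999999\n"
GOOD_CONF = "idmap config * : backend = hash\nidmap config * : range = 1000-2147483647\n"

def hash_ranges(conf_text):
    """Return {domain: (low, high) or None} for each idmap domain using the hash backend."""
    backends, ranges = {}, {}
    for line in conf_text.splitlines():
        legacy = LEGACY.match(line)
        if legacy:                       # old-style "idmap backend = hash" applies to "*"
            backends.setdefault("*", legacy.group(1).lower())
        m = CONF.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "backend":
            backends[dom] = val.lower()
        else:
            low, high = val.split("-")
            ranges[dom] = (int(low), int(high))
    return {d: ranges.get(d) for d, b in backends.items() if b == "hash"}

def hashed_id(domain_hash, rid):
    """Assumed id layout: 12-bit domain hash above a 19-bit RID."""
    return (domain_hash << RID_BITS) | (rid & ((1 << RID_BITS) - 1))

def audit(conf_text, domain_hashes=DOMAIN_HASHES, rid=500):
    """List range problems; rid=500 is the RID in the logged request."""
    findings = []
    for dom, rng in hash_ranges(conf_text).items():
        if rng is None or rng[0] > MIN_ID or rng[1] < MAX_ID:
            findings.append(f"{dom}: range {rng} does not cover {MIN_ID}-{MAX_ID}")
        for name, h in domain_hashes.items():
            uid = hashed_id(h, rid)
            if rng is None or not rng[0] <= uid <= rng[1]:
                findings.append(f"{dom}: {name} RID {rid} -> {uid} is outside {rng}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BAD_CONF)) or "ok")
```

Under the assumed layout, ZELGROUP's RID 500 maps to 725615092, which lies outside both ranges that failed in the thread and inside the corrected one.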