Bug 1979959
| Summary: | Samba autorid fails to map AD users if id rangesize fits in the id range only once | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Aleksandr Sharov <asharov> | |
| Component: | samba | Assignee: | Andreas Schneider <asn> | |
| Status: | CLOSED ERRATA | QA Contact: | Denis Karpelevich <dkarpele> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.4 | CC: | aboscatt, asn, dkarpele, gdeschner, jarrpa | |
| Target Milestone: | beta | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | samba-4.15.5-2.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2044231 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-10 15:27:35 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2044231 | |||
Note that the range is too big by 1! idmap config * : rangesize = 100000 idmap config * : range = 100000-199999 100000-200000 => This is a rangesize of 100001 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: samba security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:2074 |
Description of problem: If you set up a valid config like this: [root@client78 ~]# testparm -s Load smb config files from /etc/samba/smb.conf Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER # Global parameters [global] debug pid = Yes kerberos method = secrets and keytab log file = /var/log/samba/log.%m max log size = 250000 realm = WIN23.LOCAL security = ADS template homedir = /home/%U@%D template shell = /bin/bash winbind offline logon = Yes winbind refresh tickets = Yes workgroup = WIN23 idmap config * : rangesize = 100000 idmap config * : range = 100000-200000 idmap config * : backend = autorid Samba will fail to get ID for domain user: [root@client78 ~]# wbinfo -u | grep winuser WIN23\winuser [root@client78 ~]# wbinfo -i WIN23\\winuser failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user WIN23\winuser In the logs, you can see message like: /var/log/samba/log.winbindd-idmap: High uid-low uid difference of 100001 is not a multiple of the rangesize 100000, limiting ranges to lower boundary number of 1 It seems that if we use idrangesize that is bigger that at least 1/2 of the range, all BUILTIN users get mapped in the first range, and all domains users cannot be mapped because second range is out of range size. Version-Release number of selected component (if applicable): samba-4.10.4-11.el7_8.x86_64 How reproducible: fully reproducable Steps to Reproduce: 1. Join the domain with samba 2. Setup the ranges as an example 3. Clear cache 4. Request wbinfo -i adusername Actual results: mapping failed Expected results: if the configuration is invalid, it should prove some feedback on it, if it is valid, it should provide a valid ID mapping Additional info: