Bug 1401505 - idmap_hash fails to map SID to UID
Summary: idmap_hash fails to map SID to UID
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Michael Adam
QA Contact: Robin Hack
URL:
Whiteboard:
Duplicates: 1406561 1420930
Depends On:
Blocks:
Reported: 2016-12-05 13:01 UTC by Andreas Schneider
Modified: 2020-04-15 14:56 UTC (History)

Fixed In Version: samba-4.6.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 18:19:59 UTC
Target Upstream Version:
Embargoed:


Attachments
smb.conf and logs (26.18 KB, application/octet-stream)
2016-12-05 13:03 UTC, Andreas Schneider


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1950 0 normal SHIPPED_LIVE Low: samba security, bug fix, and enhancement update 2017-08-01 18:09:24 UTC
Samba Project 12582 0 None None None 2017-02-15 09:15:04 UTC

Description Andreas Schneider 2016-12-05 13:01:03 UTC
Description of problem:

[global]
idmap_hash:name_map = /etc/samba/name_map.cfg
winbind normalize names = yes
winbind nss info = hash
idmap backend = hash
idmap config * : range = 10000-20000
winbind request timeout = 120
realm = ZELGROUP.ZEL
server signing = auto
netbios name = qeos-183
workgroup = ZELGROUP
security = ADS
create krb5 conf = no
password server = *
wins server = 10.34.36.16, 
encrypt passwords = yes
log level = 10


[2016/12/05 07:50:51.415106,  1, pid=7374, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          in: struct wbint_Sids2UnixIDs
              domains                  : *
                  domains: struct lsa_RefDomainList
                      count                    : 0x00000001 (1)
                      domains                  : *
                          domains: ARRAY(1)
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length                   : 0x0010 (16)
                                      size                     : 0x0012 (18)
                                      string                   : *
                                          string                   : 'ZELGROUP'
                                  sid                      : *
                                      sid                      : S-1-5-21-3142488501-2994438553-525746589
                      max_size                 : 0x00000020 (32)
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000001 (1)
                      ids: ARRAY(1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_UID (1)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x000001f4 (500)
                              xid: struct unixid
                                  id                       : 0xffffffff (4294967295)
                                  type                     : ID_TYPE_UID (1)
...
[2016/12/05 07:50:51.417857,  5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding QEOS-183 (S-1-5-21-3362745840-2787642475-2851412109) -> 3850
[2016/12/05 07:50:51.417880,  5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding ZELGROUP (S-1-5-21-3142488501-2994438553-525746589) -> 1384
[2016/12/05 07:50:51.417891,  5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding ZELTRUST (S-1-5-21-614608687-1517273735-1130020060) -> 2974
[2016/12/05 07:50:51.417900,  5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding CHILD (S-1-5-21-3401324024-2538594276-2111078104) -> 2682
[2016/12/05 07:50:51.418026, 10, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:180(idmap_found_domain_backend)
  idmap_found_domain_backend: Found idmap domain "*"
[2016/12/05 07:50:51.418053, 10, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:465(idmap_find_domain)
  idmap_find_domain called for domain 'ZELGROUP'
[2016/12/05 07:50:51.418063, 10, pid=7374, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:198(_wbint_Sids2UnixIDs)
  sids_to_unixids returned NT_STATUS_OK
[2016/12/05 07:50:51.418082,  1, pid=7374, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          out: struct wbint_Sids2UnixIDs
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000001 (1)
                      ids: ARRAY(1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_UID (1)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x000001f4 (500)
                              xid: struct unixid
                                  id                       : 0xffffffff (4294967295)
                                  type                     : ID_TYPE_NOT_SPECIFIED (0)
              result                   : NT_STATUS_OK

Comment 1 Andreas Schneider 2016-12-05 13:03:37 UTC
Created attachment 1228058 [details]
smb.conf and logs

This is an issue Robin discovered. I've logged into the machine to get the details; they are in the tarball.

Comment 2 Andreas Schneider 2017-01-17 13:51:47 UTC
*** Bug 1406561 has been marked as a duplicate of this bug. ***

Comment 3 Andreas Schneider 2017-02-10 10:00:05 UTC
*** Bug 1420930 has been marked as a duplicate of this bug. ***

Comment 4 Michael Adam 2017-02-14 16:53:07 UTC
There is no real problem in the bug report, just a few log snippets.

Looking at the config, the range is too small.
Hash divides the range into subranges for treated domains.
Each range has a size of roughly 500,000 ids (20 bit).

So we likely need to document this better.
And possibly add some error message or treatment
for invalid configuration (like this one).

Comment 5 Andreas Schneider 2017-02-15 09:15:05 UTC
I will improve the manpage and add an error in testparm.

Comment 6 Jon Veencamp 2017-02-21 15:05:45 UTC
Can I add a comment?  Might be premature.  But I opened this bugzilla, and am under pressure to resolve.

I saw the comment about range being too small.  I'll note we get the same error with: 
       idmap config * : backend = hash
       idmap config * : range = 10000000-19999999

Comment 7 Andreas Schneider 2017-02-23 13:33:07 UTC
The patches are not upstream yet but the change for the manpage will be something like this:

DO NOT USE THIS BACKEND

          The idmap_hash plugin implements a hashing algorithm used to map
          SIDs for domain users and groups to 31-bit uids and gids, respectively.
          This plugin also implements the nss_info API and can be used
          to support local name mapping files if enabled via the
          "winbind normalize names" and "winbind nss info"
          parameters in smb.conf.
          The module divides the range into subranges for each domain that is 
          being handled by the idmap config.

          The module needs the complete UID and GID range to be able to map all
          SIDs.  The lowest value for the range should be the smallest ID
          available in the system. This is normally 1000. The highest ID should
          be set to 4294967295.
 
          A smaller range will lead to issues because of the hashing algorithm
          used.


idmap config * : range = 1000-4294967295

Comment 8 Andreas Schneider 2017-02-23 13:49:10 UTC
Sorry, it is 2147483647.

idmap config * : range = 1000-2147483647

Comment 9 Jon Veencamp 2017-02-23 14:01:28 UTC
This solves the original problem I opened with redhat support.  Thanks!
idmap config * : range = 1000-2147483647
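
Added example, not part of the bug thread and not Samba's own code: a Python reproduction of the per-domain subrange layout discussed in Comments 4 to 8, checked against the four idmap_hash_initialize log lines in the description. The fold in `domain_hash` and the 19-bit RID offset are assumptions about the module's layout (the page shows only the resulting hashes and "roughly 500,000 ids" per subrange), and all function names are hypothetical.

```python
# Added illustration, not Samba code. Assumption: the layout is a 12-bit
# domain hash followed by the low 19 bits of the RID; the page itself only
# shows the resulting per-domain hash values in its log.
RID_BITS = 19                     # 2**19 = 524,288 ids per domain subrange
RID_MASK = (1 << RID_BITS) - 1

# Domain SIDs and hashes copied from the idmap_hash_initialize log lines.
LOGGED = {
    "S-1-5-21-3362745840-2787642475-2851412109": 3850,  # QEOS-183
    "S-1-5-21-3142488501-2994438553-525746589": 1384,   # ZELGROUP
    "S-1-5-21-614608687-1517273735-1130020060": 2974,   # ZELTRUST
    "S-1-5-21-3401324024-2538594276-2111078104": 2682,  # CHILD
}

def domain_hash(domain_sid):
    """Fold the three 32-bit domain sub-authorities into a 12-bit value."""
    parts = domain_sid.split("-")
    if len(parts) != 7 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("expected a domain SID of the form S-1-5-21-a-b-c")
    a, b, c = (int(p) for p in parts[4:])
    h = (a ^ b ^ c) & 0xFFFFFFFF
    return (((h & 0xFFF00000) >> 20) + ((h & 0x000FFF00) >> 8)
            + (h & 0x000000FF)) & 0xFFF

def mapped_id(domain_sid, rid):
    """Unix ID this layout assigns to <domain_sid>-<rid>."""
    return (domain_hash(domain_sid) << RID_BITS) | (rid & RID_MASK)

def subrange_fits(range_value, domain_sid):
    """True if the domain's whole 2**19-id subrange lies inside 'low-high'."""
    low, high = (int(x) for x in range_value.split("-"))
    first = domain_hash(domain_sid) << RID_BITS
    return low <= first and (first | RID_MASK) <= high

def unusable_domains(range_value, domain_sids):
    """Domain SIDs whose subrange falls outside the configured idmap range."""
    return [s for s in domain_sids if not subrange_fits(range_value, s)]

if __name__ == "__main__":
    # The three ranges that appear in the description and Comments 6 and 8.
    for rng in ("10000-20000", "10000000-19999999", "1000-2147483647"):
        bad = unusable_domains(rng, LOGGED)
        print(f"range = {rng}: {len(bad)} of {len(LOGGED)} domains do not fit")
    zel = "S-1-5-21-3142488501-2994438553-525746589"
    print("ZELGROUP RID 500 ->", mapped_id(zel, 500))
```

With the ranges from the description and Comment 6, none of the four logged domains fits; with 1000-2147483647 all of them do.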

Comment 11 Andrej Dzilský 2017-05-30 14:20:07 UTC
Thanks Andreas, problem in this bug report now seems to be resolved.

Comment 12 errata-xmlrpc 2017-08-01 18:19:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1950

