Bug 1401505 - idmap_hash fails to map SID to UID
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Michael Adam
QA Contact: Robin Hack
Duplicates: 1406561 1420930
Reported: 2016-12-05 08:01 EST by Andreas Schneider
Modified: 2017-08-01 14:19 EDT
Fixed In Version: samba-4.6.0-1.el7
Last Closed: 2017-08-01 14:19:59 EDT
Type: Bug

Attachments
smb.conf and logs (26.18 KB, application/octet-stream), 2016-12-05 08:03 EST, Andreas Schneider


External Trackers
Samba Project 12582 (Priority: None, Status: None, Summary: None, Last Updated: 2017-02-15 04:15 EST)
Red Hat Product Errata RHSA-2017:1950 (Priority: normal, Status: SHIPPED_LIVE, Summary: Low: samba security, bug fix, and enhancement update, Last Updated: 2017-08-01 14:09:24 EDT)

Description Andreas Schneider 2016-12-05 08:01:03 EST
Description of problem:

[global]
idmap_hash:name_map = /etc/samba/name_map.cfg
winbind normalize names = yes
winbind nss info = hash
idmap backend = hash
idmap config * : range = 10000-20000
winbind request timeout = 120
realm = ZELGROUP.ZEL
server signing = auto
netbios name = qeos-183
workgroup = ZELGROUP
security = ADS
create krb5 conf = no
password server = *
wins server = 10.34.36.16, 
encrypt passwords = yes
log level = 10


[2016/12/05 07:50:51.415106,  1, pid=7374, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          in: struct wbint_Sids2UnixIDs
              domains                  : *
                  domains: struct lsa_RefDomainList
                      count                    : 0x00000001 (1)
                      domains                  : *
                          domains: ARRAY(1)
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length                   : 0x0010 (16)
                                      size                     : 0x0012 (18)
                                      string                   : *
                                          string                   : 'ZELGROUP'
                                  sid                      : *
                                      sid                      : S-1-5-21-3142488501-2994438553-525746589
                      max_size                 : 0x00000020 (32)
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000001 (1)
                      ids: ARRAY(1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_UID (1)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x000001f4 (500)
                              xid: struct unixid
                                  id                       : 0xffffffff (4294967295)
                                  type                     : ID_TYPE_UID (1)
...
[2016/12/05 07:50:51.417857,  5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding QEOS-183 (S-1-5-21-3362745840-2787642475-2851412109) -> 3850
[2016/12/05 07:50:51.417880,  5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding ZELGROUP (S-1-5-21-3142488501-2994438553-525746589) -> 1384
[2016/12/05 07:50:51.417891,  5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding ZELTRUST (S-1-5-21-614608687-1517273735-1130020060) -> 2974
[2016/12/05 07:50:51.417900,  5, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_hash/idmap_hash.c:166(idmap_hash_initialize)
  idmap_hash_initialize: Adding CHILD (S-1-5-21-3401324024-2538594276-2111078104) -> 2682
[2016/12/05 07:50:51.418026, 10, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:180(idmap_found_domain_backend)
  idmap_found_domain_backend: Found idmap domain "*"
[2016/12/05 07:50:51.418053, 10, pid=7374, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:465(idmap_find_domain)
  idmap_find_domain called for domain 'ZELGROUP'
[2016/12/05 07:50:51.418063, 10, pid=7374, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:198(_wbint_Sids2UnixIDs)
  sids_to_unixids returned NT_STATUS_OK
[2016/12/05 07:50:51.418082,  1, pid=7374, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          out: struct wbint_Sids2UnixIDs
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000001 (1)
                      ids: ARRAY(1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_UID (1)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x000001f4 (500)
                              xid: struct unixid
                                  id                       : 0xffffffff (4294967295)
                                  type                     : ID_TYPE_NOT_SPECIFIED (0)
              result                   : NT_STATUS_OK
Comment 1 Andreas Schneider 2016-12-05 08:03 EST
Created attachment 1228058
smb.conf and logs

This is an issue Robin discovered. I've logged into the machine to get the details; they are in the tarball.
Comment 2 Andreas Schneider 2017-01-17 08:51:47 EST
*** Bug 1406561 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Schneider 2017-02-10 05:00:05 EST
*** Bug 1420930 has been marked as a duplicate of this bug. ***
Comment 4 Michael Adam 2017-02-14 11:53:07 EST
There is no real problem in the bug report, just a few log snippets.

Looking at the config, the range is too small.
Hash divides the range into subranges for treated domains.
Each range has a size of roughly 500,000 ids. (20 bit).

So we likely need to document this better.
And possibly add some error message or treatment
for invalid configuration (like this one).
Comment 5 Andreas Schneider 2017-02-15 04:15:05 EST
I will improve the manpage and add an error in testparm.
Comment 6 Jon Veencamp 2017-02-21 10:05:45 EST
Can I add a comment?  Might be premature.  But I opened this bugzilla, and am under pressure to resolve.

I saw the comment about range being too small.  I'll note we get the same error with: 
       idmap config * : backend = hash
       idmap config * : range = 10000000-19999999
Comment 7 Andreas Schneider 2017-02-23 08:33:07 EST
The patches are not upstream yet but the change for the manpage will be something like this:

DO NOT USE THIS BACKEND

          The idmap_hash plugin implements a hashing algorithm used to map
          SIDs for domain users and groups to 31-bit uids and gids, respectively.
          This plugin also implements the nss_info API and can be used
          to support local name mapping files if enabled via the
          "winbind normalize names" and "winbind nss info"
          parameters in smb.conf.
          The module divides the range into subranges for each domain that is 
          being handled by the idmap config.

          The module needs the complete UID and GID range to be able to map all
          SIDs.  The lowest value for the range should be the smallest ID
          available in the system. This is normally 1000. The highest ID should
          be set to 4294967295.
 
          A smaller range will lead to issues because of the hashing algorithm
          used.


idmap config * : range = 1000-4294967295
Comment 8 Andreas Schneider 2017-02-23 08:49:10 EST
Sorry, it is 2147483647.

idmap config * : range = 1000-2147483647
Comment 9 Jon Veencamp 2017-02-23 09:01:28 EST
This solves the original problem I opened with Red Hat support.  Thanks!
idmap config * : range = 1000-2147483647
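
The range problem discussed in this thread, as an added example that is not part of the bug report or of Samba's code: it recomputes the ID for RID 500 in each domain from the domain hashes logged in the description and checks it against the three ranges mentioned in the comments. The bit layout (domain hash shifted left by 19 bits, combined with the low 19 bits of the RID) is an assumption that is consistent with the 31-bit IDs in the manpage draft; all function names are hypothetical.

```python
import re

# Assumed layout (not stated on the page): a 12-bit domain hash sits above
# the low 19 bits of the RID, giving a 31-bit Unix ID.
RID_BITS = 19
RID_MASK = (1 << RID_BITS) - 1

# Sample input: the idmap_hash_initialize messages from the bug description,
# with the timestamp header lines left out.
LOG = """\
idmap_hash_initialize: Adding QEOS-183 (S-1-5-21-3362745840-2787642475-2851412109) -> 3850
idmap_hash_initialize: Adding ZELGROUP (S-1-5-21-3142488501-2994438553-525746589) -> 1384
idmap_hash_initialize: Adding ZELTRUST (S-1-5-21-614608687-1517273735-1130020060) -> 2974
idmap_hash_initialize: Adding CHILD (S-1-5-21-3401324024-2538594276-2111078104) -> 2682
"""

ADDING = re.compile(r"Adding (\S+) \(S-[\d-]+\) -> (\d+)")
RANGE = re.compile(r"^\s*idmap config \* : range = (\d+)\s*-\s*(\d+)\s*$", re.M)


def domain_hashes(log):
    """Return {domain name: domain hash} parsed from the log text."""
    return {m.group(1): int(m.group(2)) for m in ADDING.finditer(log)}


def hashed_id(domain_hash, rid):
    """Unix ID for a RID under the assumed bit layout."""
    return (domain_hash << RID_BITS) | (rid & RID_MASK)


def parse_range(conf):
    """Return (low, high) from the default-domain idmap range line."""
    match = RANGE.search(conf)
    if match is None:
        raise ValueError("no 'idmap config * : range' line found")
    return int(match.group(1)), int(match.group(2))


def unmappable(conf, log, rid=500):
    """Return {domain: id} for domains whose ID for `rid` misses the range."""
    low, high = parse_range(conf)
    ids = {dom: hashed_id(h, rid) for dom, h in domain_hashes(log).items()}
    return {dom: uid for dom, uid in ids.items() if not low <= uid <= high}


if __name__ == "__main__":
    for rng in ("10000-20000", "10000000-19999999", "1000-2147483647"):
        bad = unmappable(f"idmap config * : range = {rng}\n", LOG)
        print(rng, "->", bad or "every domain fits")
```

Under that assumption the largest possible ID is 2147483647, which is why only the last range leaves no domain unmapped.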
Comment 11 Andrej Dzilský 2017-05-30 10:20:07 EDT
Thanks Andreas, problem in this bug report now seems to be resolved.
Comment 12 errata-xmlrpc 2017-08-01 14:19:59 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1950
