# linux client to authenticate windows server using idmap_rid

## mattmatteh

I am trying to get this working https://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html

```
[global]
        workgroup = MYWORK
        realm = MYWORK.COM
        server string = Samba Server
        security = ADS
        allow trusted domains = No
        kerberos method = secrets and keytab
        max protocol = SMB2
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        show add printer wizard = No
        local master = No
        domain master = No
        template homedir = /home/%U
        template shell = /bin/bash
        winbind refresh tickets = Yes
        idmap config * : range = 20000 - 21000
        idmap config MYWORK : range = 1000 - 10000
        idmap config MYWORK : base_rid = 1000
        idmap config MYWORK : backend = rid
        idmap config * : backend = tdb
        invalid users = root
```

I thought this was working earlier this afternoon, but it is not now.

```
dataservicesmj / # net rpc testjoin MYWORK\\matth
Unable to find a suitable server for domain MYWORK
Join to domain 'MYWORK' is not valid: NT_STATUS_UNSUCCESSFUL
dataservicesmj / # net rpc testjoin matth
Unable to find a suitable server for domain MYWORK
Join to domain 'MYWORK' is not valid: NT_STATUS_UNSUCCESSFUL
```

wbinfo mostly works except for -i and -r

```
dataservicesmj / # wbinfo -i MYWORK\\matth
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user MYWORK\matth
dataservicesmj / # wbinfo -i matth
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user matth
dataservicesmj / # wbinfo -r MYWORK\\matth
2982
5199
6202
dataservicesmj / # wbinfo -r matth
2982
5199
6202
dataservicesmj / # wbinfo -n matth
S-1-5-21-1101513176-159291237-519397536-5811 SID_USER (1)
dataservicesmj / # wbinfo -n MYWORK\\matth
S-1-5-21-1101513176-159291237-519397536-5811 SID_USER (1)
dataservicesmj / # wbinfo -S S-1-5-21-1101513176-159291237-519397536-5811
5811
dataservicesmj / # wbinfo -s S-1-5-21-1101513176-159291237-519397536-5811
MYWORK\matth 1
dataservicesmj / # wbinfo -u | wc -l
397
```

I kinda had this working a few days ago.  While trying to get pam_mount to work it started acting up.  By that I mean the UID was either 6811 or 4811.  While messing with pam, I never touched nsswitch, pam.d/* or smb.conf; ls -l showed time stamps from last week.  And it would not work at all if I blew away /var/cache/samba, which shouldn't matter since there is no local id mapping; that's the whole point of using rid, I thought.

I am really stumped as to why this is not working.  Either I have this set up wrong, the server is weird, or I found a bug.  Also, the server is Windows and I do not maintain it.  The other IT guy stopped by to enter the Administrator password to grant machine authentication (if that's the right term for it).

----------

## vaxbrat

"net rpc" was used for NT style domains, you want to do

```
net ads testjoin
```

idmap_rid still caches sid information in the winbind tdb file in /var/lib/samba.  When I have trouble with the domain, I will be blowing away the tdb files in /var/lib/samba while debugging what's wrong with winbind.  I also blow away everything in /var/log/samba between restarts of the services.

The way idmap_rid works is that it uses the 'relative' id part of a sid when mapping sids to rids.  The algorithm used guarantees that a sid for a domain will map to the same uid or gid no matter what.  When juggling multiple domains, the "idmap domain" newer style syntax allows a multi-domain site to avoid rid collisions by assigning subranges of the "idmap alloc" range to each domain.

So yeah, you do care about the winbind<mumble>.tdb files because winbind will look at them first before going out to query the domain.  If a misconfiguration from before generated garbage, you will still have problems until you blow them away.

The default logging for winbind and winbind_idmap is not good enough usually if you are having configuration problems.  Go into your /etc/conf.d/samba to change:

```
winbind_start_options=""
```

to something higher like 

```
winbind_start_options="-d5"
```

You then might get a clue in the idmap log in /var/log/samba about the horrors going on between your samba and the dc.

My typical winbind test looks like:

Stop samba

Fix smb.conf or whatever

turn on winbind daemon debugging as I noted

blow away the .tdb files in /var/lib/samba

rm -rf everything inside /var/log/samba

start samba

"getent passwd"

If that getent doesn't work, look at the idmap  and other /var/log/samba files

----------
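The reset-and-test loop vaxbrat describes above, written out as a sh function. This is an added example, not code posted in the thread, and it differs from the description in two deliberate ways: only winbind's own cache and idmap databases are moved aside (into a timestamped backup under the state directory rather than deleted, so a bad attempt can be rolled back), and secrets.tdb is never touched, because it holds the machine account password from the domain join and removing it means re-joining. The Samba directories and the init script are parameters; the file list assumes the default database names winbindd_cache.tdb, winbindd_idmap.tdb, gencache.tdb, gencache_notrans.tdb and netsamlogon_cache.tdb, and any that are absent are simply skipped.

```shell
#!/bin/sh
# Added example: a safer version of "stop samba, blow away the tdb files and
# logs, start samba, run getent". Only winbind's cache/idmap databases are
# moved; secrets.tdb (machine account password) is left where it is.

# winbind_cache_files STATE_DIR -> prints the winbind databases that are safe
# to clear. Names are the Samba defaults (assumption); missing ones are skipped.
winbind_cache_files() {
    for f in winbindd_cache.tdb winbindd_idmap.tdb gencache.tdb \
             gencache_notrans.tdb netsamlogon_cache.tdb; do
        [ -e "$1/$f" ] && echo "$1/$f"
    done
    return 0
}

# reset_winbind STATE_DIR LOG_DIR SERVICE_CMD
#   SERVICE_CMD is run with "stop" and then "start", e.g. /etc/init.d/samba.
#   Prints the backup directory so the previous state can be restored.
reset_winbind() {
    state_dir=$1; log_dir=$2; service_cmd=$3
    backup="$state_dir/backup-$(date +%Y%m%d%H%M%S)"

    $service_cmd stop || return 1
    mkdir -p "$backup/log" || return 1

    # Move (not delete) the caches so a bad mapping can be put back.
    winbind_cache_files "$state_dir" | while read -r f; do
        mv "$f" "$backup/"
    done

    # Clear the logs too, so the next log.winbindd-idmap only describes this attempt.
    find "$log_dir" -maxdepth 1 -type f -exec mv {} "$backup/log/" \;

    $service_cmd start || return 1
    echo "$backup"
}

# check_user NAME -> 0 if the user resolves through nsswitch (libnss_winbind),
# which is what logins use, rather than only through wbinfo.
check_user() {
    getent passwd "$1" >/dev/null
}

# Typical call on the box from the thread (paths are Gentoo's defaults):
#   reset_winbind /var/lib/samba /var/log/samba /etc/init.d/samba && check_user matth
```

If `check_user` fails after the reset, the fresh log.winbindd-idmap and log.wb-* files under the log directory describe only this attempt, which is the point of clearing them.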

## vaxbrat

Take a look at this thread.  That example works fine for Samba running on RHEL5 but the idmap syntax changed in versions newer than 3.4.x such as is found in RHEL6 and gentoo.

https://forums.gentoo.org/viewtopic-t-991562-highlight-.html

----------

## mattmatteh

 *vaxbrat wrote:*   

> "net rpc" was used for NT style domains, you want to do
> 
> ```
> net ads testjoin
> ```
> ...

 That works

```
dataservicesmj samba # net ads testjoin
Join is OK
```

 *vaxbrat wrote:*   

> idmap_rid still caches sid information in the winbind tdb file in /var/lib/samba.  When I have trouble with the domain, I will be blowing away the tdb files in /var/lib/samba while debugging what's wrong with winbind.  I also blow away everything in /var/log/samba between restarts of the services.

 I have done this many times, and just now too.

 *vaxbrat wrote:*   

> The way idmap_rid works is that it uses the 'relative' id part of a sid when mapping sids to rids.  The algorithm used guarantees that a sid for a domain will map to the same uid or gid no matter what.  When juggling multiple domains, the "idmap domain" newer style syntax allows a multi-domain site to avoid rid collisions by assigning subranges of the "idmap alloc" range to each domain.

 I was wondering what the difference was.  For now I only need to worry about 1 domain.

 *vaxbrat wrote:*   

> ```
> winbind_start_options="-d5"
> ```
> ...

 Just added that now.

 *vaxbrat wrote:*   

> You then might get a clue in the idmap log in /var/log/samba about the horrors going on between your samba and the dc.
> 
> My typical winbind test looks like:
> ...

 This looks strange.  My computer name is a domain name?

/var/log/log.wb-DATASERVICESMJ has several lines like this:

```
name_to_sid: DATASERVICESMJ\ROOT for domain DATASERVICESMJ
```

Does this look right?  I am reading that as my computer name is a domain name?

```
dataservicesmj samba # wbinfo --online-status
BUILTIN : online
DATASERVICESMJ : online
JETLITHO : online
```

----------

## mattmatteh

also just found this

```
log.winbindd-idmap:  no backend defined for idmap config DATASERVICESMJ
```

again suggesting that something thinks my computer name is a domain

----------

## mattmatteh

Should this fail?

```
nmblookup -U jservdc01.mywork.com -R dataservicesmj
name_query failed to find name dataservicesmj
```

This works

```
nmblookup -U dataservicesmj.mywork.com -R dataservicesmj
Got a positive name query response from 10.201.1.93 ( 10.201.1.93 )
10.201.1.93 dataservicesmj<00>
```

----------

## mattmatteh

just tried

```
wbinfo -i matth
```

and got this

```
dataservicesmj / # grep -r -C 10  matth /var/log/samba/*
/var/log/samba/log.winbindd-  msg_try_to_go_online: received for domain MYWORK.
/var/log/samba/log.winbindd-[2014/06/26 15:34:08.404195,  5] winbindd/winbindd_cm.c:164(msg_try_to_go_online)
/var/log/samba/log.winbindd-  msg_try_to_go_online: domain MYWORK already online.
/var/log/samba/log.winbindd-[2014/06/26 15:34:08.404557,  5] winbindd/winbindd_dual.c:506(winbind_child_died)
/var/log/samba/log.winbindd-  Already reaped child 23204 died
/var/log/samba/log.winbindd-[2014/06/26 15:34:09.005788,  3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
/var/log/samba/log.winbindd-  [23205]: request interface version
/var/log/samba/log.winbindd-[2014/06/26 15:34:09.006075,  3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
/var/log/samba/log.winbindd-  [23205]: request location of privileged pipe
/var/log/samba/log.winbindd-[2014/06/26 15:34:09.006438,  3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
/var/log/samba/log.winbindd:  getpwnam matth
/var/log/samba/log.winbindd-[2014/06/26 15:34:09.015517,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
/var/log/samba/log.winbindd-  Could not convert sid S-1-5-21-1101513176-159291237-519397536-5811: NT_STATUS_NONE_MAPPED
```

looks like samba never tries the server MYWORK since I don't see any log for /var/log/samba/log.wb-MYWORK 

```
dataservicesmj / # grep -r NT_STATUS_NONE_MAPPED /var/log/samba/* | uniq
/var/log/samba/log.wb-DATASERVICESMJ:  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-1-5-32-544: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-1-5-32-545: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
/var/log/samba/log.winbindd:  Could not convert sid S-1-5-21-1101513176-159291237-519397536-5811: NT_STATUS_NONE_MAPPED
```

here is /etc/krb5.conf

```
[libdefaults]
        default_realm = MYWORK.COM
        forwardable = true
        fcc-mit-ticketflags = true
        default_keytab_name = FILE:/etc/krb5.keytab

[realms]
        MYWORK.COM = {
                kdc = jservdc01.mywork.com
                admin_server = jservdc01.mywork.com
                default_domain = MYWORK.COM
        }

[domain_realm]
        .mywork.com = MYWORK.COM
        mywork.com = MYWORK.COM

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
```

----------

## vaxbrat

I don't have a new flavor of example config nearby to post at the moment, but I think you have a syntax problem with your idmap config stanzas based on this:

 *Quote:*   

> also just found this
> 
> ...


I had a similar problem trying to specify the backend of a domain as a rid at one point with bad syntax and got a similar error.  You might want to stare at the idmap config sections of the manpage for smb.conf for a good while.  The syntax error is probably what was making everything else go horribly wrong and I have seen cases where a "testparm" didn't find anything wrong with a bad config.

I think you might want to do something like:

```
#
#  Sets the entire range and uses tdb for the backend cache
#
idmap config * : backend = tdb
idmap config * : range = 20000 - 21000
#
#  use rid for MYWORK
#
idmap config MYWORK : backend = rid
#
#  only one domain so grab the entire range for it
#
idmap config MYWORK : range = 20000 - 21000
```

in place of all this:

```
        idmap config * : range = 20000 - 21000
        idmap config MYWORK : range = 1000 - 10000
        idmap config MYWORK : base_rid = 1000
        idmap config MYWORK : backend = rid
        idmap config * : backend = tdb
```

----------

## mattmatteh

 *vaxbrat wrote:*   

> I think you might want to do something like:
> ...

 I have not seen any example where the range is the same for the domain and default.  I did try it and samba didn't even start correctly.

----------

## vaxbrat

Like I said, the default range is the "entire" range for mapping.  Then if you have multiple domains to map, they get subranges of that.  When you said samba didn't start, did you run testparm on the conf file first?  What was the error?

----------

## mattmatteh

 *vaxbrat wrote:*   

> Like I said, the default range is the "entire" range for mapping.  Then if you have multiple domains to map, they get subranges of that.  When you said samba didn't start, did you run testparm on the conf file first?  What was the error?

 I think that error was due to another typo, please ignore that; it's been a long week of testing and trying to figure this out.

I joined #samba on freenode and got some help this afternoon.  This was the change that made it work

```
idmap config MYWORK : base_rid = 512
```

Any number between 0 and 512 will work and anything greater or equal to 513 or unset will cause WBC_ERR_DOMAIN_NOT_FOUND.

The overlapping range doesn't seem to matter, wondering why it's even needed then.

Here is the output from testparm

```
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
WARNING: state directory /var/lib/samba should have permissions 0755 for browsing to work
WARNING: cache directory /var/lib/samba should have permissions 0755 for browsing to work
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = MYWORK
        realm = MYWORK.COM
        security = ADS
        allow trusted domains = No
        kerberos method = secrets and keytab
        max protocol = SMB2
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        show add printer wizard = No
        local master = No
        domain master = No
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config MYWORK :range = 512-10000
        idmap config MYWORK :backend = rid
        idmap config *:range = 512-10000
        idmap config MYWORK : base_rid = 512
        idmap config * : backend = tdb
        invalid users = root
```

So at the moment this mostly works now.  I'll have to play with it more next week.  I would like to figure out base_rid.

----------

## vaxbrat

I've never used base_rid and this is the first I've heard of it.  Don't think it ever made the Perens book, but then again, the version I have is probably more for the 3.4.x and earlier.  I didn't see it in the man pages for smb.conf either.

OTOH they snuck that new idmap "domain" style syntax in on me so I'm not surprised if things broke yet again.  I wonder if it has something to do with the list of "well known" sids for active directory?

http://support.microsoft.com/kb/243330

Notice where "Domain Users" starts there?

----------
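What vaxbrat's explanation of how idmap_rid derives a unix id from the RID, mattmatteh's base_rid finding and the closing hint about where "Domain Users" sits in the well-known RID list add up to, as a short sh script. This is an added example, not something posted in the thread. The arithmetic is the one Samba's idmap_rid backend uses: unix id = RID - base_rid + low end of the domain's range, after which the result is filtered against that range and anything outside it is reported as unmapped (the NT_STATUS_NONE_MAPPED seen in log.winbindd). Winbind's getpwnam needs both the user's SID and the primary group's SID to map, so one unmapped group is enough to fail `wbinfo -i` while `wbinfo -S` on the user's own SID still succeeds. That matth's primary group is Domain Users (RID 513) is an assumption about this domain, since the thread never shows it; the user's RID 5811 is taken from the `wbinfo -n` output above.

```shell
#!/bin/sh
# Added example: idmap_rid's SID -> unix id arithmetic, run against the
# thread's two configurations. Not code from the thread or from Samba.

# sid_rid SID -> the last sub-authority, which is the RID
sid_rid() {
    echo "${1##*-}"
}

# rid_to_id RID BASE_RID LOW HIGH -> prints the unix id, or "unmapped" with
# return status 1 when the result falls outside LOW-HIGH.
# Samba computes this in unsigned 32-bit arithmetic, so a RID below base_rid
# wraps to a huge value and fails the same range filter; a negative number
# here fails it too, so the outcome is identical.
rid_to_id() {
    rid=$1; base=$2; low=$3; high=$4
    xid=$(( rid - base + low ))
    if [ "$xid" -le 0 ] || [ "$xid" -lt "$low" ] || [ "$xid" -gt "$high" ]; then
        echo "unmapped"
        return 1
    fi
    echo "$xid"
}

# check LABEL SID BASE_RID LOW HIGH -> one line saying how winbind would map it
check() {
    rid=$(sid_rid "$2")
    if xid=$(rid_to_id "$rid" "$3" "$4" "$5"); then
        echo "$1: RID $rid -> $xid"
    else
        echo "$1: RID $rid -> out of range $4-$5 (NT_STATUS_NONE_MAPPED)"
    fi
}

USER_SID=S-1-5-21-1101513176-159291237-519397536-5811   # matth, from wbinfo -n
DOMAIN_USERS=S-1-5-21-1101513176-159291237-519397536-513  # assumed primary group

echo "== original smb.conf: base_rid = 1000, range = 1000 - 10000"
check "matth"        "$USER_SID"    1000 1000 10000
check "Domain Users" "$DOMAIN_USERS" 1000 1000 10000

echo "== working smb.conf: base_rid = 512, range = 512-10000"
check "matth"        "$USER_SID"    512 512 10000
check "Domain Users" "$DOMAIN_USERS" 512 512 10000
```

With the first configuration the user maps to 5811 (the value `wbinfo -S` returned) but Domain Users lands at 513, below the range, so the primary group is unmapped; with the second both map. Note that the range and base_rid together fix the final uid, so changing either after users have created files on disk changes who owns those files.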

