On Thu, Jun 27, 2019 at 02:52:41PM -0000, Carwyn Edwards wrote:
I _think_ I've found an issue with the combination of sssd and samba on RHEL/CentOS 7.6. There are a few threads in the list history about how to get these two to play nice despite the current "unsupported" status from RH. The gist of the issues is:
- Need to make sure only samba, or nothing, is updating the machine password, since if sssd does it, it won't update the secrets in samba's database.
- Have to allocate an idmap range for the sss backend _and_ give a bit of space for a default backend to do its thing.
This seems to be as simple as:
Remove sssd-libwbclient and only use libwbclient (RPMs)
# /etc/samba/smb.conf:
[global]
workgroup = AD
security = ads
realm = ad.mydomain.com
kerberos method = system keytab
idmap config AD : backend = sss
idmap config AD : range = 10000-1999999999
idmap config * : backend = tdb
idmap config * : range = 9000-9999
# /etc/sssd/sssd.conf seems to need to contain (along with whatever realmd generates):
ldap_id_mapping = True                        # use sssd mastered uids/gids
ad_maximum_machine_account_password_age = 0   # stop sssd messing with host password
We also have:
ignore_group_members = True      # for speed
ldap_idmap_range_size = 2000000  # we have lots of users
Then join, making sure to use net join, not adcli:
$ realm join --membership-software=samba -U mydomain_admin ad.mydomain.com
On Fedora 30 the above works perfectly with all wbinfo commands working as expected and samba shares behave.
Fedora 30:
$ rpm -q sssd samba
sssd-2.2.0-1.fc30.x86_64
samba-4.10.4-1.fc30.x86_64
BUT (big but)
On CentOS 7.6 with exactly the same configuration .. it only sometimes works.
Yes, we missed a change in Samba's idmap interface https://bugzilla.redhat.com/show_bug.cgi?id=1707759 / https://pagure.io/SSSD/sssd/issue/4005 which affects CentOS 7.6. It is already fixed in Fedora and will be fixed in 7.7 as well.
bye, Sumit
$ rpm -q sssd samba
sssd-1.16.2-13.el7_6.8.x86_64
samba-4.8.3-4.el7.x86_64
I end up with behaviour along these lines:
# Config and domain join as above, then try some lookups.
$ wbinfo -n user086
S-1-5-21-*-*-*-39092 SID_USER (1)
$ wbinfo -S S-1-5-21-*-*-*-39092
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-39092 to uid
$ systemctl stop smb
$ systemctl restart winbind
$ wbinfo -S S-1-5-21-*-*-*-39092
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-39092 to uid
$ systemctl restart sssd
$ wbinfo -S S-1-5-21-*-*-*-39092
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-39092 to uid
$ systemctl restart sssd
$ wbinfo -S S-1-5-21-*-*-*-39092
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-39092 to uid
# Wait around 30 seconds ... ****** THIS BIT ******
$ wbinfo -S S-1-5-21-*-*-*-39092
42239092
Another run after scrubbing all config and tdb files, then after rejoin:
$ wbinfo -n user21b
S-1-5-21-*-*-*-179094 SID_USER (1)
$ wbinfo -n user20b
S-1-5-21-*-*-*-153534 SID_USER (1)
$ wbinfo -s S-1-5-21-*-*-*-179094
AD\user21b 1
$ wbinfo -s S-1-5-21-*-*-*-153534
AD\user20b 1
$ wbinfo -S S-1-5-21-*-*-*-153534
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-153534 to uid
$ wbinfo -S S-1-5-21-*-*-*-179094
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-*-*-*-179094 to uid
$ systemctl restart winbind
$ systemctl restart sssd
# wbinfo -n user21b
S-1-5-21-*-*-*-179094 SID_USER (1)
# wbinfo -n user20b
S-1-5-21-*-*-*-153534 SID_USER (1)
# wbinfo -s S-1-5-21-*-*-*-179094
AD\user21b 1
# wbinfo -s S-1-5-21-*-*-*-153534
AD\user20b
# wbinfo -S S-1-5-21-*-*-*-179094
42379094
# wbinfo -S S-1-5-21-*-*-*-153534
42353534
I'm still trying to nail down what's going on here, but it feels very timing orientated. Left for a few hours, a working config suddenly doesn't seem to want to resolve the sss-based id resolution. The wbinfo -S queries are the ones that stop working (sid to uid); all the -s, -i, -n queries still work, and -t and -D AD still say sensible things.
Importantly I can't get any of this to break on Fedora 30 though with the sssd and samba versions noted above.
Not sure if this is on the samba side or sssd-winbind-idmap .. or if I'm simply losing my mind here :)
Are there any known bugs or re-workings to the sss or winbind bits between sssd 1.16 and 2.2 or samba 4.8 and 4.10 that would account for this?
Carwyn
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
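The two rules Carwyn lists for the sssd/samba split (a sss idmap backend for the AD domain plus a non-overlapping default range, and samba alone rotating the machine password) are easy to get subtly wrong by hand. The following is an added example, not code from the thread or from either project: a small checker that parses the smb.conf and sssd.conf fragments above (constructed inline samples) and reports deviations from those rules. The workgroup name `AD` and realm `ad.mydomain.com` are taken from the thread; the function names are my own.

```python
import configparser
# Constructed samples mirroring the smb.conf / sssd.conf fragments from the thread.
SMB_CONF = """[global]
workgroup = AD
idmap config AD : backend = sss
idmap config AD : range = 10000-1999999999
idmap config * : backend = tdb
idmap config * : range = 9000-9999
"""
SSSD_CONF = """[domain/ad.mydomain.com]
ldap_id_mapping = True
ad_maximum_machine_account_password_age = 0
"""
def parse_idmap(smb_conf_text):
    """Return {domain: {"backend": str, "range": (lo, hi)}} from smb.conf [global]."""
    # "=" is the only delimiter, so the ":" in "idmap config AD : range" stays in the key.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep domain names case-sensitive
    cp.read_string(smb_conf_text)
    idmap = {}
    for key, value in cp["global"].items():
        if not key.startswith("idmap config "):
            continue
        dom, _, opt = key[len("idmap config "):].partition(":")
        entry = idmap.setdefault(dom.strip(), {})
        if opt.strip() == "range":
            entry["range"] = tuple(int(x) for x in value.split("-"))
        else:
            entry[opt.strip()] = value.strip()
    return idmap
def audit(smb_conf_text, sssd_conf_text, workgroup="AD", realm="ad.mydomain.com"):
    """Return a list of problems with the sss/winbind idmap split; [] means it looks sane."""
    problems = []
    idmap = parse_idmap(smb_conf_text)
    ad, default = idmap.get(workgroup, {}), idmap.get("*", {})
    if ad.get("backend") != "sss":
        problems.append(f"idmap config {workgroup} : backend should be sss")
    if "range" not in default:
        problems.append("'idmap config * : range' for the default backend is missing")
    if "range" in ad and "range" in default:
        (alo, ahi), (dlo, dhi) = ad["range"], default["range"]
        if alo <= dhi and dlo <= ahi:  # closed intervals overlap
            problems.append(f"{workgroup} range overlaps the default '*' range")
    sp = configparser.ConfigParser(interpolation=None)
    sp.read_string(sssd_conf_text)
    dom = sp[f"domain/{realm}"]
    if dom.get("ad_maximum_machine_account_password_age") != "0":
        problems.append("ad_maximum_machine_account_password_age should be 0 so only samba rotates the machine password")
    return problems
```

Note that a clean result from this check does not rule out the timing issue in the thread, which Sumit attributes to the idmap interface change rather than to configuration.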