On Thu, Jun 27, 2019 at 02:52:41PM -0000, Carwyn Edwards wrote:
> I _think_ I've found an issue with the combination of sssd and
> samba on RHEL/CentOS 7.6. There are a few threads in the list history about how to get
> these two to play nice despite the current "unsupported" status from RH. The
> gist of the issues is:
> * Need to make sure only samba or nothing is updating the machine passwords, as if sssd
> is doing it, it won't update the secrets in samba's database.
> * Have to allocate an idmap range for the sss backend _and_ give a bit of space for a
> default backend to do its thing.
> This seems to be as simple as:
> Remove sssd-libwbclient and only use libwbclient (RPMs)
> # /etc/samba/smb.conf:
> [global]
> workgroup = AD
> security = ads
> realm = ad.mydomain.com
> kerberos method = system keytab
> idmap config AD : backend = sss
> idmap config AD : range = 10000-1999999999
> idmap config * : backend = tdb
> idmap config * : range = 9000-9999
> # /etc/sssd/sssd.conf seems to need to contain (along with whatever realmd generates):
> ldap_id_mapping = True # use sssd mastered uids/gids
> ad_maximum_machine_account_password_age = 0 # stop sssd messing with host password
> We also have:
> ignore_group_members = True # for speed
> ldap_idmap_range_size = 2000000 # we have lots of users
> Then join, making sure to use net join, not adcli:
> $ realm join --membership-software=samba -U mydomain_admin ad.mydomain.com
> On Fedora 30 the above works perfectly, with all wbinfo commands working as expected and
> samba shares behaving.
> Fedora 30:
> $ rpm -q sssd samba
> sssd-2.2.0-1.fc30.x86_64
> samba-4.10.4-1.fc30.x86_64
> BUT (big but)
> On CentOS 7.6 with exactly the same configuration .. it only sometimes works.
Yes, we missed a change in Samba's idmap interface
https://bugzilla.redhat.com/show_bug.cgi?id=1707759 /
https://pagure.io/SSSD/sssd/issue/4005 which affects CentOS 7.6. It is
already fixed in Fedora and will be fixed in 7.7 as well.
bye,
Sumit
>
> $ rpm -q sssd samba
> sssd-1.16.2-13.el7_6.8.x86_64
> samba-4.8.3-4.el7.x86_64
>
> I end up with behaviour along these lines:
>
> # Config and domain join as above, then try some lookups.
>
> $ wbinfo -n user086
> S-1-5-21-*-*-*-39092 SID_USER (1)
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
>
> $ systemctl stop smb
> $ systemctl restart winbind
>
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
>
> $ systemctl restart sssd
>
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
>
> $ systemctl restart sssd
>
> $ wbinfo -S S-1-5-21-*-*-*-39092
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-39092 to uid
>
> # Wait around 30 seconds ... ****** THIS BIT ******
>
> $ wbinfo -S S-1-5-21-*-*-*-39092
> 42239092
>
>
> Another run after scrubbing all config and tdb files, then after rejoin:
>
> $ wbinfo -n user21b
> S-1-5-21-*-*-*-179094 SID_USER (1)
> $ wbinfo -n user20b
> S-1-5-21-*-*-*-153534 SID_USER (1)
>
> $ wbinfo -s S-1-5-21-*-*-*-179094
> AD\user21b 1
> $ wbinfo -s S-1-5-21-*-*-*-153534
> AD\user20b 1
>
> $ wbinfo -S S-1-5-21-*-*-*-153534
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-153534 to uid
> $ wbinfo -S S-1-5-21-*-*-*-179094
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-*-*-*-179094 to uid
>
> $ systemctl restart winbind
> $ systemctl restart sssd
>
> # wbinfo -n user21b
> S-1-5-21-*-*-*-179094 SID_USER (1)
> # wbinfo -n user20b
> S-1-5-21-*-*-*-153534 SID_USER (1)
> # wbinfo -s S-1-5-21-*-*-*-179094
> AD\user21b 1
> # wbinfo -s S-1-5-21-*-*-*-153534
> AD\user20b
> # wbinfo -S S-1-5-21-*-*-*-179094
> 42379094
> # wbinfo -S S-1-5-21-*-*-*-153534
> 42353534
>
> I'm still trying to nail down what's going on here, but it feels very timing
> orientated. Left for a few hours, a working config suddenly doesn't seem to want to
> resolve the sss based id resolution. The wbinfo -S queries are the ones that stop working
> (sid to uid); all the -s, -i, -n queries still work and -t and -D AD still say sensible
> things.
>
> Importantly, I can't get any of this to break on Fedora 30 though, with the sssd
> and samba versions noted above.
>
> Not sure if this is on the samba side or sssd-winbind-idmap .. or if I'm simply
> losing my mind here :)
>
> Are there any known bugs or re-workings to the sss or winbind bits between sssd 1.16
> and 2.2 or samba 4.8 and 4.10 that would account for this?
>
> Carwyn
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
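As an added example that is not part of the thread: a small Python checker for the two configuration points in Carwyn's summary (only samba renews the machine password, and the sss idmap range does not collide with the default backend's range). The smb.conf and sssd.conf contents are constructed from the values quoted above; the `[domain/...]` section name and the check logic are assumptions, not anything from sssd or samba.

```python
import configparser
import re
# Constructed sample configs mirroring the settings recommended in the thread.
SMB_CONF = """[global]
realm = ad.mydomain.com
idmap config AD : backend = sss
idmap config AD : range = 10000-1999999999
idmap config * : backend = tdb
idmap config * : range = 9000-9999
"""
SSSD_CONF = """[domain/ad.mydomain.com]
ldap_id_mapping = True # use sssd mastered uids/gids
ad_maximum_machine_account_password_age = 0 # stop sssd messing with host password
"""
IDMAP_RE = re.compile(r"^idmap config (\S+)\s*:\s*(backend|range)$")

def load(text):
    # '=' only: ':' is part of samba's "idmap config X : key" option names.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, inline_comment_prefixes=("#",))
    cp.optionxform = str  # keep the domain name's case in the idmap keys
    cp.read_string(text)
    return cp

def parse_idmap(smb_conf):
    """Map each idmap domain ('AD', '*') to its backend and (lo, hi) range."""
    idmap = {}
    for key, value in load(smb_conf)["global"].items():
        m = IDMAP_RE.match(key)
        if m:
            dom, field = m.groups()
            if field == "range":
                value = tuple(int(n) for n in value.split("-"))
            idmap.setdefault(dom, {})[field] = value
    return idmap

def check(smb_conf, sssd_conf, domain="AD"):
    """Return deviations from the recipe; an empty list means it matches."""
    problems, idmap = [], parse_idmap(smb_conf)
    dom, default = idmap.get(domain, {}), idmap.get("*", {})
    if dom.get("backend") != "sss":
        problems.append(f"idmap config {domain} : backend is not sss")
    if "range" not in default:
        problems.append("default idmap backend (*) has no range of its own")
    elif "range" in dom and not (dom["range"][1] < default["range"][0]
                                 or default["range"][1] < dom["range"][0]):
        problems.append(f"{domain} range overlaps the * range")
    sssd = load(sssd_conf)
    for sect in (s for s in sssd.sections() if s.startswith("domain/")):
        if sssd[sect].get("ad_maximum_machine_account_password_age") != "0":
            problems.append(f"{sect}: sssd still renews the machine password")
        if sssd[sect].get("ldap_id_mapping", "").lower() != "true":
            problems.append(f"{sect}: ldap_id_mapping is not True")
    return problems
```

Run `check()` against the real files (after reading them in) to see which of the two points a host deviates from before chasing the timing behaviour described above.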