Bug #362

samba/winbindd rid.so missing

Added by m4f - almost 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Important
Assignee:
Josh Paetzel
Category:
Middleware
Target version:
-
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Hello,

I installed FreeNAS-8.0-RELEASE from the ISO image into VirtualBox for testing with our Active Directory.

I can access the FreeNAS-VBox via http to configure it.
Then I activated AD and CIFS. Joining the AD and kerberos realm is OK.

wbinfo -u lists all domain users, but getent passwd just lists local users.

So I increased the log level to full and looked into the log files in /var/log/samba. In log.winbindd-idmap I found these two log lines:

[2011/05/23 09:04:36.886339,  3] lib/module.c:48(do_smb_load_module)
  Error loading module '/usr/local/lib/samba/idmap/rid.so': Cannot open "/usr/local/lib/samba/idmap/rid.so" 
[2011/05/23 09:04:36.886393,  3] winbindd/idmap.c:307(idmap_init_domain)
  Could not probe idmap module rid

Which I suspect contains a hint to the problem, because I really can't find rid.so anywhere on the system.

Can somebody help me to fix that problem?
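An added diagnostic, not part of the ticket: it parses Samba debug-log entries of the kind quoted above (header line followed by an indented message) and correlates module-load failures with the `idmap config ... backend` lines of smb.conf. The sample log is the two lines from this report, the sample config lines are taken from the freenas-debug output posted later in the ticket, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Samba debug header, e.g. "[2011/05/23 09:04:36.886339,  3] lib/module.c:48(do_smb_load_module)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+?:\d+)\((?P<func>[^)]*)\)\s*$"
)
# The two messages winbindd logs when an idmap module is missing from disk.
LOAD_ERR_RE = re.compile(r"Error loading module '(?P<path>[^']+)'")
PROBE_ERR_RE = re.compile(r"Could not probe idmap module (?P<backend>\S+)")
# "idmap config DOMAIN : backend = rid" in smb.conf [global]
IDMAP_BACKEND_RE = re.compile(
    r"^\s*idmap config\s+(?P<domain>\S+?)\s*:\s*backend\s*=\s*(?P<backend>\S+)", re.I
)

# Constructed sample input: the log lines quoted in this ticket.
SAMPLE_LOG = """\
[2011/05/23 09:04:36.886339,  3] lib/module.c:48(do_smb_load_module)
  Error loading module '/usr/local/lib/samba/idmap/rid.so': Cannot open "/usr/local/lib/samba/idmap/rid.so"
[2011/05/23 09:04:36.886393,  3] winbindd/idmap.c:307(idmap_init_domain)
  Could not probe idmap module rid
"""

# Constructed sample input: the idmap lines from the smb.conf in this ticket.
SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    idmap uid = 10000-19999
    idmap gid = 10000-19999
    idmap config WORKGROUP: backend = rid
    idmap config WORKGROUP: range = 20000-20000000
"""


@dataclass
class SambaLogEntry:
    timestamp: str
    level: int
    source: str      # file.c:line
    function: str
    message: str = ""


def parse_samba_log(text: str) -> List[SambaLogEntry]:
    """Attach each indented message line to the debug header that precedes it."""
    entries: List[SambaLogEntry] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(SambaLogEntry(m["ts"], int(m["level"]), m["src"], m["func"]))
        elif entries and line.strip():
            cur = entries[-1]
            cur.message = (cur.message + " " + line.strip()).strip()
    return entries


def configured_idmap_backends(smb_conf: str) -> Dict[str, str]:
    """Map each domain named in an 'idmap config DOMAIN: backend = X' line to X."""
    found: Dict[str, str] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_BACKEND_RE.match(line)
        if m:
            found[m["domain"].upper()] = m["backend"].lower()
    return found


def idmap_load_report(log_text: str, smb_conf: str) -> Dict[str, str]:
    """For each configured domain, say whether winbindd could load its idmap backend."""
    missing_paths: Dict[str, str] = {}   # backend name -> path dlopen() could not open
    probe_failed = set()
    for e in parse_samba_log(log_text):
        m = LOAD_ERR_RE.search(e.message)
        if m:
            name = m["path"].rsplit("/", 1)[-1]
            if name.endswith(".so"):
                name = name[:-3]
            missing_paths[name] = m["path"]
        m = PROBE_ERR_RE.search(e.message)
        if m:
            probe_failed.add(m["backend"])
    report: Dict[str, str] = {}
    for domain, backend in configured_idmap_backends(smb_conf).items():
        if backend in missing_paths:
            report[domain] = f"backend '{backend}' missing on disk: {missing_paths[backend]}"
        elif backend in probe_failed:
            report[domain] = f"backend '{backend}' could not be probed"
        else:
            report[domain] = f"backend '{backend}' loaded (no errors logged)"
    return report


if __name__ == "__main__":
    for domain, status in idmap_load_report(SAMPLE_LOG, SAMPLE_SMB_CONF).items():
        print(f"{domain}: {status}")
```

Run against a real /var/log/samba/log.winbindd-idmap at log level 3 or higher, the report tells you directly whether the backend that getent depends on is the one that failed.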

History

#1 Updated by Josh Paetzel almost 10 years ago

I have this on my dev box:

freenas# ls -lah /usr/local/lib/samba/idmap/
total 178
drwxr-xr-x 2 root wheel 512B May 20 04:58 .
drwxr-xr-x 7 root wheel 512B May 20 04:58 ..
-rwxr-xr-x 1 root wheel 33K May 16 09:35 ad.so
-rwxr-xr-x 1 root wheel 80K May 16 09:35 adex.so
-rwxr-xr-x 1 root wheel 20K May 16 09:35 hash.so
-rwxr-xr-x 1 root wheel 13K May 16 09:35 rid.so
-rwxr-xr-x 1 root wheel 27K May 16 09:35 tdb2.so

Which is not running 8.0-RELEASE, but I checked an 8.0-RELEASE image and they are in there.

If those files do not exist on your system perhaps the install is damaged.

#2 Updated by m4f - almost 10 years ago

Hello again,

I downloaded the ISO again, checked the sha256 and did a very fresh installation today.
But this results in the same situation.

During the installation process I don't have much choice to do something wrong?
After booting from CD I choose to install, choose the hard disk, confirm that I want to do all the stuff and then wait until it's done, remove the CD and reboot.
As soon as the machine starts up again, I look into /usr/local/lib/samba/ and therein even the idmap subdirectory doesn't exist.

My installation HDD is 2GB in total, automatically partitioned by the installer.
The root (/) partition has 376M of 458M used, so there should be enough space to copy the required libs.

How do I copy the files manually from the installation CD?

#3 Updated by Josh Paetzel almost 10 years ago

What is the download link you are using? I'd like to take a look at whatever you are getting that doesn't have the libs you need. The installer gives no chance for the user to do anything that would cause them to not be copied, and copying them over manually is pointless as they clearly aren't on your install media or you'd have them.

#4 Updated by m4f - almost 10 years ago

Hello,

I downloaded the ISO by following the sourceforge links, but I can't reconstruct which mirror has been chosen (I use automatic/dynamic mirror selection).

Sorry for the delay,
m4f

#5 Updated by m4f - almost 10 years ago

Hello again,

I redownloaded the image from http://mesh.dl.sourceforge.net/project/freenas/FreeNAS-8/FreeNAS-8.0-RELEASE-i386.iso
checked the sha256 -> OK
compared it with the image I downloaded last time -> equal
So I'm quite sure an installation from this image would also fail. I will check this tomorrow.

Yours
m4f

#6 Updated by m4f - almost 10 years ago

Hello,

Now I can confirm that the image I downloaded yesterday also doesn't install the entire /usr/local/lib/samba/idmap directory.

m4f

#7 Updated by Josh Paetzel almost 10 years ago

Ok, I was looking at the amd64 image. It seems likely the package build errored out somehow for the i386 image, or an older package from cache was used. I'll rebuild it and get the contents for that directory up so they can be installed.

#8 Updated by Josh Paetzel almost 10 years ago

ok, so the operation to fix is:

# mount -uw /
# cd /usr/local/lib/samba
# fetch "http://download.freenas.org/idmap.tar.bz2" 
# rm -rf idmap
# tar jzvf idmap.tar.bz2
# cd /etc
# mount -r /
# /usr/local/etc/rc.d/samba onerestart

#9 Updated by m4f - almost 10 years ago

Sorry, I should have told you that I'm working with i386, mea culpa.

Your patch works nearly fine. The tar line should be

# tar xjvf idmap.tar.bz2

Now I can authenticate against AD (tried ssh + cifs).

But neither domain users nor domain groups appear in the accounts view.
getent passwd / group don't show them either.

As soon as I activate AD I get a small message box when I want to add/edit windows shares in the WebGUI. If I disable AD I get the normal parameter dialog.
The error message is "An error occurred" (free translation, because I see it in German: "Es ist ein Fehler aufgetreten", as I use a German operating system/browser).
So I have to disable AD each time I want to edit my shares.

Where can I find further information about what has gone wrong at that point?

#10 Updated by Josh Paetzel almost 10 years ago

Ok, the add shares dialog is blowing up because it allows you to set the owners of the shares and for some reason that is failing.

There's a script you can run from the CLI called /usr/local/bin/freenas-debug that will print out a ton of diagnostic info that will be of use in sorting this issue out. It will output into /var/tmp; just paste the contents of that in the ticket. Be sure to clean it of whatever data you consider sensitive (PDC name, passwords, etc.).

We can run firebug to get the GUI error, but it's almost certainly related to AD lookups not working properly.

#11 Updated by m4f - almost 10 years ago

Hello,

Now I ran /usr/local/bin/freenas-debug -a and got the following output (I just replaced some names):

+--------------------------------------------------------------------------------+
+                            Active Directory Status                             +
+--------------------------------------------------------------------------------+
Active Directory is ENABLED

+--------------------------------------------------------------------------------+
+                           Active Directory Settings                            +
+--------------------------------------------------------------------------------+
WORKGROUP:              WORKGROUP
NETBIOS NAME:           FREENAS
ADMINNAME:              admin
WINDOWS VERSION:        windows2003
DOMAIN NAME:            WORKGROUP.REAL
DCNAME:                 R-mainserver

+--------------------------------------------------------------------------------+
+                                 /etc/krb5.conf                                 +
+--------------------------------------------------------------------------------+
[appdefaults]
    pam = {
        forwardable = true
        krb4_convert = false
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
    }

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    clockskew = 300
    forwardable = yes
    default_realm = WORKGROUP.REAL

[logging]
    default = SYSLOG:INFO:LOCAL7

[realms]
    WORKGROUP.REAL = {
        kdc = r-mainserver
        admin_server = r-mainserver
        default_domain = workgroup.realm
    }

[domain_realm]
    workgroup.realm = WORKGROUP.REAL
    .workgroup.realm = WORKGROUP.REAL
    WORKGROUP.REAL = WORKGROUP.REAL
    .WORKGROUP.REAL = WORKGROUP.REAL

+--------------------------------------------------------------------------------+
+                               /etc/nsswitch.conf                               +
+--------------------------------------------------------------------------------+
group: files winbind
hosts: files dns
networks: files
passwd: files winbind
shells: files
services: cache files
protocols: cache files
rpc: cache files

+--------------------------------------------------------------------------------+
+                                   /etc/pam.d                                   +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+                                /etc/pam.d/atrun                                +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/atrun,v 1.1 2007/06/15 12:02:16 yar Exp $
#
# PAM configuration for the "atrun" service
#

# Note well: enabling pam_nologin for atrun will currently result
# in jobs discarded, not just delayed, during a no-login period.
#account    required    pam_nologin.so
account        required    pam_unix.so

+--------------------------------------------------------------------------------+
+                                /etc/pam.d/cron                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/cron,v 1.1 2007/06/17 17:25:52 yar Exp $
#
# PAM configuration for the "cron" service
#

# account
account        required    pam_nologin.so
account        required    pam_unix.so

+--------------------------------------------------------------------------------+
+                                 /etc/pam.d/ftp                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/ftpd,v 1.20 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "ftpd" service
#

# auth
auth        sufficient    pam_opie.so        no_warn no_fake_prompts
auth        requisite    pam_opieaccess.so    no_warn allow_local
auth        sufficient    pam_krb5.so        no_warn
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
account        required    pam_nologin.so
account        required    pam_krb5.so
account        required    pam_unix.so

# session
session        required    pam_permit.so
session        required    /usr/local/lib/pam_mkhomedir.so

+--------------------------------------------------------------------------------+
+                                /etc/pam.d/ftpd                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/ftpd,v 1.20 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "ftpd" service
#

# auth
auth        sufficient    pam_opie.so        no_warn no_fake_prompts
auth        requisite    pam_opieaccess.so    no_warn allow_local
auth        sufficient    pam_krb5.so        no_warn
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
account        required    pam_nologin.so
account        required    pam_krb5.so
account        required    pam_unix.so

# session
session        required    pam_permit.so
session        required    /usr/local/lib/pam_mkhomedir.so

+--------------------------------------------------------------------------------+
+                                /etc/pam.d/imap                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/imap,v 1.7 2007/06/15 11:33:13 yar Exp $
#
# PAM configuration for the "imap" service
#

# auth
auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
#account    required    pam_nologin.so
account        required    pam_unix.so

+--------------------------------------------------------------------------------+
+                                 /etc/pam.d/kde                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/kde,v 1.9 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "kde" service
#

# auth
auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
account        required    pam_nologin.so
account    required    pam_krb5.so
account        required    pam_unix.so

# session
#session    optional    pam_ssh.so        want_agent
session        required    pam_permit.so

+--------------------------------------------------------------------------------+
+                                /etc/pam.d/login                                +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/login,v 1.17 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "login" service
#

# auth
auth        sufficient    pam_self.so        no_warn
auth        include        system

# account
account        requisite    pam_securetty.so
account        required    pam_nologin.so
account        include        system

# session
session        include        system

# password
password    include        system

+--------------------------------------------------------------------------------+
+                                /etc/pam.d/other                                +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/other,v 1.13 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "other" service
#

# auth
auth        sufficient    pam_opie.so        no_warn no_fake_prompts
auth        requisite    pam_opieaccess.so    no_warn allow_local
auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
account        required    pam_nologin.so
account    required    pam_krb5.so
account        required    pam_login_access.so
account        required    pam_unix.so

# session
#session    optional    pam_ssh.so        want_agent
session        required    pam_permit.so

# password
password    required    pam_permit.so

+--------------------------------------------------------------------------------+
+                               /etc/pam.d/passwd                                +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/passwd,v 1.3 2003/04/24 12:22:42 des Exp $
#
# PAM configuration for the "passwd" service
#

# passwd(1) does not use the auth, account or session services.

# password
#password    requisite    pam_passwdqc.so        enforce=users
password    required    pam_unix.so        no_warn try_first_pass nullok

+--------------------------------------------------------------------------------+
+                                /etc/pam.d/pop3                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/pop3,v 1.7 2007/06/15 11:33:13 yar Exp $
#
# PAM configuration for the "pop3" service
#

# auth
auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
#account    required    pam_nologin.so
account        required    pam_unix.so

+--------------------------------------------------------------------------------+
+                                 /etc/pam.d/rsh                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/rsh,v 1.6 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "rsh" service
#

# auth
auth        required    pam_rhosts.so        no_warn

# account
account        required    pam_nologin.so
account        required    pam_unix.so

# session
session        required    pam_permit.so

# password
password    required    pam_deny.so

+--------------------------------------------------------------------------------+
+                                /etc/pam.d/sshd                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.18 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth        sufficient    pam_opie.so        no_warn no_fake_prompts
auth        requisite    pam_opieaccess.so    no_warn allow_local
auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
account        required    pam_nologin.so
account    required    pam_krb5.so
account        required    pam_login_access.so
account        required    pam_unix.so

# session
#session    optional    pam_ssh.so        want_agent
session        required    pam_permit.so
session        required    /usr/local/lib/pam_mkhomedir.so

# password
password    sufficient    pam_krb5.so        no_warn try_first_pass
password    required    pam_unix.so        no_warn try_first_pass

+--------------------------------------------------------------------------------+
+                                 /etc/pam.d/su                                  +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
#
# PAM configuration for the "su" service
#

# auth
auth        sufficient    pam_rootok.so        no_warn
auth        sufficient    pam_self.so        no_warn
auth        sufficient    pam_krb5.so        no_warn try_first_pass
auth        requisite    pam_group.so        no_warn group=wheel root_only fail_safe
auth        include        system

# account
account        include        system

# session
session        required    pam_permit.so
session        required    /usr/local/lib/pam_mkhomedir.so

+--------------------------------------------------------------------------------+
+                               /etc/pam.d/system                                +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/system,v 1.3 2009/10/05 09:28:54 des Exp $
#
# System-wide defaults
#

# auth
auth        sufficient    pam_opie.so        no_warn no_fake_prompts
auth        requisite    pam_opieaccess.so    no_warn allow_local
#auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account        required    pam_login_access.so
account        required    pam_unix.so

# session
#session    optional    pam_ssh.so        want_agent
session        required    pam_lastlog.so        no_fail

# password
#password    sufficient    pam_krb5.so        no_warn try_first_pass
password    required    pam_unix.so        no_warn try_first_pass

+--------------------------------------------------------------------------------+
+                               /etc/pam.d/telnetd                               +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/telnetd,v 1.10 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "telnetd" service
#

# auth
auth        sufficient    pam_opie.so        no_warn no_fake_prompts
auth        requisite    pam_opieaccess.so    no_warn allow_local
#auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
account        required    pam_nologin.so
#account    required    pam_krb5.so
account        required    pam_login_access.so
account        required    pam_unix.so

# session
#session    optional    pam_ssh.so        want_agent
session        required    pam_lastlog.so        no_fail

# password
#password    sufficient    pam_krb5.so        no_warn try_first_pass
password    required    pam_unix.so        no_warn try_first_pass

+--------------------------------------------------------------------------------+
+                                 /etc/pam.d/xdm                                 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/xdm,v 1.12 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "xdm" service
#

# auth
#auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
account        required    pam_nologin.so
#account    required    pam_krb5.so
account        required    pam_unix.so

# session
#session    required    pam_ssh.so        want_agent
session        required    pam_lastlog.so        no_fail

# password
password    required    pam_deny.so

+--------------------------------------------------------------------------------+
+                                /etc/resolv.conf                                +
+--------------------------------------------------------------------------------+
search workgroup.realm
nameserver 192.168.42.247
nameserver 192.168.42.250

+--------------------------------------------------------------------------------+
+                                   /etc/hosts                                   +
+--------------------------------------------------------------------------------+
# $FreeBSD: src/etc/hosts,v 1.16.34.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file.  Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1            localhost localhost.my.domain freenas freenas.local
127.0.0.1        localhost localhost.my.domain freenas freenas.local
#
# Imaginary network.
#10.0.0.2        myname.my.domain myname
#10.0.0.3        myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
#    10.0.0.0    -   10.255.255.255
#    172.16.0.0    -   172.31.255.255
#    192.168.0.0    -   192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers.  Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#

+--------------------------------------------------------------------------------+
+                                  ifconfig -a                                   +
+--------------------------------------------------------------------------------+
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 08:00:27:ca:xx:yy
    inet 192.168.42.35 netmask 0xffffff00 broadcast 192.168.42.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
    inet6 ::1 prefixlen 128 
    inet 127.0.0.1 netmask 0xff000000 
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

+--------------------------------------------------------------------------------+
+                            /usr/local/etc/smb.conf                             +
+--------------------------------------------------------------------------------+
[global]
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    deadtime = 15
    display charset = LOCALE
    max log size = 10
    syslog only = yes
    syslog = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    getwd cache = yes
    guest account = nobody
    map to guest = Bad Password
    server string = FreeNAS Server
    use sendfile = yes
    large readwrite = no
    store dos attributes = yes
    security = ADS
    realm = WORKGROUP.REAL
    workgroup = WORKGROUP    
    netbios name = FREENAS
    client use spnego = yes

    wins server = R-mainserver
    password server = R-mainserver

    local master = no
    domain master = no
    preferred master = no

    inherit acls = yes
    acl compatibility = auto
    acl check permissions = true
    acl map full control = true
    dos filemode = yes

    idmap uid = 10000-19999
    idmap gid = 10000-19999
    idmap config WORKGROUP: backend = rid
    idmap config WORKGROUP: range = 20000-20000000

    winbind cache time = 10
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind separator = +
    allow trusted domains = no

    template shell = /bin/sh
    template homedir = /home/%U

    create mask = 0666
    create mask = 0666
    directory mask = 0777
    dos charset = CP437
    unix charset = UTF-8
    log level = 3
oplocks = true
level2 oplocks = true

[share]
path = /mnt/DATA0
printable = no
veto files = /.snap/
writeable = yes
browseable = yes
inherit permissions = no
valid users = @benutzer;

+--------------------------------------------------------------------------------+
+                                Kerberos Tickets                                +
+--------------------------------------------------------------------------------+
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: admin@WORKGROUP.REAL

  Issued           Expires          Principal
Jun  7 15:32:31  Jun  8 01:32:31  krbtgt/WORKGROUP.REAL@WORKGROUP.REAL
Jun  7 15:32:35  Jun  8 01:32:31  ldap/r-mainserver.workgroup.realm@WORKGROUP.REAL
Jun  7 15:32:35  Jun  8 01:32:31  ldap/r-mainserver.workgroup.realm@WORKGROUP.REAL

+--------------------------------------------------------------------------------+
+                          /usr/local/etc/nss_ldap.conf                          +
+--------------------------------------------------------------------------------+
# @(#)$Id: ldap.conf,v 2.49 2009/04/25 01:53:15 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a 
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base dc=padl,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /usr/local/etc/nss_ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit in seconds (0 for indefinite; default 0)
#timelimit 0

# Bind/connect timelimit (0 for indefinite; default 30)
#bind_timelimit 30

# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
#bind_policy hard

# Connection policy:
#  persist:   DSA connections are kept open (default)
#  oneshot:   DSA connections destroyed after request
#nss_connect_policy persist

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Use paged rseults
#nss_paged_results yes

# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# Use backlinks for answering initgroups()
#nss_initgroups backlink

# Enable support for RFC2307bis (distinguished names in group
# members)
#nss_schema rfc2307bis

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX        base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd    ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd    ou=People,dc=padl,dc=com?one
#nss_base_shadow    ou=People,dc=padl,dc=com?one
#nss_base_group        ou=Group,dc=padl,dc=com?one
#nss_base_hosts        ou=Hosts,dc=padl,dc=com?one
#nss_base_services    ou=Services,dc=padl,dc=com?one
#nss_base_networks    ou=Networks,dc=padl,dc=com?one
#nss_base_protocols    ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc        ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers    ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks    ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases    ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup    ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute    rfc2307attribute    mapped_attribute
#nss_map_objectclass    rfc2307objectclass    mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# For pre-RFC2307bis automount schema
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /usr/local/etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

+--------------------------------------------------------------------------------+
+                         Active Directory Domain Status                         +
+--------------------------------------------------------------------------------+
LDAP server: 192.168.42.247
LDAP server name: R-Mainserver.workgroup.realm
Realm: WORKGROUP.REAL
Bind Path: dc=WORKGROUP,dc=REALM
LDAP port: 389
Server time: Tue, 07 Jun 2011 15:35:49 CEST
KDC server: 192.168.42.247
Server time offset: -36

+--------------------------------------------------------------------------------+
+                         Active Directory Trust Secret                          +
+--------------------------------------------------------------------------------+
checking the trust secret for domain WORKGROUP via RPC calls succeeded

+--------------------------------------------------------------------------------+
+                       Active Directory Users and Groups                        +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+                                  Using wbinfo                                  +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+                                     Users                                      +
+--------------------------------------------------------------------------------+
krbtgt
gast
administrator
admin
+--------------------------------------------------------------------------------+
+                                     Groups                                     +
+--------------------------------------------------------------------------------+
domänen-admins
schema-admins
organisations-admins
richtlinien-ersteller-besitzer
abgelehnte rodc-kennwortreplikationsgruppe
zulässige rodc-kennwortreplikationsgruppe
zertifikatherausgeber
schreibgeschützte domänencontroller der organisation
schreibgeschützte domänencontroller
ras- und ias-server
domänen-gäste
domänencontroller
domänencomputer
domänen-benutzer
dnsadmins
+--------------------------------------------------------------------------------+
+                                  Using getent                                  +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+                                     Users                                      +
+--------------------------------------------------------------------------------+
root:yyyy:0:0:FreeNAS root:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:2:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
avahi:*:200:200:avahi user:/nonexistant:/usr/sbin/nologin
messagebus:*:201:201:messagebus user:/nonexistant:/usr/sbin/nologin
+--------------------------------------------------------------------------------+
+                                     Groups                                     +
+--------------------------------------------------------------------------------+
wheel:*:0
daemon:*:1
kmem:*:2
sys:*:3
tty:*:4
operator:*:5
mail:*:6
bin:*:7
news:*:8
man:*:9
games:*:13
ftp:*:14
staff:*:20
sshd:*:22
smmsp:*:25
mailnull:*:26
guest:*:31
bind:*:53
proxy:*:62
authpf:*:63
_pflogd:*:64
_dhcp:*:65
uucp:*:66
dialer:*:68
network:*:69
audit:*:77
www:*:80
nogroup:*:65533
nobody:*:65534
avahi:*:200
messagebus:*:201

I hope this contains some indications.
m4f

#12 Updated by Josh Paetzel almost 10 years ago

There has been a substantial rework of the interfaces between AD and [[FreeNAS]] in 8.0.1. Could you try 8.0.1-BETA3 to see if that resolves the issue?

#13 Updated by msb - over 9 years ago

8.0.1-BETA4: the problem is still present.

When I try to change any permission... "Sorry, an error occurred"

If I turn off the Active Directory service, it works fine, but without any AD users.

#14 Updated by msb - over 9 years ago

I found that it happens when you have any non-ASCII chars in users' logins in AD.
Check this out please.

#15 Updated by m4f - over 9 years ago

Replying to [comment:14 msb]:

I found that it happens when you have any non-ASCII chars in user's logins in AD.
Check this out please.

As you can see in the debug output above (wbinfo/Groups), we have special characters in our domain configuration (German umlauts, because AD is on a German Win2k8R2), so I can substantiate your suspicion.
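The debug output above shows the symptom (winbind enumerates the domain accounts while NSS resolves only local ones), and comment #14 points at non-ASCII names. As an added diagnostic, not code from FreeNAS or from this ticket, the following Python 3 script decodes wbinfo/getent output without failing on umlauts, lists the accounts winbind knows that NSS cannot resolve, and flags non-ASCII names; the sample input is constructed from the listings above, and `str.isascii()` assumes Python 3.7 or newer.

```python
import re

def decode_wb(raw):
    """Decode wbinfo/getent output bytes without failing on non-ASCII names.

    winbind prints names in the locale charset (UTF-8 on this box); decoding
    with the ASCII codec is what fails on a group like 'domänen-admins'.
    surrogateescape keeps undecodable bytes instead of raising.
    """
    text = raw.decode("utf-8", errors="surrogateescape")
    return [line.strip() for line in text.splitlines() if line.strip()]

def strip_domain(name):
    """'WORKGROUP\\admin' or 'WORKGROUP+admin' -> 'admin' (winbind separator varies)."""
    return re.split(r"[\\+]", name, maxsplit=1)[-1].lower()

def nss_names(getent_lines):
    """First field of each passwd/group line printed by getent."""
    return {strip_domain(line.split(":", 1)[0]) for line in getent_lines}

def unresolved(wbinfo_names, getent_lines):
    """Accounts winbind enumerates but NSS cannot resolve: the idmap symptom above."""
    known = nss_names(getent_lines)
    return sorted(n for n in wbinfo_names if strip_domain(n) not in known)

def non_ascii(names):
    """Names containing characters outside ASCII (the finding in comment #14)."""
    return sorted(n for n in names if not n.isascii())

# Constructed sample input, modelled on the listings in this ticket.
WBINFO_U = "krbtgt\ngast\nadministrator\nadmin\n".encode("utf-8")
WBINFO_G = "domänen-admins\nschema-admins\ndnsadmins\n".encode("utf-8")
GETENT_PASSWD = (b"root:*:0:0:FreeNAS root:/root:/bin/csh\n"
                 b"nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin\n")
GETENT_GROUP = b"wheel:*:0\nnobody:*:65534\n"

def report(wb_u=WBINFO_U, wb_g=WBINFO_G, pw=GETENT_PASSWD, gr=GETENT_GROUP):
    users, groups = decode_wb(wb_u), decode_wb(wb_g)
    return {"users_unresolved": unresolved(users, decode_wb(pw)),
            "groups_unresolved": unresolved(groups, decode_wb(gr)),
            "non_ascii": non_ascii(users + groups)}

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a real box, feed `report()` the raw bytes of `wbinfo -u`, `wbinfo -g`, `getent passwd` and `getent group`; an empty `users_unresolved` list means idmap is resolving the domain accounts.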

#16 Updated by Anonymous over 9 years ago

The original issue with rid.so has been resolved based on the transcript above, so this ticket can be closed. Please contact me when testing out the 8.0.3 bugfix release coming out soon... I want to check and make sure that the umlauts / non-ASCII characters username issue is or isn't resolved with that version, so that the fix (if needed) can make it into 8.0.3 RELEASE (I can add a test with a few non-ASCII usernames, but I'd prefer to know whether or not your issue is also resolved).
