Use current idmap configuration for winbind

Bug #1894153 reported by Andreas Hasenack
Affects: realmd (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Andreas Hasenack | Milestone: none

Bug Description

realmd in Ubuntu, when --client-software=winbind was used, is writing out an obsolete /etc/samba/smb.conf file with regard to the idmap (identity mapping) configuration.

After the join:
$ sudo realm join -v --client-software=winbind ad1.example.com
 * Resolving: _ldap._tcp.ad1.example.com
 * Performing LDAP DSE lookup on: 10.51.0.5
 * Successfully discovered: ad1.example.com
Password for Administrator:
 * Unconditionally checking packages
 * Resolving required packages
 * Installing necessary packages: samba-common-bin libpam-winbind winbind
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7QYTQ0 -U Administrator ads join ad1.example.com
Enter Administrator's password:
Using short domain name -- AD1
Joined 'G-ADCLIENT1' to dns domain 'ad1.example.com'
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7QYTQ0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/sbin/update-rc.d winbind enable
 * /usr/sbin/service winbind restart
 * Successfully enrolled machine in realm

It's writing the following:
idmap backend = tdb
idmap gid = 10000-2000000
idmap uid = 10000-2000000

Samba's testparm tool already flags this as incorrect:
$ testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated

The correct config would be:
idmap config AD1 : range = 2000000-2999999
idmap config AD1 : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

And testparm is happy:
$ testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
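
As an added example (not from the bug report or from realmd itself): a small Python checker that reads an smb.conf [global] section, flags the deprecated idmap keys testparm warns about, emits the modern per-domain form the reporter shows, and checks that idmap ranges are disjoint, which Samba requires so that IDs allocated for different domains cannot collide. The sample smb.conf below is constructed; the domain name and ranges are the ones from the report.

```python
import re
# Legacy global idmap keys that testparm reports as deprecated (see the report above).
DEPRECATED = ("idmap backend", "idmap uid", "idmap gid")

# Constructed sample modelled on the smb.conf the report describes, not realmd's real output.
LEGACY_SMB_CONF = """[global]
idmap backend = tdb
idmap gid = 10000-2000000
idmap uid = 10000-2000000
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {normalised key: value}}; '#' and ';' start comments."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif line and line[0] not in "#;" and current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def deprecated_idmap_options(sections):
    """Legacy idmap keys still present in [global]: exactly the ones testparm warns about."""
    return [k for k in DEPRECATED if k in sections.get("global", {})]

def idmap_ranges(sections):
    """Collect 'idmap config <dom> : range = lo-hi' entries from [global], keyed by domain."""
    ranges = {}
    for key, value in sections.get("global", {}).items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges[m.group(1).upper()] = (lo, hi)
    return ranges

def overlapping_ranges(ranges):
    """Domain pairs whose ID ranges intersect; Samba needs disjoint ranges or IDs collide."""
    return sorted((a, b) for a in ranges for b in ranges
                  if a < b and ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1])

def modern_idmap_lines(domain, domain_range, default_range=(10000, 999999)):
    """Render the per-domain form shown in the report: rid for the domain, tdb for '*'."""
    (lo, hi), (dlo, dhi) = domain_range, default_range
    return [f"idmap config {domain} : range = {lo}-{hi}", f"idmap config {domain} : backend = rid",
            f"idmap config * : range = {dlo}-{dhi}", "idmap config * : backend = tdb"]
```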

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package realmd - 0.16.3-3ubuntu1

---------------
realmd (0.16.3-3ubuntu1) groovy; urgency=medium

  * d/p/0001-LDAP-don-t-close-LDAP-socket-twice.patch: don't close LDAP
    socket twice.
  * d/p/0001-Fix-man-page-reference-in-systemd-service-file.patch: the
    manpage is realm(8), not realmd(8)
  * d/p/0001-Use-current-idmap-options-for-smb.conf.patch: use the
    idmap options in smb.conf for modern versions of samba (LP: #1894153)
  * d/p/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch: find
    NetBIOS name in keytab while leaving the domain (LP: #1894340)
  * d/p/0001-Fix-issues-found-by-Coverity.patch: fix issues found by
    Coverity
  * d/p/0002-Change-qualified-names-default-for-IPA.patch: change
    qualified names default for IPA
  * d/p/0003-discover-try-to-get-domain-name-from-hostname.patch: if
    there is no domain name returned by DHCP check if the hostname
    contains a domain part and use this to discover a realm.
  * d/p/0001-IPA-do-not-call-sssd-enable-logins.patch: IPA: do not call
    sssd-enable-logins
  * d/p/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch:
    install the latest version of a package when resolving packages with
    PackageKit
  * d/p/0001-doc-make-sure-cross-reference-ids-are-predictable.patch: make
    sure cross-reference ids are predictable
  * d/p/0002-tools-remove-duplicated-va_start.patch: remove duplicated
    va_start()
  * d/p/0003-service-remove-dead-code.patch: remove unused code
  * d/p/0004-service-check-return-value-of-fcntl.patch: check return
    value of fcntl()
  * d/p/0005-service-avoid-dereference-of-a-null-pointer.patch: avoid
    dereference of a null pointer
  * d/p/0006-service-avoid-dereferencing-a-NULL-pointer.patch: avoid
    dereferencing a NULL pointer
  * d/p/0001-Add-missing-xsl-file-to-Makefile.am.patch: add missing xsl
    file to Makefile.am
  * d/p/0002-configure-do-not-inherit-DISTRO-from-the-environment.patch:
    do not inherit DISTRO from the environment
  * d/p/0003-doc-extend-user-principal-section.patch: doc: extend
    user-principal section
  * d/p/0004-doc-fix-discover-name-only.patch: doc: fix discover
    name-only parameter
  * d/p/0005-doc-add-see-also-to-man-pages.patch: doc: add see also to
    man pages
  * d/p/0006-doc-extend-description-of-config-handling.patch: doc: extend
    description of config handling
  * d/p/0007-service-use-kerberos-method-secrets-and-keytab.patch: when
    using Samba with Winbind, set "kerberos method" to "secrets and keytab"
  * d/p/install-libnss-winbind.patch: install libnss-winbind when needed
    (LP: #1894150)
  * d/p/dont-add-services-line.patch: in Ubuntu and Debian, the sssd_*
    services are socket activated and don't need a "services" line in
    sssd.conf (LP: #1880157)
  * d/p/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch:
    when using samba to join a domain, and the client is from a different
    domain, also set "additional dns hostnames"
  * d/p/0002-Use-startTLS-with-FreeIPA.patch: attempt StartTLS first
    when talking to FreeIPA
  * d/p/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch:
    when joining using samba, ...


Changed in realmd (Ubuntu):
status: In Progress → Fix Released