[Samba] Samba idmap against ad

Andrew Masterson Andrew.Masterson at nuvistaenergy.com
Thu Aug 12 14:56:09 MDT 2010


-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Stuart Bailey
Sent: Wednesday, August 11, 2010 5:28 AM
To: samba at lists.samba.org
Subject: [Samba] Samba idmap against ad

Hello,
I have a samba server (old - running FC6, samba 3.0.24-11.fc6) that
authenticates against AD. This is all configured and has been working fine
until this week.

A new user has been added to AD, but cannot access the samba drives. All
other users can still access samba as normal.

net ads testjoin reports OK. 

wbinfo -a newuser%pass and wbinfo -K newuser%pass both succeed.
wbinfo -r newuser reports all the user group memberships from AD.

wbinfo -p is OK

wbinfo -i newuser reports that no information on that user can be found.

wbinfo -n newuser returns the SID, and wbinfo -s SID returns the username.

However, wbinfo -S SID fails.

I found a thread that suggests a corrupted idmap cache file. If I delete
this file, and restart winbind, the file is re-created, but contains no SID
data.
I've also noticed that the winbindd_idmap.tdb file has an old time stamp.

winbindd_cache.tdb has today's date.

I tried setting:
   winbind cache time = 3600
   idmap cache time = 3600
but no improvement.

Also, this is affecting both FC6 servers we have, both with the same
config. The config has not changed, and the servers have not been
rebooted / power cycled etc. The problem only affects new AD user accounts.

Any suggestions as to where I should look next?

Many thanks,

Stuart





-----------------------


Sounds like you hit a limit somewhere.  What is your user and group
mapping range?  Have you run out of space in there?

i.e.

        idmap uid = 100000-200000
        idmap gid = 100000-200000

-=Andrew
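
The range check suggested in the reply, as an added example that is not part of the original thread: it compares the `idmap uid` / `idmap gid` ranges from smb.conf with the allocation high-water marks in a `tdbdump` of winbindd_idmap.tdb. Assumptions: the `USER HWM` / `GROUP HWM` key names, little-endian 32-bit values, and the HWM being the next id to hand out (Samba 3.0.x idmap tdb layout); the sample inputs are constructed.

```python
import re
import struct

# Constructed sample inputs (not taken from the servers in the thread).
SMB_CONF = "[global]\n   idmap uid = 100000-200000\n   idmap gid = 100000-200000\n"
# Constructed `tdbdump winbindd_idmap.tdb` excerpt; tdbdump prints
# non-printable bytes as \XX (two hex digits), printable bytes as-is.
TDBDUMP = r'''{
key(9) = "USER HWM\00"
data(4) = "A\0D\03\00"
}
{
key(10) = "GROUP HWM\00"
data(4) = "\A2\86\01\00"
}
'''

def _unescape(s):
    """Turn tdbdump's escaped string back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "\\":
            out.append(int(s[i + 1:i + 3], 16)); i += 3
        else:
            out.append(ord(s[i])); i += 1
    return bytes(out)

def read_hwm(dump):
    """Return {'USER HWM': n, 'GROUP HWM': n} (assumed key names)."""
    hwm = {}
    for key, data in re.findall(r'key\(\d+\) = "(.*)"\ndata\(\d+\) = "(.*)"', dump):
        name = _unescape(key).rstrip(b"\0").decode()
        if name in ("USER HWM", "GROUP HWM"):
            hwm[name] = struct.unpack("<I", _unescape(data)[:4])[0]  # assumes x86
    return hwm

def read_ranges(conf):
    """Return {'uid': (low, high), 'gid': (low, high)} from smb.conf text."""
    pat = r'^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)'
    return {k.lower(): (int(lo), int(hi)) for k, lo, hi in re.findall(pat, conf, re.M | re.I)}

def remaining(conf, dump):
    """Ids still free per range; 0 means new SIDs can no longer be mapped."""
    ranges, hwm = read_ranges(conf), read_hwm(dump)
    keys = {"uid": "USER HWM", "gid": "GROUP HWM"}
    return {k: max(0, hi - hwm.get(keys[k], lo) + 1) for k, (lo, hi) in ranges.items()}

if __name__ == "__main__":
    for kind, free in remaining(SMB_CONF, TDBDUMP).items():
        print(f"idmap {kind}: {free} ids left" + (" (range full)" if free == 0 else ""))
```
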

