[Samba] Winbind behaviour odd in 3.4.9 and 3.5.6 vs 3.2.14 (Samba domain with Samba member servers)
Alex Crow
acrow at integrafin.co.uk
Tue Oct 26 10:02:53 MDT 2010
On 26/10/10 16:32, Gaiseric Vandal wrote:
> You may need to specify separate idmap sections for each domain, as
> well as general settings. Samples of my smb.conf (samba 3.4.x ) are
> below.
>
> When I was on samba 3.0.x, idmap entries would populate for each
> domain in the correct OU. It would use the general idmap range, not
> domain specific range (which wasn't a problem.) The problem with
> samba 3.0.x is that once the idmap cache expired it would not renew.
> I moved to samba 3.4.x which fixed some issue BUT now stuff does not
> auto populate. For "trustedomain1" there is only a handful of users,
> and that almost never changes so manually adding idmap entries (via an
> ldap editor or wbinfo --allocate-uid / --allocate-gid) was OK.
Strange - I have the opposite problem in that I get my Idmap ou
populated but also "contaminated" with stuff that should not be there
(because it is in the LDAP db and is in the local domain). However to
get the population to work at all I had to remove the gencache.tdb and
winbind_cache.tdb (and the old idmap_cache.tdb) files before starting
samba and winbind.
I /do/ get my trusted domain working OK - from what you say you are
having to add Idmap entries by hand, which in my situation would be
completely impractical (500 accounts in one of the domains - it's a
bidirectional trust). Perhaps you could try removing the cache files.
I have tried adding this to my config files on a test 3.5.6 domain:
idmap config TESTDOM1 : backend = nss
idmap config TESTDOM1 : range = 500-9999
Which seems to help stop the entries for accounts already in the LDAP db
being put into Idmap, but I am not sure if I should reduce the lower
boundary to "0" as I still get entries added for widely known SIDs as
soon as a client connects to a share on the member server:
dn: sambaSID=S-1-1-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10028
sambaSID: S-1-1-0
structuralObjectClass: sambaSidEntry
entryUUID: b7a12d38-7565-102f-938a-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026155911Z
entryCSN: 20101026155911Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026155911Z
dn: sambaSID=S-1-5-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10029
sambaSID: S-1-5-2
structuralObjectClass: sambaSidEntry
entryUUID: b7a30e6e-7565-102f-938b-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026155911Z
entryCSN: 20101026155911Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026155911Z
And even odder entries like this which do not match any "widely known SIDs":
dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10032
sambaSID: S-1-22-2-0
structuralObjectClass: sambaSidEntry
entryUUID: f93738b4-7565-102f-938e-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000001#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z
dn: sambaSID=S-1-22-2-1,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10033
sambaSID: S-1-22-2-1
structuralObjectClass: sambaSidEntry
entryUUID: f937bfb4-7565-102f-938f-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z
dn: sambaSID=S-1-22-2-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10034
sambaSID: S-1-22-2-2
structuralObjectClass: sambaSidEntry
entryUUID: f93828d2-7565-102f-9390-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z
dn: sambaSID=S-1-22-2-3,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10035
sambaSID: S-1-22-2-3
structuralObjectClass: sambaSidEntry
entryUUID: f9389114-7565-102f-9391-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000007#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z
dn: sambaSID=S-1-22-2-4,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10036
sambaSID: S-1-22-2-4
structuralObjectClass: sambaSidEntry
entryUUID: f9390388-7565-102f-9392-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000009#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z
dn: sambaSID=S-1-22-2-6,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10037
sambaSID: S-1-22-2-6
structuralObjectClass: sambaSidEntry
entryUUID: f9399cd0-7565-102f-9393-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000b#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z
dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10038
sambaSID: S-1-22-2-10
structuralObjectClass: sambaSidEntry
entryUUID: f93a2952-7565-102f-9394-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000d#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z
I really think there is some breakage here!
Cheers
Alex
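As an added check (not code from this thread or from Samba), the following Python script parses an LDIF dump of the Idmap OU and flags the kinds of entries the message above complains about: well-known SIDs such as S-1-1-0 and S-1-5-2, the S-1-22-1-N / S-1-22-2-N SIDs Samba synthesises for local Unix uid/gid N, and SIDs belonging to the local domain, which already carry posix ids on their own LDAP objects. The sample LDIF and the local domain SID are constructed placeholders.

```python
import re
# Constructed sample dump of ou=Idmap, modelled on the entries quoted above (attributes trimmed).
SAMPLE_LDIF = """\
dn: sambaSID=S-1-1-0,ou=Idmap,dc=testdom1,dc=net
gidNumber: 10028
sambaSID: S-1-1-0

dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
gidNumber: 10038
sambaSID: S-1-22-2-10

dn: sambaSID=S-1-5-21-111-222-333-1105,ou=Idmap,dc=testdom1,dc=net
uidNumber: 10040
sambaSID: S-1-5-21-111-222-333-1105
"""
LOCAL_DOMAIN_SID = "S-1-5-21-111-222-333"  # placeholder for your own domain SID (net getlocalsid)

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry (no base64 values or continuation lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry.setdefault(key.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def classify_sid(sid, local_domain_sid):
    """Only SIDs from a trusted (foreign) domain should ever need an allocated idmap entry."""
    if sid == "S-1-1-0" or re.fullmatch(r"S-1-5-(32-)?\d+", sid):
        return "well-known"      # Everyone, NT AUTHORITY\NETWORK, BUILTIN\... and friends
    if sid.startswith("S-1-22-1-"):
        return "unix-user"       # Samba's synthetic SID for local uid N
    if sid.startswith("S-1-22-2-"):
        return "unix-group"      # Samba's synthetic SID for local gid N
    if sid.startswith(local_domain_sid + "-"):
        return "local-domain"    # already has posix ids on its own LDAP account/group object
    return "foreign-domain"

def audit_idmap(ldif_text, local_domain_sid):
    """Return (sid, posix_id, kind, suspicious) for every entry that carries a sambaSID."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if "sambaSID" not in entry: continue  # e.g. the ou= container itself
        sid = entry["sambaSID"][0]
        kind = classify_sid(sid, local_domain_sid)
        posix_id = entry.get("uidNumber", entry.get("gidNumber", ["?"]))[0]
        findings.append((sid, posix_id, kind, kind != "foreign-domain"))
    return findings
```

Feed it the output of an ldapsearch over ou=Idmap; every row marked suspicious is a uid/gid burned from the idmap range for a SID that winbind should have resolved without allocating anything.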