[Samba] idmap & migration to rfc2307
Rowland Penny
rowlandpenny241155 at gmail.com
Sat Nov 7 10:11:39 UTC 2015
On 07/11/15 02:29, Jonathan Hunter wrote:
> Hi,
>
> Resurrecting an older thread, but this same problem has just
> re-occurred following a recent upgrade from 4.2.2 to 4.3.1.
>
> When this issue occurs, I can't access various files on my server
> (whether sysvol or other shares) - this seems to be down to incorrect
> UID mappings. I am using rfc2307 to set my UIDs, but samba
> occasionally seems to ignore this.
>
> I first noticed the problem when a "gpupdate" on one of my client
> machines gave me an error, saying it could not read
> \\domain\sysvol\domain\Policies\{guid}\gpt.ini from a domain
> controller.
>
> After some investigation I found that 'wbinfo -i myuser' on my DC gave
> me wrong UID information. Rather than reading from the rfc2307
> attributes I have in AD, samba seems to be "making up" UIDs again. In
> the example below, my UID should be 41000:
>
> # wbinfo -i myuser
> DOMAIN\myuser:*:3000007:100:My Name:/home/DOMAIN/myuser:/bin/bash
>
> The same erroneous UID (3000007) is shown in 'smbstatus' output, also.
>
> The following command fixes it for a little while and reads the info
> from AD, as it should.. However, this doesn't last and after some time
> it is back to the "made up" UIDs again :-( Here is the command that
> fixes it temporarily:
> # net cache flush
> # wbinfo -i myuser
> DOMAIN\myuser:*:41000:61000:My Name:/home/DOMAIN/myuser:/bin/bash
>
> I have the following set in smb.conf - nothing has really changed
> since June when I last had this issue.
> server services = -dns +winbind -winbindd
> idmap_ldb:use rfc2307 = yes
>
> testparm shows the following, after the workgroup/realm/interfaces config:
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, ntp_signd, kcc, dnsupdate, winbind
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> dsdb:schema update allowed = true
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> include = /usr/local/samba/etc/smb.conf-0.0.0.0
> vfs objects = dfs_samba4 acl_xattr
>
>
>
> I do have sssd configured in nsswitch.conf on the DC itself; this
> works fine for logging in on the DC and 'getent' etc.; this issue is
> just within Samba and anything accessed across the network via smbd,
> as far as I can tell.
>
> I'm not sure what debugging I will be able to do within Samba.. it
> seems that some code path is getting triggered that stops looking up
> UIDs from LDAP/AD, and instead uses its internal generation mechanism?
> :-(
>
> It's certainly intermittent, but does certainly happen. For example, I
> end up with meaningless entries such as the UIDs below:
>
> # smbstatus|head
>
> Samba version 4.3.1
> PID Username Group Machine Protocol Version
> ------------------------------------------------------------------------------
> 16139 3000119 3000016 1.2.3.4 (ipv4:1.2.3.4:62784) SMB2_10
>
>
> Any help I can give in tracking this down, I gladly will do..!
>
> Cheers
>
> Jonathan
>
Is it possible that sssd is failing?
What do you have in /etc/nsswitch?
It could be that sssd isn't running or running correctly, so it cannot
get the required info from AD, so winbind is returning the info from
idmap.ldb, hence the '3000000' numbers.
Rowland
More information about the samba
mailing list