[Samba] Problems with ID mapping after upgrade to Debian jessie
Lukas Haase
lukashaase at gmx.at
Sun Jan 15 00:03:04 UTC 2017
Hi,
I still do not know why the problem came up, why all the idmap
configuration was ignored and why wbinfo and net idmap dump returned
different entries. However, after a long time I ended up doing the
following:
1.) In the LDAP, changed the SID from
S-1-5-21-3909901412-745783496-1225843668-500 to SID
S-1-5-21-3909901412-745783496-1225843668-501.
2.) Hooray, login worked! wbinfo returned the correct result for RID 501
but not for 500. Changing the SID entry back stopped it from working again.
3.) Grepped /var for S-1-5-21-3909901412-745783496-1225843668-501. Found
it in /var/cache/samba/gencache.tdb. Deleted the file.
4.) Restarted samba, works again with original SID!
If somebody has an explanation for this behavior, I would still be
interested to know why ...
Luke
On 2017-01-14 14:49, Lukas Haase via samba wrote:
> Hi,
>
> I have been running a Debian 3 server without problems for a long time.
> Now, after upgrading to Debian jessie (Debian 4.2.14) I cannot log in
> any more:
>
> smbclient -U admin -L //localhost/
> Enter admin's password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
>
> In the logs:
>
> [2017/01/14 23:37:21.636022, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [admin] -> [admin] ->
> [admin] succeeded
> [2017/01/14 23:37:21.637610, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed
>
> This is odd because the correct UID for this SID would be 1013.
>
> The relevant Samba config thus far was:
>
> passdb backend = ldapsam:ldap://ldap/
> ldap ssl = Start_tls
> obey pam restrictions = no
> ldap admin dn = uid=admin,dc=intra
> ldap suffix = dc=intra
> ldap group suffix = ou=groups
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap idmap suffix = ou=idmap
> idmap uid = 25000-27000
> idmap gid = 25000-27000
>
> However, ou=idmap in the LDAP tree is empty and winbind was running.
>
> I thought maybe it is because of the deprecated idmap uid option but no
> matter what I set for "idmap config", wbinfo always returns the wrong UID:
>
> # wbinfo --sid-to-uid S-1-5-21-3909901412-745783496-1225843668-500
> 25003
>
>
> For example, I tried
>
> idmap config * : backend = tdb
> idmap config * : range = 25000 27000
>
> or
>
> idmap config * : backend = rid
> idmap config * : range = 0 1000
>
> The output just does not change.
>
> Any help would be appreciated. Thanks!
>
> Luke
>
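Added example, not part of the original message or of Samba: a small Python check that pulls the SID and UID out of `add_local_groups` log lines like the one quoted above and reports whether the UID that was looked up matches the one expected from the directory, and whether it falls inside the configured idmap range. The sample log text and the `EXPECTED_UID` table are constructed from values in this thread; the function names are hypothetical.

```python
import re

# Constructed sample, using the log lines quoted in the thread.
SAMPLE_LOG = """\
[2017/01/14 23:37:21.636022, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
[2017/01/14 23:37:21.637610, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed
"""

# Assumption: the UID the directory holds for each SID (the thread gives 1013).
EXPECTED_UID = {"S-1-5-21-3909901412-745783496-1225843668-500": 1013}
# From "idmap uid = 25000-27000" in the quoted smb.conf.
IDMAP_RANGE = (25000, 27000)

FAILED_LOOKUP = re.compile(
    r"SID\s+(S-1-(?:\d+-)+\d+)\s+->\s+getpwuid\((\d+)\)\s+failed")


def split_sid(sid):
    """Split a SID string into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def audit_log(text, expected=EXPECTED_UID, idmap_range=IDMAP_RANGE):
    """Return one finding per failed SID -> UID lookup found in the log text."""
    lo, hi = idmap_range
    findings = []
    for match in FAILED_LOOKUP.finditer(text):
        sid, uid = match.group(1), int(match.group(2))
        want = expected.get(sid)
        findings.append({
            "sid": sid,
            "rid": split_sid(sid)[1],
            "mapped_uid": uid,
            "expected_uid": want,
            # True when the directory says one UID and the lookup used another.
            "mismatch": want is not None and want != uid,
            # True when the UID lies in the idmap allocation range.
            "in_idmap_range": lo <= uid <= hi,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

A finding with both `mismatch` and `in_idmap_range` set is the pattern reported here, which went away after /var/cache/samba/gencache.tdb was deleted and Samba restarted.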