[Samba] IDMAP problems after upgrade to Debian jessie

Lukas Haase lukashaase at gmx.at
Mon Jan 23 20:24:12 UTC 2017


Hello,

After I fixed this by deleting /var/cache/samba/gencache.tdb the problem
re-appeared randomly.

"net cache flush" unfortunately had no effect.

Deleting /var/cache/samba/gencache.tdb (and all kinds of other tdb's)
did not work this time, and eventually it worked out by removing winbind
(!) and deleting these files.

Can anybody help me to understand where this *arbitrary* mapping is
coming from? And why my "idmap" lines in smb.conf seem to be ignored?

And why does killing winbindd have an effect on this (since winbind and smb
share the same config file)?

Is it possible that this is a plain bug in samba?

Thanks,
Luke


On 2017-01-16 07:02, mathias dufresne via samba wrote:
> Hi,
> 
> To clean idmap cache I'd bet you would have to type: "net cache flush"
> 
> Then as idmap cache is cleared, it would be regenerated.
> 
> 2017-01-14 23:43 GMT+01:00 Lukas Haase via samba <samba at lists.samba.org>:
> 
>> Hi,
>>
>> I have been running a Debian 3 server without problems for a long time.
>> Now, after upgrading to Debian jessie (Debian 4.2.14) I cannot log in
>> any more:
>>
>> smbclient -U admin -L //localhost/
>> Enter admin's password:
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>
>> In the logs:
>>
>> [2017/01/14 23:37:21.636022,  2]
>> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>>   check_ntlm_password:  authentication for user [admin] -> [admin] ->
>> [admin] succeeded
>> [2017/01/14 23:37:21.637610,  1]
>> ../source3/auth/token_util.c:430(add_local_groups)
>>   SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003)
>> failed
>>
>> This is odd because the correct UID for this SID would be 1013.
>>
>> The relevant Samba config thus far was:
>>
>> passdb backend = ldapsam:ldap://ldap/
>> ldap ssl = Start_tls
>> obey pam restrictions = no
>> ldap admin dn = uid=admin,dc=intra
>> ldap suffix = dc=intra
>> ldap group suffix = ou=groups
>> ldap user suffix = ou=users
>> ldap machine suffix = ou=machines
>> ldap idmap suffix = ou=idmap
>> idmap uid = 25000-27000
>> idmap gid = 25000-27000
>>
>> However, ou=idmap in the LDAP tree is empty and winbind was running.
>>
>> I thought maybe it is because of the deprecated idmap uid option but no
>> matter what I set for "idmap config", wbinfo always returns the wrong UID:
>>
>> # wbinfo --sid-to-uid S-1-5-21-3909901412-745783496-1225843668-500
>> 25003
>>
>>
>> For example, I tried
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 25000 27000
>>
>> or
>>
>> idmap config * : backend = rid
>> idmap config * : range = 0 1000
>>
>> The output just does not change.
>>
>> Any help would be appreciated. Thanks!
>>
>> Luke