[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3016-ga2c3131

simo idra at samba.org
Mon Sep 15 13:02:44 GMT 2008

On Mon, 2008-09-15 at 14:26 +0200, Karolin Seeger wrote:
> Simo,
> On Fri, Sep 12, 2008 at 01:10:02PM +0000, simo wrote:
> > I think you have to change 'winbind expand groups'.
> > By default it is set to 1 (therefore no nesting), I had it set to
> > something like 32 IIRC.
> You are right, setting 'winbind expand groups = 32' fixes the issue.
> What I noticed today:
> Without your patch, listing nested group memberships works with 'security
> = domain', but not with 'security = ads'. Your patch fixes this issue.

Yes, the problem, afaik, happened only with security = ADS

> The strange gid changes cannot be reproduced reliably. I saw it again
> today, but couldn't reproduce after that. I didn't see this without your
> patch, but that might have been pure chance.

My patch doesn't really touch any group/id mapping code, so I am quite
sure it is unrelated.

> Additionally, I noticed another issue. 'net groupmap list' showed a
> strange group mapping entry:
> -----8<------------------snip--------------8<--------------
> bando:/usr/local/samba # ./bin/net groupmap list
> Administrators (S-1-5-32-544) -> domänen-benutzer
> Users (S-1-5-32-545) -> hilfedienstgruppe
> ----->8------------------snap-------------->8--------------
> After removing the group_mapping.ldb, I couldn't reproduce that either...

I think the gid mapping problem may have been a consequence of some
dirty caches being around. Have you changed your server configuration
wrt idmap w/o removing group_mapping.ldb and/or the idmap caches/mapping
files ?


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>

More information about the samba-technical mailing list