[Samba] [WINBIND] adds "weird" attributes in LDAP

Michael Gasch gasch at eva.mpg.de
Wed Sep 8 06:28:08 GMT 2004


hi list,

I recently recognized that winbind on my fileserver (needed for 
allocating SID->UIDs when setting ACLs from a Windows box) adds LDAP 
attributes although the SID already exists !!??!?!

Example:

I have a user "install"

# install, users, eva.mpg.de
dn: uid=install,ou=users,dc=eva,dc=mpg,dc=de
objectClass: posixAccount
objectClass: person
objectClass: sambaSamAccount
cn: install
uid: install
sn: install
displayName: install
uidNumber: 837
gidNumber: 500
sambaSID: S-1-5-21-3833542193-1936992747-4175797896-2674
sambaPrimaryGroupSID: S-1-5-21-3833542193-1936992747-4175797896-513
homeDirectory: /data/install/home
loginShell: /bin/false
sambaAcctFlags: [U          ]
sambaLogonScript: install.bat
sambaPwdMustChange: 9223372036854775807
sambaPwdCanChange: 1090994939


If I connect to his share, everything is fine, but winbind complains about

Sep  8 08:17:48 nevanfs01 winbindd[25824]: [2004/09/08 08:17:48, 0] 
sam/idmap_ldap.c:ldap_get_sid_from_id(525)
Sep  8 08:17:48 nevanfs01 winbindd[25824]:   ldap_get_sid_from_id: 
mapping not found for gidNumber: 500
Sep  8 08:17:48 nevanfs01 winbindd[25824]: [2004/09/08 08:17:48, 0] 
sam/idmap_ldap.c:ldap_get_sid_from_id(525)
Sep  8 08:17:48 nevanfs01 winbindd[25824]:   ldap_get_sid_from_id: 
mapping not found for gidNumber: 0
    .
    .
    .
Sep  8 08:25:02 nevanfs01 winbindd[25824]:   ldap_get_sid_from_id: 
mapping not found for gidNumber: 500
Sep  8 08:25:02 nevanfs01 winbindd[25824]: [2004/09/08 08:25:02, 0] 
sam/idmap_ldap.c:ldap_set_mapping(103)
Sep  8 08:25:02 nevanfs01 winbindd[25824]:   ldap_set_mapping_internals: 
Failed to add mapping from S-1-5-21-3833542193-1936992747-4175797896-513 
to 500 [gidNumber]
Sep  8 08:25:02 nevanfs01 winbindd[25824]: [2004/09/08 08:25:02, 0] 
sam/idmap_ldap.c:ldap_set_mapping(105)
Sep  8 08:25:02 nevanfs01 winbindd[25824]:   ldap_set_mapping_internals: 
Error was:  (Already exists)




and adds the following entry to the LDAP base

# S-1-5-21-3833542193-1936992747-4175797896-513, eva.mpg.de
dn: 
sambaSID=S-1-5-21-3833542193-1936992747-4175797896-513,dc=eva,dc=mpg,dc=de
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 500
sambaSID: S-1-5-21-3833542193-1936992747-4175797896-513


**** smb.conf on fileserver ****

[global]

    workgroup = NEVAN
    netbios name = nevanfs01
    server string = NevanFS01 on Samba Version: %v

    username map = /etc/samba/username.map

    log level = 5
    log file = /var/lib/samba/log.%m
    max log size = 10000

    passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://nevanbdc.eva.mpg.de:389"
    ldap passwd sync = yes
    ldap suffix = dc=eva,dc=mpg,dc=de
    ldap admin dn = uid=sambamanager,ou=users,dc=eva,dc=mpg,dc=de
    #ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
    ldap machine suffix = ou=machines
    ldap user suffix  = ou=users
    ldap group suffix = ou=groups
    ldap replication sleep = 2000

#  idmap backend = ldap:ldap://nevanpdc.eva.mpg.de:389 ldap:ldap://nevanbdc.eva.mpg.de:389 -> does not work (yet)
    idmap backend = ldap:ldap://nevanpdc.eva.mpg.de:389
#  ldap idmap suffix = ou=users
    idmap uid = 10000-50000
    idmap gid = 10000-50000

    winbind use default domain = yes
#   winbind enum users = no
#   winbind enum groups = no
    winbind trusted domains only = yes

    interfaces = eth0
    bind interfaces only = yes

    guest ok = no
    guest account = Guest

    security = domain
    local master = yes
    os level = 32
    domain master = no
    domain logons = no

    encrypt passwords = yes
    password server = nevanpdc, nevanbdc, *

#  socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

    wins support = yes
    dns proxy = no

    #add user script = /root/bin/BDC/adduser.sh '%u'
    #add machine script = /root/bin/BDC/addmachine.sh '%u'
    #add group script = /root/bin/BDC/addgroup.sh '%g'
    add user to group script = /root/bin/BDC/add_to_group.sh '%u' '%g'
    #delete user script = /root/bin/BDC/deleteuser_rpc.sh '%u'
    #delete group script = /root/bin/BDC/deletegroup.sh '%g'
    #delete user from group script = /root/bin/BDC/delete_from_group.sh '%u' '%g'

    display charset = UTF8
    unix charset = UTF8

    # store DOS ATTRIB (Archive, ReadOnly, ...) in extended attributes (FS must support it)
    # map options must be set "no"
    store dos attributes = yes
    map archive = no
    map system = no
    map hidden = no

    #printing = CUPS
    #printcap name = CUPS
    #load printers = yes
    #use client driver = yes


[homes]
    comment = Home-Drive for personal Data
    browseable = no
    writeable = yes
    force create mode = 0700
    force directory mode = 0700
    force group = root


******************************************************************************************************************


nevanfs01:/etc/samba # net groupmap list -d0
Domänen-Gäste (S-1-5-21-3833542193-1936992747-4175797896-514) -> nobody
Domänen-Benutzer (S-1-5-21-3833542193-1936992747-4175797896-513) -> users


Could you enlighten me please ??????
Maybe I have to set "winbind enum users = no" ????
Thank you very much

-- 


          "Matrix - more than a vision"

**************************************************
                  Michael Gasch

            - Central IT Department -

Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig

Germany
**************************************************
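The post shows winbind writing a sambaIdmapEntry for a SID (the Domain Users SID ending in 513) that `net groupmap list` already maps to the group "users", while the quoted smb.conf restricts `idmap gid` to 10000-50000 and the log shows winbind looking up gidNumber 500. An administrator who wants to catch such entries before they accumulate can audit an LDIF export for SIDs that carry both a passdb/groupmap object and an idmap entry, and for idmap entries whose uid/gid falls outside the configured range. The script below is an added example written for this thread, not code from the poster or from Samba; the LDIF and smb.conf fragments in it are constructed samples modelled on the entries and settings quoted in the mail, and the posixGroup entry is assumed (the mail shows the group mapping only via `net groupmap list`).

```python
"""Audit an LDIF export for winbind idmap entries that collide with existing
SID mappings or fall outside the idmap range in smb.conf.
Added example; the LDIF/smb.conf samples below are constructed, not real data."""
import re
from collections import defaultdict

# Constructed LDIF sample: the user and the sambaIdmapEntry quoted in the
# mail, plus an assumed posixGroup/sambaGroupMapping object for gid 500.
SAMPLE_LDIF = """\
dn: uid=install,ou=users,dc=eva,dc=mpg,dc=de
objectClass: posixAccount
objectClass: sambaSamAccount
uid: install
uidNumber: 837
gidNumber: 500
sambaSID: S-1-5-21-3833542193-1936992747-4175797896-2674
sambaPrimaryGroupSID: S-1-5-21-3833542193-1936992747-4175797896-513

dn: cn=users,ou=groups,dc=eva,dc=mpg,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 500
sambaSID: S-1-5-21-3833542193-1936992747-4175797896-513

dn: sambaSID=S-1-5-21-3833542193-1936992747-4175797896-513,dc=eva,dc=mpg,dc=de
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 500
sambaSID: S-1-5-21-3833542193-1936992747-4175797896-513
"""

# Constructed smb.conf fragment using the idmap keys shown in the mail.
SAMPLE_SMBCONF = """\
[global]
    idmap backend = ldap:ldap://nevanpdc.eva.mpg.de:389
    idmap uid = 10000-50000
    idmap gid = 10000-50000
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> list of values.
    Unfolds continuation lines (leading space); records are blank-line
    separated. Base64 ('::') values are not needed for this audit."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a wrapped attribute value
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if current is None:
            current = defaultdict(list)
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    return entries


def parse_idmap_ranges(smbconf):
    """Extract 'idmap uid' / 'idmap gid' as (low, high) tuples."""
    ranges = {}
    for key in ("idmap uid", "idmap gid"):
        m = re.search(r"^\s*%s\s*=\s*(\d+)\s*-\s*(\d+)" % key, smbconf, re.M)
        if m:
            ranges[key] = (int(m.group(1)), int(m.group(2)))
    return ranges


def audit(ldif_text, smbconf_text):
    """Return findings: SIDs that have both a non-idmap object (user or
    group mapping) and a sambaIdmapEntry, and idmap entries whose
    uidNumber/gidNumber lies outside the configured idmap range."""
    entries = parse_ldif(ldif_text)
    ranges = parse_idmap_ranges(smbconf_text)
    by_sid = defaultdict(list)
    for e in entries:
        for sid in e.get("sambaSID", []):
            by_sid[sid].append(e)
    findings = []
    for sid, objs in by_sid.items():
        idmap = [e for e in objs if "sambaIdmapEntry" in e["objectClass"]]
        others = [e for e in objs if "sambaIdmapEntry" not in e["objectClass"]]
        if idmap and others:
            findings.append(("duplicate-mapping", sid, [e["dn"][0] for e in others]))
        for e in idmap:
            for attr, key in (("uidNumber", "idmap uid"), ("gidNumber", "idmap gid")):
                low, high = ranges.get(key, (0, 2 ** 32))
                for v in e.get(attr, []):
                    if not low <= int(v) <= high:
                        findings.append(("outside-idmap-range", sid,
                                         "%s=%s not in %d-%d" % (attr, v, low, high)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, SAMPLE_SMBCONF):
        print(*finding)
```

Run it against a real export (for example the output of `ldapsearch -x -LLL` over the ldap suffix) by replacing SAMPLE_LDIF; a "duplicate-mapping" finding means winbind's idmap backend and the passdb/groupmap data disagree about who owns that SID, and an "outside-idmap-range" finding points at an id that the allocator was never meant to hand out.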