[Samba] winbind creating duplicate users
Ian Clancy
clancyian at cel.ie
Fri Jul 1 16:17:43 GMT 2005
Hi again,
In responce to queries for more info here is the smb.conf (- shares) of
my pdc :
workgroup = ted
netbios name = tedDC
server string = SAMBA-LDAP %v PDC Server
domain logons = Yes
domain master = Yes
preferred master = Yes
local master = Yes
interfaces = lo, eth0
bind interfaces only = Yes
logon script = scripts\tedmap.bat
logon home =
logon path =
wins support = Yes
name resolve order = lmhosts host wins bcast
remote announce = 192.168.2.2
log level = 1 auth:1 winbind:5 passdb:2
printing = cups
printcap name = CUPS
printer admin = Administrator
show add printer wizard = Yes
passdb backend = ldapsam:"ldap://127.0.0.1"
ldap passwd sync = Yes
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=ted,dc=org
ldap suffix = dc=ted,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-15000
idmap gid = 10000-15000
winbind separator = +
winbind use default domain = Yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
Dos charset = 850
Unix charset = ISO8859-1
here is the smb.conf of a typical domain member server :
workgroup = TED
netbios name = TEDFS02
server string = Samba %v on Fedora Core 2
security = DOMAIN
encrypt passwords = Yes
password server = *
interfaces = lo, eth0
bind interfaces only = Yes
unix extensions = Yes
username map = /etc/samba/smbusers
wins server = 192.0.2.14
winbind separator = +
winbind use default domain = Yes
idmap backend = ldap:ldap://teddc.ted
idmap uid = 10000-15000
idmap gid = 10000-15000
ldap admin dn = cn=Manager,dc=ted,dc=org
ldap suffix = dc=ted,dc=org
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
log file = /var/log/samba/log.%m
log level = 1
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
Ian Clancy wrote:
> Hi everybody,
> I'm having a problem with winbind creating 2 entries for some of my
> users that really wrecking my head ;-/ .
> My situation is as follows :
> I have a typical Samba (3.0.14a)/LDAP setup. I have a trusted domain
> (another Samba/LDAP setup) and use winbind to map the users from the
> foreign domain, with the UID to SID mappings stored in LDAP . This
> works very well.
> The relevant part of my nsswitch.conf file is as follows :
>
> passwd: files ldap winbind
> shadow: files ldap winbind
> group: files ldap winbind
>
> When i 'getent passwd' on a domain member server the following are
> listed:
> 1.) local user accounts
> 2.) accounts resolved via LDAP (UID 5'000+)
> 3.) winbind resolved accounts from the foreign domain (i.e.
> FDOMAIN+user) UID = 10'000 +
>
> This was all working fine for a while. However, recently i noticed
> that winbind began storing additional UID to SID mappings for members
> of the local domain in LDAP.
> So when i ran e.g. 'getent passwd | grep brightstop' i would get 2
> entries for the 1 user account, 1 resolved from LDAP, the other from
> winbind
>
> brightstor:x:5586:513:System User:/home/brightstor:/bin/false
> brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false
>
> This occurs for some accounts but not others:
> pdbedit on this account returns :
>
> [root at teddc etc]# pdbedit -Lv brightstor
> init_sam_from_ldap: Entry found for user: brightstor
> Unix username: brightstor
> NT username: brightstor
> Account Flags: [UX ]
> User SID: S-1-5-21-193554404-1789558652-91453608-12172
> Primary Group SID: S-1-5-21-193554404-1789558652-91453608-513
> Full Name: Brightstor
> Home Directory:
> HomeDir Drive:
> Logon Script: scripts\tedmap.bat
> Profile Path:
> Domain: TED
> Account desc: System User
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
> Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
> Password last set: Tue, 28 Jun 2005 10:53:57 GMT
> Password can change: Tue, 28 Jun 2005 10:53:57 GMT
> Password must change: Tue, 19 Jan 2038 03:14:07 GMT
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> Even when i stop winbind, delete winbindd_cache.tdb and
> winbindd_idmap.tdb and delete the bad entries from the LDAP Directory
> the problem returns ?.
>
> Can anone make sence of this behaviour ?.
> Thanks
>
--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian at cel.ie
W : http://www.cel-europe.com
More information about the samba
mailing list