[Samba] winbind creating duplicate users

Ian Clancy clancyian at cel.ie
Fri Jul 1 16:17:43 GMT 2005


Hi again,
In response to queries for more info, here is the smb.conf (without the shares) of
my PDC:

workgroup = ted
netbios name = tedDC
server string = SAMBA-LDAP %v PDC Server
domain logons = Yes
domain master = Yes
preferred master = Yes
local master = Yes
interfaces = lo, eth0
bind interfaces only = Yes
logon script = scripts\tedmap.bat
logon home =
logon path =
wins support = Yes
name resolve order = lmhosts host wins bcast
remote announce = 192.168.2.2
log level = 1 auth:1 winbind:5 passdb:2
printing = cups
printcap name = CUPS
printer admin = Administrator
show add printer wizard = Yes
passdb backend = ldapsam:"ldap://127.0.0.1"
ldap passwd sync = Yes
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=ted,dc=org
ldap suffix = dc=ted,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-15000
idmap gid = 10000-15000
winbind separator = +
winbind use default domain = Yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
Dos charset = 850
Unix charset = ISO8859-1

Here is the smb.conf of a typical domain member server:

       workgroup = TED
       netbios name = TEDFS02
       server string = Samba %v on Fedora Core 2
       security = DOMAIN
       encrypt passwords = Yes
       password server = *
       interfaces = lo, eth0
       bind interfaces only = Yes
       unix extensions = Yes
       username map = /etc/samba/smbusers
       wins server = 192.0.2.14
       winbind separator = +
       winbind use default domain = Yes
       idmap backend = ldap:ldap://teddc.ted
       idmap uid = 10000-15000
       idmap gid = 10000-15000
       ldap admin dn = cn=Manager,dc=ted,dc=org
       ldap suffix = dc=ted,dc=org
       ldap machine suffix = ou=Computers
       ldap user suffix = ou=People
       ldap group suffix = ou=Groups
       ldap idmap suffix = ou=Idmap
       log file = /var/log/samba/log.%m
       log level = 1
       max log size = 50
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192


Ian Clancy wrote:

> Hi everybody,
> I'm having a problem with winbind creating 2 entries for some of my
> users that is really wrecking my head ;-/ .
> My situation is as follows :
> I have a typical Samba (3.0.14a)/LDAP setup. I have a trusted domain 
> (another Samba/LDAP setup) and use winbind to map the users from the 
> foreign domain, with the UID to SID mappings stored in LDAP . This 
> works very well.
> The relevant part of my nsswitch.conf file is as follows :
>
> passwd:     files ldap winbind
> shadow:     files ldap winbind
> group:      files ldap winbind
>
> When I run 'getent passwd' on a domain member server the following are
> listed:
> 1.) local user accounts
> 2.) accounts resolved via LDAP (UID 5'000+)
> 3.) winbind resolved accounts from the foreign domain (i.e. 
> FDOMAIN+user) UID = 10'000 +
>
> This was all working fine for a while. However, recently I noticed
> that winbind began storing additional UID to SID mappings for members
> of the local domain in LDAP.
> So when I ran e.g. 'getent passwd | grep brightstor' I would get 2
> entries for the 1 user account, 1 resolved from LDAP, the other from
> winbind:
>
> brightstor:x:5586:513:System User:/home/brightstor:/bin/false
> brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false
>
> This occurs for some accounts but not others:
> pdbedit on this account returns :
>
> [root at teddc etc]# pdbedit -Lv brightstor
> init_sam_from_ldap: Entry found for user: brightstor
> Unix username:        brightstor
> NT username:          brightstor
> Account Flags:        [UX         ]
> User SID:             S-1-5-21-193554404-1789558652-91453608-12172
> Primary Group SID:    S-1-5-21-193554404-1789558652-91453608-513
> Full Name:            Brightstor
> Home Directory:
> HomeDir Drive:
> Logon Script:         scripts\tedmap.bat
> Profile Path:
> Domain:               TED
> Account desc:         System User
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Tue, 19 Jan 2038 03:14:07 GMT
> Kickoff time:         Tue, 19 Jan 2038 03:14:07 GMT
> Password last set:    Tue, 28 Jun 2005 10:53:57 GMT
> Password can change:  Tue, 28 Jun 2005 10:53:57 GMT
> Password must change: Tue, 19 Jan 2038 03:14:07 GMT
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> Even when I stop winbind, delete winbindd_cache.tdb and
> winbindd_idmap.tdb and delete the bad entries from the LDAP directory,
> the problem returns.
>
> Can anyone make sense of this behaviour?
> Thanks
>


-- 
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian at cel.ie
W : http://www.cel-europe.com
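An added diagnostic, not part of Ian's post and not Samba code, that turns the check he did by hand ('getent passwd | grep ...') into a small script. It parses the 'idmap uid' range out of an smb.conf fragment, parses passwd-format lines as printed by 'getent passwd', groups them by user name, and for every name that resolves more than once reports which entry's UID falls inside the idmap range, i.e. the entry winbind allocated on top of the one already held in ldapsam. The smb.conf fragment and the getent lines below are constructed from values shown in the post; on a real member server you would feed it the output of 'getent passwd' and the server's own smb.conf.

```python
"""Find user names that resolve to more than one UID across NSS sources.

A name that maps to two UIDs is a security problem, not just a cosmetic one:
which UID a process ends up with depends on the nsswitch lookup order, so
file ownership and access checks can diverge between hosts and over time.
"""
import re
from collections import defaultdict

# Constructed smb.conf fragment using the idmap range from the post.
SAMPLE_SMB_CONF = """
[global]
   workgroup = TED
   idmap backend = ldap:ldap://127.0.0.1
   idmap uid = 10000-15000
   idmap gid = 10000-15000
"""

# Constructed 'getent passwd' output: the two brightstor lines are the
# duplicate pair shown in the post; the other lines are filler.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
alice:x:5001:513:Alice:/home/alice:/bin/bash
brightstor:x:5586:513:System User:/home/brightstor:/bin/false
brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false
FDOMAIN+bob:x:10002:10001:Bob:/home/FDOMAIN/bob:/bin/false
"""


def parse_idmap_range(smb_conf_text, key="idmap uid"):
    """Return (low, high) for 'idmap uid' (or 'idmap gid') from smb.conf text."""
    pattern = re.compile(
        r"^\s*" + re.escape(key) + r"\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
        re.MULTILINE | re.IGNORECASE,
    )
    m = pattern.search(smb_conf_text)
    if not m:
        raise ValueError(f"{key!r} not found in smb.conf text")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"{key!r} range is inverted: {low}-{high}")
    return low, high


def parse_passwd(text):
    """Parse passwd-format lines into (name, uid, gid, gecos, home, shell)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append((name, int(uid), int(gid), gecos, home, shell))
    return entries


def find_duplicates(entries, idmap_range):
    """Map each name seen more than once to its [(uid, in_idmap_range), ...].

    in_idmap_range is True for the UID that lies inside the winbind idmap
    range, which is the entry winbind created rather than the ldapsam one.
    """
    low, high = idmap_range
    by_name = defaultdict(list)
    for name, uid, *_ in entries:
        by_name[name].append((uid, low <= uid <= high))
    return {n: uids for n, uids in by_name.items() if len(uids) > 1}


def winbind_allocated(duplicates):
    """Return [(name, uid)] for the duplicate entries that winbind allocated."""
    return sorted(
        (name, uid)
        for name, uids in duplicates.items()
        for uid, in_range in uids
        if in_range
    )


if __name__ == "__main__":
    rng = parse_idmap_range(SAMPLE_SMB_CONF)
    dups = find_duplicates(parse_passwd(SAMPLE_GETENT), rng)
    for name, uids in sorted(dups.items()):
        print(f"{name}: resolves to UIDs {[u for u, _ in uids]}")
    for name, uid in winbind_allocated(dups):
        print(f"  {name}: UID {uid} is inside idmap range {rng[0]}-{rng[1]} (winbind-allocated)")
```

Run it with the sample data and it reports only brightstor, with UID 10168 flagged as the winbind-allocated entry; FDOMAIN+bob is inside the idmap range too, but it is a single entry and a foreign-domain name (note the '+' separator), so it is not a collision. Running the same check against live 'getent passwd' output on each member server, before and after clearing the winbind tdb files, is a cheap way to confirm whether the duplicates come back and on which host they first reappear.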



