[Samba] winbind creating duplicate users
Ian Clancy
clancyian at cel.ie
Fri Jul 1 19:30:05 GMT 2005
Hi,
I've been working on this for the last couple of hours and think I have
found the root of the problem. Users that do not have a problem have an
SID such as the following:
S-1-5-21-193554404-1789558652-91453608-1264
However, any users that i have created recently have an SID similar to
the following :
S-1-5-21-193554404-1789558652-91453608-12188
As you may have noticed, the value of the last (user) part of the SID seems
to have jumped considerably; another digit has been added. This seems
to be messing up winbind somehow, and winbind is allocating the SID a UID
from the idmap pool.
Can anyone explain how the SID is generated? Is there some kind of
algorithm?
thanks,
Ian
Ian Clancy wrote:
> Hi again,
> In response to queries for more info, here is the smb.conf (- shares)
> of my PDC:
>
> workgroup = ted
> netbios name = tedDC
> server string = SAMBA-LDAP %v PDC Server
> domain logons = Yes
> domain master = Yes
> preferred master = Yes
> local master = Yes
> interfaces = lo, eth0
> bind interfaces only = Yes
> logon script = scripts\tedmap.bat
> logon home =
> logon path =
> wins support = Yes
> name resolve order = lmhosts host wins bcast
> remote announce = 192.168.2.2
> log level = 1 auth:1 winbind:5 passdb:2
> printing = cups
> printcap name = CUPS
> printer admin = Administrator
> show add printer wizard = Yes
> passdb backend = ldapsam:"ldap://127.0.0.1"
> ldap passwd sync = Yes
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=ted,dc=org
> ldap suffix = dc=ted,dc=org
> ldap group suffix = ou=Groups
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-15000
> idmap gid = 10000-15000
> winbind separator = +
> winbind use default domain = Yes
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> ldap delete dn = Yes
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> Dos charset = 850
> Unix charset = ISO8859-1
>
> Here is the smb.conf of a typical domain member server:
>
> workgroup = TED
> netbios name = TEDFS02
> server string = Samba %v on Fedora Core 2
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> interfaces = lo, eth0
> bind interfaces only = Yes
> unix extensions = Yes
> username map = /etc/samba/smbusers
> wins server = 192.0.2.14
> winbind separator = +
> winbind use default domain = Yes
> idmap backend = ldap:ldap://teddc.ted
> idmap uid = 10000-15000
> idmap gid = 10000-15000
> ldap admin dn = cn=Manager,dc=ted,dc=org
> ldap suffix = dc=ted,dc=org
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> log file = /var/log/samba/log.%m
> log level = 1
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
>
> Ian Clancy wrote:
>
>> Hi everybody,
>> I'm having a problem with winbind creating 2 entries for some of my
>> users that is really wrecking my head ;-/ .
>> My situation is as follows:
>> I have a typical Samba (3.0.14a)/LDAP setup. I have a trusted domain
>> (another Samba/LDAP setup) and use winbind to map the users from the
>> foreign domain, with the UID to SID mappings stored in LDAP. This
>> works very well.
>> The relevant part of my nsswitch.conf file is as follows:
>>
>> passwd: files ldap winbind
>> shadow: files ldap winbind
>> group: files ldap winbind
>>
>> When I 'getent passwd' on a domain member server the following are
>> listed:
>> 1.) local user accounts
>> 2.) accounts resolved via LDAP (UID 5'000+)
>> 3.) winbind resolved accounts from the foreign domain (i.e.
>> FDOMAIN+user) UID = 10'000 +
>>
>> This was all working fine for a while. However, recently I noticed
>> that winbind began storing additional UID to SID mappings for members
>> of the local domain in LDAP.
>> So when I ran e.g. 'getent passwd | grep brightstor' I would get 2
>> entries for the 1 user account, 1 resolved from LDAP, the other from
>> winbind:
>>
>> brightstor:x:5586:513:System User:/home/brightstor:/bin/false
>> brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false
>>
>> This occurs for some accounts but not others:
>> pdbedit on this account returns:
>>
>> [root at teddc etc]# pdbedit -Lv brightstor
>> init_sam_from_ldap: Entry found for user: brightstor
>> Unix username: brightstor
>> NT username: brightstor
>> Account Flags: [UX ]
>> User SID: S-1-5-21-193554404-1789558652-91453608-12172
>> Primary Group SID: S-1-5-21-193554404-1789558652-91453608-513
>> Full Name: Brightstor
>> Home Directory:
>> HomeDir Drive:
>> Logon Script: scripts\tedmap.bat
>> Profile Path:
>> Domain: TED
>> Account desc: System User
>> Workstations:
>> Munged dial:
>> Logon time: 0
>> Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
>> Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
>> Password last set: Tue, 28 Jun 2005 10:53:57 GMT
>> Password can change: Tue, 28 Jun 2005 10:53:57 GMT
>> Password must change: Tue, 19 Jan 2038 03:14:07 GMT
>> Last bad password : 0
>> Bad password count : 0
>> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>
>> Even when I stop winbind, delete winbindd_cache.tdb and
>> winbindd_idmap.tdb and delete the bad entries from the LDAP Directory,
>> the problem returns.
>>
>> Can anyone make sense of this behaviour?
>> Thanks
>>
>
>
--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian at cel.ie
W : http://www.cel-europe.com
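A small check a domain admin could run against the symptoms described in this thread, added here as an example and not part of the original messages: it reads passwd-style lines as 'getent passwd' prints them, reports any login name that resolves to more than one UID and marks which UID fell into the winbind idmap pool (idmap uid = 10000-15000 from the smb.conf above), and splits a SID into its domain part and RID so a mapping's domain can be compared with the local domain SID shown in the pdbedit output. The sample passwd lines and the FDOMAIN+alice account are constructed.

```python
import re
from collections import defaultdict

IDMAP_UID_RANGE = range(10000, 15001)  # idmap uid = 10000-15000 (smb.conf above)
LOCAL_DOMAIN_SID = "S-1-5-21-193554404-1789558652-91453608"  # from the pdbedit output

# A domain account SID is S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, else raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))

def is_local_domain(sid, local_domain_sid=LOCAL_DOMAIN_SID):
    """True when the SID belongs to the local domain. Such accounts should be
    resolved from the passdb (LDAP), not given a UID from winbind's idmap pool."""
    return split_sid(sid)[0] == local_domain_sid

def find_duplicates(passwd_lines, idmap_range=IDMAP_UID_RANGE):
    """Map login name -> [(uid, source), ...] for names seen with more than one UID.
    source is 'idmap' when the UID lies in the winbind pool, otherwise 'other'."""
    seen = defaultdict(list)
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, uid = fields[0], int(fields[2])
        seen[name].append((uid, "idmap" if uid in idmap_range else "other"))
    return {n: e for n, e in seen.items() if len({uid for uid, _ in e}) > 1}

# Constructed sample in the shape of the 'getent passwd' output quoted above.
SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "brightstor:x:5586:513:System User:/home/brightstor:/bin/false",
    "brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false",
    "FDOMAIN+alice:x:10002:10001:Alice:/home/FDOMAIN/alice:/bin/false",
]

if __name__ == "__main__":
    for name, entries in find_duplicates(SAMPLE).items():
        print(f"{name}: {entries}")
    print(split_sid("S-1-5-21-193554404-1789558652-91453608-12188"))
```

On a real member server, feed it `getent passwd` output instead of SAMPLE; a local-domain account showing up with an 'idmap' UID is exactly the double entry described in the thread.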