[Samba] winbind creating duplicate users

Ian Clancy clancyian at cel.ie
Thu Jun 30 22:10:46 GMT 2005

Hi everybody,
I'm having a problem with winbind creating 2 entries for some of my 
users that's really wrecking my head ;-/ .
My situation is as follows:
I have a typical Samba (3.0.14a)/LDAP setup. I have a trusted domain 
(another Samba/LDAP setup) and use winbind to map the users from the 
foreign domain, with the UID to SID mappings stored in LDAP. This works 
very well.
The relevant part of my nsswitch.conf file is as follows:

passwd:     files ldap winbind
shadow:     files ldap winbind
group:      files ldap winbind

When I run 'getent passwd' on a domain member server the following are listed:
1.) local user accounts
2.) accounts resolved via LDAP (UID 5'000+)
3.) winbind resolved accounts from the foreign domain (i.e. 
FDOMAIN+user) UID = 10'000 +

This was all working fine for a while. However, recently I noticed that 
winbind began storing additional UID to SID mappings for members of the 
local domain in LDAP.
So when I ran e.g. 'getent passwd | grep brightstor' I would get 2 
entries for the 1 user account, 1 resolved from LDAP, the other from winbind:

brightstor:x:5586:513:System User:/home/brightstor:/bin/false

This occurs for some accounts but not others.
pdbedit on this account returns:

[root@teddc etc]# pdbedit -Lv brightstor
init_sam_from_ldap: Entry found for user: brightstor
Unix username:        brightstor
NT username:          brightstor
Account Flags:        [UX         ]
User SID:             S-1-5-21-193554404-1789558652-91453608-12172
Primary Group SID:    S-1-5-21-193554404-1789558652-91453608-513
Full Name:            Brightstor
Home Directory:
HomeDir Drive:
Logon Script:         scripts\tedmap.bat
Profile Path:
Domain:               TED
Account desc:         System User
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time:         Tue, 19 Jan 2038 03:14:07 GMT
Password last set:    Tue, 28 Jun 2005 10:53:57 GMT
Password can change:  Tue, 28 Jun 2005 10:53:57 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password   : 0
Bad password count  : 0

Even when I stop winbind, delete winbindd_cache.tdb and 
winbindd_idmap.tdb and delete the bad entries from the LDAP Directory 
the problem returns.

Can anyone make sense of this behaviour?

Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Co. Galway,

P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian at cel.ie
W : http://www.cel-europe.com
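
A check for the symptom described in this post, added here as an example and not part of the original message: it reads 'getent passwd' output and lists local-domain accounts that NSS returns under more than one UID. The UID ranges, the '+' separator and the TED domain name come from the post; the TED+brightstor line, the alice entries and the function names are constructed assumptions.

```shell
#!/bin/sh
# Usage on a member server: getent passwd | find_duplicates TED

# find_duplicates LOCALDOMAIN
# Reads passwd-format lines on stdin. Prints one line per account name that
# appears with more than one distinct UID: "name uid:source uid:source ..."
# Only the LOCALDOMAIN+ prefix is stripped, so FDOMAIN+alice and a local
# alice stay two different accounts (assumption: '+' separator as in the post).
find_duplicates() {
    awk -F: -v dom="$1" '
    # Guess the NSS source from the UID ranges given in the post.
    function origin(uid) {
        if (uid + 0 >= 10000) return "winbind"
        if (uid + 0 >= 5000)  return "ldap"
        return "files"
    }
    NF >= 3 {
        name = $1
        prefix = dom "+"
        if (index(toupper(name), toupper(prefix)) == 1)
            name = substr(name, length(prefix) + 1)
        name = tolower(name)
        key = name SUBSEP $3
        if (key in seen) next      # same name and same UID: not a conflict
        seen[key] = 1
        count[name]++
        detail[name] = detail[name] " " $3 ":" origin($3)
    }
    END {
        for (n in count)
            if (count[n] > 1) print n detail[n]
    }' | sort
}

# Constructed sample input. Only the first brightstor line is from the post.
sample_passwd() {
    cat <<EOF
root:x:0:0:root:/root:/bin/bash
brightstor:x:5586:513:System User:/home/brightstor:/bin/false
alice:x:5600:513:Alice:/home/alice:/bin/bash
FDOMAIN+alice:x:10001:10000:Alice:/home/FDOMAIN/alice:/bin/false
TED+brightstor:x:10004:10000:Brightstor:/home/TED/brightstor:/bin/false
EOF
}
```

An account reported with both an ldap and a winbind UID can own files under either number, so ownership and ACL checks on the member server may disagree depending on which mapping was used.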
