[Samba] Winbind mappings change over time
Richard Greaney
richard at net-solutions.net.nz
Tue Oct 31 02:52:51 GMT 2006
Hi all
I have a peculiar problem that has been ongoing over the last few years.
I have a mail server which is running winbind and giving distributed
authentication from a Windows server. Winbind UID mapping is in the
typical 10000-20000 range. Everything works fine... for the first little
while at least anyway.
From what I can tell, when winbind is first set up it allocates UIDs
for all existing Windows users, in order of their SID on the Windows
server (eg, the lowest SID on the Windows server gets the UID of 10000,
the next gets 10001 and so on). Again, this works fine.
However, this is where things start to get messy. The problem I'm
getting is that over time, these Windows - Unix ID maps get muddled up.
I've deployed some 40 odd Linux servers, some talking to AD, some
talking to Windows NT, some using Postfix for mail, some using Exim. In
all cases, this problem comes up at one time or another. You notice it
because the mailboxes (/var/mail/username) start having different
owners. This effectively kills a particular person's mail. For example,
the user 'jsmith' should have 'jsmith' as the mailbox owner, but they
might have 'jbloggs' as the owner. This is because the UID that was
assigned to jsmith has now been assigned to jbloggs. And yet there was
never any change to the jsmith or jbloggs account on the Windows server.
Has anybody else had this problem?
I'm using a range of samba builds up to 3.0.14a which, I realise is
rather old. However I'm loathed to upgrade when this is the only problem
I'm getting, if the problem isn't fixed in later versions.
I've tried a search in bugzilla but couldn't seem to come up with a
query that returned less than 200 bugs.
relevant part of smb.conf:
winbind separator = ~
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
winbind use default domain = yes
Thanks in advance
Richard
More information about the samba
mailing list