[Samba] samba problems. accounts expire after an hour, but work after reset

Collen Blijenberg collen at hermanjordan.nl
Fri Mar 9 10:28:12 GMT 2007


Hmm.. just a few last questions.

The bug came back the other day, after I fired up a machine that uses
winbindd for apache authentication
(no smb processes here). The downside is that it's winbindd from samba 3.0.11.
winbindd from samba 3.0.24 has some strange issues with that machine:
for every page it starts re-authing again,
resulting in asking for username and password again, and again and again and ...
I think the problem might be there.

The part I don't get is the 'resolve unmapped account' ??
How can you have unmapped accounts ?? Isn't it so that all
accounts that don't have entries in the user database (or machine)
are rejected ?? So they don't need any auth at all ?

So basically, I can leave the old SIDs and posix uids alone, but need to
monitor the sid and uid
when creating new users and machines, coz they can collide with the
existing non-standard uids and SIDs.

Great, back to debugging again... thx for da input.

Collen


Edmundo Valle Neto wrote:
> Collen Blijenberg wrote:
>> Sorry, forgot something,
>>
>> Indeed there was a mixup with the migration; the old posix uids were 
>> different than the ones we use now.
>> I changed the auto_increment value of the user.uid table from mysql.
>> I took the highest sid (5620), subbed 1000 and /2, and used that for the 
>> auto_increment value..
>>
>> so now my new user accounts are in sync with samba RID's again.
>>
>> All I'm interested in now is the ones I already have and use...
>> I have a heap of accounts that have a posix uid that doesn't fit the 
>> rules Edmundo explained (1000 + (2*uid)).
>> It looks like all works fine, but I would like to take the advice of 
>> the experts...
>>
>> Is the rule only active when creating new accounts, or does samba use 
>> that rule also within
>> daily basic things ? (like logging in, or accessing shares ??)
>>
>> does it harm to have a posix uid 1050 and a SID ending with -1299  ?????
>>
>> Cheers Collen
>>
>> ...
> [cut]
>
> As far as I know, this algorithmic mapping is made to prevent clashes and 
> prevent the use of well-known RIDs by Windows domains. I don't know all 
> the situations in which the algorithmic mapping will be used in addition 
> to the creation of new accounts or to resolve unmapped accounts. 
> (Someone correct me if I'm wrong).
>
> But I would guess that if your accounts are being resolved (SID<->GID 
> and SID<->UID) (and if I remember right those mappings are made inside 
> the base used and/or inside groupmap_idmap.tdb, when you are not using 
> winbind) you will not have any problems beyond those related to 
> permissions from lost/changed ids after use (IF that happened).
>
> Regards.
>
> Edmundo Valle Neto
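
One way to do the monitoring discussed in this thread, as an added example that is not code from either poster or from Samba: it lists accounts whose RID does not follow the 1000 + (2*uid) rule quoted above, and checks whether a new uid, if given a RID by that rule, would reuse an existing uid or RID. The account names, the domain SID and the function names are constructed or hypothetical; in practice the (name, uid, SID) rows would come from your own user database.

```python
# Added example: audit uid/RID pairs against the rule quoted in the thread.
RID_BASE = 1000  # from the thread's rule: RID = 1000 + (2 * uid)

# Constructed sample data; the domain part of the SID is a placeholder.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = [
    ("alice", 1050, DOMAIN_SID + "-1299"),  # uid/RID pair asked about in the thread
    ("bob", 2309, DOMAIN_SID + "-5618"),    # follows the rule
    ("carol", 1200, DOMAIN_SID + "-5620"),  # migrated account, RID off the rule
]


def algorithmic_rid(uid):
    """RID the thread's rule assigns to a posix uid."""
    return RID_BASE + 2 * uid


def rid_of(sid):
    """Last sub-authority of a SID string, i.e. the RID."""
    return int(sid.rsplit("-", 1)[1])


def off_rule(accounts):
    """Accounts whose stored RID differs from the algorithmic one.

    Returns (name, uid, stored_rid, expected_rid) tuples.
    """
    return [
        (name, uid, rid_of(sid), algorithmic_rid(uid))
        for name, uid, sid in accounts
        if rid_of(sid) != algorithmic_rid(uid)
    ]


def collisions(accounts, new_uid):
    """Names of existing accounts that a new account would clash with,
    either by reusing the uid or by landing on an already used RID."""
    new_rid = algorithmic_rid(new_uid)
    return [
        name
        for name, uid, sid in accounts
        if uid == new_uid or rid_of(sid) == new_rid
    ]


if __name__ == "__main__":
    for name, uid, rid, expected in off_rule(ACCOUNTS):
        print(f"{name}: uid {uid} has RID {rid}, rule gives {expected}")
    for candidate in (2310, 2311):
        print(candidate, "clashes with", collisions(ACCOUNTS, candidate))
```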



