[Samba] Domain trusts "forgetting" trusted users

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Nov 2 12:28:25 MST 2009

Upon further testing I find that the passwd and group info for the
trusted domain get cached once, and one time only.  When the cache
expires, "getent passwd" and "getent group" no longer return users
from the trusted domain.

By default, "idmap cache time = 900" (15 min.). If I increased this to
7200, then the caching was good for two hours (and not more).

The timestamp on the /var/samba/locks/idmap_cache.tdb file does get
updated frequently - at least every 20 minutes while I try "getent
passwd". idmap_cache.tdb does have entries for the remote users.

nscd is not running.



---------- Forwarded message ----------
From: Gaiseric Vandal <gaiseric.vandal at gmail.com>
Date: Thu, Oct 29, 2009 at 1:30 PM
Subject: Domain trusts "forgetting" trusted users
To: samba at lists.samba.org

I am running Samba ver 3.0.33 on Solaris 10 (sparc) as a PDC with LDAP
for the backend for both samba and unix accounts.

I have also set up a trust with a Windows domain - let's call it
WINDOMAIN - (the PDC for the Windows domain is Win 2003 but is in
mixed mode for backwards compat.) The SAMBA domain trusts the WINDOWS
domain, not vice versa.

I had also tried setting up trusts with another, test domain (let's
call it TESTDOMAIN).

I have winbind enabled. Initially idmap entries were stored in the
local tdb backend. I switched this to ldap (wanted idmappings with
in the domain to be consistent across member servers, and wanted to
add a BDC.)

smb.conf includes

passdb backend = ldapsam:ldap://ldap1.mydomain.com
ldap suffix = o=mydomain.com
ldap user suffix = ou=people
ldap group suffix = ou=smb_groups
ldap machine suffix = ou=machines
ldap admin dn = "cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
ldap idmap suffix = ou=idmap

winbind enum users = Yes
winbind enum groups = no
winbind use default domain = no
winbind trusted domains only = no

# ldap timeout default is 15 sec
ldap timeout = 30

# idmap domains = WINDOMAIN, TESTDOMAIN
idmap domains = WINDOMAIN

idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:readonly = no
idmap config WINDOMAIN:default = no
idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
idmap config WINDOMAIN:ldap_user_dn = cn=Directory Manager
idmap config WINDOMAIN:ldap_url = ldap1.mydomain.com
idmap config WINDOMAIN:range = 30000-39999

#idmap config TESTDOMAIN:backend = ldap
#idmap config TESTDOMAIN:readonly = no
#idmap config TESTDOMAIN:default = no
#idmap config TESTDOMAIN:ldap_base_dn = ou=testdomain,ou=idmap,o=mydomain.com
#idmap config TESTDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config TESTDOMAIN:ldap_url = ldap1.mydomain.com
#idmap config TESTDOMAIN:range = 40000-49999

idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=Directory Manager
idmap alloc config:ldap_url = ldap1.mydomain.com
idmap alloc config:range = 70000-79999


Getting the correct (or mostly correct) syntax took a little while.
/etc/nsswitch.conf is configured for winbind.

When I first run "wbinfo -u" and "wbinfo -g", samba would populate
entries for the WINDOMAIN accounts in
ou=windomain,ou=idmap,o=mydomain.com. The ids would be in the 70000
range, not the 30000 range - which is fine with me since entries for
each domain were still in the correct ldap container.

"getent passwd" and "getent group" would show the WINDOMAIN domain
accounts. Everything would be fine for several days. However, after
a few days, getent commands no longer showed the WINDOMAIN accounts.

The only solution would be to stop winbind, delete the idmap entries
from ldap, restart winbind and let the entries repopulate.

I am unclear on if the "idmap config SOMEDOMAIN:range" setting for
each domain should be within the "idmap alloc config:range"

The syntax for this seems to change with different versions of samba.

Any thoughts?

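The symptom in this thread (trusted-domain users present in winbind but missing from "getent passwd" once the idmap cache expires) is the kind of thing worth checking from a script rather than by eye. The following is an added example, not code from the poster or from the Samba project: it compares the users winbind reports for a domain against what NSS actually resolves, and reads the effective "idmap cache time" from testparm output, falling back to Samba's documented default of 900 seconds. It assumes winbind's default "\" separator and "winbind use default domain = no" (as in the posted smb.conf), so trusted-domain names appear as DOMAIN\user. The wbinfo, getent and testparm output embedded below is constructed sample data; pass "--live [DOMAIN]" to run against the real commands.

```sh
#!/bin/sh
# Added example (not from the original post): detect trusted-domain users
# dropping out of NSS, the failure mode described in the thread.

SEP='\'   # assumed: winbind separator left at its default

# --- Constructed sample data (not real output) ----------------------------
SAMPLE_WBINFO_U='WINDOMAIN\alice
WINDOMAIN\bob
WINDOMAIN\svc_backup'

SAMPLE_GETENT_OK='root:x:0:0:root:/root:/bin/sh
localuser:x:1001:1001::/home/localuser:/bin/sh
WINDOMAIN\alice:*:70001:70001:alice:/home/WINDOMAIN/alice:/bin/false
WINDOMAIN\bob:*:70002:70001:bob:/home/WINDOMAIN/bob:/bin/false
WINDOMAIN\svc_backup:*:70003:70001::/home/WINDOMAIN/svc_backup:/bin/false'

# What getent looks like after the cache has expired: only local accounts.
SAMPLE_GETENT_EXPIRED='root:x:0:0:root:/root:/bin/sh
localuser:x:1001:1001::/home/localuser:/bin/sh'

SAMPLE_TESTPARM='[global]
	workgroup = MYDOMAIN
	idmap cache time = 7200
	winbind enum users = Yes'

# count_domain_entries DOMAIN TEXT
# Count lines of TEXT (wbinfo -u or getent passwd output) whose name
# field starts with "DOMAIN<sep>", compared case-insensitively.
# The separator is passed through the environment so awk does not
# interpret the backslash as an escape sequence.
count_domain_entries() {
    printf '%s\n' "$2" | SEP="$SEP" awk -F: -v d="$1" '
        BEGIN { d = toupper(d) ENVIRON["SEP"]; n = 0 }
        { if (index(toupper($1), d) == 1) n++ }
        END { print n }'
}

# idmap_cache_time TESTPARM_OUTPUT
# Print the effective "idmap cache time" in seconds; Samba defaults to
# 900 when the parameter is absent from smb.conf.
idmap_cache_time() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*idmap cache time[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { if (v == "") v = 900; print v }'
}

# trusted_users_visible DOMAIN WBINFO_OUTPUT GETENT_OUTPUT
# Succeed (exit 0) when every DOMAIN user winbind knows also resolves
# through NSS; fail (exit 1) when NSS has dropped some or all of them.
trusted_users_visible() {
    expected=$(count_domain_entries "$1" "$2")
    actual=$(count_domain_entries "$1" "$3")
    [ "$expected" -gt 0 ] && [ "$actual" -eq "$expected" ]
}

# report DOMAIN WBINFO_OUTPUT GETENT_OUTPUT TESTPARM_OUTPUT
report() {
    if trusted_users_visible "$1" "$2" "$3"; then
        echo "$1: OK, all $(count_domain_entries "$1" "$2") winbind users resolve via NSS"
    else
        echo "$1: PROBLEM, NSS returns $(count_domain_entries "$1" "$3") of" \
             "$(count_domain_entries "$1" "$2") winbind users;" \
             "idmap cache time is $(idmap_cache_time "$4")s, suspect cache expiry"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: assumes wbinfo, getent and testparm are on PATH and that
    # this runs on the Samba host (or a member server) with winbind in
    # nsswitch.conf.
    report "${2:-WINDOMAIN}" "$(wbinfo -u)" "$(getent passwd)" "$(testparm -s 2>/dev/null)"
else
    report WINDOMAIN "$SAMPLE_WBINFO_U" "$SAMPLE_GETENT_OK"      "$SAMPLE_TESTPARM"
    report WINDOMAIN "$SAMPLE_WBINFO_U" "$SAMPLE_GETENT_EXPIRED" "$SAMPLE_TESTPARM"
fi
```

Run from cron at an interval shorter than the configured idmap cache time and the PROBLEM line shows up at the moment the cached mappings stop being served, which narrows the search to cache expiry rather than to the LDAP idmap entries themselves. If "winbind use default domain" is set to yes, or the separator is changed, adjust SEP and the domain prefix matching accordingly.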