[Samba] samba 3.4.5 idmap alloc broken - more details

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed May 5 15:44:28 MDT 2010


There may be several parts to the problem:


1.  Winbind on Samba 3.4.x seems unable to allocate idmap entries 
(UID/SID or GID/SID), whether the backend is LDAP or TDB.

Winbind on Samba 3.0.x is able to create idmap allocation mappings with 
an LDAP backend.  The two problems with Samba 3.0.x are as follows:
   - "getent" would stop showing trusted users once the cache period 
expired.
   - it can't talk to domains in "native" mode.

However, when I run "wbinfo -u" and "getent passwd" on my 3.0.x machine 
it will add or update idmap entries in LDAP.

2.  Samba 3.4 can read some of the idmap entries from LDAP.

Domain_A is Windows 2003 in mixed-mode.  Samba 3.0.x is able to populate 
idmap allocation entries in ldap.  Samba 3.4 when running "getent 
passwd" can see the users from that domain.

Domain_B is a Windows 2003 Native domain.  Samba 3.4 cannot handle 
those entries.

If I manually create the entry in ldap, it does get added to 
gencache.tdb with the uid (e.g. 4000.)

e.g.

---------------------------------------------------------------------------------
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1111\00"
data(16) = "  1273070774/40000\00"

key(20) = "IDMAP/UID2SID/40000\00"
data(60) = "  1272981160/S-1-5-21-xxxx-1111\00"

---------------------------------------------------------------------------------

But "getent passwd" will not show the user.

If the entry was not predefined in LDAP, a negative entry gets added to 
gencache.tdb

---------------------------------------------------------------------------------
key(60) = "IDMAP/SID2UID/S-1-5-21-xxxx-1112\00"
data(16) = "  1273080966/-1\00"

---------------------------------------------------------------------------------
3.  Samba 3.4 has idmap allocation issues even with the TDB backend.

If I change Domain_B to use the TDB backend for idmap allocation, 
gencache.tdb will get a valid uid2sid entry but not a sid2uid entry.


e.g.

---------------------------------------------------------------------------------
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1113\00"
data(16) = "  1273070774/-1\00"

key(20) = "IDMAP/UID2SID/30580\00"
data(60) = "  1272981160/S-1-5-21-xxxx-1113\00"

---------------------------------------------------------------------------------



So in summary it looks like idmap has issues with both allocating new id 
mappings and using existing ones.

I compiled samba 3.4.5 from source.  Config.log shows it was compiled 
against the openldap and kerberos packages from sunfreeware.com (not the 
Sun ldap and kerberos packages bundled with the OS.)


Help is appreciated.

Thanks
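To make the gencache.tdb dumps above easier to compare, here is an added example (not code from the original post or from Samba itself) that parses tdbdump-style IDMAP key/data lines and flags id-to-SID entries whose SID-to-id counterpart is missing or negative, which is the pattern seen in part 3. It assumes the gencache data layout shown above ("<expiry timestamp>/<value>", with -1 marking a negative entry) and uses constructed sample lines with placeholder SIDs.

```python
import re
from dataclasses import dataclass
# Constructed sample in tdbdump layout, mirroring the post's entries (SIDs are placeholders).
SAMPLE_DUMP = r'''key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1111\00"
data(16) = "  1273070774/40000\00"
key(20) = "IDMAP/UID2SID/40000\00"
data(60) = "  1272981160/S-1-5-21-xxxx-1111\00"
key(60) = "IDMAP/SID2UID/S-1-5-21-xxxx-1112\00"
data(16) = "  1273080966/-1\00"
key(61) = "IDMAP/SID2UID/S-1-5-21-xxxx-1113\00"
data(16) = "  1273070774/-1\00"
key(20) = "IDMAP/UID2SID/30580\00"
data(60) = "  1272981160/S-1-5-21-xxxx-1113\00"'''

KEY_RE = re.compile(r'^key\(\d+\) = "IDMAP/(SID2UID|UID2SID|SID2GID|GID2SID)/(.+?)\\00"$')
DATA_RE = re.compile(r'^data\(\d+\) = "\s*(\d+)/(.+?)\\00"$')  # "<expiry>/<value>"
REVERSE = {"UID2SID": "SID2UID", "GID2SID": "SID2GID"}

@dataclass
class IdmapEntry:
    direction: str  # e.g. "SID2UID"
    lookup: str     # the SID or numeric id that was looked up
    expiry: int     # gencache stores the entry's expiry as a Unix timestamp
    value: str      # mapped id or SID; "-1" marks a negative (failed lookup) entry

def parse_dump(text: str) -> list[IdmapEntry]:
    """Pair each IDMAP key line with the data line immediately following it."""
    entries, pending = [], None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            pending = km.groups()
            continue
        dm = DATA_RE.match(line)
        if dm and pending:
            entries.append(IdmapEntry(pending[0], pending[1], int(dm.group(1)), dm.group(2)))
        pending = None  # anything else (blank line, non-IDMAP key) breaks the key/data pair
    return entries

def find_mismatches(entries: list[IdmapEntry]) -> list[tuple[str, str, str]]:
    """Reverse (id -> SID) entries whose forward (SID -> id) entry is missing or negative."""
    forward = {(e.direction, e.lookup): e for e in entries}
    problems = []
    for e in entries:
        if e.direction not in REVERSE or e.value == "-1":
            continue
        fwd = forward.get((REVERSE[e.direction], e.value))
        if fwd is None or fwd.value == "-1":
            problems.append((e.lookup, e.value, "missing" if fwd is None else "negative"))
    return problems
```

Run `find_mismatches(parse_dump(open("gencache.txt").read()))` against a real `tdbdump gencache.tdb` capture to list every id that winbind will hand out via uid2sid but refuse to resolve via sid2uid.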



-------- Original Message --------
Subject: 	samba 3.4.5 idmap alloc broken
Date: 	Tue, 04 May 2010 16:36:21 -0400
From: 	Gaiseric Vandal <gaiseric.vandal at gmail.com>
Reply-To: 	gaiseric.vandal at gmail.com
To: 	Samba <samba at lists.samba.org>



Some time back I upgraded a domain controller (Solaris 10) from Samba
3.0.x to 3.4.5.

In order to support interdomain trusts I am using winbind and idmap
allocation with a Samba backend.  Since the upgrade it appears that
Samba is not allocating UIDs and GIDs for trusted domains.

My smb.conf looks something like:


----------------------------------------------------------------------------------------------------------------------------

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = no
winbind trusted domains only = no

# The "idmap domains" has been deprecated in 3.4
# idmap domains = DOMAIN_A DOMAIN_B DOMAIN_C
# Next two lines restored in 3.4 - but prob don't need
idmap uid = 30000-59999
idmap gid = 30000-59999

idmap config DOMAIN_A:backend = ldap
idmap config DOMAIN_A:readonly = no
idmap config DOMAIN_A:default = no
idmap config DOMAIN_A:ldap_base_dn = ou=domain_a,ou=idmap,o=mydomain.com
idmap config DOMAIN_A:ldap_user_dn = cn=Directory Manager
idmap config DOMAIN_A:ldap_url = ldap://ldap1.domain.com
idmap config DOMAIN_A:range = 30000-39999

idmap config DOMAIN_B:backend = ldap
idmap config DOMAIN_B:readonly = no
idmap config DOMAIN_B:default = no
idmap config DOMAIN_B:ldap_base_dn = ou=domain_b,ou=idmap,o=mydomain.com
idmap config DOMAIN_B:ldap_user_dn = cn=Directory Manager
idmap config DOMAIN_B:ldap_url = ldap://ldap1.domain.com
idmap config DOMAIN_B:range = 40000-45999
....



----------------------------------------------------------------------------------------------------------------------------


Domain_A (Windows 2003 AD in Mixed mode) has entries from prior to the
upgrade and hasn't had new accounts added recently.  Domain_B (Windows
2008 in Windows 2003 mode) is a new addition.  No idmap entries were ever
populated.  They should have populated after I ran "wbinfo -u" and
"getent passwd" on the Samba PDC.


Any ideas?

Thanks
