[Samba] Winbind behaviour odd in 3.4.9 and 3.5.6 vs 3.2.14 (Samba domain with Samba member servers)

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Oct 26 10:28:59 MDT 2010


I may have indeed forgotten to clear the cache files after upgrading from 
samba 3.0x to 3.4.x.

I had various issues with samba servers as member servers - mostly in 
keeping idmap entries consistent across machines.  The solution in the 
end had been to convert the member servers to BDCs and have an LDAP backend 
for everything, although I suspect that the "idmap .. backend: nss" 
may have been an alternate solution.  I don't think it was an option for 
samba 3.0.x and I needed a BDC anyway.

I have found the online samba documentation on idmap less than optimal.  
(The man pages are OK, though.)  There are ranges set for each trusted 
domain as well as the "idmap alloc config:range".  I am not quite sure 
if the "idmap alloc config:range" should encompass all the domain ranges 
or if idmap is supposed to allocate IDs from the domain ranges.  My 
experience so far is that new entries are from "idmap alloc 
config:range".  I guess the domain-specific ranges are where idmap is 
supposed to check for existing mappings first?
On 10/26/2010 12:02 PM, Alex Crow wrote:
> On 26/10/10 16:32, Gaiseric Vandal wrote:
>> You may need to specify separate idmap sections for each domain, as 
>> well as general settings.  Samples of my smb.conf (samba 3.4.x ) are 
>> below.
>>
>> When I was on samba 3.0.x, idmap entries would populate for each 
>> domain in the correct OU.  It would use the general idmap range, not 
>> the domain-specific range (which wasn't a problem).  The problem with 
>> samba 3.0.x is that once the idmap cache expired it would not 
>> renew.  I moved to samba 3.4.x which fixed some issues BUT now stuff 
>> does not auto-populate.  For "trustedomain1" there is only a handful 
>> of users, and that almost never changes, so manually adding idmap 
>> entries (via an LDAP editor or wbinfo --allocate-uid / 
>> --allocate-gid) was OK.
>
> Strange - I have the opposite problem in that I get my Idmap ou 
> populated but also "contaminated" with stuff that should not be there 
> (because it is in the LDAP db and is in the local domain). However to 
> get the population to work at all I had to remove the gencache.tdb and 
> winbind_cache.tdb (and the old idmap_cache.tdb) files before starting 
> samba and winbind.
>
> I /do/ get my trusted domain working OK - from what you say you are 
> having to add Idmap entries by hand, which in my situation would be 
> completely impractical (500 accounts in one of the domains - it's a 
> bidirectional trust). Perhaps you could try removing the cache files.
>
> I have tried adding this to my config files on a test 3.5.6 domain:
>
> idmap config TESTDOM1 : backend = nss
> idmap config TESTDOM1 : range = 500-9999
>
> Which seems to help stop the entries for accounts already in the LDAP 
> db being put into Idmap, but I am not sure if I should reduce the 
> lower boundary to "0" as I still get entries added for widely known 
> SIDs as soon as a client connects to a share on the member server:
>
> dn: sambaSID=S-1-1-0,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10028
> sambaSID: S-1-1-0
> structuralObjectClass: sambaSidEntry
> entryUUID: b7a12d38-7565-102f-938a-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026155911Z
> entryCSN: 20101026155911Z#000003#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026155911Z
>
> dn: sambaSID=S-1-5-2,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10029
> sambaSID: S-1-5-2
> structuralObjectClass: sambaSidEntry
> entryUUID: b7a30e6e-7565-102f-938b-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026155911Z
> entryCSN: 20101026155911Z#000005#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026155911Z
>
> And even odder entries like this which do not match any "widely known 
> SIDs":
>
> dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10032
> sambaSID: S-1-22-2-0
> structuralObjectClass: sambaSidEntry
> entryUUID: f93738b4-7565-102f-938e-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026160101Z
> entryCSN: 20101026160101Z#000001#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026160101Z
>
> dn: sambaSID=S-1-22-2-1,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10033
> sambaSID: S-1-22-2-1
> structuralObjectClass: sambaSidEntry
> entryUUID: f937bfb4-7565-102f-938f-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026160101Z
> entryCSN: 20101026160101Z#000003#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026160101Z
>
> dn: sambaSID=S-1-22-2-2,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10034
> sambaSID: S-1-22-2-2
> structuralObjectClass: sambaSidEntry
> entryUUID: f93828d2-7565-102f-9390-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026160101Z
> entryCSN: 20101026160101Z#000005#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026160101Z
>
> dn: sambaSID=S-1-22-2-3,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10035
> sambaSID: S-1-22-2-3
> structuralObjectClass: sambaSidEntry
> entryUUID: f9389114-7565-102f-9391-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026160101Z
> entryCSN: 20101026160101Z#000007#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026160101Z
>
> dn: sambaSID=S-1-22-2-4,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10036
> sambaSID: S-1-22-2-4
> structuralObjectClass: sambaSidEntry
> entryUUID: f9390388-7565-102f-9392-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026160101Z
> entryCSN: 20101026160101Z#000009#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026160101Z
>
> dn: sambaSID=S-1-22-2-6,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10037
> sambaSID: S-1-22-2-6
> structuralObjectClass: sambaSidEntry
> entryUUID: f9399cd0-7565-102f-9393-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026160101Z
> entryCSN: 20101026160101Z#00000b#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026160101Z
>
> dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> gidNumber: 10038
> sambaSID: S-1-22-2-10
> structuralObjectClass: sambaSidEntry
> entryUUID: f93a2952-7565-102f-9394-0b1afbda8e53
> creatorsName: cn=Manager,dc=testdom1,dc=net
> createTimestamp: 20101026160101Z
> entryCSN: 20101026160101Z#00000d#00#000000
> modifiersName: cn=Manager,dc=testdom1,dc=net
> modifyTimestamp: 20101026160101Z
>
> I really think there is some breakage here!
>
> Cheers
>
> Alex
>
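As an added check (not code from the thread or from Samba), this Python script parses an ou=Idmap LDIF dump like the ones Alex quotes and flags entries that do not belong in the allocation table: S-1-22-2-<gid> and S-1-22-1-<uid> are Samba's own Unix Groups / Unix Users SIDs (so S-1-22-2-0 denotes gid 0, and allocating 10032 for it is a second, conflicting mapping), local-domain accounts already carry their posix ids on their own LDAP entries, and any other SID should get an id inside the allocation range (the thread's "idmap alloc config : range"). The local domain SID, the sample entries and the 10000-19999 range are constructed.

```python
import re

# Constructed sample LDIF, modelled on the ou=Idmap entries quoted in the thread.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
gidNumber: 10032
sambaSID: S-1-22-2-0

dn: sambaSID=S-1-5-21-111-222-333-1105,ou=Idmap,dc=testdom1,dc=net
uidNumber: 10500
sambaSID: S-1-5-21-111-222-333-1105

dn: sambaSID=S-1-5-21-444-555-666-1001,ou=Idmap,dc=testdom1,dc=net
uidNumber: 10100
sambaSID: S-1-5-21-444-555-666-1001
"""
LOCAL_DOMAIN_SID = "S-1-5-21-111-222-333"  # hypothetical SID of the local domain

def parse_ldif(text):
    # One dict per blank-line-separated entry; the first value wins for repeated attributes.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            entry.setdefault(key, val)
        entries.append(entry)
    return entries

def classify(sid, local_domain_sid):
    # S-1-22-1-<uid> and S-1-22-2-<gid> are Samba's own Unix Users / Unix Groups SIDs.
    if sid.startswith(("S-1-22-1-", "S-1-22-2-")):
        return "unix-local"
    return "local-domain" if sid.startswith(local_domain_sid + "-") else "foreign-domain"

def audit(text, local_domain_sid, lo, hi):
    # Returns [(sid, problem)]; only foreign-domain SIDs with ids inside lo..hi are expected.
    findings = []
    for e in parse_ldif(text):
        sid, num = e["sambaSID"], int(e.get("uidNumber") or e.get("gidNumber"))
        kind = classify(sid, local_domain_sid)
        unix_id = int(sid.rsplit("-", 1)[1])  # the RID; for S-1-22-x it is the Unix id itself
        if kind == "unix-local" and num != unix_id:
            findings.append((sid, "S-1-22 SID already means Unix id %d, yet %d was allocated" % (unix_id, num)))
        elif kind == "local-domain":
            findings.append((sid, "local-domain account: its posix id lives on its own LDAP entry"))
        elif kind == "foreign-domain" and not lo <= num <= hi:
            findings.append((sid, "id %d outside alloc range %d-%d" % (num, lo, hi)))
    return findings
```

Run it against an `ldapsearch -LLL -b ou=Idmap,...` dump with your own domain SID and range to see which entries winbind allocated that it should have resolved elsewhere.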


