[Samba] Winbind uselessly using up Idmap range in ldap

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Jan 17 09:33:26 MST 2011


I started on samba 3.0.x and upgraded to 3.4.x. Still having only 
partial success myself. I have different "ou" objects in ldap for the 
allocation range and each trusted domain.


My smb.conf (edited somewhat) is below.

I would that the idmapping would be created in the correct OU for each 
domain.  I also found that the idmap id would be allocated from the 
"idmap alloc config" range, regardless of the range specified for the 
particular domain. So an idmap entry would be created for 
TRUSTEDDOMAIN1 in the ou=trusteddomain container but with a UID in the 
30000 range, not the 40000 range.


Not sure if this provides any insight.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


#IDMAP DEFAULT SETTINGS
idmap backend=ldap:ldap://ldap1.mydomain.com
idmap uid = 70000-79999
idmap gid = 70000-79999

#IDMAP ALLOC SETTINGS

idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldap1.mydomain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=xxxxx
idmap alloc config:range = 30000 - 79999

#IDMAP SETTINGS FOR TRUSTEDDOMAIN1

idmap config TRUSTEDDOMAIN1:backend = ldap
idmap config TRUSTEDDOMAIN1:readonly = no
idmap config TRUSTEDDOMAIN1:default=no
idmap config TRUSTEDDOMAIN1:ldap_base_dn = ou=trusteddomain1,ou=idmap,o=mydomain.com
idmap config TRUSTEDDOMAIN1:ldap_user_dn = cn=xxxxx
idmap config TRUSTEDDOMAIN1:ldap_url = ldap://ldap1.mydomain.com
idmap config TRUSTEDDOMAIN1:range = 40000-49999








On 01/17/2011 05:27 AM, Alex Crow wrote:
> Hi,
>
> We have just managed to get winbind behaving correctly in a Samba 
> domain with Samba member servers with help from Sernet. It is now not 
> adding spurious entries for the "own domain".
>
> However, a member server keeps trying to add group mappings that 
> already exist in the LDAP idmap ou. This would not be a problem, apart 
> from the fact that every time it fails adding an entry, the 
> "gidnumber" attribute in the idmap ou (that determines the next 
> available gid number) is incremented. Thus, in a short while, it hits 
> 20000 which is the upper limit. I also don't know why it tries to add 
> a mapping if one already exists!
>
> Here are logs from the DMS:
>
> [2011/01/17 10:13:50.303702,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:13:50.303749,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:13:50.303768,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:13:50.303783,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:13:50.312693,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add 
> S-1-5-21-8015792-1768810241-176008768-513 to 12350 mapping [gidNumber]
> [2011/01/17 10:13:50.312747,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:13:50.318187,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:13:50.318225,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:13:50.318245,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:13:50.318263,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:13:50.329100,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12351 
> mapping [gidNumber]
> [2011/01/17 10:13:50.329152,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:16:01.024241,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:16:01.024285,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:16:01.024302,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:16:01.024317,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:16:01.033804,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add 
> S-1-5-21-8015792-1768810241-176008768-513 to 12352 mapping [gidNumber]
> [2011/01/17 10:16:01.033847,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:16:01.035771,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:16:01.035807,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:16:01.035832,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:16:01.035855,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:16:01.043636,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12353 
> mapping [gidNumber]
> [2011/01/17 10:16:01.043675,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:18:15.019605,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:18:15.019664,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:18:15.019682,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:18:15.019697,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:18:17.207189,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add 
> S-1-5-21-8015792-1768810241-176008768-513 to 12354 mapping [gidNumber]
> [2011/01/17 10:18:17.207235,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:18:17.208951,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:18:17.208978,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:18:17.208994,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:18:17.209009,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:18:17.216845,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12355 
> mapping [gidNumber]
> [2011/01/17 10:18:17.216874,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:20:34.446465,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:20:34.446506,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:20:34.446522,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:20:34.446537,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:20:36.631996,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add 
> S-1-5-21-8015792-1768810241-176008768-513 to 12356 mapping [gidNumber]
> [2011/01/17 10:20:36.632037,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:20:36.637324,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:20:36.637353,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:20:36.637370,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:20:36.637385,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:20:36.646479,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12357 
> mapping [gidNumber]
> [2011/01/17 10:20:36.646524,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:22:36.726247,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:22:36.726286,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:22:36.726305,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:22:36.726320,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:22:36.764044,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add 
> S-1-5-21-8015792-1768810241-176008768-513 to 12358 mapping [gidNumber]
> [2011/01/17 10:22:36.764087,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:22:36.765893,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:22:36.765929,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:22:36.765982,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:22:36.766008,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:22:36.774857,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12359 
> mapping [gidNumber]
> [2011/01/17 10:22:36.774896,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:24:41.446106,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:24:41.446146,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:24:41.446163,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:24:41.446178,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:24:41.454458,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add 
> S-1-5-21-8015792-1768810241-176008768-513 to 12360 mapping [gidNumber]
> [2011/01/17 10:24:41.454502,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
> [2011/01/17 10:24:41.456096,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2011/01/17 10:24:41.456132,  0] 
> winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2011/01/17 10:24:41.456158,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2011/01/17 10:24:41.456181,  0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2011/01/17 10:24:41.467068,  0] 
> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12361 
> mapping [gidNumber]
> [2011/01/17 10:24:41.467107,  0] 
> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
>   ldap_set_mapping_internals: Error was:  (Already exists)
>
> Here is the relevant part of the DMS smb.conf:
>
> idmap backend = ldap:ldap://pdc
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> ldap admin dn = cn=manager,dc=my,dc=net
> ldap suffix = dc=ifa,dc=net
> ldap idmap suffix = ou=Idmap
>
> # the own domain, users come via nss_ldap:
> idmap config MY_NET : backend = nss
> idmap config MY_NET : range = 500-9999
>
> winbind nested groups = yes
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> allow trusted domains = yes
>
> and on the pdc:
>
> ldap suffix = dc=my,dc=net
> ldap machine suffix = ou=Computers,ou=Accounts
> ldap user suffix = ou=People,ou=Accounts
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
>
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind nested groups = yes
> winbind trusted domains only = yes
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> allow trusted domains = yes
>
> Any help to resolve this issue would be gratefully received.
>
> Thanks
>
> Alex
>
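
Added example (not part of the original post and not Samba code): a Python script that reads winbindd log output in the wrapped, quoted form shown above, pairs each failed idmap add with its "Already exists" error, and estimates how fast the gid range is being used up. The function names, the sample built from four of the quoted records, and the range top of 20000 (from the quoted "idmap gid" line) are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

def _rec(ts, sid, gid):
    """Build one failure record, wrapped and '> '-quoted like the mail above."""
    return (f"> [{ts}.312693,  0] \n"
            "> winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)\n"
            ">   ldap_set_mapping_internals: Failed to add \n"
            f"> {sid} to {gid} mapping [gidNumber]\n"
            f"> [{ts}.312747,  0] \n"
            "> winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)\n"
            ">   ldap_set_mapping_internals: Error was:  (Already exists)\n")

# Constructed sample: SIDs, gid numbers and times taken from the quoted log.
DOM, BUILTIN = "S-1-5-21-8015792-1768810241-176008768-513", "S-1-5-32-546"
SAMPLE = "".join(_rec(*r) for r in [
    ("2011/01/17 10:13:50", DOM, 12350), ("2011/01/17 10:13:50", BUILTIN, 12351),
    ("2011/01/17 10:16:01", DOM, 12352), ("2011/01/17 10:16:01", BUILTIN, 12353)])

# One failed add followed by its "Already exists" error, after unwrapping.
FAIL = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+, \d+\] \S+ "
    r"ldap_set_mapping_internals: Failed to add (S-[\d-]+) to (\d+) "
    r"mapping \[(\w+)\] \[[^\]]*\] \S+ "
    r"ldap_set_mapping_internals: Error was: \(Already exists\)")

def idmap_leak_report(log, range_top, attr="gidNumber"):
    """Summarise IDs consumed by failed 'Already exists' adds for one attribute."""
    # Drop mail quoting, then collapse the wrapped lines into one stream.
    text = " ".join(re.sub(r"^>\s?", "", log, flags=re.M).split())
    hits = sorted((int(n), datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), sid)
                  for ts, sid, n, a in FAIL.findall(text) if a == attr)
    if len(hits) < 2:
        return None  # not enough data to measure a rate
    (lo, t0, _), (hi, t1, _) = hits[0], hits[-1]
    burned, span, left = hi - lo, (t1 - t0).total_seconds(), range_top - hi
    repeats = {s: c for s, c in Counter(h[2] for h in hits).items() if c > 1}
    eta = round(left * span / burned / 3600, 1) if burned and span else None
    return {"failed_adds": len(hits), "repeat_sids": repeats, "ids_burned": burned,
            "ids_left": left, "hours_to_exhaustion": eta}

if __name__ == "__main__":
    # 20000 is the top of "idmap gid = 10000-20000" in the quoted smb.conf.
    print(idmap_leak_report(SAMPLE, 20000))
```

A SID listed under repeat_sids is one the member server keeps trying to map even though the add fails each time, which is the pattern described in the quoted message.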


