[Samba] tdb idmap returns different GIDs for the same SID from time to time

Pavel Bychykhin bychykhin.p.n at hts.kh.ua
Mon Sep 16 02:49:41 MDT 2013


I have Samba 3.6.18 acting as a domain member.
I'm using Samba NSS and creating local groups for domain users.
Here is part of my nsswitch.conf:

group: files winbind
passwd: files winbind

The problem is that the tdb Unix GID mapping returns a different ID from time to time for the same SID.
Suppose we have a local group "samba_svn1", created with "NET SAM CREATELOCALGROUP".
After creation, group "samba_svn1" has SID S-1-5-21-3743722752-3344840800-2625497366-1074 and GID 30025. But, from time to time, this SID receives a different GID mapping: 30027.
Following are the results of service commands, which demonstrate the real problem:

NSS always works correctly:

[root at dynamo ~]# getfacl /zfsmount/svn/svn1
# file: /zfsmount/svn/svn1
# owner: www
# group: www
[root at dynamo ~]# getent group samba_svn1
[root at dynamo ~]# wbinfo --sid-to-gid S-1-5-21-3743722752-3344840800-2625497366-1074

But, just after that, when I try to get info from the idmap DB and the cache, I see very strange results. SID S-1-5-21-3743722752-3344840800-2625497366-1074 is mapped to GID 30027:

[root at dynamo ~]# net idmap dump|grep S-1-5-21-3743722752-3344840800-2625497366-1074
dumping id mapping from /var/db/samba/winbindd_idmap.tdb
GID 30027 S-1-5-21-3743722752-3344840800-2625497366-1074
[root at dynamo ~]# net cache list|grep S-1-5-21-3743722752-3344840800-2625497366-1074
Key: IDMAP/SID2GID/S-1-5-21-3743722752-3344840800-2625497366-1074        Timeout: Mon Sep 23 09:14:17 2013       Value: 30025
Key: IDMAP/GID2SID/30025         Timeout: Mon Sep 23 09:14:17 2013       Value: S-1-5-21-3743722752-3344840800-2625497366-1074
Key: IDMAP/GID2SID/30027         Timeout: Thu Sep 19 13:44:48 2013       Value: S-1-5-21-3743722752-3344840800-2625497366-1074

"net idmap check" doesn't resolve the problem, but gives additional info: 30027 is the highest GID in my DB (maybe it's the key to the problem):

[root at dynamo ~]# net idmap check
check database: /var/db/samba/winbindd_idmap.tdb
uid hwm: 30018
gid hwm: 30027
mappings: 39
other: 3
invalid records: 0
missing links: 0
invalid links: 0
0 changes:

Question: is my problem because of a bug, or because of a misconfigured server? Here is my config:

         dos charset = CP866
         workgroup = HTS
         realm = HTS.KH.UA
         server string =
         security = ADS
         map to guest = Bad Password
         local master = No
         wins server =
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind expand groups = 10
         winbind nss info = rfc2307
         winbind max domain connections = 50
         idmap config HTS : schema_mode = rfc2307
         idmap config HTS : range = 10000-29999
         idmap config HTS : backend = ad
         idmap config HTS : default = yes
         idmap config * : range = 30000-49999
         idmap config * : backend = tdb

         path = /zfsmount/svn/svn1
         valid users = @samba_svn1
         read only = No
         create mask = 0700
         force create mode = 0700
         inherit owner = Yes
         map archive = No
         map readonly = no
         vfs objects = zfsacl
         nfs4: chown = no
         nfs4:acedup = dontcare
         nfs4: mode = special

P.S. An upgrade to the newer version 4.0 is undesirable for me, and I will do it only if version 4.0 really solves my problem.

Thanks in advance.
Best regards,
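The cross-check done by hand above (comparing `net idmap dump` against `net cache list` for one SID), as an added example that is not part of the original post or of Samba itself: a POSIX sh script that normalises both outputs into SID/GID pairs and reports every SID that resolves to more than one GID, plus the GID high-water mark from `net idmap check` so the two can be compared. The sample input is constructed from the lines quoted in the post; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the winbindd
# idmap.tdb dump against the gencache for SIDs that carry more than one
# GID, the inconsistency shown in the post. Function names are mine.

# Constructed sample input, shaped like the post's own `net idmap dump`,
# `net cache list` and `net idmap check` output.
IDMAP_DUMP='dumping id mapping from /var/db/samba/winbindd_idmap.tdb
GID 30027 S-1-5-21-3743722752-3344840800-2625497366-1074
UID 30018 S-1-5-21-3743722752-3344840800-2625497366-1105'

CACHE_LIST='Key: IDMAP/SID2GID/S-1-5-21-3743722752-3344840800-2625497366-1074        Timeout: Mon Sep 23 09:14:17 2013       Value: 30025
Key: IDMAP/GID2SID/30025         Timeout: Mon Sep 23 09:14:17 2013       Value: S-1-5-21-3743722752-3344840800-2625497366-1074
Key: IDMAP/GID2SID/30027         Timeout: Thu Sep 19 13:44:48 2013       Value: S-1-5-21-3743722752-3344840800-2625497366-1074'

IDMAP_CHECK='check database: /var/db/samba/winbindd_idmap.tdb
uid hwm: 30018
gid hwm: 30027
mappings: 39'

# idmap_pairs DUMP CACHE
# Normalise both sources into "SID GID" lines, one per distinct pair:
#   tdb dump:        GID <gid> <sid>
#   cache SID2GID:   Key: IDMAP/SID2GID/<sid> ... Value: <gid>
#   cache GID2SID:   Key: IDMAP/GID2SID/<gid> ... Value: <sid>
idmap_pairs() {
    {
        printf '%s\n' "$1" | awk '$1 == "GID" { print $3, $2 }'
        printf '%s\n' "$2" | awk '
            $2 ~ /^IDMAP\/SID2GID\// { sub(/^IDMAP\/SID2GID\//, "", $2); print $2, $NF }
            $2 ~ /^IDMAP\/GID2SID\// { sub(/^IDMAP\/GID2SID\//, "", $2); print $NF, $2 }'
    } | sort -u
}

# idmap_conflicts DUMP CACHE
# Prints "SID gid1,gid2,..." for every SID that resolves to more than one GID
# across the tdb and the cache; prints nothing when the two agree.
idmap_conflicts() {
    idmap_pairs "$1" "$2" | awk '
        { gids[$1] = (n[$1] ? gids[$1] "," : "") $2; n[$1]++ }
        END { for (s in n) if (n[s] > 1) print s, gids[s] }' | sort
}

# gid_hwm CHECK_OUTPUT
# Extracts the GID high-water mark from `net idmap check` output so it can be
# compared with the GIDs reported by idmap_conflicts.
gid_hwm() {
    printf '%s\n' "$1" | awk '$1 == "gid" && $2 == "hwm:" { print $3 }'
}

# Run on the constructed sample; against a live host use
#   idmap_conflicts "$(net idmap dump)" "$(net cache list)"
idmap_conflicts "$IDMAP_DUMP" "$CACHE_LIST"
printf 'gid hwm: %s\n' "$(gid_hwm "$IDMAP_CHECK")"
```

On the sample input the script lists the SID from the post with both 30025 and 30027, and shows that 30027 equals the tdb GID high-water mark, which is the coincidence the post points at. Run against a live host, an empty result from `idmap_conflicts` means the tdb and the gencache agree on every SID currently cached.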

