[Samba] winbind bug?

Chan Min Wai dcmwai at gmail.com
Thu Mar 27 08:15:23 MDT 2014

Hi all,

One things I notice on the idmap number.

winbind follow strickly the number you assign to it.

E.g if you have
idmap config SEAS-S:range = 1000 - 4000000

And you AD DC on "SEAS-S" have a few users which uid/gid <= 1000
like 500, 501 502...

These users/group will not show on the winbind list.
I believes this is their design.

Also winbind use some cache (which I don't understand) and thus
Change idmap on smb.conf

It might not reflect immediately until the idmap cache are expired...
I do see this with my wrong configuration :)

On Thu, Mar 27, 2014 at 10:09 PM, Doug Tucker <tuckerd at lyle.smu.edu> wrote:

> Correct, this is how they get mapped from the documentation.  Here is my
> configuration exactly:
>  idmap config * : backend = ad
>    idmap config * : range = 1000000 - 1999999
>    idmap config SEAS:backend = rid
>    idmap config SEAS:range = 1000 - 4000000
>    idmap config * : schema_mode = rfc2307
>    idmap config SEAS-S:backend = rid
>    idmap config SEAS-S:range = 1000 - 4000000
> And the way the mapping works the way I read it is it takes the unix uid,
> and the last part of the SID from windows AD using a forumula, and maps to
> a new unique ID.  The only way it should fail is if the range was not big
> enough. Mine is 1000-4 million. I could never come even close to this with
> the highest of both values using their algorithm.  I have logging set at 3,
> and it shows the correct value for the unix ID to begin the mapping.  It
> passes authentication, and then samba presents the volume for mounting to
> the client.  Just like you see in every other successful drive map.  But at
> the client opening it, samba and the client suddenly show permission
> denied.  And again in isolating the issue, it absolutely has to do with the
> unix ID being over a certain value.  If I take a user that gets permission
> denied, and change his unix ID to something like 3000, wallah, he can mount
> his home directory.  It's literally as if there is some hard coded value of
> max unix ID somewhere in the software or a BUG in WINBIND.
> One thing I have not been able to get the system to show me (thought at
> this point I don't think it matters), is how to see what the actual virtual
> ID mapping is that samba creates for a user.  I can see a user SID.  I can
> see a user Unix ID. Can anyone tell me how to see the mapped ID created via
> the idmap?
> Sincerely,
> Doug Tucker
> On 03/26/2014 08:02 PM, Linda W wrote:
>> Doug Tucker wrote:
>>> OK, I have isolated it.  And it is related to the unix id number.  I've
>>> googled and I can't find anything. Is there a limitation in winbind or bug
>>> maybe?  Any unix user with a unix id greater than 11000 cannot map their
>>> own home directories on windows 7.  To verify it wasn't some anomaly, I
>>> took a user that could map their home that had a unix id of 3033.  I then
>>> changed the id to 15367 (changed permissions on the unix side to match) and
>>> wallah, same issue.  The user could no longer map their home directory.  I
>>> have about 2000 or so unix id's that are affected (though many don't map
>>> drives).
>> ----
>> I don't know what was in place in samba 3, but in 3.6 in the idmap
>> functions, they
>> can specify ranges.
>> How do your windows users get mapped to UID's?  .. example
>> from the smb.conf manpage:
>>           The following example illustrates how to configure the
>> idmap_ad(8)
>>           backend for the CORP domain and the idmap_tdb(8) backend for all
>>           other domains. This configuration assumes that the admin of CORP
>>           assigns unix ids below 1000000 via the SFU extensions, and
>> winbind
>>           is supposed to use the next million entries for its own mappings
>>           from trusted domains and for local groups for example.
>>                    idmap config * : backend = tdb
>>                    idmap config * : range = 1000000-1999999
>>                    idmap config CORP : backend  = ad
>>                    idmap config CORP : range = 1000-999999
>> So if somewhere there was some range mapping going on, that
>> could explain the behavior.
>> I'd up the loglevels on things to 3-4 and see what userid
>> winbind is mapping them to for requests....See if those
>> win-users are being mapped to the UID's you think
>> they are.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list