[Samba] idmap & migration to rfc2307

Jonathan Hunter jmhunter1 at gmail.com
Thu Jun 11 05:40:41 MDT 2015


I *think* I may have encountered a bug, or a feature, in the idmap/winbind area.

I have recently added rfc2307 attributes to my AD, and am in the
process of switching over. This means that I still have
(unintentionally) some files/directories/etc. around with old UIDs
e.g. 3000007, rather than my rfc2307-specified UIDs.

What I am seeing is that the SID2XID mapping is initially correct for
a given user (i.e. resolves to the rfc2307 UID I have set in AD), but
at some point in the future, without any apparent trigger, the SID2XID
mapping *changes* and turns into the old UID e.g. 3000007.

I am using winbind in /etc/nsswitch.conf; I think that what might be
happening is whenever an old UID is encountered (be it a running
process, a file or whatever), this overwrites the rfc2307 mapping I am
trying to switch to.

Thinking about what behaviour I'd expect, I would say that if
'idmap_ldb:use rfc2307 = yes' is enabled in smb.conf, then any such
old UID mappings should not overwrite an rfc2307-derived mapping.

Here is how I arrived at the above conclusion:

Reset idmap cache (and also copy from known working DC, for good measure):
[root at dc1 ~]# service samba4 stop; \
net cache flush; \
rm /usr/local/samba/private/idmap.ldb; \
scp root at dc2:/usr/local/samba/private/idmap.ldb /usr/local/samba/private/; \
service samba4 start

This results in a working configuration with the UID I'd expect:
[root at dc1 ~]# id auser
uid=41000(auser) gid=61000(domain users) groups=.....
[root at dc1 ~]# net cache list | grep -e 1234
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Timeout: Thu Jun 18 11:02:33 2015 Value: 41000:U
Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234

However, some time later, without any input from me at all, this changes to:
[root at dc1 ~]# id auser
uid=3000007(auser) gid=61000(domain users) groups=.....
[root at dc1 ~]# net cache list | grep -e 1104
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Timeout: Thu Jun 18 11:10:05 2015 Value: 3000007:B
Key: IDMAP/GID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Key: IDMAP/UID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234

I *think* this is happening because there is a process (e.g.
ssh-agent) still running as uid=3000007, or a file on disk, etc. etc.
that winbind reads and then overwrites in the database.

Thoughts?

Global section of smb.conf is as follows:
[global]
        log level = 0
        workgroup = MYDOMAIN
        realm = mydomain.my.tld
        netbios name = DC1
        server role = active directory domain controller
        interfaces = eth0 lo
        bind interfaces only = yes
        # using BIND for DNS
        server services = -dns
        dsdb:schema update allowed = true
        idmap_ldb:use rfc2307 = yes
        # I believe the following winbind lines have no effect on a DC, but they're here anyway..
        winbind nss info = rfc2307
        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind refresh tickets = Yes
        # yes I know 8 is 'bad' but it's here at the moment (and I don't have any 8-deep groups)
        winbind expand groups = 8
        template shell = /bin/bash
        log file = /usr/local/samba/var/log.%I
        include = /usr/local/samba/etc/smb.conf-%I
        load printers = yes

J

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
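As an added example (not the poster's or Samba's own code), here is a small POSIX sh check for the drift described above: it parses `net cache list` output (re-joining records a mailer or terminal may have wrapped), reports SID2XID entries whose xid sits in Samba's auto-allocated pool rather than the rfc2307 range, and adds helpers to find the files and processes still carrying such ids. The pool is assumed to start at 3000000, as the 3000007 in the post suggests, and the SIDs in the sample input are constructed.

```shell
#!/bin/sh
# Lower bound of the auto-allocated xid pool (assumption; match it to the
# 'idmap config * : range' actually in use on the DC).
AUTO_XID_MIN=${AUTO_XID_MIN:-3000000}

# Read `net cache list` output on stdin. Print "SID xid type" for every
# IDMAP/SID2XID entry whose xid is in the auto-allocated range; return 1 if
# any were found, 0 otherwise, so the check can run unattended from cron.
find_drifted_sid2xid() {
    awk -v min="$AUTO_XID_MIN" '
        # One joined record: "Key: IDMAP/SID2XID/<SID> Timeout: ... Value: <xid>:<type>"
        function check(rec,    f, n, sid, v) {
            n = split(rec, f, " ")
            if (n < 2 || f[2] !~ /^IDMAP\/SID2XID\//) return
            sid = substr(f[2], length("IDMAP/SID2XID/") + 1)
            split(f[n], v, ":")                 # last field is "xid:type"
            if (v[1] + 0 >= min) { print sid, v[1], v[2]; found = 1 }
        }
        /^Key: / { if (rec != "") check(rec); rec = $0; next }
                 { rec = rec " " $0 }          # continuation of a wrapped record
        END      { if (rec != "") check(rec); exit (found ? 1 : 0) }
    '
}

# Files under $1 still owned by an auto-allocated uid or gid: the leftovers
# the post suspects keep feeding the old xid back into the idmap cache.
stale_owner_paths() {
    find "$1" -xdev \( -uid +"$((AUTO_XID_MIN - 1))" -o -gid +"$((AUTO_XID_MIN - 1))" \) -print
}

# Running processes (pid uid comm) whose uid is in the auto-allocated range.
stale_owner_procs() {
    ps -eo pid=,uid=,comm= | awk -v min="$AUTO_XID_MIN" '$2 + 0 >= min'
}

# Constructed sample in the shape of `net cache list`, including a Value
# that wrapped onto the next line as in the post.
SAMPLE_CACHE='Key: IDMAP/SID2XID/S-1-5-21-111-222-333-1234 Timeout: Thu Jun 18 11:10:05 2015 Value: 3000007:B
Key: IDMAP/UID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value:
S-1-5-21-111-222-333-1234
Key: IDMAP/SID2XID/S-1-5-21-111-222-333-1105 Timeout: Thu Jun 18 11:02:33 2015 Value: 41001:U'

printf '%s\n' "$SAMPLE_CACHE" | find_drifted_sid2xid \
    || echo "stale SID2XID mappings present; check stale_owner_paths / stale_owner_procs"
```

On a live DC replace the sample with `net cache list | find_drifted_sid2xid`; a non-zero exit means a mapping has drifted and the flagged SID's files and processes are worth inspecting before the cache is flushed again.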
