[Samba] idmap & migration to rfc2307

Jonathan Hunter jmhunter1 at gmail.com
Thu Jun 11 07:16:27 MDT 2015


Replying to my own post - I can reset the mappings by "net cache
flush", and this then persists for a while, but ultimately it ends up
being overwritten somehow.

I'm no longer sure if this is related to files owned by the old UID -
because I've since tried to chown all of these, and this is still
happening - but I guess I may have missed some, perhaps.

On 11 June 2015 at 12:40, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> I *think* I may have encountered a bug, or a feature, in the idmap/winbind area.
>
> I have recently added rfc2307 attributes to my AD, and am in the
> process of switching over. This means that I still have
> (unintentionally) some files/directories/etc. around with old UIDs
> e.g. 3000007, rather than my rfc2307 specified UIDs.
>
> What I am seeing is that the SID2XID mapping is initially correct for
> a given user (i.e. resolves to the rfc2307 UID I have set in AD), but
> at some point in the future, without any apparent trigger, the SID2XID
> mapping *changes* and turns into the old UID e.g. 3000007.
>
> I am using winbind in /etc/nsswitch.conf; I think that what might be
> happening is whenever an old UID is encountered (be it a running
> process, a file or whatever), this overwrites the rfc2307 mapping I am
> trying to switch to.
>
> Thinking about what behaviour I'd expect, I would say that if
> 'idmap_ldb:use rfc2307 = yes' is enabled in smb.conf, then any such
> old UID mappings should not overwrite a rfc2307-derived mapping.
>
> Here is how I arrived at the above conclusion:
>
> Reset idmap cache (and also copy from known working DC, for good measure):
> [root at dc1 ~]# service samba4 stop; \
> net cache flush; \
> rm /usr/local/samba/private/idmap.ldb; \
> scp root at dc2:/usr/local/samba/private/idmap.ldb /usr/local/samba/private/; \
> service samba4 start
>
> This results in a working configuration with the UID I'd expect:
> [root at dc1 ~]# id auser
> uid=41000(auser) gid=61000(domain users) groups=.....
> [root at dc1 ~]# net cache list | grep -e 1234
> Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
> Timeout: Thu Jun 18 11:02:33 2015 Value: 41000:U
> Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value:
> S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
>
> However, some time later, without any input from me at all, this changes to:
> [root at dc1 ~]# id auser
> uid=3000007(auser) gid=61000(domain users) groups=.....
> [root at dc1 ~]# net cache list | grep -e 1104
> Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
> Timeout: Thu Jun 18 11:10:05 2015 Value: 3000007:B
> Key: IDMAP/GID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value:
> S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
> Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value:
> S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
> Key: IDMAP/UID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value:
> S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
>
> I *think* this is happening because there is a process (e.g.
> ssh-agent) still running as uid=3000007, or a file on disk, etc. etc.
> that winbind reads and then overwrites in the database.

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
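One way to notice the drift described in this thread before users do, as an added example that is not from the post or from Samba itself: a small POSIX shell helper that compares the `IDMAP/SID2XID/...` entries of `net cache list` against the uidNumber values expected from the rfc2307 attributes in AD and reports any SID whose cached mapping no longer matches. It assumes each cache entry is on one line (the mail client wrapped them in the post), that the expected mappings are supplied as "SID uid" pairs, and that `awk` is available; the SIDs and the expected-map text below are constructed placeholders in the style of the post.

```shell
#!/bin/sh
# Constructed sample of `net cache list` output, one entry per line.
# SIDs are placeholders; the first entry mirrors the drifted state from the post.
SAMPLE_CACHE='Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234 Timeout: Thu Jun 18 11:10:05 2015 Value: 3000007:B
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1235 Timeout: Thu Jun 18 11:10:05 2015 Value: 41001:U
Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234'

# Constructed expected mappings (SID -> rfc2307 uidNumber), one "SID uid" pair per line.
# In practice this would be exported from AD, e.g. via ldbsearch/ldapsearch.
EXPECTED='S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234 41000
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1235 41001'

# idmap_drift CACHE_TEXT EXPECTED_TEXT
# Prints "<sid> expected=<uid> cached=<value>" for every SID2XID entry whose
# cached id differs from the expected uid. Returns 0 if nothing drifted, 1 otherwise.
# Only SID2XID keys are inspected; UID2SID/GID2SID reverse entries are ignored.
idmap_drift() {
    printf '%s\n' "$2" "---" "$1" | awk '
        /^---$/   { in_cache = 1; next }
        !in_cache { expected[$1] = $2; next }
        $2 ~ /^IDMAP\/SID2XID\// {
            sid = $2
            sub(/^IDMAP\/SID2XID\//, "", sid)
            # Last field is "<id>:<type>"; type is U (user), G (group) or B (both).
            split($NF, v, ":")
            if ((sid in expected) && v[1] != expected[sid]) {
                printf "%s expected=%s cached=%s\n", sid, expected[sid], $NF
                drift = 1
            }
        }
        END { if (drift) exit 1; exit 0 }'
}

# Stand-alone run against the constructed sample: reports the -1234 entry,
# whose cached value (3000007:B) is the old allocated id rather than 41000.
idmap_drift "$SAMPLE_CACHE" "$EXPECTED"
```

On a live DC the cache text would come from `net cache list` (for example `idmap_drift "$(net cache list)" "$(cat expected-map.txt)"`), and a non-zero return from a periodic run is the point at which to investigate which process or file still carries the old id, rather than waiting for `id` to show the wrong uid. Note that the cache value's type suffix also changes in the post (`:U` becomes `:B`), which the report preserves by printing the raw value.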

