[Samba] idmap & migration to rfc2307
Jonathan Hunter
jmhunter1 at gmail.com
Thu Jun 11 17:31:17 MDT 2015
Thank you Rowland.
On 11 June 2015 at 19:32, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> Have you checked that your users actually have uidNumber attributes ?
I've been working on the basis that I only need to check the users I
am immediately looking at.. (i.e. if there are still users without
uidNumber attributes, any issue like this would only affect those
users - and I can fix those later..)
But, yes - for this particular user:
[root@dc1 ~]# ldapsearch -LLL -s sub -b 'dc=mydomain,dc=my,dc=tld' '(uidNumber=41000)'
[...]
primaryGroupID: 513
[...]
uid: auser
msSFU30Name: auser
msSFU30NisDomain: MYDOMAIN
uidNumber: 41000
gidNumber: 61000
unixHomeDirectory: /home/auser
loginShell: /bin/sh
[...]
> What OS are you using ?
CentOS 6.6
> Do you have the winbind links in place ?
Yup, I think so:
[root@dc1 ~]# ls -la /lib64/*winb*
lrwxrwxrwx 1 root root 40 Jul 23 2013 /lib64/libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so.2
lrwxrwxrwx 1 root root 17 Jul 24 2013 /lib64/libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx 1 root root 22 Jun 2 2014 /lib64/libwinbind-client.so -> libwinbind-client.so.0
lrwxrwxrwx 1 root root 49 Jun 2 2014 /lib64/libwinbind-client.so.0 -> /usr/local/samba/lib/private/libwinbind-client.so
> If you run 'getent passwd adomainuser' , does it print anything ?
Yep - works fine (but returns rfc2307 uid when working i.e. at first;
3000007 when not, i.e. after some time). I get the same result if I
run 'getent -s winbind passwd adomainuser'
> if you run the command on the other DC, do you get the same result ?
Nope - sadly (!) this one works fine, it always returns the rfc2307
values. It's the same version of samba, obviously in the same domain
with the same users, but I *think* the relevant difference with this
other DC is that nobody actually logs into it or accesses it for files
etc.
> The 3000007 ID number you refer to, is an xidNumber from idmap.ldb and is
> created by samba. Nothing else as far as I am aware will alter idmap.ldb,
> though there are a couple of files you can check for:
>
> gencache_notrans.tdb
> gencache.tdb
>
> If they exist, delete them and then restart samba, do this on both DCs
Thanks - useful info. I did presume that the 3000007 number was
created by samba; I just don't know why it's doing it, as the user
definitely has rfc2307 attributes (and indeed works fine via winbind
for a short period of time..!) :-(
Cheers,
Jonathan
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
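
The check this thread performs by hand, comparing the UID that 'getent passwd' returns with the user's uidNumber attribute, as an added example that is not part of the original post. The passwd lines and LDIF are constructed from the values quoted above; the function names and the 3000000 lower bound for idmap.ldb xidNumbers are assumptions.

```shell
#!/bin/sh
# Constructed sample data modelled on the values quoted in the thread.
XID_LOWER=3000000   # assumption: default start of the idmap.ldb xidNumber range
SAMPLE_LDIF='dn: CN=auser,CN=Users,DC=mydomain,DC=my,DC=tld
uid: auser
uidNumber: 41000
gidNumber: 61000

dn: CN=buser,CN=Users,DC=mydomain,DC=my,DC=tld
uid: buser
uidNumber: 41001'

# Print the uidNumber of the LDIF entry (read from stdin) whose uid is $1.
ldif_uidnumber() {
    awk -v user="$1" '
        /^$/           { if (u == user && n != "") print n; u = ""; n = "" }
        /^uid: /       { u = $2 }
        /^uidNumber: / { n = $2 }
        END            { if (u == user && n != "") print n }'
}

# classify_uid PASSWD_LINE LDIF_TEXT
# Compare field 3 of a "getent passwd" line with the directory's uidNumber.
classify_uid() {
    user=${1%%:*}; user=${user##*\\}        # strip a leading "DOMAIN\"
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    # An empty or non-numeric UID means the lookup itself failed.
    case $uid in ''|*[!0-9]*) echo unresolved; return 0 ;; esac
    want=$(printf '%s\n' "$2" | ldif_uidnumber "$user")
    if   [ -z "$want" ];              then echo no-rfc2307
    elif [ "$uid" -eq "$want" ];      then echo rfc2307
    elif [ "$uid" -ge "$XID_LOWER" ]; then echo xid-fallback
    else echo mismatch
    fi
}

# Demo on constructed lines: the working case, then the failing case.
for line in 'MYDOMAIN\auser:*:41000:61000::/home/auser:/bin/sh' \
            'MYDOMAIN\auser:*:3000007:100::/home/auser:/bin/sh'; do
    printf '%s -> %s\n' "${line%%:*}" "$(classify_uid "$line" "$SAMPLE_LDIF")"
done
```

On a live DC the two arguments would be the output of 'getent passwd auser' and of the ldapsearch shown in the message; running it from cron on each DC would record when the answer changes from rfc2307 to xid-fallback.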