[Samba] idmap & migration to rfc2307

Jonathan Hunter jmhunter1 at gmail.com
Thu Jun 11 17:31:17 MDT 2015


Thank you Rowland.

On 11 June 2015 at 19:32, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> Have you checked that your users actually have uidNumber attributes ?

I've been working on the basis that I only need to check the users I
am immediately looking at.. (i.e. if there are still users without
uidNumber attributes, any issue like this would only affect those
users - and I can fix those later..)

But, yes - for this particular user:

[root@dc1 ~]# ldapsearch -LLL -s sub -b 'dc=mydomain,dc=my,dc=tld' '(uidNumber=41000)'
[...]
primaryGroupID: 513
[...]
uid: auser
msSFU30Name: auser
msSFU30NisDomain: MYDOMAIN
uidNumber: 41000
gidNumber: 61000
unixHomeDirectory: /home/auser
loginShell: /bin/sh
[...]

> What OS are you using ?

CentOS 6.6

> Do you have the winbind links in place ?

Yup, I think so:

[root@dc1 ~]# ls -la /lib64/*winb*
lrwxrwxrwx 1 root root 40 Jul 23  2013 /lib64/libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so.2
lrwxrwxrwx 1 root root 17 Jul 24  2013 /lib64/libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx 1 root root 22 Jun  2  2014 /lib64/libwinbind-client.so -> libwinbind-client.so.0
lrwxrwxrwx 1 root root 49 Jun  2  2014 /lib64/libwinbind-client.so.0 -> /usr/local/samba/lib/private/libwinbind-client.so

> If you run 'getent passwd adomainuser' , does it print anything ?

Yep - works fine (but returns rfc2307 uid when working i.e. at first;
3000007 when not, i.e. after some time). I get the same result if I
run 'getent -s winbind passwd adomainuser'

> if you run the command on the other DC, do you get the same result ?

Nope - sadly (!) this one works fine, it always returns the rfc2307
values. It's the same version of samba, obviously in the same domain
with the same users, but I *think* the relevant difference with this
other DC is that nobody actually logs into it or accesses it for files
etc.

> The 3000007 ID number you refer to, is an xidNumber from idmap.ldb and is
> created by samba. Nothing else as far as I am aware will alter idmap.ldb,
> though there are a couple of files you can check for:
>
> gencache_notrans.tdb
> gencache.tdb
>
> If they exist, delete them and then restart samba, do this on both DCs

Thanks - useful info. I did presume that the 3000007 number was
created by samba; I just don't know why it's doing it, as the user
definitely has rfc2307 attributes (and indeed works fine via winbind
for a short period of time..!) :-(

Cheers,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
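The thread compares two sources of truth for the same user: the rfc2307 uidNumber/gidNumber stored in the directory (the ldapsearch output) and what winbind hands to NSS (getent passwd), which flips from 41000 to an idmap.ldb xidNumber such as 3000007. The script below is an added example, not part of the original post or of Samba; it parses saved output of those two commands and flags the cases the poster describes. The LDIF entry and passwd lines are constructed samples, and the assumption that a Samba AD DC allocates idmap.ldb xidNumbers from 3000000 upwards (the lowerBound in its CN=CONFIG record) is the writer's, inferred from the 3000007 value seen in the thread.

```python
import base64
import re

# Constructed sample: an abbreviated ldapsearch -LLL entry shaped like the one
# in the thread (values illustrative, not real directory data).
SAMPLE_LDIF = """dn: CN=A User,CN=Users,DC=mydomain,DC=my,DC=tld
primaryGroupID: 513
uid: auser
msSFU30Name: auser
msSFU30NisDomain: MYDOMAIN
uidNumber: 41000
gidNumber: 61000
unixHomeDirectory: /home/auser
loginShell: /bin/sh
"""

# Constructed 'getent passwd auser' lines: one while winbind honours the
# rfc2307 attributes, one after it has fallen back to an idmap.ldb xidNumber.
GETENT_OK = "auser:*:41000:61000:A User:/home/auser:/bin/sh"
GETENT_BAD = "auser:*:3000007:3000007:A User:/home/auser:/bin/sh"

# Assumption: a Samba AD DC allocates idmap.ldb xidNumbers starting at 3000000
# (the CN=CONFIG lowerBound); any uid/gid at or above it did not come from
# rfc2307 attributes.
IDMAP_LOWER_BOUND = 3000000

_LDIF_LINE = re.compile(r"^([^:]+)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse a single-entry LDIF blob into {attr: [values]}.

    Folded continuation lines (leading space) are joined and '::' values are
    base64-decoded, as ldapsearch emits them.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        m = _LDIF_LINE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_getent(line):
    """Split a passwd(5) line as printed by 'getent passwd' into its fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    name, _pw, uid, gid, _gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "home": home, "shell": shell}


def check_idmap(ldif_text, getent_line, lower_bound=IDMAP_LOWER_BOUND):
    """Compare the directory's rfc2307 attributes with what NSS returns.

    Returns a dict with 'ok' and a list of human-readable 'problems'.
    """
    attrs = parse_ldif(ldif_text)
    entry = parse_getent(getent_line)
    problems = []

    expected_uid = int(attrs["uidNumber"][0]) if "uidNumber" in attrs else None
    expected_gid = int(attrs["gidNumber"][0]) if "gidNumber" in attrs else None

    if expected_uid is None:
        problems.append("directory entry has no uidNumber")
    elif entry["uid"] != expected_uid:
        problems.append("NSS uid %d != uidNumber %d" % (entry["uid"], expected_uid))

    if expected_gid is None:
        problems.append("directory entry has no gidNumber")
    elif entry["gid"] != expected_gid:
        problems.append("NSS gid %d != gidNumber %d" % (entry["gid"], expected_gid))

    # The tell-tale symptom from the thread: an id from the xidNumber pool.
    if entry["uid"] >= lower_bound:
        problems.append("NSS uid %d is in the idmap.ldb xidNumber range" % entry["uid"])

    return {"ok": not problems, "problems": problems,
            "expected_uid": expected_uid, "expected_gid": expected_gid,
            "nss_uid": entry["uid"], "nss_gid": entry["gid"]}


if __name__ == "__main__":
    for label, line in (("working", GETENT_OK), ("fallen back", GETENT_BAD)):
        result = check_idmap(SAMPLE_LDIF, line)
        print(label, "ok" if result["ok"] else "; ".join(result["problems"]))
```

Run it against real captures by feeding the saved output of `ldapsearch -LLL ... '(uidNumber=41000)'` and `getent passwd auser` from each DC; a run that passes on the idle DC and fails with the "xidNumber range" message on the busy one reproduces the difference the thread describes.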

