[Samba] idmap & migration to rfc2307

Jonathan Hunter jmhunter1 at gmail.com
Sat Jun 13 03:00:41 MDT 2015


On 13 June 2015 at 09:34, buhorojo <buhorojo.lcb at gmail.com> wrote:
>> On 12 June 2015 at 08:55, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>> Sadly, even though sssd is now running and I'm no longer reliant on
>> winbind, the rest of samba doesn't seem to be taking notice of these
>> mappings - again, only after a period of time (it's OK at first, but
>> then switches to the wrong mappings).
>
> Then you must have some winbind(d) nonsense still. Remove the .tdbs and
> killall winbindd processes. Make sure the idmap_ldb line is removed. Make
> sure only winbind is running at samba start up (I think it's +winbind,
> -winbindd) and lose all references to winbind in nsswitch.conf. net cache
> flush doesn't work. You need to remove the databases.
> HTH

Thank you!

I now set in smb.conf:

        server services = -dns +winbind -winbindd

I stopped samba, then removed databases:

# rm /usr/local/samba/var/cache/gencache.tdb \
  /usr/local/samba/var/lock/gencache_notrans.tdb \
  /usr/local/samba/private/idmap.ldb

However, I must have done something wrong: no users can connect to
shares at all this way:

[root at dc1 ~]# smbstatus
Samba version 4.2.2
PID     Username      Group         Machine            Protocol Version
------------------------------------------------------------------------------
27024     -1            -1            1.2.3.4 (ipv4:1.2.3.4:2394) NT1

Service      pid     machine       Connected at
-------------------------------------------------------
No locked files


I've restored the defaults (+winbindd, -winbind) but by this point,
that didn't allow users to connect, either - this time coming up with
the following (many times) in the logs:

Jun 13 09:52:06 dc1 smbd[9628]: [2015/06/13 09:52:06.129760,  0]
../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jun 13 09:52:06 dc1 smbd[9628]:   Unable to convert SID (S-1-1-0) at
index 5 in user token to a GID.  Conversion was returned as type 0,
full token:
Jun 13 09:52:06 dc1 smbd[9628]: [2015/06/13 09:52:06.129880,  0]
../libcli/security/security_token.c:63(security_token_debug)
Jun 13 09:52:06 dc1 smbd[9628]:   Security token SIDs (10):
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  0]:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1138
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  1]:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-513
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  2]:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2613
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  3]:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2615
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  4]:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1168
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  5]: S-1-1-0
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  6]: S-1-5-2
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  7]: S-1-5-11
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  8]: S-1-5-32-545
Jun 13 09:52:06 dc1 smbd[9628]:     SID[  9]: S-1-5-32-554
Jun 13 09:52:06 dc1 smbd[9628]:    Privileges (0x          800000):
Jun 13 09:52:06 dc1 smbd[9628]:     Privilege[  0]: SeChangeNotifyPrivilege
Jun 13 09:52:06 dc1 smbd[9628]:    Rights (0x             400):
Jun 13 09:52:06 dc1 smbd[9628]:     Right[  0]: SeRemoteInteractiveLogonRight
Jun 13 09:52:06 dc1 rsyslogd-2177: imuxsock begins to drop messages
from pid 9628 due to rate-limiting

From what I can tell, samba isn't able to resolve S-1-1-0, which is "Everyone".

I have copied idmap.ldb back over from another DC and restarted samba;
all works now - but I'm sure that this should be created by samba
somehow if idmap.ldb has been removed and does not exist.

What's the mechanism through which idmap.ldb is created - what am I
missing there? I initially thought it might be something to do with
rfc2307 and missing attributes, but I can't find 'Everybody' in AD (I
thought it might be in the 'Builtin' container) to add attributes to
it. I have added rfc2307 UIDs to the other 'Builtin' groups e.g.
Administrators.

Cheers

J

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
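The log excerpt above is dense enough that it is worth having a small parser for it when the same failure recurs across many smbd processes. The following Python script is an added example and is not part of the thread or of Samba; it reads syslog lines of the form quoted in the mail, picks out each "Unable to convert SID ... to a UID/GID" event together with the security-token dump that follows it, and sorts the token's SIDs into well-known SIDs (which are not AD objects and therefore can never carry rfc2307 uidNumber/gidNumber attributes; only the DC's local idmap store can map them) and domain SIDs (which can be mapped through rfc2307 attributes). The sample log text is constructed after the mail's entries with made-up domain SID digits and the wrapped lines rejoined; the well-known SID names come from the standard Windows well-known SID table.

```python
"""Classify SIDs in Samba DC "Unable to convert SID" log entries.
Added example, not code from the thread or from Samba."""
import re
from collections import defaultdict

# Well-known / BUILTIN SIDs (fixed by the Windows security model, not AD objects).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
# Well-known RIDs that appear inside any domain SID.
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

# Constructed sample, modelled on the mail's entries; domain SID digits are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LOG = "\n".join([
    "Jun 13 09:52:06 dc1 smbd[9628]: [2015/06/13 09:52:06.129760,  0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)",
    "Jun 13 09:52:06 dc1 smbd[9628]:   Unable to convert SID (S-1-1-0) at index 5 in user token to a GID.  Conversion was returned as type 0, full token:",
    "Jun 13 09:52:06 dc1 smbd[9628]: [2015/06/13 09:52:06.129880,  0] ../libcli/security/security_token.c:63(security_token_debug)",
    "Jun 13 09:52:06 dc1 smbd[9628]:   Security token SIDs (10):",
] + [
    f"Jun 13 09:52:06 dc1 smbd[9628]:     SID[{i:>3}]: {sid}"
    for i, sid in enumerate([f"{DOM}-1138", f"{DOM}-513", f"{DOM}-2613", f"{DOM}-2615",
                             f"{DOM}-1168", "S-1-1-0", "S-1-5-2", "S-1-5-11",
                             "S-1-5-32-545", "S-1-5-32-554"])
] + [
    "Jun 13 09:52:06 dc1 smbd[9628]:    Privileges (0x          800000):",
    "Jun 13 09:52:06 dc1 smbd[9628]:     Privilege[  0]: SeChangeNotifyPrivilege",
    "Jun 13 09:52:06 dc1 rsyslogd-2177: imuxsock begins to drop messages from pid 9628 due to rate-limiting",
])

LOG_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ smbd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Unable to convert SID \((?P<sid>S-[\d-]+)\) at index (?P<idx>\d+) "
                     r"in user token to a (?P<kind>UID|GID)")
SID_RE = re.compile(r"SID\[\s*\d+\]: (?P<sid>S-[\d-]+)")


def classify_sid(sid):
    """Return (class, human name) for a SID string."""
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[sid])
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        return ("domain", DOMAIN_RIDS.get(rid, f"RID {rid}"))
    return ("other", sid)


def parse_failures(log_text):
    """One record per failure event, with the token dump that follows it from the same pid."""
    collecting = {}  # pid -> record whose token dump is still being read
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # not an smbd line (e.g. rsyslog rate-limit notice)
            continue
        pid, msg = m.group("pid"), m.group("msg")
        f = FAIL_RE.search(msg)
        if f:
            rec = {"pid": int(pid), "sid": f.group("sid"), "index": int(f.group("idx")),
                   "kind": f.group("kind"), "token": []}
            records.append(rec)
            collecting[pid] = rec
            continue
        rec = collecting.get(pid)
        if rec is None:
            continue
        s = SID_RE.search(msg)
        if s:
            rec["token"].append(s.group("sid"))
        elif "Privileges" in msg:  # end of the SID list
            collecting.pop(pid)
    return records


def summarize(records):
    """Group each failure's token SIDs by class so the mapping source can be judged."""
    out = []
    for rec in records:
        by_class = defaultdict(list)
        for sid in rec["token"]:
            cls, name = classify_sid(sid)
            by_class[cls].append((sid, name))
        fcls, fname = classify_sid(rec["sid"])
        out.append({"pid": rec["pid"], "kind": rec["kind"], "failed": rec["sid"],
                    "failed_class": fcls, "failed_name": fname,
                    "well_known": by_class["well-known"], "domain": by_class["domain"]})
    return out


if __name__ == "__main__":
    for s in summarize(parse_failures(SAMPLE_LOG)):
        src = "local idmap store only" if s["failed_class"] == "well-known" else "rfc2307 or local idmap"
        print(f"pid {s['pid']}: {s['kind']} lookup failed for {s['failed']} ({s['failed_name']}); source: {src}")
        print("  well-known:", [n for _, n in s["well_known"]])
        print("  domain:    ", [n for _, n in s["domain"]])
```

Running it on the sample reports that the failing SID is the well-known "Everyone" SID, so adding uidNumber/gidNumber attributes in AD cannot fix this case; the five well-known SIDs in the token all depend on the DC's own idmap allocation, which matches the thread's conclusion that restoring idmap.ldb resolved the problem.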

