[Samba] idmap & migration to rfc2307

Jonathan Hunter jmhunter1 at gmail.com
Sat Nov 7 02:29:48 UTC 2015 

Hi,

Resurrecting an older thread, but this same problem has just
re-occurred following a recent upgrade from 4.2.2 to 4.3.1.

When this issue occurs, I can't access various files on my server
(whether sysvol or other shares) - this seems to be down to incorrect
UID mappings. I am using rfc2307 to set my UIDs, but samba
occasionally seems to ignore this.

I first noticed the problem when a "gpupdate" on one of my client
machines gave me an error, saying it could not read
\\domain\sysvol\domain\Policies\{guid}\gpt.ini from a domain
controller.

After some investigation I found that 'wbinfo -i myuser' on my DC gave
me wrong UID information. Rather than reading from the rfc2307
attributes I have in AD, samba seems to be "making up" UIDs again. In
the example below, my UID should be 41000:

# wbinfo -i myuser
DOMAIN\myuser:*:3000007:100:My Name:/home/DOMAIN/myuser:/bin/bash

The same erroneous UID (3000007) is shown in 'smbstatus' output, also.

The following command fixes it for a little while and reads the info
from AD, as it should.. However, this doesn't last and after some time
it is back to the "made up" UIDs again :-( Here is the command that
fixes it temporarily:
# net cache flush
# wbinfo -i myuser
DOMAIN\myuser:*:41000:61000:My Name:/home/DOMAIN/myuser:/bin/bash

I have the following set in smb.conf - nothing has really changed
since June when I last had this issue.
        server services = -dns +winbind -winbindd
        idmap_ldb:use rfc2307 = yes

testparm shows the following, after the workgroup/realm/interfaces config:
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, ntp_signd, kcc, dnsupdate, winbind
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        dsdb:schema update allowed = true
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        include = /usr/local/samba/etc/smb.conf-0.0.0.0
        vfs objects = dfs_samba4 acl_xattr



I do have sssd configured in nsswitch.conf on the DC itself; this
works fine for logging in on the DC and 'getent' etc.; this issue is
just within Samba and anything accessed across the network via smbd,
as far as I can tell.

I'm not sure what debugging I will be able to do within Samba.. it
seems that some code path is getting triggered that stops looking up
UIDs from LDAP/AD, and instead uses its internal generation mechanism?
:-(

It's certainly intermittent, but does certainly happen. For example, I
end up with meaningless entries such as the UIDs below:

# smbstatus|head

Samba version 4.3.1
PID     Username      Group         Machine            Protocol Version
------------------------------------------------------------------------------
16139     3000119       3000016       1.2.3.4  (ipv4:1.2.3.4:62784) SMB2_10


Any help I can give in tracking this down, I gladly will do..!

Cheers

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

More information about the samba mailing list