[Samba] idmap & migration to rfc2307
Jonathan Hunter
jmhunter1 at gmail.com
Sat Nov 7 02:29:48 UTC 2015
Hi,
Resurrecting an older thread, but this same problem has just
re-occurred following a recent upgrade from 4.2.2 to 4.3.1.
When this issue occurs, I can't access various files on my server
(whether sysvol or other shares) - this seems to be down to incorrect
UID mappings. I am using rfc2307 to set my UIDs, but samba
occasionally seems to ignore this.
I first noticed the problem when a "gpupdate" on one of my client
machines gave me an error, saying it could not read
\\domain\sysvol\domain\Policies\{guid}\gpt.ini from a domain
controller.
After some investigation I found that 'wbinfo -i myuser' on my DC gave
me wrong UID information. Rather than reading from the rfc2307
attributes I have in AD, samba seems to be "making up" UIDs again. In
the example below, my UID should be 41000:
# wbinfo -i myuser
DOMAIN\myuser:*:3000007:100:My Name:/home/DOMAIN/myuser:/bin/bash
The same erroneous UID (3000007) is shown in 'smbstatus' output, also.
The following command fixes it for a little while and reads the info
from AD, as it should.. However, this doesn't last and after some time
it is back to the "made up" UIDs again :-( Here is the command that
fixes it temporarily:
# net cache flush
# wbinfo -i myuser
DOMAIN\myuser:*:41000:61000:My Name:/home/DOMAIN/myuser:/bin/bash
I have the following set in smb.conf - nothing has really changed
since June when I last had this issue.
server services = -dns +winbind -winbindd
idmap_ldb:use rfc2307 = yes
testparm shows the following, after the workgroup/realm/interfaces config:
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, ntp_signd, kcc, dnsupdate, winbind
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
dsdb:schema update allowed = true
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
include = /usr/local/samba/etc/smb.conf-0.0.0.0
vfs objects = dfs_samba4 acl_xattr
I do have sssd configured in nsswitch.conf on the DC itself; this
works fine for logging in on the DC and 'getent' etc.; this issue is
just within Samba and anything accessed across the network via smbd,
as far as I can tell.
I'm not sure what debugging I will be able to do within Samba.. it
seems that some code path is getting triggered that stops looking up
UIDs from LDAP/AD, and instead uses its internal generation mechanism?
:-(
It's certainly intermittent, but does certainly happen. For example, I
end up with meaningless entries such as the UIDs below:
# smbstatus|head
Samba version 4.3.1
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
16139 3000119 3000016 1.2.3.4 (ipv4:1.2.3.4:62784) SMB2_10
Any help I can give in tracking this down, I gladly will do..!
Cheers
Jonathan
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
More information about the samba
mailing list