[Samba] idmap & migration to rfc2307

Jonathan Hunter jmhunter1 at gmail.com
Sat Nov 7 11:31:11 UTC 2015

On 7 November 2015 at 10:11, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> Is it possible that sssd is failing?
> What do you have in /etc/nsswitch?

# cat /etc/nsswitch.conf | egrep "(passwd|group)"
passwd:     files sss
group:      files sss

But I don't think this is anything to do with sssd. As I understand it:

Local machine UNIX use (i.e. logging in via ssh; looking at files on
disk via "ls"; etc.) uses sssd, because this is what I have set in
nsswitch.conf. This all works fine, I have no problems with this.

"SMB file access" (i.e. a Windows client machine elsewhere on the
network, accessing resources via \\server\share\path) does not use
sssd, but uses smbd + winbind/winbindd for UID resolution? This is the
part that is failing intermittently.

> It could be that sssd isn't running or running correctly, so it cannot get
> the required info from AD, so winbind is returning the info from idmap.ldb,
> hence the '3000000' numbers.

Does winbind/wbinfo ever query what is defined in /etc/nsswitch.conf,
or does it always use the samba internal UID resolution? I thought it
would bypass nsswitch.conf entirely - hence my suspicion that this is
nothing to do with sssd.

It's hard to reproduce this at will - right now "wbinfo -i myuser" is
returning correct UID information. The problem (as far as I can tell)
is that, every so often, despite me having "idmap_ldb:use rfc2307 =
yes" in smb.conf, this same wbinfo command returns incorrect UID
information (as also shown in "net cache list") and therefore this is
why I cannot access files via smbd until I clear the idmap cache via
"net cache flush".

I'm trying to narrow it down to a particular set of circumstances but
it's so intermittent, I'm really struggling.

I would raise a bug on bugzilla but I'm not sure there's enough
information here for someone familiar with the code to resolve it.

It is of course possible that I'm doing something wrong - but the
thing that makes me convinced it's a bug is that I have /not/ changed
my configuration in any way since June (when I last saw this issue).
After my recent upgrade to 4.3 the problem came back - I saw it again
last night - but has not reoccurred since then until now. I really do
think there is a subtle bug here.

Is it worth me putting all this into a bugzilla entry, even though I
haven't yet narrowed down the full circumstances under which it

"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
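Added example, not part of the mailing-list post above and not Samba project code: a small offline check for the symptom described in the message, where "wbinfo -i" and the idmap cache return an ID allocated by idmap.ldb (the '3000000' numbers) instead of the rfc2307 uidNumber. It parses the passwd-style line printed by "wbinfo -i USER" and the entries printed by "net cache list", and flags any UNIX id that falls inside the idmap.ldb allocation range. Assumptions: 3000000 is the default lower bound idmap.ldb allocates from on an AD DC, the upper bound 4000000 is a constructed placeholder to be replaced with the site's real range, the "Key: ... Timeout: ... Value: ..." line shape and the IDMAP/SID2XID, IDMAP/UID2SID and IDMAP/GID2SID key names are assumed to match the installed version, and all sample lines are constructed rather than captured from a real host.

```python
import re

# Assumed idmap.ldb allocation range: 3000000 is the shipped default lower
# bound on a Samba AD DC; the upper bound is a constructed placeholder and
# should be set to the site's actual range.
IDMAP_LDB_DEFAULT_LOW = 3000000
IDMAP_LDB_DEFAULT_HIGH = 4000000


def parse_wbinfo_passwd(line):
    """Parse the passwd-style line printed by "wbinfo -i USER"
    (name:passwd:uid:gid:gecos:home:shell) into a dict."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields, got %d" % len(fields))
    name, _pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def uses_allocated_id(entry, low=IDMAP_LDB_DEFAULT_LOW, high=IDMAP_LDB_DEFAULT_HIGH):
    """True when the resolved UID or GID lies in the idmap.ldb allocation
    range, i.e. the rfc2307 uidNumber/gidNumber were not applied."""
    return low <= entry["uid"] < high or low <= entry["gid"] < high


# Assumed line shape of "net cache list" output (separators vary by version):
#   Key: <key>\t Timeout: <date>\t Value: <value>
CACHE_LINE_RE = re.compile(r"Key:\s*(\S+)\s+Timeout:\s*(.+?)\s+Value:\s*(\S+)")


def find_allocated_cache_entries(cache_output, low=IDMAP_LDB_DEFAULT_LOW,
                                 high=IDMAP_LDB_DEFAULT_HIGH):
    """Return (key, xid, timeout) for every cached IDMAP entry whose UNIX id
    falls inside the allocation range. Handles SID2XID/SID2UID/SID2GID keys
    (id is in the value, optionally suffixed ":U"/":G") and UID2SID/GID2SID
    keys (id is the last path component of the key)."""
    hits = []
    for line in cache_output.splitlines():
        m = CACHE_LINE_RE.search(line)
        if not m:
            continue
        key, timeout, value = m.groups()
        if key.startswith("IDMAP/SID2"):
            id_text = value.split(":", 1)[0]
        elif key.startswith(("IDMAP/UID2SID/", "IDMAP/GID2SID/")):
            id_text = key.rsplit("/", 1)[1]
        else:
            continue  # not an idmap entry (e.g. NBT name cache)
        try:
            xid = int(id_text)
        except ValueError:
            continue  # negative-cache or non-numeric payload
        if low <= xid < high:
            hits.append((key, xid, timeout))
    return hits


# Constructed sample data, not captured from a real system.
WBINFO_OK = "myuser:*:10001:10000:My User:/home/myuser:/bin/bash"
WBINFO_BAD = "myuser:*:3000012:100:My User:/home/MYDOM/myuser:/bin/false"
CACHE_SAMPLE = (
    "Key: IDMAP/SID2XID/S-1-5-21-1111-2222-3333-1105\t Timeout: Sat, 07 Nov 2015 11:50:00 UTC\t Value: 10001:U\n"
    "Key: IDMAP/SID2XID/S-1-5-21-1111-2222-3333-1106\t Timeout: Sat, 07 Nov 2015 11:52:00 UTC\t Value: 3000012:U\n"
    "Key: IDMAP/UID2SID/3000012\t Timeout: Sat, 07 Nov 2015 11:52:00 UTC\t Value: S-1-5-21-1111-2222-3333-1106\n"
    "Key: IDMAP/GID2SID/10000\t Timeout: Sat, 07 Nov 2015 11:50:00 UTC\t Value: S-1-5-21-1111-2222-3333-513\n"
    "Key: NBT/MYDOM#1B\t Timeout: Sat, 07 Nov 2015 11:40:00 UTC\t Value: 192.0.2.10:0\n"
)

if __name__ == "__main__":
    for line in (WBINFO_OK, WBINFO_BAD):
        entry = parse_wbinfo_passwd(line)
        state = "ALLOCATED (idmap.ldb)" if uses_allocated_id(entry) else "rfc2307"
        print("%s uid=%d gid=%d -> %s" % (entry["name"], entry["uid"], entry["gid"], state))
    for key, xid, timeout in find_allocated_cache_entries(CACHE_SAMPLE):
        print("cached allocated id %d in %s (expires %s)" % (xid, key, timeout))
```

Run it against real output by piping "wbinfo -i USER" and "net cache list" into the two functions; a non-empty result from find_allocated_cache_entries is the state the post describes clearing with "net cache flush", so logging those hits with their timeouts is a way to pin down when the wrong mapping first entered the cache.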