[Samba] idmap & migration to rfc2307
jmhunter1 at gmail.com
Sun Nov 8 03:13:54 UTC 2015
On 7 November 2015 at 18:57, Michael Adam <obnox at samba.org> wrote:
> The mapping should indeed be consistent for a user on the DC,
> so it should not intermittently switch between idmap.ldb and
> the rfc attributes. That would be a bug that we need to
> One step as written in a previous mail would be to change
> the dc code to _never_ fall back to idmap.ldb when configured
> with "idmap_ldb:use rfc2307 = yes".
> Then you write that when you see the wrong uid,
> a 'net cache flush' gets you back the correct uid.
> That is interesting. That flush command flushes
> winbindd's idmap cache (which is also used r/o by
> We need to understand what happens here.
> Rowland has already correctly asked for higher-level
I now have these logs available - I will email the full extracts
direct to you Michael, but I don't want to post them on a public forum
as there is rather a lot of information to sanitise and I will no
doubt break consistency in the logs if I do so. If anybody else on the
dev team would like a copy, that's fine - just email me and I will
send them to you also.
In summary, /usr/local/samba/var/log.winbindd-idmap shows the
following 3000007 UID being allocated to my user that already has a
UID from rfc2307 attributes e.g. 41234. I don't know why.. but this is
where the problem occurs:
[2015/11/08 01:07:02.077532, 4, pid=24816, effective(0, 0), real(0,
child daemon request 59
[2015/11/08 01:07:02.077573, 10, pid=24816, effective(0, 0), real(0,
child_process_request: request fn NDRCMD
[2015/11/08 01:07:02.077616, 10, pid=24816, effective(0, 0), real(0,
winbindd_dual_ndrcmd: Running command WBINT_GID2SID (no domain)
[2015/11/08 01:07:02.077666, 10, pid=24816, effective(0, 0), real(0,
idmap_gid_to_sid: gid = 
[2015/11/08 01:07:02.077732, 10, pid=24816, effective(0, 0), real(0,
idmap_backend_unixid_to_sid: xid = 3000007 (type 2)
[2015/11/08 01:07:02.081098, 4, pid=24816, effective(0, 0), real(0,
Finished processing child request 59
I can raise this in bugzilla if that is helpful, now.
My working theory is that there is maybe a file on the server,
somewhere, that is mapped to an old UID i.e. 3000007, either via an
acl or by simple UID ownership.. and in some way samba is coming
across this file and it's triggering the behaviour above??
I think the previous suggestion of never falling back to idmap.ldb if
rfc2307 is configured makes perfect sense. Perhaps a warning should be
printed if this kind of situation is encountered (assuming we can
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
More information about the samba