[Samba] idmap_ad problem and workaround

Joe Maloney jpm820 at gmail.com
Tue Jan 26 20:44:32 UTC 2016 

The DC's are running Windows Server 2012R2.  The directory itself has
RFC2307 attributes.  The file servers are running FreeBSD with Samba 4.1.
These are just member servers not joined as domain controllers.  I have
tried to upgrade to samba 4.2, and samba 4.3 as a test with no difference.
Here is a peak at the smb4.conf via pastebin.

http://pastebin.com/Ai14LREW

Joe Maloney

On Tue, Jan 26, 2016 at 1:35 PM, Rowland penny <rpenny at samba.org> wrote:

> On 26/01/16 18:48, Joe Maloney wrote:
>
>> Hello all,
>> Samba Version 4.1.21 on 8 servers as member servers configured with
>> idmap_ad.  I have all the RFC2307 attributes configured for every user,
>> and
>> group.  I wrote a script to ensure that.  I have scripts in place to make
>> sure I don't have duplicates, show users without attributes, etc.  I also
>> filter out the users I don't want to see by placing them outside of the
>> range set aside for idmap_ad, and outside of the range used by samba.
>>
>> In the last few weeks users belong to domain users group quit working.
>> Only users who have been previously added to domain admins show up with
>> getent passwd.  All groups show up.  I know this had to be a change at the
>> active directory level because it was working.  Suddenly each server just
>> stopped working like a domino effect at different days all within the same
>> week.
>>
>> If I temporarily add a user to domain admins, and then remove that access
>> it fixes the problem.  Even if I reboot the server the user remains fixed
>> so it's not just a temporary issue.  Has anyone ever seen anything like
>> this?  I am willing to upgrade to a newer samba version.  I am just trying
>> for my own sanity to figure out what may have caused the issue when things
>> have been working for months without issue.
>>
>> Joe Maloney
>>
>
> I think you need to give us some more info, what are the DCs running ? can
> we see a smb.conf from the member servers, this type of thing.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list