[Samba] Strange ID-Mapping behavior

Stefan Schäfer ml at fsproductions.de
Mon May 2 12:31:24 UTC 2016 

Hi list,

on one of our servers I found a strange id-mapping behavior. The server 
acts as an AD-DC and fileserver. We user the sernet-samba packages in 
version 4.2.9 on openSUSE leap 42.1.

We use the rfc3207 extension for Posix attributes. Every group has a 
full set of posix-attributes. Our gidNumbers are calculated by RID plus 
20000.

If i ask for id-mappings, "wbinfo" shows for all groups the correct 
mapping instead of the group "domain users". This group is mapped to 
gitNumber 100, this is the group "users" in /etc/passwd.

wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100

For all other Groups it looks like:

wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514

A look inside the LDAP DIT shows that the attribute "gidNumber" for 
"domain users" is set corectly to 20513.

Here is what testparm -v shows:
...
         idmap backend = tdb
         idmap cache time = 604800
         idmap negative cache time = 120
         idmap uid =
         idmap gid =
         template homedir = /home/%D/%U
         template shell = /bin/false
         winbind separator = \
         winbind cache time = 300
         winbind reconnect delay = 30
         winbind request timeout = 60
         winbind max clients = 200
         winbind enum users = No
         winbind enum groups = No
         winbind use default domain = No
         winbind trusted domains only = No
         winbind nested groups = Yes
         winbind expand groups = 0
         winbind nss info = template
         winbind refresh tickets = No
         winbind offline logon = No
         winbind normalize names = No
         winbind rpc only = No
         create krb5 conf = Yes
         ncalrpc dir = /var/run/samba/ncalrpc
         winbind max domain connections = 1
         winbindd socket directory = /var/run/samba/winbindd
         winbindd privileged socket directory = 
/var/lib/samba/winbindd_privileged
         winbind sealed pipes = Yes
....
         winbindd:use external pipes = true
         idmap_ldb:use rfc2307 = yes
         idmap config * : backend = tdb
...

Has anybody an idea how I can fix this wrong idmapping?

Other servers with the same setup didn't show this behavior.

Regards

Stefan
-- 
www.invis-server.org

Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten

More information about the samba mailing list