[Samba] Strange ID-Mapping behavior
Stefan Schäfer
ml at fsproductions.de
Mon May 2 12:31:24 UTC 2016
Hi list,

on one of our servers I found a strange id-mapping behavior. The server
acts as an AD-DC and fileserver. We use the sernet-samba packages in
version 4.2.9 on openSUSE Leap 42.1.

We use the rfc3207 extension for POSIX attributes. Every group has a
full set of POSIX attributes. Our gidNumbers are calculated by RID plus
20000.

If I ask for id-mappings, "wbinfo" shows for all groups the correct
mapping instead of the group "domain users". This group is mapped to
gidNumber 100, this is the group "users" in /etc/passwd.

wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100

For all other groups it looks like:

wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514

A look inside the LDAP DIT shows that the attribute "gidNumber" for
"domain users" is set correctly to 20513.

Here is what testparm -v shows:
...
idmap backend = tdb
idmap cache time = 604800
idmap negative cache time = 120
idmap uid =
idmap gid =
template homedir = /home/%D/%U
template shell = /bin/false
winbind separator = \
winbind cache time = 300
winbind reconnect delay = 30
winbind request timeout = 60
winbind max clients = 200
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 0
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
create krb5 conf = Yes
ncalrpc dir = /var/run/samba/ncalrpc
winbind max domain connections = 1
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
....
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
...
Has anybody an idea how I can fix this wrong idmapping?
Other servers with the same setup didn't show this behavior.
Regards
Stefan
--
www.invis-server.org
Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
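
Added example, not part of the original post: a check that reads "wbinfo --sids-to-unix-ids" output and flags every group whose gid differs from RID plus 20000, the scheme the post describes, so that a domain group silently landing on a local gid is caught before file permissions rely on it. The function names and the GID_OFFSET variable are assumptions of this example; the two sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: audit winbind gid mappings against "gidNumber = RID + offset".
# GID_OFFSET, check_gid_mappings and sample_wbinfo_output are names made up
# for this example; they are not part of Samba.

GID_OFFSET=20000   # offset stated in the post (gidNumber = RID + 20000)

# Reads lines of the form "<SID> -> gid <N>" on stdin.
# Prints "MISMATCH ..." for every gid that is not RID + GID_OFFSET and
# "SKIPPED ..." for lines that are not gid mappings (uid, unmapped, ...).
# Returns 1 if at least one mismatch was found, 0 otherwise.
check_gid_mappings() {
    awk -v off="$GID_OFFSET" '
        BEGIN { bad = 0 }
        $2 == "->" && $3 == "gid" && $4 ~ /^[0-9]+$/ {
            n = split($1, part, "-")      # the RID is the last SID component
            expected = part[n] + off
            if ($4 + 0 != expected) {
                printf "MISMATCH %s: gid %s, expected %d\n", $1, $4, expected
                bad = 1
            }
            next
        }
        NF { printf "SKIPPED %s\n", $0 }  # not a gid mapping, report and move on
        END { exit bad }
    '
}

# Sample input: the two wbinfo result lines quoted in the post.
sample_wbinfo_output() {
    cat <<'EOF'
S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
EOF
}

# Demo run on the sample lines. On a live system, pipe the real output in:
#   wbinfo --sids-to-unix-ids <SID>[,<SID>...] | check_gid_mappings
sample_wbinfo_output | check_gid_mappings || true
```
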