[Samba] Strange ID-Mapping behavior

Achim Gottinger achim at ag-web.biz
Mon May 2 13:18:37 UTC 2016


Sounds like there is an old entry in idmap.ldb. You can delete that 
entry if you use rfc3207.
In my environment I had a lot of old user entries in idmap.ldb which I had 
moved to rfc3207 mapping.
With 4.1 this did not matter but with 4.2 samba sometimes picks the 
values from idmap.ldb.

achim

On 02.05.2016 at 14:31, Stefan Schäfer wrote:
> Hi list,
>
> on one of our servers I found a strange id-mapping behavior. The 
> server acts as an AD-DC and fileserver. We use the sernet-samba 
> packages in version 4.2.9 on openSUSE Leap 42.1.
>
> We use the rfc3207 extension for Posix attributes. Every group has a 
> full set of posix-attributes. Our gidNumbers are calculated by RID 
> plus 20000.
>
> If I ask for id-mappings, "wbinfo" shows the correct mapping for all 
> groups except for the group "domain users". This group is mapped to 
> gidNumber 100, which is the group "users" in /etc/group.
>
> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>
> For all other Groups it looks like:
>
> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>
> A look inside the LDAP DIT shows that the attribute "gidNumber" for 
> "domain users" is set correctly to 20513.
>
> Here is what testparm -v shows:
> ...
>         idmap backend = tdb
>         idmap cache time = 604800
>         idmap negative cache time = 120
>         idmap uid =
>         idmap gid =
>         template homedir = /home/%D/%U
>         template shell = /bin/false
>         winbind separator = \
>         winbind cache time = 300
>         winbind reconnect delay = 30
>         winbind request timeout = 60
>         winbind max clients = 200
>         winbind enum users = No
>         winbind enum groups = No
>         winbind use default domain = No
>         winbind trusted domains only = No
>         winbind nested groups = Yes
>         winbind expand groups = 0
>         winbind nss info = template
>         winbind refresh tickets = No
>         winbind offline logon = No
>         winbind normalize names = No
>         winbind rpc only = No
>         create krb5 conf = Yes
>         ncalrpc dir = /var/run/samba/ncalrpc
>         winbind max domain connections = 1
>         winbindd socket directory = /var/run/samba/winbindd
>         winbindd privileged socket directory = 
> /var/lib/samba/winbindd_privileged
>         winbind sealed pipes = Yes
> ....
>         winbindd:use external pipes = true
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
> ...
>
> Does anybody have an idea how I can fix this wrong idmapping?
>
> Other servers with the same setup didn't show this behavior.
>
> Regards
>
> Stefan
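A way to find the stale entries Achim describes before deleting anything by hand: dump idmap.ldb and the AD group/user objects with ldbsearch, then compare each idmap.ldb xidNumber against the rfc2307 uidNumber/gidNumber stored on the matching SID. The script below is an added example, not code from either message or from the Samba project. It assumes the ldbsearch output formats shown in the embedded samples (objectSid/type/xidNumber for idmap.ldb, objectSid/gidNumber for sam.ldb), the default database path /var/lib/samba/private/idmap.ldb, and a constructed domain with one deliberately stale entry (Domain Users, RID 513, mapped to xid 100 instead of the gidNumber 20513 from the thread).

```python
#!/usr/bin/env python3
"""Cross-check idmap.ldb allocations against rfc2307 attributes in AD.

Added example, not Samba code. Run the two ldbsearch commands on the DC,
feed their LDIF output to find_stale_mappings(), and review the generated
ldbdel commands before running them.
"""
import shlex

IDMAP_DB = "/var/lib/samba/private/idmap.ldb"  # assumed default path

# Constructed sample of:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'
# The -513 entry is the stale one from the thread (mapped to gid 100).
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1891182457-2156988848-2018633412-513
cn: S-1-5-21-1891182457-2156988848-2018633412-513
objectClass: sidMap
objectSid: S-1-5-21-1891182457-2156988848-2018633412-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-21-1891182457-2156988848-2018633412-514
cn: S-1-5-21-1891182457-2156988848-2018633412-514
objectClass: sidMap
objectSid: S-1-5-21-1891182457-2156988848-2018633412-514
type: ID_TYPE_GID
xidNumber: 20514

dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

# Constructed sample of:
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(|(gidNumber=*)(uidNumber=*))' objectSid uidNumber gidNumber
# (DC=example,DC=com is an assumed domain.)
SAM_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1891182457-2156988848-2018633412-513
gidNumber: 20513

dn: CN=Domain Guests,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1891182457-2156988848-2018633412-514
gidNumber: 20514
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value'
    lines, no base64 ('::') or continuation lines (ldbsearch does not
    need them for these attributes)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def first(entry, attr):
    vals = entry.get(attr)
    return vals[0] if vals else None


def expected_ids(sam_entries):
    """SID -> {'uid': n, 'gid': n} from the rfc2307 attributes in AD."""
    out = {}
    for e in sam_entries:
        sid = first(e, "objectSid")
        if not sid:
            continue
        ids = {}
        if first(e, "uidNumber"):
            ids["uid"] = int(first(e, "uidNumber"))
        if first(e, "gidNumber"):
            ids["gid"] = int(first(e, "gidNumber"))
        if ids:
            out[sid] = ids
    return out


def find_stale_mappings(idmap_ldif, sam_ldif):
    """Return idmap.ldb entries whose xidNumber disagrees with AD.

    ID_TYPE_GID is compared against gidNumber, ID_TYPE_UID against
    uidNumber, ID_TYPE_BOTH against whichever of the two is set. SIDs
    without rfc2307 attributes (BUILTIN, well-known SIDs) are skipped:
    for those idmap.ldb is the only source and must not be touched.
    """
    expected = expected_ids(parse_ldif(sam_ldif))
    stale = []
    for e in parse_ldif(idmap_ldif):
        sid, xid, typ = first(e, "objectSid"), first(e, "xidNumber"), first(e, "type")
        if sid is None or xid is None or sid not in expected:
            continue
        want = expected[sid]
        if typ == "ID_TYPE_GID":
            targets = {want.get("gid")}
        elif typ == "ID_TYPE_UID":
            targets = {want.get("uid")}
        else:
            targets = set(want.values())
        targets.discard(None)
        if targets and int(xid) not in targets:
            stale.append({"dn": first(e, "dn"), "sid": sid, "type": typ,
                          "xid": int(xid), "expected": min(targets)})
    return stale


def ldbdel_commands(stale, db=IDMAP_DB):
    """Shell commands to remove the stale allocations (review first)."""
    return ["ldbdel -H %s %s" % (shlex.quote(db), shlex.quote(s["dn"]))
            for s in stale]


if __name__ == "__main__":
    for s in find_stale_mappings(IDMAP_LDIF, SAM_LDIF):
        print("%s %s: idmap.ldb has %d, AD has %d" %
              (s["type"], s["sid"], s["xid"], s["expected"]))
    for cmd in ldbdel_commands(find_stale_mappings(IDMAP_LDIF, SAM_LDIF)):
        print(cmd)
```

After deleting an entry, winbind can still serve the old value from its own cache for up to `idmap cache time` (604800 s in the testparm output above), so run `net cache flush` and restart samba before re-checking with `wbinfo --sids-to-unix-ids`. Back up idmap.ldb first; entries for SIDs that have no uidNumber/gidNumber in AD are deliberately left alone because Samba has nowhere else to get those IDs from.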
