[Samba] Strange ID-Mapping behavior
Achim Gottinger
achim at ag-web.biz
Mon May 2 13:18:37 UTC 2016
Sounds like there is an old entry in idmap.ldb. You can delete that
entry if you use rfc3207.
On my environment i had alot of old user entrys in idmap.ldb whom i had
moved to rfc3207 mapping.
With 4.1 this did not matter but with 4.2 samba sometimes picks the
values from idmap.ldb.
achim
Am 02.05.2016 um 14:31 schrieb Stefan Schäfer:
> Hi list,
>
> on one of our servers I found a strange id-mapping behavior. The
> server acts as an AD-DC and fileserver. We user the sernet-samba
> packages in version 4.2.9 on openSUSE leap 42.1.
>
> We use the rfc3207 extension for Posix attributes. Every group has a
> full set of posix-attributes. Our gidNumbers are calculated by RID
> plus 20000.
>
> If i ask for id-mappings, "wbinfo" shows for all groups the correct
> mapping instead of the group "domain users". This group is mapped to
> gitNumber 100, this is the group "users" in /etc/passwd.
>
> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>
> For all other Groups it looks like:
>
> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>
> A look inside the LDAP DIT shows that the attribute "gidNumber" for
> "domain users" is set corectly to 20513.
>
> Here is what testparm -v shows:
> ...
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid =
> idmap gid =
> template homedir = /home/%D/%U
> template shell = /bin/false
> winbind separator = \
> winbind cache time = 300
> winbind reconnect delay = 30
> winbind request timeout = 60
> winbind max clients = 200
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = No
> winbind trusted domains only = No
> winbind nested groups = Yes
> winbind expand groups = 0
> winbind nss info = template
> winbind refresh tickets = No
> winbind offline logon = No
> winbind normalize names = No
> winbind rpc only = No
> create krb5 conf = Yes
> ncalrpc dir = /var/run/samba/ncalrpc
> winbind max domain connections = 1
> winbindd socket directory = /var/run/samba/winbindd
> winbindd privileged socket directory =
> /var/lib/samba/winbindd_privileged
> winbind sealed pipes = Yes
> ....
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> ...
>
> Has anybody an idea how I can fix this wrong idmapping?
>
> Other servers with the same setup didn't show this behavior.
>
> Regards
>
> Stefan
More information about the samba
mailing list