[Samba] Strange ID-Mapping behavior

mathias dufresne infractory at gmail.com
Mon May 2 13:25:34 UTC 2016


Hey,

id mapping is accessible from net command:
net cache list

you can also clean that cache:
net cache flush

After flushing the cache your users and groups having uidNumber and/or
gidNumber should work as expected (ie using their AD declared uid/gid).

Cheers,

mathias

2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:

> Sounds like there is an old entry in idmap.ldb. You can delete that entry
> if you use rfc3207.
> On my environment I had a lot of old user entries in idmap.ldb which I had
> moved to rfc3207 mapping.
> With 4.1 this did not matter but with 4.2 samba sometimes picks the values
> from idmap.ldb.
>
> achim
>
>
> On 02.05.2016 at 14:31, Stefan Schäfer wrote:
>
>> Hi list,
>>
>> on one of our servers I found a strange id-mapping behavior. The server
>> acts as an AD-DC and fileserver. We use the sernet-samba packages in
>> version 4.2.9 on openSUSE leap 42.1.
>>
>> We use the rfc3207 extension for Posix attributes. Every group has a full
>> set of posix-attributes. Our gidNumbers are calculated by RID plus 20000.
>>
>> If I ask for id-mappings, "wbinfo" shows the correct mapping for all
>> groups except for the group "domain users". This group is mapped to
>> gidNumber 100, which is the group "users" in /etc/passwd.
>>
>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>
>> For all other Groups it looks like:
>>
>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>
>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>> "domain users" is set correctly to 20513.
>>
>> Here is what testparm -v shows:
>> ...
>>         idmap backend = tdb
>>         idmap cache time = 604800
>>         idmap negative cache time = 120
>>         idmap uid =
>>         idmap gid =
>>         template homedir = /home/%D/%U
>>         template shell = /bin/false
>>         winbind separator = \
>>         winbind cache time = 300
>>         winbind reconnect delay = 30
>>         winbind request timeout = 60
>>         winbind max clients = 200
>>         winbind enum users = No
>>         winbind enum groups = No
>>         winbind use default domain = No
>>         winbind trusted domains only = No
>>         winbind nested groups = Yes
>>         winbind expand groups = 0
>>         winbind nss info = template
>>         winbind refresh tickets = No
>>         winbind offline logon = No
>>         winbind normalize names = No
>>         winbind rpc only = No
>>         create krb5 conf = Yes
>>         ncalrpc dir = /var/run/samba/ncalrpc
>>         winbind max domain connections = 1
>>         winbindd socket directory = /var/run/samba/winbindd
>>         winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>>         winbind sealed pipes = Yes
>> ....
>>         winbindd:use external pipes = true
>>         idmap_ldb:use rfc2307 = yes
>>         idmap config * : backend = tdb
>> ...
>>
>> Does anybody have an idea how I can fix this wrong idmapping?
>>
>> Other servers with the same setup didn't show this behavior.
>>
>> Regards
>>
>> Stefan
>>
>
>

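As an added example (not written by anyone in this thread): a small POSIX shell check that reads `wbinfo --sids-to-unix-ids` output and flags every mapping that disagrees with the "RID + offset" convention Stefan describes, so a stale idmap.ldb or winbind cache entry like the "domain users" one shows up clearly before and after `net cache flush`. The offset (20000 here) and the `check_mappings`/`count_mismatches` function names are this example's own; the sample input is constructed from the two wbinfo lines quoted above.

```shell
#!/bin/sh
# Added example: audit wbinfo --sids-to-unix-ids output against the
# "RID + OFFSET" convention the site uses for uidNumber/gidNumber.
# Any line that disagrees points at a stale idmap.ldb or winbind cache entry.

# Constructed sample, taken from the two wbinfo lines quoted in the thread.
SAMPLE='S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514'

# check_mappings OFFSET: reads "SID -> uid|gid N" lines on stdin and prints one
# line per mapping whose unix id is not RID + OFFSET. Prints nothing if all agree.
check_mappings() {
  awk -v off="$1" '
    $2 == "->" && ($3 == "gid" || $3 == "uid") {
      n = split($1, p, "-")        # the last SID component is the RID
      rid = p[n]
      expected = rid + off
      if ($4 + 0 != expected)
        printf "%s: %s %s but AD convention gives %d (RID %s + %d)\n", $1, $3, $4, expected, rid, off
    }'
}

# count_mismatches OFFSET: number of mismatching mappings, handy in scripts.
count_mismatches() {
  check_mappings "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the sample. Live use on a DC:
#   wbinfo --sids-to-unix-ids S-1-5-21-...-513 S-1-5-21-...-514 | check_mappings 20000
printf '%s\n' "$SAMPLE" | check_mappings 20000
```

Run it once before `net cache flush` and once after; the "domain users" line should disappear from the second run if the stale cached gid was the only problem.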