[Samba] Strange ID-Mapping behavior
infractory at gmail.com
Mon May 2 13:25:34 UTC 2016
id mapping is accessible from net command:
net cache list
you can also clean that cache:
net cache flush
After flushing the cache your users and groups having uidNumber and/or
gidNumber should work as expected (ie using their AD declared uid/gid).
2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
> Sounds like there is an old entry in idmap.ldb. You can delete that entry
> if you use rfc3207.
> On my environment i had alot of old user entrys in idmap.ldb whom i had
> moved to rfc3207 mapping.
> With 4.1 this did not matter but with 4.2 samba sometimes picks the values
> from idmap.ldb.
> Am 02.05.2016 um 14:31 schrieb Stefan Schäfer:
>> Hi list,
>> on one of our servers I found a strange id-mapping behavior. The server
>> acts as an AD-DC and fileserver. We user the sernet-samba packages in
>> version 4.2.9 on openSUSE leap 42.1.
>> We use the rfc3207 extension for Posix attributes. Every group has a full
>> set of posix-attributes. Our gidNumbers are calculated by RID plus 20000.
>> If i ask for id-mappings, "wbinfo" shows for all groups the correct
>> mapping instead of the group "domain users". This group is mapped to
>> gitNumber 100, this is the group "users" in /etc/passwd.
>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>> For all other Groups it looks like:
>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>> "domain users" is set corectly to 20513.
>> Here is what testparm -v shows:
>> idmap backend = tdb
>> idmap cache time = 604800
>> idmap negative cache time = 120
>> idmap uid =
>> idmap gid =
>> template homedir = /home/%D/%U
>> template shell = /bin/false
>> winbind separator = \
>> winbind cache time = 300
>> winbind reconnect delay = 30
>> winbind request timeout = 60
>> winbind max clients = 200
>> winbind enum users = No
>> winbind enum groups = No
>> winbind use default domain = No
>> winbind trusted domains only = No
>> winbind nested groups = Yes
>> winbind expand groups = 0
>> winbind nss info = template
>> winbind refresh tickets = No
>> winbind offline logon = No
>> winbind normalize names = No
>> winbind rpc only = No
>> create krb5 conf = Yes
>> ncalrpc dir = /var/run/samba/ncalrpc
>> winbind max domain connections = 1
>> winbindd socket directory = /var/run/samba/winbindd
>> winbindd privileged socket directory =
>> winbind sealed pipes = Yes
>> winbindd:use external pipes = true
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> Has anybody an idea how I can fix this wrong idmapping?
>> Other servers with the same setup didn't show this behavior.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba