[Samba] Strange ID-Mapping behavior

Achim Gottinger achim at ag-web.biz
Mon May 2 13:47:03 UTC 2016


In my case flushing the cache did not help. I had around a dozen 
user accounts with uidNumbers assigned and left over (dynamic winbind) 
mappings in idmap.ldb. At first after a flush samba used the uidNumber, 
but after a logoff/logon of the user getent passwd [user] showed the 
mapping from idmap.ldb. After I deleted the mapping in idmap.ldb 
everything went back to normal. Under 4.1 the leftover entries in 
idmap.ldb were never used.

smbcontrol idmap delete <ID>

can be used to delete the offending entries in idmap.ldb

On 02.05.2016 at 15:25, mathias dufresne wrote:
> Hey,
>
> id mapping is accessible from net command:
> net cache list
>
> you can also clean that cache:
> net cache flush
>
> After flushing the cache your users and groups having uidNumber and/or
> gidNumber should work as expected (ie using their AD declared uid/gid).
>
> Cheers,
>
> mathias
>
> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>
>> Sounds like there is an old entry in idmap.ldb. You can delete that entry
>> if you use rfc3207.
>> On my environment I had a lot of old user entries in idmap.ldb which I had
>> moved to rfc3207 mapping.
>> With 4.1 this did not matter, but with 4.2 samba sometimes picks the values
>> from idmap.ldb.
>>
>> achim
>>
>>
>> On 02.05.2016 at 14:31, Stefan Schäfer wrote:
>>
>>> Hi list,
>>>
>>> on one of our servers I found a strange id-mapping behavior. The server
>>> acts as an AD-DC and fileserver. We use the sernet-samba packages in
>>> version 4.2.9 on openSUSE leap 42.1.
>>>
>>> We use the rfc3207 extension for Posix attributes. Every group has a full
>>> set of posix-attributes. Our gidNumbers are calculated by RID plus 20000.
>>>
>>> If I ask for id-mappings, "wbinfo" shows for all groups the correct
>>> mapping instead of the group "domain users". This group is mapped to
>>> gidNumber 100, this is the group "users" in /etc/passwd.
>>>
>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>>
>>> For all other Groups it looks like:
>>>
>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>>
>>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>>> "domain users" is set correctly to 20513.
>>>
>>> Here is what testparm -v shows:
>>> ...
>>>          idmap backend = tdb
>>>          idmap cache time = 604800
>>>          idmap negative cache time = 120
>>>          idmap uid =
>>>          idmap gid =
>>>          template homedir = /home/%D/%U
>>>          template shell = /bin/false
>>>          winbind separator = \
>>>          winbind cache time = 300
>>>          winbind reconnect delay = 30
>>>          winbind request timeout = 60
>>>          winbind max clients = 200
>>>          winbind enum users = No
>>>          winbind enum groups = No
>>>          winbind use default domain = No
>>>          winbind trusted domains only = No
>>>          winbind nested groups = Yes
>>>          winbind expand groups = 0
>>>          winbind nss info = template
>>>          winbind refresh tickets = No
>>>          winbind offline logon = No
>>>          winbind normalize names = No
>>>          winbind rpc only = No
>>>          create krb5 conf = Yes
>>>          ncalrpc dir = /var/run/samba/ncalrpc
>>>          winbind max domain connections = 1
>>>          winbindd socket directory = /var/run/samba/winbindd
>>>          winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>>>          winbind sealed pipes = Yes
>>> ....
>>>          winbindd:use external pipes = true
>>>          idmap_ldb:use rfc2307 = yes
>>>          idmap config * : backend = tdb
>>> ...
>>>
>>> Has anybody an idea how I can fix this wrong idmapping?
>>>
>>> Other servers with the same setup didn't show this behavior.
>>>
>>> Regards
>>>
>>> Stefan
>>>
>>
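As an added consistency check that is not part of this thread, the script below parses `wbinfo --sids-to-unix-ids` output and flags group mappings that do not follow the site rule quoted above (gidNumber = RID + 20000), which is exactly how the stale idmap.ldb entry for "domain users" shows up. The sample lines are constructed, modelled on Stefan's output; the uid line and RID 1105 are invented.

```python
import re

# Constructed sample of `wbinfo --sids-to-unix-ids` output. The domain SID and
# RIDs 513/514 come from the thread; the uid line (RID 1105) is made up.
SAMPLE_WBINFO_OUTPUT = """\
S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
S-1-5-21-1891182457-2156988848-2018633412-1105 -> uid 3000021
"""

GID_OFFSET = 20000  # site rule from the thread: gidNumber = RID + 20000

# One mapping line: "<domain SID>-<RID> -> uid|gid <number>"
LINE_RE = re.compile(
    r"^(?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+))\s*->\s*"
    r"(?P<kind>uid|gid)\s+(?P<num>\d+)\s*$"
)


def parse_wbinfo(output):
    """Return [(sid, rid, kind, number)] for every line that is a resolved mapping.

    Lines that do not match (e.g. unmapped SIDs, blank lines) are skipped so a
    partially failing wbinfo run still yields the mappings it did produce.
    """
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["sid"], int(m["rid"]), m["kind"], int(m["num"])))
    return rows


def find_gid_mismatches(output, offset=GID_OFFSET):
    """Return [(sid, expected_gid, actual_gid)] for groups whose winbind answer
    differs from RID + offset. Such entries are the ones to look for in
    idmap.ldb / the winbind cache; uid mappings are not covered by the rule
    and are ignored here.
    """
    mismatches = []
    for sid, rid, kind, num in parse_wbinfo(output):
        if kind != "gid":
            continue
        expected = rid + offset
        if num != expected:
            mismatches.append((sid, expected, num))
    return mismatches


if __name__ == "__main__":
    for sid, expected, actual in find_gid_mismatches(SAMPLE_WBINFO_OUTPUT):
        print(f"{sid}: winbind says gid {actual}, AD rule expects {expected}")
```

On a live DC the same function can be fed the real output of `wbinfo --sids-to-unix-ids` for all group SIDs; any reported mismatch is a candidate leftover entry to inspect in idmap.ldb, as described in the replies above.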
