[Samba] Strange ID-Mapping behavior

Stefan Schäfer ml at fsproductions.de
Mon May 2 14:08:47 UTC 2016


Hi Mathias,

grepping in the output of "net cache list" shows:

Key: IDMAP/GID2SID/20513         Timeout: Mon May  9 07:29:11 2016       Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/GID2SID/100   Timeout: Mon May  9 07:29:32 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513 Timeout: Mon May  9 07:29:32 2016       Value: 100:G


There are both values, the correct and the wrong one. Before I clear the 
cache, the question is: where could the wrong value come from?

Stefan


On 02.05.2016 at 15:25, mathias dufresne wrote:
> Hey,
>
> id mapping is accessible from net command:
> net cache list
>
> you can also clean that cache:
> net cache flush
>
> After flushing the cache your users and groups having uidNumber and/or
> gidNumber should work as expected (i.e. using their AD declared uid/gid).
>
> Cheers,
>
> mathias
>
> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>
>> Sounds like there is an old entry in idmap.ldb. You can delete that entry
>> if you use rfc3207.
>> In my environment I had a lot of old user entries in idmap.ldb which I had
>> moved to rfc3207 mapping.
>> With 4.1 this did not matter, but with 4.2 Samba sometimes picks the values
>> from idmap.ldb.
>>
>> achim
>>
>>
>> On 02.05.2016 at 14:31, Stefan Schäfer wrote:
>>
>>> Hi list,
>>>
>>> on one of our servers I found a strange id-mapping behavior. The server
>>> acts as an AD-DC and fileserver. We use the sernet-samba packages in
>>> version 4.2.9 on openSUSE leap 42.1.
>>>
>>> We use the rfc3207 extension for Posix attributes. Every group has a full
>>> set of posix-attributes. Our gidNumbers are calculated by RID plus 20000.
>>>
>>> If I ask for id-mappings, "wbinfo" shows for all groups the correct
>>> mapping instead of the group "domain users". This group is mapped to
>>> gidNumber 100, this is the group "users" in /etc/passwd.
>>>
>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>>
>>> For all other Groups it looks like:
>>>
>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>>
>>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>>> "domain users" is set correctly to 20513.
>>>
>>> Here is what testparm -v shows:
>>> ...
>>>          idmap backend = tdb
>>>          idmap cache time = 604800
>>>          idmap negative cache time = 120
>>>          idmap uid =
>>>          idmap gid =
>>>          template homedir = /home/%D/%U
>>>          template shell = /bin/false
>>>          winbind separator = \
>>>          winbind cache time = 300
>>>          winbind reconnect delay = 30
>>>          winbind request timeout = 60
>>>          winbind max clients = 200
>>>          winbind enum users = No
>>>          winbind enum groups = No
>>>          winbind use default domain = No
>>>          winbind trusted domains only = No
>>>          winbind nested groups = Yes
>>>          winbind expand groups = 0
>>>          winbind nss info = template
>>>          winbind refresh tickets = No
>>>          winbind offline logon = No
>>>          winbind normalize names = No
>>>          winbind rpc only = No
>>>          create krb5 conf = Yes
>>>          ncalrpc dir = /var/run/samba/ncalrpc
>>>          winbind max domain connections = 1
>>>          winbindd socket directory = /var/run/samba/winbindd
>>>          winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>>>          winbind sealed pipes = Yes
>>> ....
>>>          winbindd:use external pipes = true
>>>          idmap_ldb:use rfc2307 = yes
>>>          idmap config * : backend = tdb
>>> ...
>>>
>>> Has anybody an idea how I can fix this wrong idmapping?
>>>
>>> Other servers with the same setup didn't show this behavior.
>>>
>>> Regards
>>>
>>> Stefan
>>>
>>


-- 
www.invis-server.org

Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
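
Added example (not part of the original messages and not Samba code): a Python check that parses `net cache list` text like the output quoted above and reports domain SIDs cached under more than one gid, or whose SID2XID entry differs from the RID + 20000 convention described in the thread. The sample input is constructed from the three quoted entries; the function names and the offset default are assumptions.

```python
import re
from collections import defaultdict

# Tolerates entries that mail clients wrapped across lines, as in the message.
ENTRY = re.compile(r"Key:\s*(\S+)\s+Timeout:\s*(.*?)\s+Value:\s*(\S+)", re.S)
GID_OFFSET = 20000  # assumption: the thread's site rule, gidNumber = RID + 20000

def parse_cache(text):
    """Split 'net cache list' text into GID2SID and SID2XID dictionaries."""
    gid2sid, sid2xid = {}, {}
    for key, _timeout, value in ENTRY.findall(text):
        parts = key.split("/")
        if len(parts) != 3 or parts[0] != "IDMAP":
            continue
        if parts[1] == "GID2SID" and parts[2].isdigit():
            gid2sid[int(parts[2])] = value
        elif parts[1] == "SID2XID":
            xid, _, kind = value.partition(":")
            if xid.isdigit():  # skip negative-cache or malformed values
                sid2xid[parts[2]] = (int(xid), kind)
    return gid2sid, sid2xid

def find_conflicts(text, offset=GID_OFFSET):
    """Report domain SIDs whose cached gid mappings disagree."""
    gid2sid, sid2xid = parse_cache(text)
    gids_for = defaultdict(set)
    for gid, sid in gid2sid.items():
        gids_for[sid].add(gid)
    findings = []
    for sid in sorted(set(gids_for) | set(sid2xid)):
        if not sid.startswith("S-1-5-21-"):
            continue  # only domain SIDs follow the RID + offset rule
        expected = int(sid.rsplit("-", 1)[1]) + offset
        if len(gids_for[sid]) > 1:
            findings.append((sid, "multiple-gids", sorted(gids_for[sid])))
        xid, kind = sid2xid.get(sid, (expected, "G"))
        if kind == "G" and xid != expected:
            findings.append((sid, "sid2xid-mismatch", [xid, expected]))
    return findings

# Constructed sample: the three cache entries quoted in the message.
SID = "S-1-5-21-1891182457-2156988848-2018633412-513"
SAMPLE = f"""Key: IDMAP/GID2SID/20513   Timeout: Mon May  9 07:29:11 2016
Value: {SID}
Key: IDMAP/GID2SID/100   Timeout: Mon May  9 07:29:32 2016 Value:
{SID}
Key: IDMAP/SID2XID/{SID}
Timeout: Mon May  9 07:29:32 2016       Value: 100:G
"""
```

`find_conflicts(SAMPLE)` returns both findings for the "domain users" SID; on a live system the same functions can be fed the captured output of `net cache list`.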



