[Samba] Strange ID-Mapping behavior
Stefan Schäfer
ml at fsproductions.de
Mon May 2 14:14:53 UTC 2016
On 02.05.2016 at 15:47, Achim Gottinger wrote:
> In my case flushing the cache did not help. I had around a dozen
> user accounts with uidNumbers assigned and left over (dynamic winbind)
> mappings in idmap.ldb. At first after a flush samba used the
> uidNumber, but after a logoff/logon of the user, getent passwd [user]
> showed the mapping from idmap.ldb. After I deleted the mapping in
> idmap.ldb everything went back to normal. Under 4.1 the leftover
> entries in idmap.ldb were never used.
That's what I fear.
>
> smbcontrol idmap delete <ID>
>
> can be used to delete the offending entries in idmap.ldb
I never worked with smbcontrol; is it possible to use smbcontrol to show
all idmappings? Does "ID" mean the SID?
Stefan
>
> On 02.05.2016 at 15:25, mathias dufresne wrote:
>> Hey,
>>
>> id mapping is accessible from net command:
>> net cache list
>>
>> you can also clean that cache:
>> net cache flush
>>
>> After flushing the cache your users and groups having uidNumber and/or
>> gidNumber should work as expected (ie using their AD declared uid/gid).
>>
>> Cheers,
>>
>> mathias
>>
>> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>>
>>> Sounds like there is an old entry in idmap.ldb. You can delete that
>>> entry if you use rfc3207.
>>> In my environment I had a lot of old user entries in idmap.ldb which I had
>>> moved to rfc3207 mapping.
>>> With 4.1 this did not matter but with 4.2 samba sometimes picks the
>>> values from idmap.ldb.
>>>
>>> achim
>>>
>>>
>>> On 02.05.2016 at 14:31, Stefan Schäfer wrote:
>>>
>>>> Hi list,
>>>>
>>>> on one of our servers I found a strange id-mapping behavior. The
>>>> server acts as an AD-DC and fileserver. We use the sernet-samba packages in
>>>> version 4.2.9 on openSUSE Leap 42.1.
>>>>
>>>> We use the rfc3207 extension for Posix attributes. Every group has
>>>> a full set of posix-attributes. Our gidNumbers are calculated by RID plus
>>>> 20000.
>>>>
>>>> If I ask for id-mappings, "wbinfo" shows the correct mapping for all
>>>> groups except the group "domain users". This group is mapped to
>>>> gidNumber 100, which is the group "users" in /etc/passwd.
>>>>
>>>> wbinfo --sids-to-unix-ids
>>>> S-1-5-21-1891182457-2156988848-2018633412-513
>>>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>>>
>>>> For all other Groups it looks like:
>>>>
>>>> wbinfo --sids-to-unix-ids
>>>> S-1-5-21-1891182457-2156988848-2018633412-514
>>>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>>>
>>>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>>>> "domain users" is set correctly to 20513.
>>>>
>>>> Here is what testparm -v shows:
>>>> ...
>>>> idmap backend = tdb
>>>> idmap cache time = 604800
>>>> idmap negative cache time = 120
>>>> idmap uid =
>>>> idmap gid =
>>>> template homedir = /home/%D/%U
>>>> template shell = /bin/false
>>>> winbind separator = \
>>>> winbind cache time = 300
>>>> winbind reconnect delay = 30
>>>> winbind request timeout = 60
>>>> winbind max clients = 200
>>>> winbind enum users = No
>>>> winbind enum groups = No
>>>> winbind use default domain = No
>>>> winbind trusted domains only = No
>>>> winbind nested groups = Yes
>>>> winbind expand groups = 0
>>>> winbind nss info = template
>>>> winbind refresh tickets = No
>>>> winbind offline logon = No
>>>> winbind normalize names = No
>>>> winbind rpc only = No
>>>> create krb5 conf = Yes
>>>> ncalrpc dir = /var/run/samba/ncalrpc
>>>> winbind max domain connections = 1
>>>> winbindd socket directory = /var/run/samba/winbindd
>>>> winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>>>> winbind sealed pipes = Yes
>>>> ....
>>>> winbindd:use external pipes = true
>>>> idmap_ldb:use rfc2307 = yes
>>>> idmap config * : backend = tdb
>>>> ...
>>>>
>>>> Does anybody have an idea how I can fix this wrong idmapping?
>>>>
>>>> Other servers with the same setup didn't show this behavior.
>>>>
>>>> Regards
>>>>
>>>> Stefan
>>>>
>>>
--
www.invis-server.org
Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
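A way to find exactly the kind of disagreement discussed in this thread (AD says one gidNumber, winbind resolves another, or a leftover idmap.ldb entry shadows the AD value), written as an added sh/awk example that is not part of the thread or of Samba. The SID list and the wbinfo lines below are constructed to mirror the ones quoted above; on a real DC you would feed in the output of `wbinfo --sids-to-unix-ids` and an ldbsearch/ldapsearch dump of uidNumber/gidNumber instead.

```shell
#!/bin/sh
# Compare what winbind resolves each SID to against the uidNumber/gidNumber
# stored in AD, and list every SID where the two disagree.

# Constructed "AD side": SID, attribute name, value (one entry per line).
AD_MAPPINGS='S-1-5-21-1891182457-2156988848-2018633412-513 gidNumber 20513
S-1-5-21-1891182457-2156988848-2018633412-514 gidNumber 20514
S-1-5-21-1891182457-2156988848-2018633412-1105 uidNumber 21105
S-1-5-21-1891182457-2156988848-2018633412-1106 uidNumber 21106'

# Constructed "winbind side", in the format wbinfo --sids-to-unix-ids prints.
# -513 carries the stale gid 100 from the thread; -1106 is missing entirely.
WBINFO_OUTPUT='S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
S-1-5-21-1891182457-2156988848-2018633412-1105 -> uid 21105'

# Prints one line per mismatching SID:
#   <SID> expected=<attr>:<value> winbind=<type>:<id>   (or winbind=unmapped)
find_mismatches() {
    ad="$1"; wb="$2"
    # Feed winbind lines first, a separator, then AD lines into one awk run.
    printf '%s\n===\n%s\n' "$wb" "$ad" | awk '
        $0 == "===" { in_ad = 1; next }
        !in_ad {
            # winbind section: "SID -> gid 100"  ->  wb[SID] = "gid:100"
            if (NF >= 4) wb[$1] = $3 ":" $4
            next
        }
        {
            # AD section: "SID gidNumber 20513"
            sid = $1; attr = $2; val = $3
            want = (attr == "gidNumber" ? "gid" : "uid") ":" val
            got = (sid in wb) ? wb[sid] : "unmapped"
            if (got != want)
                printf "%s expected=%s:%s winbind=%s\n", sid, attr, val, got
        }'
}

find_mismatches "$AD_MAPPINGS" "$WBINFO_OUTPUT"
```

Any SID it reports is a candidate for the `net cache flush` / `smbcontrol idmap delete` clean-up described earlier in the thread, after confirming the AD attribute is the value you actually want.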