[Samba] Strange ID-Mapping behavior

Stefan Schäfer ml at fsproductions.de
Mon May 2 14:14:53 UTC 2016


On 02.05.2016 at 15:47, Achim Gottinger wrote:
> In my case flushing the cache did not help. I had around a dozen
> user accounts with uidNumbers assigned and left over (dynamic winbind)
> mappings in idmap.ldb. At first, after a flush, samba used the
> uidNumber, but after a logoff/logon of the user, getent passwd [user]
> showed the mapping from idmap.ldb. After I deleted the mapping in
> idmap.ldb everything went back to normal. Under 4.1 the leftover
> entries in idmap.ldb were never used.

That's what I fear.

>
> smbcontrol idmap delete <ID>
>
> can be used to delete the offending entries in idmap.ldb

I never worked with smbcontrol. Is it possible to use smbcontrol to show
all idmappings? Does "ID" mean the SID?


Stefan

>
> On 02.05.2016 at 15:25, mathias dufresne wrote:
>> Hey,
>>
>> id mapping is accessible from net command:
>> net cache list
>>
>> you can also clean that cache:
>> net cache flush
>>
>> After flushing the cache your users and groups having uidNumber and/or
>> gidNumber should work as expected (ie using their AD declared uid/gid).
>>
>> Cheers,
>>
>> mathias
>>
>> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>>
>>> Sounds like there is an old entry in idmap.ldb. You can delete that entry
>>> if you use rfc2307.
>>> In my environment I had a lot of old user entries in idmap.ldb that I had
>>> moved to rfc2307 mapping.
>>> With 4.1 this did not matter, but with 4.2 samba sometimes picks the values
>>> from idmap.ldb.
>>>
>>> achim
>>>
>>>
>>> On 02.05.2016 at 14:31, Stefan Schäfer wrote:
>>>
>>>> Hi list,
>>>>
>>>> on one of our servers I found a strange id-mapping behavior. The server
>>>> acts as an AD-DC and fileserver. We use the sernet-samba packages in
>>>> version 4.2.9 on openSUSE leap 42.1.
>>>>
>>>> We use the rfc2307 extension for Posix attributes. Every group has a full
>>>> set of posix-attributes. Our gidNumbers are calculated by RID plus 20000.
>>>>
>>>> If I ask for id-mappings, "wbinfo" shows for all groups the correct
>>>> mapping except for the group "domain users". This group is mapped to
>>>> gidNumber 100, this is the group "users" in /etc/passwd.
>>>>
>>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>>>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>>>
>>>> For all other groups it looks like:
>>>>
>>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>>>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>>>
>>>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>>>> "domain users" is set correctly to 20513.
>>>>
>>>> Here is what testparm -v shows:
>>>> ...
>>>>          idmap backend = tdb
>>>>          idmap cache time = 604800
>>>>          idmap negative cache time = 120
>>>>          idmap uid =
>>>>          idmap gid =
>>>>          template homedir = /home/%D/%U
>>>>          template shell = /bin/false
>>>>          winbind separator = \
>>>>          winbind cache time = 300
>>>>          winbind reconnect delay = 30
>>>>          winbind request timeout = 60
>>>>          winbind max clients = 200
>>>>          winbind enum users = No
>>>>          winbind enum groups = No
>>>>          winbind use default domain = No
>>>>          winbind trusted domains only = No
>>>>          winbind nested groups = Yes
>>>>          winbind expand groups = 0
>>>>          winbind nss info = template
>>>>          winbind refresh tickets = No
>>>>          winbind offline logon = No
>>>>          winbind normalize names = No
>>>>          winbind rpc only = No
>>>>          create krb5 conf = Yes
>>>>          ncalrpc dir = /var/run/samba/ncalrpc
>>>>          winbind max domain connections = 1
>>>>          winbindd socket directory = /var/run/samba/winbindd
>>>>          winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>>>>          winbind sealed pipes = Yes
>>>> ....
>>>>          winbindd:use external pipes = true
>>>>          idmap_ldb:use rfc2307 = yes
>>>>          idmap config * : backend = tdb
>>>> ...
>>>>
>>>> Does anybody have an idea how I can fix this wrong idmapping?
>>>>
>>>> Other servers with the same setup didn't show this behavior.
>>>>
>>>> Regards
>>>>
>>>> Stefan
>>>>
>>>


-- 
www.invis-server.org

Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
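The thread's diagnosis is that winbind can answer from a stale idmap.ldb entry even though the group carries an rfc2307 gidNumber in the directory, and that only comparing the two reveals it. The following script is an added example (not from the thread or the Samba project) of that check: it parses LDIF records of the kind `ldbsearch` prints for groups (assumed here to contain `objectSid` in string form and `gidNumber`) and the `SID -> gid N` lines that `wbinfo --sids-to-unix-ids` prints, then lists every SID where winbind's answer disagrees with the directory. Both inputs are constructed samples built around the domain SID from the original post; the LDIF DNs are assumed.

```python
"""Compare winbind's SID->gid answers with the gidNumber stored in AD.

Added example for the Samba idmap thread; not part of the original posts.
A mismatch means winbind is serving a mapping (e.g. a leftover dynamic entry
in idmap.ldb) instead of the rfc2307 gidNumber the directory declares.
"""
import re

# Constructed sample of ldbsearch-style LDIF output for two groups. Only the
# attributes needed for the comparison are included; the DNs are assumed.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1891182457-2156988848-2018633412-513
gidNumber: 20513

dn: CN=Domain Computers,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1891182457-2156988848-2018633412-515
gidNumber: 20515
"""

# Constructed sample of `wbinfo --sids-to-unix-ids` output in the
# "SID -> gid N" form shown in the thread. The 513 line reproduces the
# reported symptom: gid 100 instead of the directory's 20513.
SAMPLE_WBINFO = """\
S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
S-1-5-21-1891182457-2156988848-2018633412-515 -> gid 20515
"""

WBINFO_RE = re.compile(r"^(S-1-5-\S+)\s+->\s+(uid|gid)\s+(\d+)\s*$")


def parse_ldif_gids(text):
    """Return {objectSid: gidNumber} for every LDIF record carrying both."""
    result = {}
    # LDIF separates records with a blank line.
    for record in re.split(r"\n\s*\n", text.strip()):
        sid = gid = None
        for line in record.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "objectSid":
                sid = value
            elif key == "gidNumber":
                gid = int(value)
        if sid and gid is not None:
            result[sid] = gid
    return result


def parse_wbinfo(text):
    """Return {SID: (kind, number)} from wbinfo --sids-to-unix-ids lines."""
    result = {}
    for line in text.splitlines():
        m = WBINFO_RE.match(line.strip())
        if m:
            result[m.group(1)] = (m.group(2), int(m.group(3)))
    return result


def find_mismatches(ldif_text, wbinfo_text):
    """Return {SID: (winbind_gid, directory_gid)} where the two disagree.

    A SID that winbind maps to a uid, or to a different gid, is reported;
    SIDs missing from either side are ignored (nothing to compare).
    """
    expected = parse_ldif_gids(ldif_text)
    actual = parse_wbinfo(wbinfo_text)
    mismatches = {}
    for sid, gid in expected.items():
        if sid in actual and actual[sid] != ("gid", gid):
            mismatches[sid] = (actual[sid][1], gid)
    return mismatches


def report(mismatches):
    """Render one human-readable line per mismatch, sorted by SID."""
    return [
        f"{sid}: winbind says gid {got}, directory gidNumber is {want}"
        for sid, (got, want) in sorted(mismatches.items())
    ]


if __name__ == "__main__":
    for line in report(find_mismatches(SAMPLE_LDIF, SAMPLE_WBINFO)):
        print(line)
```

On a live DC the two samples would be replaced by the real `ldbsearch` and `wbinfo` output for the SIDs in question; any SID listed by the report is one whose idmap.ldb entry deserves inspection before the cached mapping is trusted.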



