[Samba] Strange ID-Mapping behavior

Rowland penny rpenny at samba.org
Mon May 2 14:21:08 UTC 2016


On 02/05/16 15:08, Stefan Schäfer wrote:
> Hi Mathias,
>
> grepping in the output of "net cache list" shows:
>
> Key: IDMAP/GID2SID/20513         Timeout: Mon May  9 07:29:11 2016       Value: S-1-5-21-1891182457-2156988848-2018633412-513
> Key: IDMAP/GID2SID/100           Timeout: Mon May  9 07:29:32 2016       Value: S-1-5-21-1891182457-2156988848-2018633412-513
> Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513         Timeout: Mon May  9 07:29:32 2016       Value: 100:G
>
>
> There are both values, the correct and the wrong one. Before I clear 
> the cache, the question is: where could the wrong value come from?
>
> Stefan
>
>
> On 02.05.2016 at 15:25, mathias dufresne wrote:
>> Hey,
>>
>> id mapping is accessible from net command:
>> net cache list
>>
>> you can also clean that cache:
>> net cache flush
>>
>> After flushing the cache your users and groups having uidNumber and/or
>> gidNumber should work as expected (ie using their AD declared uid/gid).
>>
>> Cheers,
>>
>> mathias
>>
>> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>>
>>> Sounds like there is an old entry in idmap.ldb. You can delete that
>>> entry if you use rfc2307.
>>> In my environment I had a lot of old user entries in idmap.ldb which I had
>>> moved to rfc2307 mapping.
>>> With 4.1 this did not matter but with 4.2 samba sometimes picks the
>>> values from idmap.ldb.
>>>
>>> achim
>>>
>>>
>>> On 02.05.2016 at 14:31, Stefan Schäfer wrote:
>>>
>>>> Hi list,
>>>>
>>>> on one of our servers I found a strange id-mapping behavior. The
>>>> server acts as an AD-DC and fileserver. We use the sernet-samba packages in
>>>> version 4.2.9 on openSUSE leap 42.1.
>>>>
>>>> We use the rfc2307 extension for Posix attributes. Every group has
>>>> a full set of posix-attributes. Our gidNumbers are calculated by RID plus
>>>> 20000.
>>>>
>>>> If I ask for id-mappings, "wbinfo" shows for all groups the correct
>>>> mapping except for the group "domain users". This group is mapped to
>>>> gidNumber 100, this is the group "users" in /etc/passwd.
>>>>
>>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>>>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>>>
>>>> For all other Groups it looks like:
>>>>
>>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>>>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>>>
>>>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>>>> "domain users" is set correctly to 20513.
>>>>
>>>> Here is what testparm -v shows:
>>>> ...
>>>>          idmap backend = tdb
>>>>          idmap cache time = 604800
>>>>          idmap negative cache time = 120
>>>>          idmap uid =
>>>>          idmap gid =
>>>>          template homedir = /home/%D/%U
>>>>          template shell = /bin/false
>>>>          winbind separator = \
>>>>          winbind cache time = 300
>>>>          winbind reconnect delay = 30
>>>>          winbind request timeout = 60
>>>>          winbind max clients = 200
>>>>          winbind enum users = No
>>>>          winbind enum groups = No
>>>>          winbind use default domain = No
>>>>          winbind trusted domains only = No
>>>>          winbind nested groups = Yes
>>>>          winbind expand groups = 0
>>>>          winbind nss info = template
>>>>          winbind refresh tickets = No
>>>>          winbind offline logon = No
>>>>          winbind normalize names = No
>>>>          winbind rpc only = No
>>>>          create krb5 conf = Yes
>>>>          ncalrpc dir = /var/run/samba/ncalrpc
>>>>          winbind max domain connections = 1
>>>>          winbindd socket directory = /var/run/samba/winbindd
>>>>          winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>>>>          winbind sealed pipes = Yes
>>>> ....
>>>>          winbindd:use external pipes = true
>>>>          idmap_ldb:use rfc2307 = yes
>>>>          idmap config * : backend = tdb
>>>> ...
>>>>
>>>> Does anybody have an idea how I can fix this wrong idmapping?
>>>>
>>>> Other servers with the same setup didn't show this behavior.
>>>>
>>>> Regards
>>>>
>>>> Stefan
>>>>
>>>
>>>
>
>

How shall I put this, I know :-)

Your post subject is incorrect, it should be '[Samba] Normal ID-Mapping
behaviour'.

Mapping 'Domain Users' to the GID '100' is perfectly normal on a DC; it
is done automatically. But if you give 'Domain Users' a gidNumber, you
need to remove 'Domain Users' from idmap.ldb. You can do this with
smbcontrol or by opening idmap.ldb with ldbedit, finding and deleting
the entry for RID 513.

Rowland


