[Samba] Strange ID-Mapping behavior
Stefan Schäfer
ml at fsproductions.de
Mon May 2 14:53:50 UTC 2016
On 02.05.2016 at 16:21, Rowland penny wrote:
> On 02/05/16 15:08, Stefan Schäfer wrote:
>> Hi Mathias,
>>
>> grepping in the output of "net cache list" shows:
>>
>> Key: IDMAP/GID2SID/20513 Timeout: Mon May 9 07:29:11 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
>> Key: IDMAP/GID2SID/100 Timeout: Mon May 9 07:29:32 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
>> Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513 Timeout: Mon May 9 07:29:32 2016 Value: 100:G
>>
>>
>> There are both values, the correct and the wrong one. Before I clear
>> the cache, the question is: where could the wrong value come from?
>>
>> Stefan
>>
>>
>> On 02.05.2016 at 15:25, mathias dufresne wrote:
>>> Hey,
>>>
>>> id mapping is accessible from net command:
>>> net cache list
>>>
>>> you can also clean that cache:
>>> net cache flush
>>>
>>> After flushing the cache your users and groups having uidNumber and/or
>>> gidNumber should work as expected (ie using their AD declared uid/gid).
>>>
>>> Cheers,
>>>
>>> mathias
>>>
>>> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>>>
>>>> Sounds like there is an old entry in idmap.ldb. You can delete that
>>>> entry if you use rfc3207.
>>>> On my environment I had a lot of old user entries in idmap.ldb which I
>>>> had moved to rfc3207 mapping.
>>>> With 4.1 this did not matter but with 4.2 samba sometimes picks the
>>>> values from idmap.ldb.
>>>>
>>>> achim
>>>>
>>>>
>>>> On 02.05.2016 at 14:31, Stefan Schäfer wrote:
>>>>
>>>>> Hi list,
>>>>>
>>>>> on one of our servers I found a strange id-mapping behavior. The
>>>>> server acts as an AD-DC and fileserver. We use the sernet-samba
>>>>> packages in version 4.2.9 on openSUSE leap 42.1.
>>>>>
>>>>> We use the rfc3207 extension for Posix attributes. Every group has
>>>>> a full set of posix-attributes. Our gidNumbers are calculated by RID
>>>>> plus 20000.
>>>>>
>>>>> If I ask for id-mappings, "wbinfo" shows for all groups the correct
>>>>> mapping instead of the group "domain users". This group is mapped to
>>>>> gidNumber 100, this is the group "users" in /etc/passwd.
>>>>>
>>>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>>>>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>>>>
>>>>> For all other Groups it looks like:
>>>>>
>>>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>>>>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>>>>
>>>>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>>>>> "domain users" is set correctly to 20513.
>>>>>
>>>>> Here is what testparm -v shows:
>>>>> ...
>>>>> idmap backend = tdb
>>>>> idmap cache time = 604800
>>>>> idmap negative cache time = 120
>>>>> idmap uid =
>>>>> idmap gid =
>>>>> template homedir = /home/%D/%U
>>>>> template shell = /bin/false
>>>>> winbind separator = \
>>>>> winbind cache time = 300
>>>>> winbind reconnect delay = 30
>>>>> winbind request timeout = 60
>>>>> winbind max clients = 200
>>>>> winbind enum users = No
>>>>> winbind enum groups = No
>>>>> winbind use default domain = No
>>>>> winbind trusted domains only = No
>>>>> winbind nested groups = Yes
>>>>> winbind expand groups = 0
>>>>> winbind nss info = template
>>>>> winbind refresh tickets = No
>>>>> winbind offline logon = No
>>>>> winbind normalize names = No
>>>>> winbind rpc only = No
>>>>> create krb5 conf = Yes
>>>>> ncalrpc dir = /var/run/samba/ncalrpc
>>>>> winbind max domain connections = 1
>>>>> winbindd socket directory = /var/run/samba/winbindd
>>>>> winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>>>>> winbind sealed pipes = Yes
>>>>> ....
>>>>> winbindd:use external pipes = true
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> idmap config * : backend = tdb
>>>>> ...
>>>>>
>>>>> Has anybody an idea how I can fix this wrong idmapping?
>>>>>
>>>>> Other servers with the same setup didn't show this behavior.
>>>>>
>>>>> Regards
>>>>>
>>>>> Stefan
>>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>
>>
>
> How shall I put this, I know :-)
>
> Your post subject is incorrect, it should be ' [Samba] Normal
> ID-Mapping behaviour'
>
> Mapping 'Domain Users' to the GID '100' is perfectly normal on a DC,
> it is done automatically, but if you give 'Domain Users' a gidNumber,
> you need to remove 'Domain Users' from idmap.ldb, you can do this with
> smbcontrol or by opening idmap.ldb with ldbedit, finding and deleting
> the entry for RID 513.
>
> Rowland
>
Hi Rowland,
thanks for your explanation. If this is the normal behavior, it's
strange that this is the first server of my installations which shows it.
I think that I have to inspect the others. :)
Stefan
--
www.invis-server.org
Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
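As an added example (not code from anyone in this thread), the two checks below turn the diagnosis above into something repeatable: the first reports every SID that the winbind cache maps to more than one GID, the second flags group mappings whose cached GID does not follow the site convention Stefan describes (gidNumber = RID + 20000). The sample input is constructed from the "net cache list" lines quoted above; on a real server you would pipe the live output of net cache list into the functions instead.

```shell
#!/bin/sh
# Constructed sample in the format of "net cache list" output; not the real
# cache of any server. The 513 group (Domain Users) appears twice on the
# GID side, once with the AD gidNumber 20513 and once with the DC default 100.
SAMPLE_CACHE='Key: IDMAP/GID2SID/20513 Timeout: Mon May 9 07:29:11 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/GID2SID/100 Timeout: Mon May 9 07:29:32 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/GID2SID/20514 Timeout: Mon May 9 07:29:40 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-514
Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513 Timeout: Mon May 9 07:29:32 2016 Value: 100:G'

# find_idmap_conflicts: read "net cache list" output on stdin and print one
# line "<SID> <gid1>,<gid2>,..." for every SID that has more than one
# GID2SID entry. A healthy cache prints nothing.
find_idmap_conflicts() {
    awk '
        $1 == "Key:" && $2 ~ /^IDMAP\/GID2SID\// {
            split($2, k, "/"); gid = k[3]
            sid = $NF                      # "Value: <sid>" is always last
            if (gid != "" && sid ~ /^S-1-5-21-/) {
                if (seen[sid] == "") seen[sid] = gid
                else if (index("," seen[sid] ",", "," gid ",") == 0)
                    seen[sid] = seen[sid] "," gid
            }
        }
        END { for (s in seen) if (index(seen[s], ",")) print s, seen[s] }
    '
}

# stale_group_mappings OFFSET: read "net cache list" output on stdin and
# print "<SID> <cached gid> <expected gid>" for every cached group mapping
# (SID2XID value ending in ":G") whose GID is not RID + OFFSET. The offset
# is an assumption taken from the convention described in the thread (20000).
stale_group_mappings() {
    awk -v off="$1" '
        $1 == "Key:" && $2 ~ /^IDMAP\/SID2XID\/S-1-5-21-/ && $NF ~ /:G$/ {
            sid = substr($2, length("IDMAP/SID2XID/") + 1)
            n = split(sid, p, "-"); rid = p[n]   # RID is the last SID component
            split($NF, v, ":"); gid = v[1]
            if (gid + 0 != rid + off) print sid, gid, rid + off
        }
    '
}

printf '%s\n' "$SAMPLE_CACHE" | find_idmap_conflicts
printf '%s\n' "$SAMPLE_CACHE" | stale_group_mappings 20000
```

Any SID the first check lists, or any mapping the second check flags, is a candidate for the idmap.ldb clean-up and cache flush that Rowland and Mathias describe; re-run both after the flush to confirm only the AD gidNumber remains.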