[Samba] Strange ID-Mapping behavior

Stefan Schäfer ml at fsproductions.de
Mon May 2 14:53:50 UTC 2016


Am 02.05.2016 um 16:21 schrieb Rowland penny:
> On 02/05/16 15:08, Stefan Schäfer wrote:
>> Hi Mathias,
>>
>> grepping in the output of "net cache list" shows:
>>
>> Key: IDMAP/GID2SID/20513         Timeout: Mon May  9 07:29:11 2016       Value: S-1-5-21-1891182457-2156988848-2018633412-513
>> Key: IDMAP/GID2SID/100   Timeout: Mon May  9 07:29:32 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
>> Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513 Timeout: Mon May  9 07:29:32 2016       Value: 100:G
>>
>>
>> There are both values, the correct and the wrong one. Before I clear 
>> the cache, the question is: where could the wrong value come from?
>>
>> Stefan
>>
>>
>> Am 02.05.2016 um 15:25 schrieb mathias dufresne:
>>> Hey,
>>>
>>> id mapping is accessible from net command:
>>> net cache list
>>>
>>> you can also clean that cache:
>>> net cache flush
>>>
>>> After flushing the cache your users and groups having uidNumber and/or
>>> gidNumber should work as expected (ie using their AD declared uid/gid).
>>>
>>> Cheers,
>>>
>>> mathias
>>>
>>> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>>>
>>>> Sounds like there is an old entry in idmap.ldb. You can delete that entry
>>>> if you use rfc2307.
>>>> On my environment I had a lot of old user entries in idmap.ldb which I had
>>>> moved to rfc2307 mapping.
>>>> With 4.1 this did not matter, but with 4.2 samba sometimes picks the values
>>>> from idmap.ldb.
>>>>
>>>> achim
>>>>
>>>>
>>>> Am 02.05.2016 um 14:31 schrieb Stefan Schäfer:
>>>>
>>>>> Hi list,
>>>>>
>>>>> on one of our servers I found a strange id-mapping behavior. The server
>>>>> acts as an AD-DC and fileserver. We use the sernet-samba packages in
>>>>> version 4.2.9 on openSUSE Leap 42.1.
>>>>>
>>>>> We use the RFC 2307 extension for POSIX attributes. Every group has a full
>>>>> set of POSIX attributes. Our gidNumbers are calculated as RID plus 20000.
>>>>>
>>>>> If I ask for id-mappings, "wbinfo" shows the correct mapping for all groups
>>>>> except the group "domain users". This group is mapped to gidNumber 100,
>>>>> which is the group "users" in /etc/passwd.
>>>>>
>>>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>>>>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>>>>
>>>>> For all other groups it looks like:
>>>>>
>>>>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>>>>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>>>>
>>>>> A look inside the LDAP DIT shows that the attribute "gidNumber" for
>>>>> "domain users" is set correctly to 20513.
>>>>>
>>>>> Here is what testparm -v shows:
>>>>> ...
>>>>>          idmap backend = tdb
>>>>>          idmap cache time = 604800
>>>>>          idmap negative cache time = 120
>>>>>          idmap uid =
>>>>>          idmap gid =
>>>>>          template homedir = /home/%D/%U
>>>>>          template shell = /bin/false
>>>>>          winbind separator = \
>>>>>          winbind cache time = 300
>>>>>          winbind reconnect delay = 30
>>>>>          winbind request timeout = 60
>>>>>          winbind max clients = 200
>>>>>          winbind enum users = No
>>>>>          winbind enum groups = No
>>>>>          winbind use default domain = No
>>>>>          winbind trusted domains only = No
>>>>>          winbind nested groups = Yes
>>>>>          winbind expand groups = 0
>>>>>          winbind nss info = template
>>>>>          winbind refresh tickets = No
>>>>>          winbind offline logon = No
>>>>>          winbind normalize names = No
>>>>>          winbind rpc only = No
>>>>>          create krb5 conf = Yes
>>>>>          ncalrpc dir = /var/run/samba/ncalrpc
>>>>>          winbind max domain connections = 1
>>>>>          winbindd socket directory = /var/run/samba/winbindd
>>>>>          winbindd privileged socket directory =
>>>>> /var/lib/samba/winbindd_privileged
>>>>>          winbind sealed pipes = Yes
>>>>> ....
>>>>>          winbindd:use external pipes = true
>>>>>          idmap_ldb:use rfc2307 = yes
>>>>>          idmap config * : backend = tdb
>>>>> ...
>>>>>
>>>>> Does anybody have an idea how I can fix this wrong idmapping?
>>>>>
>>>>> Other servers with the same setup don't show this behavior.
>>>>>
>>>>> Regards
>>>>>
>>>>> Stefan
>>>>>
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>
>>
>
> How shall I put this, I know :-)
>
> Your post subject is incorrect, it should be ' [Samba] Normal 
> ID-Mapping behaviour'
>
> Mapping 'Domain Users' to the GID '100' is perfectly normal on a DC, 
> it is done automatically, but if you give 'Domain Users' a gidNumber, 
> you need to remove 'Domain Users' from idmap.ldb, you can do this with 
> smbcontrol or by opening idmap.ldb with ldbedit, finding and deleting 
> the entry for RID 513.
>
> Rowland
>
Hi Rowland,

thanks for your explanation. If this is the normal behavior, it's
strange that this is the first server of my installations which shows it.

I think that I have to inspect the others. :)

Stefan

-- 
www.invis-server.org

Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
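The cache listing quoted above shows the pattern worth checking on every DC: two GID2SID keys (20513 and 100) that resolve to the same SID, and a SID2XID entry pointing at the one that does not match the gidNumber in AD. The script below is an added example, not code from any participant in this thread or from the Samba project. It parses "net cache list" output for exactly that pattern, reporting SIDs cached under more than one GID and GIDs that fall outside the RID+20000 convention the original post describes. The sample cache listing is constructed from the lines quoted in the thread plus one well-behaved group (RID 514); the GID offset and the idmap.ldb path in the remediation comment are assumptions.

```shell
#!/bin/sh
# Added example: audit winbind's idmap cache for conflicting group mappings.
# Sample "net cache list" output, constructed from the entries quoted in the
# thread plus one well-behaved group (RID 514) for contrast.
SAMPLE_CACHE='Key: IDMAP/GID2SID/20513         Timeout: Mon May  9 07:29:11 2016       Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/GID2SID/100   Timeout: Mon May  9 07:29:32 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513 Timeout: Mon May  9 07:29:32 2016       Value: 100:G
Key: IDMAP/GID2SID/20514         Timeout: Mon May  9 07:30:00 2016       Value: S-1-5-21-1891182457-2156988848-2018633412-514
Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-514 Timeout: Mon May  9 07:30:00 2016       Value: 20514:G'

# Site convention from the thread: gidNumber = RID + 20000.
# Assumption: every group on this domain follows it.
GID_OFFSET=20000

# Emit "SID gid" for every GID2SID entry in a cache listing ($1).
gid2sid_pairs() {
  printf '%s\n' "$1" | awk '
    $2 ~ /^IDMAP\/GID2SID\// {
      split($2, key, "/"); gid = key[3]
      for (i = 1; i <= NF; i++) if ($i == "Value:") sid = $(i + 1)
      print sid, gid
    }'
}

# SIDs cached under more than one GID: two GID2SID keys resolving to the same SID.
conflicting_sids() {
  gid2sid_pairs "$1" | awk '{ seen[$1]++ } END { for (s in seen) if (seen[s] > 1) print s }' | sort
}

# GID2SID entries whose gid is not RID + GID_OFFSET, as "SID cached_gid expected_gid".
unexpected_gids() {
  gid2sid_pairs "$1" | awk -v off="$GID_OFFSET" '{
    n = split($1, part, "-"); want = part[n] + off
    if ($2 != want) print $1, $2, want
  }'
}

# Human-readable report over a cache listing.
report() {
  echo "SIDs with conflicting GID2SID entries:"
  conflicting_sids "$1" | sed 's/^/  /'
  echo "GID2SID entries outside the RID+$GID_OFFSET scheme (SID cached expected):"
  unexpected_gids "$1" | sed 's/^/  /'
}

report "$SAMPLE_CACHE"
# On a live DC:   report "$(net cache list)"
# Remediation as given in the thread: remove the stale RID 513 record from
# idmap.ldb (path is an assumption for a default install), then drop the
# winbind cache so the gidNumber from AD is used:
#   ldbedit -H /var/lib/samba/private/idmap.ldb '(objectSid=S-1-5-21-1891182457-2156988848-2018633412-513)'
#   net cache flush
```

Run the report before and after flushing: a SID that still appears in the conflicting list after "net cache flush" means the wrong value is being re-read from idmap.ldb rather than surviving in the cache, which is the situation Achim and Rowland describe.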



