[Samba] winbindd losing track of RFC2307 UIDs

Achim Gottinger achim at ag-web.biz
Tue Oct 4 00:35:21 UTC 2016



Am 03.10.2016 um 18:57 schrieb Rob via samba:
> Hi all,
>
> I've been experiencing an intermittent problem where some UIDs on a 
> member server spontaneously change from being their AD-derived values 
> to being allocated from the default idmap space, even when there is no 
> change to the AD user information.
>
> Specifically, I have a member server running Samba 4.4.5 on CentOS 6.8.
> AD service is provided by two Samba 4.4.5 servers.
>
> The member server's smb.conf has (in part):
>
> [global]
>         netbios name = memberserver
>         security = ADS
>         workgroup = MYDOMAIN
>         realm = MY.AD.REALM.COM
>         server role = member server
>
>         interfaces = em1 127.0.0.1
>         bind interfaces only = yes
>
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>
>         # idmap config for domain
>         idmap config MY.AD.REALM.COM:backend = ad
>         idmap config MY.AD.REALM.COM:schema_mode = rfc2307
>         idmap config MY.AD.REALM.COM:range = 10000-99999
>
>         # Use template settings for login shell and home directory
>         winbind nss info = template
>         template shell = /bin/bash
>         template homedir = /home/%U
>
>         winbind use default domain = yes
> [...]
>
> This generally works fine... user mappings are like:
>
> $ wbinfo -i auser
> auser:*:10028:10000:User Name:/home/auser:/bin/bash
> $ id auser
> uid=10028(auser) gid=10000(agroup) groups=10000(agroup),10007(othergroup)
>
> After a while (generally a couple days, though sometimes much sooner), 
> this starts happening:
>
> $ wbinfo -i auser
> auser:*:2018:10000:User Name:/home/auser:/bin/bash
> $ id auser
> uid=2018(auser) gid=10000(agroup) groups=10000(agroup),10007(othergroup)
>
> and this persists until I do "net cache flush" on the member!
>
> Any thoughts on why the winbindd cache is getting corrupted?  I tried 
> running winbindd with log level 7, but nothing jumped out at me: just 
> normal queries returning 10028 and then normal queries returning 2018. 
> Other suggestions to try?
>
> Thanks!
> -Rob
>
> PS. At one point in the past, this member server was also a DC and 
> this problem never happened then.
>
Been having this issue on a DC after I updated from 4.1 to 4.2. It 
turned out some users with a defined uid also had mappings from winbind in 
idmap.tdb. At first the uid attribute gets used, but after a while the 
value from idmap.tdb was used. The fix was to delete the mappings in 
idmap.tdb.
On a member server you can use net idmap set/get/dump to test this.
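As an added example, not code from the thread: a small Python check that takes the idmap ranges from an smb.conf fragment and a `net idmap dump` listing and reports tdb entries in the default `*` range whose SID belongs to the AD domain, i.e. the mappings that shadow the RFC2307 values. The smb.conf fragment, the dump text and the domain SID are constructed; the `UID <id> <SID>` / `GID <id> <SID>` / `USER HWM <n>` line format is assumed to match what the tdb backend dumps.

```python
import re

# Constructed smb.conf fragment mirroring the ranges used in the post.
SMB_CONF = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MY.AD.REALM.COM:backend = ad
        idmap config MY.AD.REALM.COM:range = 10000-99999
"""

# Constructed `net idmap dump` output (SIDs are made up). The assumed
# format "UID <id> <SID>" / "GID <id> <SID>" / "USER HWM <n>" is the one
# that `net idmap restore` reads back.
IDMAP_DUMP = """\
USER HWM 2019
GROUP HWM 2002
UID 2018 S-1-5-21-1111111111-2222222222-3333333333-1105
GID 2001 S-1-5-21-1111111111-2222222222-3333333333-513
UID 2005 S-1-5-21-9999999999-8888888888-7777777777-1001
"""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

def parse_ranges(conf):
    """Return {domain: (lo, hi)} from 'idmap config X:range = lo-hi' lines."""
    ranges = {}
    for m in re.finditer(r"idmap config ([^:]+):range\s*=\s*(\d+)-(\d+)", conf):
        ranges[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def stale_tdb_mappings(dump, ranges, domain_sid):
    """List (kind, id, sid) entries whose SID is in the AD domain (which the
    ad backend should serve) but whose id was allocated from the '*' range."""
    lo, hi = ranges["*"]
    stale = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("UID", "GID"):
            continue  # skip HWM lines and anything unexpected
        kind, num, sid = parts[0], int(parts[1]), parts[2]
        if sid.rsplit("-", 1)[0] == domain_sid and lo <= num <= hi:
            stale.append((kind, num, sid))
    return stale

if __name__ == "__main__":
    found = stale_tdb_mappings(IDMAP_DUMP, parse_ranges(SMB_CONF), DOMAIN_SID)
    for kind, num, sid in found:
        print(f"{kind} {num} -> {sid}: tdb allocation shadows the AD RFC2307 id")
```

Entries it reports are the candidates to remove from idmap.tdb (and then `net cache flush`); the mapping for the foreign domain SID is left alone because that domain is legitimately served by the `*` tdb backend.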


