[Samba] winbindd losing track of RFC2307 UIDs

Rowland Penny rpenny at samba.org
Tue Oct 4 08:21:18 UTC 2016


On Tue, 4 Oct 2016 02:35:21 +0200
Achim Gottinger via samba <samba at lists.samba.org> wrote:

> 
> 
> Am 03.10.2016 um 18:57 schrieb Rob via samba:
> > Hi all,
> >
> > I've been experiencing an intermittent problem where some UIDs on a 
> > member server spontaneously change from being their AD-derived
> > values to being allocated from the default idmap space, even when
> > there is no change to the AD user information.
> >
> > Specifically, I have a member server running Samba 4.4.5 on CentOS
> > 6.8. AD service is provided by two Samba 4.4.5 servers.
> >
> > The member server's smb.conf has (in part):
> >
> > [global]
> >         netbios name = memberserver
> >         security = ADS
> >         workgroup = MYDOMAIN
> >         realm = MY.AD.REALM.COM
> >         server role = member server
> >
> >         interfaces = em1 127.0.0.1
> >         bind interfaces only = yes
> >
> >         idmap config *:backend = tdb
> >         idmap config *:range = 2000-9999
> >
> >         # idmap config for domain
> >         idmap config MY.AD.REALM.COM:backend = ad
> >         idmap config MY.AD.REALM.COM:schema_mode = rfc2307
> >         idmap config MY.AD.REALM.COM:range = 10000-99999
> >
> >         # Use template settings for login shell and home directory
> >         winbind nss info = template
> >         template shell = /bin/bash
> >         template homedir = /home/%U
> >
> >         winbind use default domain = yes
> > [...]
> >
> > This generally works fine... user mappings are like:
> >
> > $ wbinfo -i auser
> > auser:*:10028:10000:User Name:/home/auser:/bin/bash
> > $ id auser
> > uid=10028(auser) gid=10000(agroup)
> > groups=10000(agroup),10007(othergroup)
> >
> > After a while (generally a couple days, though sometimes much
> > sooner), this starts happening:
> >
> > $ wbinfo -i auser
> > auser:*:2018:10000:User Name:/home/auser:/bin/bash
> > $ id auser
> > uid=2018(auser) gid=10000(agroup)
> > groups=10000(agroup),10007(othergroup)
> >
> > and this persists until I do "net cache flush" on the member!
> >
> > Any thoughts on why the winbindd cache is getting corrupted?  I
> > tried running winbindd with log level 7, but nothing jumped out at
> > me: just normal queries returning 10028 and then normal queries
> > returning 2018. Other suggestions to try?
> >
> > Thanks!
> > -Rob
> >
> > PS. At one point in the past, this member server was also a DC and 
> > this problem never happened then.
> >
> Been having this issue on a dc after i updated from 4.1 to 4.2. It 
> turned out some users with defined uid also had mappings from winbind
> in idmap.tdb. At first the uid attribute gets used but after a while
> the value from idmap.tdb was used. The fix was to delete the mappings
> in idmap.tdb.
> On a member server you can use net idmap set/get/dump to test this.
> 

You are missing the fact that the OP is using the REALM name instead of
the NETBios domain name and for some reason winbind is starting to
allocate the user a UID from the '*' range.

Rowland
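As an added example (not part of this thread), a small check for the point Rowland makes: a domain-specific `idmap config` block must be keyed by the NetBIOS workgroup name (here MYDOMAIN), not the realm, and a UID such as 2018 lands inside the `*` range. The smb.conf fragment is constructed from the OP's config; the function names are assumptions of this example.

```python
import re

# Constructed smb.conf fragment mirroring the OP's setup: the domain-specific
# idmap block is keyed by the realm instead of the workgroup (NetBIOS) name.
SMB_CONF = """
[global]
        workgroup = MYDOMAIN
        realm = MY.AD.REALM.COM
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MY.AD.REALM.COM:backend = ad
        idmap config MY.AD.REALM.COM:range = 10000-99999
"""

# The same fragment with the block keyed by the workgroup name.
SMB_CONF_FIXED = SMB_CONF.replace("MY.AD.REALM.COM:", "MYDOMAIN:")

_KV = re.compile(r"^\s*([^#;=][^=]*?)\s*=\s*(.*?)\s*$")
_IDMAP = re.compile(r"^idmap config (\S+)\s*:\s*(\w+)$")

def parse_global(text):
    """Return (workgroup, realm, {domain: {option: value}}) from smb.conf text."""
    workgroup = realm = None
    idmap = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "workgroup":
            workgroup = value.upper()
        elif key == "realm":
            realm = value.upper()
        else:
            im = _IDMAP.match(key)
            if im:
                idmap.setdefault(im.group(1).upper(), {})[im.group(2)] = value
    return workgroup, realm, idmap

def misnamed_idmap_domains(text):
    """Domain-specific idmap blocks whose key is not the workgroup name."""
    workgroup, _realm, idmap = parse_global(text)
    return sorted(d for d in idmap if d != "*" and d != workgroup)

def uid_source(uid, text):
    """Name the idmap block whose range contains uid ('*' is the tdb fallback)."""
    _wg, _realm, idmap = parse_global(text)
    for domain, cfg in idmap.items():
        if "range" in cfg:
            lo, hi = (int(x) for x in cfg["range"].split("-"))
            if lo <= uid <= hi:
                return domain
    return None
```

Running `misnamed_idmap_domains` over a real smb.conf flags exactly the mismatch in this thread, and `uid_source(2018, ...)` shows the UID came from the `*` range rather than the AD backend.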
