[Samba] winbindd losing track of RFC2307 UIDs

Achim Gottinger achim at ag-web.biz
Tue Oct 4 13:16:17 UTC 2016



Am 04.10.2016 um 10:21 schrieb Rowland Penny:
> On Tue, 4 Oct 2016 02:35:21 +0200
> Achim Gottinger via samba <samba at lists.samba.org> wrote:
>
>>
>> Am 03.10.2016 um 18:57 schrieb Rob via samba:
>>> Hi all,
>>>
>>> I've been experiencing an intermittent problem where some UIDs on a
>>> member server spontaneously change from being their AD-derived
>>> values to being allocated from the default idmap space, even when
>>> there is no change to the AD user information.
>>>
>>> Specifically, I have a member server running Samba 4.4.5 on CentOS
>>> 6.8. AD service is provided by two Samba 4.4.5 servers.
>>>
>>> The member server's smb.conf has (in part):
>>>
>>> [global]
>>>          netbios name = memberserver
>>>          security = ADS
>>>          workgroup = MYDOMAIN
>>>          realm = MY.AD.REALM.COM
>>>          server role = member server
>>>
>>>          interfaces = em1 127.0.0.1
>>>          bind interfaces only = yes
>>>
>>>          idmap config *:backend = tdb
>>>          idmap config *:range = 2000-9999
>>>
>>>          # idmap config for domain
>>>          idmap config MY.AD.REALM.COM:backend = ad
>>>          idmap config MY.AD.REALM.COM:schema_mode = rfc2307
>>>          idmap config MY.AD.REALM.COM:range = 10000-99999
>>>
>>>          # Use template settings for login shell and home directory
>>>          winbind nss info = template
>>>          template shell = /bin/bash
>>>          template homedir = /home/%U
>>>
>>>          winbind use default domain = yes
>>> [...]
>>>
>>> This generally works fine... user mappings are like:
>>>
>>> $ wbinfo -i auser
>>> auser:*:10028:10000:User Name:/home/auser:/bin/bash
>>> $ id auser
>>> uid=10028(auser) gid=10000(agroup)
>>> groups=10000(agroup),10007(othergroup)
>>>
>>> After a while (generally a couple days, though sometimes much
>>> sooner), this starts happening:
>>>
>>> $ wbinfo -i auser
>>> auser:*:2018:10000:User Name:/home/auser:/bin/bash
>>> $ id auser
>>> uid=2018(auser) gid=10000(agroup)
>>> groups=10000(agroup),10007(othergroup)
>>>
>>> and this persists until I do "net cache flush" on the member!
>>>
>>> Any thoughts on why the winbindd cache is getting corrupted?  I
>>> tried running winbindd with log level 7, but nothing jumped out at
>>> me: just normal queries returning 10028 and then normal queries
>>> returning 2018. Other suggestions to try?
>>>
>>> Thanks!
>>> -Rob
>>>
>>> PS. At one point in the past, this member server was also a DC and
>>> this problem never happened then.
>>>
>> Been having this issue on a DC after I updated from 4.1 to 4.2. It
>> turned out some users with a defined uid also had mappings from winbind
>> in idmap.tdb. At first the uid attribute gets used, but after a while
>> the value from idmap.tdb was used. The fix was to delete the mappings
>> in idmap.tdb.
>> On a member server you can use net idmap set/get/dump to test this.
>>
> You are missing the fact that the OP is using the REALM name instead of
> the NETBios domain name and for some reason winbind is starting to
> allocate the user a UID from the '*' range.
>
> Rowland
It's jumping from using the RFC2307 uids/gids in AD to the "*" range. Were it
to dynamically assign from the AD range, it would still be an error.

man idmap_ad
---- snip -----
DESCRIPTION
        The idmap_ad plugin provides a way for Winbind to read id mappings from
        an AD server that uses RFC2307/SFU schema extensions. This module
        implements only the "idmap" API, and is READONLY. Mappings must be
        provided in advance by the administrator by adding the uidNumber
        attributes for users and gidNumber attributes for groups in the AD.
---- snap -----


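Rowland's observation above (the per-domain idmap block is labelled with the Kerberos realm rather than the NetBIOS workgroup, so winbind never matches it and falls through to the "*" range) can be checked mechanically before deploying an smb.conf. The following is an added example, not code from this thread or from the Samba project: a POSIX shell lint that reads workgroup and realm from a config file, lists every "idmap config <label>:" block, and flags any label that is neither "*" nor the workgroup. It runs against two constructed smb.conf fragments embedded below, the poster's realm-keyed layout and the same settings keyed by the workgroup. The function names, temp-file handling and sample configs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: lint an smb.conf for
# "idmap config" labels that name the Kerberos realm instead of the NetBIOS
# workgroup. winbind selects the per-domain idmap block by the short domain
# name, so a realm-labelled block is ignored and users get ids from "*".
# Helper names and the two sample configs are constructed assumptions.

# Print the value of a [global] parameter (first match, trailing blanks cut).
smb_param() {   # smb_param <smb.conf> <parameter>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Print each distinct label used in "idmap config <label>:<option> = ...".
idmap_labels() {   # idmap_labels <smb.conf>
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*\):.*/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' | sort -u
}

# Report labels that are neither "*" nor the workgroup. Returns 0 when the
# file is clean, 1 otherwise; findings are printed to stdout.
check_idmap_config() {   # check_idmap_config <smb.conf>
    conf=$1
    workgroup=$(smb_param "$conf" workgroup | tr '[:lower:]' '[:upper:]')
    realm=$(smb_param "$conf" realm | tr '[:lower:]' '[:upper:]')
    rc=0
    # Feed labels through a here-document so the "*" label is never subject
    # to pathname expansion (a "for x in $(...)" loop would glob it).
    while IFS= read -r label; do
        [ -n "$label" ] || continue
        case "$(printf '%s' "$label" | tr '[:lower:]' '[:upper:]')" in
            '*'|"$workgroup") ;;
            "$realm")
                echo "BAD: 'idmap config $label:' names the realm; winbind matches on workgroup '$workgroup'"
                rc=1 ;;
            *)
                echo "WARN: 'idmap config $label:' is neither '*' nor workgroup '$workgroup'"
                rc=1 ;;
        esac
    done <<EOF
$(idmap_labels "$conf")
EOF
    return $rc
}

# Constructed sample 1: the poster's layout, keyed by the realm (fails).
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
[global]
        workgroup = MYDOMAIN
        realm = MY.AD.REALM.COM
        security = ADS
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MY.AD.REALM.COM:backend = ad
        idmap config MY.AD.REALM.COM:schema_mode = rfc2307
        idmap config MY.AD.REALM.COM:range = 10000-99999
EOF

# Constructed sample 2: the same settings keyed by the workgroup (passes).
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
[global]
        workgroup = MYDOMAIN
        realm = MY.AD.REALM.COM
        security = ADS
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 10000-99999
EOF
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT

# Run the lint over both samples.
for f in "$BAD_CONF" "$GOOD_CONF"; do
    if check_idmap_config "$f"; then
        echo "$f: idmap config OK"
    fi
done
```

After relabelling the block on a real member server, the thread's own procedure applies: run "net cache flush" so winbindd drops the ids it already handed out from the "*" range, then confirm with "wbinfo -i <user>" that the uidNumber from AD is returned again.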