[Samba] winbindd losing track of RFC2307 UIDs

Rowland Penny rpenny at samba.org
Tue Oct 4 15:05:37 UTC 2016


On Tue, 4 Oct 2016 16:09:40 +0200
Achim Gottinger via samba <samba at lists.samba.org> wrote:

> 
> 
> Am 04.10.2016 um 15:43 schrieb Rowland Penny via samba:
> > On Tue, 4 Oct 2016 15:16:17 +0200
> > Achim Gottinger via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> Am 04.10.2016 um 10:21 schrieb Rowland Penny:
> >>> On Tue, 4 Oct 2016 02:35:21 +0200
> >>> Achim Gottinger via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Am 03.10.2016 um 18:57 schrieb Rob via samba:
> >>>>> Hi all,
> >>>>>
> >>>>> I've been experiencing an intermittent problem where some UIDs
> >>>>> on a member server spontaneously change from being their
> >>>>> AD-derived values to being allocated from the default idmap
> >>>>> space, even when there is no change to the AD user information.
> >>>>>
> >>>>> Specifically, I have a member server running Samba 4.4.5 on
> >>>>> CentOS 6.8. AD service is provided by two Samba 4.4.5 servers.
> >>>>>
> >>>>> The member server's smb.conf has (in part):
> >>>>>
> >>>>> [global]
> >>>>>           netbios name = memberserver
> >>>>>           security = ADS
> >>>>>           workgroup = MYDOMAIN
> >>>>>           realm = MY.AD.REALM.COM
> >>>>>           server role = member server
> >>>>>
> >>>>>           interfaces = em1 127.0.0.1
> >>>>>           bind interfaces only = yes
> >>>>>
> >>>>>           idmap config *:backend = tdb
> >>>>>           idmap config *:range = 2000-9999
> >>>>>
> >>>>>           # idmap config for domain
> >>>>>           idmap config MY.AD.REALM.COM:backend = ad
> >>>>>           idmap config MY.AD.REALM.COM:schema_mode = rfc2307
> >>>>>           idmap config MY.AD.REALM.COM:range = 10000-99999
> >>>>>
> >>>>>           # Use template settings for login shell and home directory
> >>>>>           winbind nss info = template
> >>>>>           template shell = /bin/bash
> >>>>>           template homedir = /home/%U
> >>>>>
> >>>>>           winbind use default domain = yes
> >>>>> [...]
> >>>>>
> >>>>> This generally works fine... user mappings are like:
> >>>>>
> >>>>> $ wbinfo -i auser
> >>>>> auser:*:10028:10000:User Name:/home/auser:/bin/bash
> >>>>> $ id auser
> >>>>> uid=10028(auser) gid=10000(agroup)
> >>>>> groups=10000(agroup),10007(othergroup)
> >>>>>
> >>>>> After a while (generally a couple days, though sometimes much
> >>>>> sooner), this starts happening:
> >>>>>
> >>>>> $ wbinfo -i auser
> >>>>> auser:*:2018:10000:User Name:/home/auser:/bin/bash
> >>>>> $ id auser
> >>>>> uid=2018(auser) gid=10000(agroup)
> >>>>> groups=10000(agroup),10007(othergroup)
> >>>>>
> >>>>> and this persists until I do "net cache flush" on the member!
> >>>>>
> >>>>> Any thoughts on why the winbindd cache is getting corrupted?  I
> >>>>> tried running winbindd with log level 7, but nothing jumped out
> >>>>> at me: just normal queries returning 10028 and then normal
> >>>>> queries returning 2018. Other suggestions to try?
> >>>>>
> >>>>> Thanks!
> >>>>> -Rob
> >>>>>
> >>>>> PS. At one point in the past, this member server was also a DC
> >>>>> and this problem never happened then.
> >>>>>
> >>>> Been having this issue on a DC after I updated from 4.1 to 4.2.
> >>>> It turned out some users with a defined uid also had mappings from
> >>>> winbind in idmap.tdb. At first the uid attribute gets used, but
> >>>> after a while the value from idmap.tdb was used. The fix was to
> >>>> delete the mappings in idmap.tdb.
> >>>> On a member server you can use net idmap set/get/dump to test
> >>>> this.
> >>>>
> >>> You are missing the fact that the OP is using the REALM name
> >>> instead of the NETBios domain name and for some reason winbind is
> >>> starting to allocate the user a UID from the '*' range.
> >>>
> >>> Rowland
> >> It's jumping from using RFC uids/gids in AD to the "*" range.
> >> Were it to dynamically assign from the AD range, it would still be
> >> an error.
> >>
> > If you look at the smb.conf the OP posted, you will find the ranges
> > are set to:
> >
> > idmap config *:range = 2000-9999
> > idmap config MY.AD.REALM.COM:range = 10000-99999
> >
> > His user 'auser' initially has this 'uid=10028', it then changes to
> > 'uid=2018'
> >
> > I do not really understand how he got the first as the second 'idmap
> > config' line is wrong, the user should have had the second id all
> > the time, because the user is outside the domain 'MYDOMAIN'.
> >
> > '10028' is inside the second range, but shouldn't have been used
> > because the DOMAIN name is wrong.
> > '2018' is inside the range set for '*' i.e. everything outside the
> > DOMAIN
> >
> > Rowland
> I assume he has configured 10028 as the uid in AD for that user.
> Using the realm as the domain name is not wrong seen from the Windows
> side of things, where the netbios name is there for backward
> compatibility. For example I can use [realm]\[username] or [netbios
> domain name]\[username] to logon to a windows domain member.

It might not be wrong from a Windows perspective, but it is wrong from
the 'idmap_ad' side of things; it expects the NETBios domain name, not
the realm. It is how winbind differentiates between domains, see 'man
idmap_ad'.

Rowland
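The following script is an added example, not code from the thread or from the Samba project. It checks the two things discussed above: whether the per-domain 'idmap config' label in smb.conf is the NetBIOS workgroup (as idmap_ad expects) rather than the realm, and whether a UID reported by 'wbinfo -i' falls in the domain range, the '*' fallback range, or neither. The smb.conf text and the two wbinfo lines are constructed from the OP's post; the ranges are the ones in that post. The helper names (conf_value, idmap_labels, lint_idmap_labels, classify_uid, check_wbinfo) are this example's own, not Samba tools.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project).
# Constructed smb.conf fragment mirroring the OP's configuration.
SMB_CONF='[global]
   workgroup = MYDOMAIN
   realm = MY.AD.REALM.COM
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config MY.AD.REALM.COM:backend = ad
   idmap config MY.AD.REALM.COM:schema_mode = rfc2307
   idmap config MY.AD.REALM.COM:range = 10000-99999'

# conf_value KEY -> value of the first "KEY = value" line in $SMB_CONF.
# Uses string comparison, so keys containing '*' or '.' are safe.
conf_value() {
    printf '%s\n' "$SMB_CONF" | awk -v key="$1" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[ \t]+$/, "", k)
            if (k == key) { v = substr(line, n + 1); sub(/^[ \t]+/, "", v); print v; exit }
        }'
}

# idmap_labels -> every LABEL used in "idmap config LABEL:..." except '*'.
idmap_labels() {
    printf '%s\n' "$SMB_CONF" | awk '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, "idmap config ") != 1) next
            rest = substr(line, 14)
            n = index(rest, ":"); if (n == 0) next
            label = substr(rest, 1, n - 1)
            if (label != "*" && !(label in seen)) { seen[label] = 1; print label }
        }'
}

# lint_idmap_labels -> 0 if every per-domain label equals the workgroup,
# 1 otherwise. idmap_ad keys its mappings on the NetBIOS domain name, so a
# label such as MY.AD.REALM.COM never matches the joined domain and winbind
# falls through to the '*' backend.
lint_idmap_labels() {
    wg=$(conf_value workgroup)
    bad=0
    for label in $(idmap_labels); do
        if [ "$label" != "$wg" ]; then
            echo "idmap config label '$label' does not match workgroup '$wg'" >&2
            bad=1
        fi
    done
    return $bad
}

# range_of LABEL -> "lo hi" taken from "idmap config LABEL:range = lo-hi".
range_of() {
    conf_value "idmap config $1:range" | tr '-' ' '
}

# classify_uid UID -> "domain" (per-domain range), "default" ('*' range)
# or "unmapped" (neither).
classify_uid() {
    uid=$1
    set -- $(range_of "$(idmap_labels | head -n 1)"); dlo=$1; dhi=$2
    set -- $(range_of '*'); slo=$1; shi=$2
    if [ "$uid" -ge "$dlo" ] && [ "$uid" -le "$dhi" ]; then echo domain
    elif [ "$uid" -ge "$slo" ] && [ "$uid" -le "$shi" ]; then echo default
    else echo unmapped
    fi
}

# check_wbinfo "name:*:uid:gid:gecos:home:shell" (one 'wbinfo -i' line)
#   -> prints "name uid class"; exit status 0 only when the UID is in the
#      domain range, so it can drive a cron or monitoring check.
check_wbinfo() {
    name=${1%%:*}
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    class=$(classify_uid "$uid")
    echo "$name $uid $class"
    [ "$class" = domain ]
}

# Constructed 'wbinfo -i' output: the healthy mapping, and the same user
# after winbind started handing out a UID from the '*' range.
GOOD='auser:*:10028:10000:User Name:/home/auser:/bin/bash'
BAD='auser:*:2018:10000:User Name:/home/auser:/bin/bash'

lint_idmap_labels || echo "smb.conf: use 'idmap config MYDOMAIN:...' instead of the realm"
check_wbinfo "$GOOD" || true   # auser 10028 domain
check_wbinfo "$BAD"  || true   # auser 2018 default
```

On a live member server, feed real output into the check with something like `wbinfo -i auser | { read -r l; check_wbinfo "$l"; }` and alert on a non-zero exit; a user flipping from "domain" to "default" without any AD change is exactly the symptom reported in the thread.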