[Samba] winbindd losing track of RFC2307 UIDs
Rowland Penny
rpenny at samba.org
Wed Oct 5 20:36:20 UTC 2016
On Wed, 5 Oct 2016 16:12:41 -0400 (EDT)
Rob via samba <samba at lists.samba.org> wrote:
> On Tue, 4 Oct 2016, Rowland Penny wrote:
>
> > This is very strange, have you tried running 'net cache flush' on
> > the domain member?
> >
> > Have you compared the users' AD objects?
>
> Running 'net cache flush' on the member does fix things, albeit only
> for a while:
>
> # wbinfo -i auser
> auser:*:2020:10000:User Name:/home/auser:/bin/bash
> # net cache flush
> # wbinfo -i auser
> auser:*:10028:10000:User Name:/home/auser:/bin/bash
> [...wait a few hours...]
> # wbinfo -i auser
> auser:*:2020:10000:User Name:/home/auser:/bin/bash
>
> Using ldbsearch on sam.ldb on the DC, I compared the attributes of
> problematic users and normal users... I couldn't find anything
> obvious distinguishing them.
>
> Also, on the member:
>
> # net idmap dump
> dumping id mapping from /usr/local/samba/var/locks/winbindd_idmap.tdb
> [...]
> UID 2020 S-1-5-21-2701825980-1665447529-2160704981-1177
>
> (where S-*-1177 is the SID for auser)
>
> But I'd think winbindd would prefer the mapping in AD, given smb.conf
> having our domain listed explicitly and 2xxx only as a
> default/fallback. Or maybe I misunderstand how the idmaps work...
> does the order in smb.conf matter at all?
>
> _Rob
>
>
OK, this is basically how the winbind 'ad' backend works:
Domain Users is checked for a gidNumber attribute and if found
winbind continues; if not found, the '*' range will be used.
Once past this point, any user that has a uidNumber attribute that
contains a number inside the 'idmap config DOMAIN' range will be
displayed by 'getent passwd username'.
Once a user is displayed in this way, it should always be displayed in
this way; it shouldn't get an ID from the '*' range.
Could the '...wait a few hours...' be about 10 hours ??
Try adding these lines to smb.conf:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
Leave the domain and rejoin; this should create /etc/krb5.keytab.
Rowland
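The precedence Rowland describes (an RFC2307 uidNumber/gidNumber inside the 'idmap config DOMAIN' range wins, the '*' range is only a fallback) can be turned into a small audit of winbindd_idmap.tdb: parse the output of 'net idmap dump' and flag every fallback allocation whose SID actually carries a valid RFC2307 id in AD, which is exactly the situation Rob sees for auser (tdb UID 2020 versus uidNumber 10028). This is an added example, not code from the thread or from Samba; the dump text, the AD attribute table and the two idmap ranges are constructed stand-ins for what 'net idmap dump', ldbsearch and smb.conf would provide on a real member.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `net idmap dump` output. The UID 2020 line reuses the
# numbers from the thread; the other two mapping lines are invented.
IDMAP_DUMP = """\
dumping id mapping from /usr/local/samba/var/locks/winbindd_idmap.tdb
UID 2020 S-1-5-21-2701825980-1665447529-2160704981-1177
GID 2001 S-1-5-21-2701825980-1665447529-2160704981-513
UID 2021 S-1-5-21-2701825980-1665447529-2160704981-1201
"""

# Constructed stand-in for the RFC2307 attributes ldbsearch would return from
# sam.ldb, keyed by objectSid. -1177 is auser (uidNumber 10028 in the thread),
# -513 is Domain Users with the gidNumber the 'ad' backend requires, -1201 is
# a hypothetical account with no uidNumber at all.
AD_RFC2307: Dict[str, Dict[str, int]] = {
    "S-1-5-21-2701825980-1665447529-2160704981-1177": {"uidNumber": 10028},
    "S-1-5-21-2701825980-1665447529-2160704981-513": {"gidNumber": 10000},
    "S-1-5-21-2701825980-1665447529-2160704981-1201": {},
}

# Hypothetical ranges, as 'idmap config * : range' and
# 'idmap config DOMAIN : range' would give them in smb.conf.
IDMAP_RANGES: Dict[str, Tuple[int, int]] = {
    "*": (2000, 9999),
    "DOMAIN": (10000, 19999),
}

LINE_RE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-1-5-21(?:-\d+)+)$")


def parse_idmap_dump(text: str) -> List[Tuple[str, int, str]]:
    """Return (kind, unix_id, sid) for each mapping line; skip the header."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def in_range(n: int, rng: Tuple[int, int]) -> bool:
    lo, hi = rng
    return lo <= n <= hi


def expected_id(kind: str, sid: str) -> Tuple[Optional[int], str]:
    """Apply the precedence described in the thread: an RFC2307 attribute
    inside the DOMAIN range is authoritative, otherwise the id is a '*'
    fallback allocation. Returns (ad_id_or_None, 'ad' | 'fallback')."""
    attr = "uidNumber" if kind == "UID" else "gidNumber"
    value = AD_RFC2307.get(sid, {}).get(attr)
    if value is not None and in_range(value, IDMAP_RANGES["DOMAIN"]):
        return value, "ad"
    return None, "fallback"


def audit(dump_text: str) -> List[Tuple[str, str, int, str]]:
    """Compare every tdb allocation with what AD says the SID should get.
    Status per entry: 'shadows-ad' when AD carries a valid RFC2307 id that the
    tdb entry would override (the thread's symptom), 'outside-star-range' when
    the tdb id is not even in the '*' range, 'ok' for a legitimate fallback."""
    findings = []
    for kind, tdb_id, sid in parse_idmap_dump(dump_text):
        _, source = expected_id(kind, sid)
        if source == "ad":
            findings.append(("shadows-ad", kind, tdb_id, sid))
        elif not in_range(tdb_id, IDMAP_RANGES["*"]):
            findings.append(("outside-star-range", kind, tdb_id, sid))
        else:
            findings.append(("ok", kind, tdb_id, sid))
    return findings


if __name__ == "__main__":
    for status, kind, tdb_id, sid in audit(IDMAP_DUMP):
        ad_id, _ = expected_id(kind, sid)
        print(f"{status:18} {kind} {tdb_id:<6} {sid}  ad={ad_id}")
```

Run against a real member by piping 'net idmap dump' into IDMAP_DUMP and filling AD_RFC2307 from an ldbsearch of uidNumber/gidNumber; any 'shadows-ad' line is a SID for which winbind has fallen back to the '*' range even though AD holds a usable RFC2307 id, so it is the entry to look at before and after 'net cache flush'.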