[Samba] Problems with ID mapping after upgrade to Debian jessie

Lukas Haase lukashaase at gmx.at
Sun Jan 15 00:03:04 UTC 2017


Hi,

I still do not know why the problem came up, why all the idmap
configuration was ignored and why wbinfo and net idmap dump returned
different entries. However, after a long time I ended up doing the
following:

1.) In the LDAP, changed the SID from
S-1-5-21-3909901412-745783496-1225843668-500 to SID
S-1-5-21-3909901412-745783496-1225843668-501.

2.) Hooray, login worked! wbinfo returned the correct result for RID 501
but not for 500. Changing the SID entry back stopped it from working again.

3.) Grepped /var for S-1-5-21-3909901412-745783496-1225843668-501. Found
it in /var/cache/samba/gencache.tdb. Deleted the file.

4.) Restarted samba, works again with original SID!

If somebody has an explanation for this behavior, I would still be
interested to know why ...

Luke

On 2017-01-14 14:49, Lukas Haase via samba wrote:
> Hi,
> 
> I have been running a Debian 3 server without problems for a long time.
> Now, after upgrading to Debian jessie (Debian 4.2.14) I cannot log in
> any more:
> 
> smbclient -U admin -L //localhost/
> Enter admin's password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
> 
> In the logs:
> 
> [2017/01/14 23:37:21.636022,  2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [admin] -> [admin] ->
> [admin] succeeded
> [2017/01/14 23:37:21.637610,  1]
> ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed
> 
> This is odd because the correct UID for this SID would be 1013.
> 
> The relevant Samba config thus far was:
> 
> passdb backend = ldapsam:ldap://ldap/
> ldap ssl = Start_tls
> obey pam restrictions = no
> ldap admin dn = uid=admin,dc=intra
> ldap suffix = dc=intra
> ldap group suffix = ou=groups
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap idmap suffix = ou=idmap
> idmap uid = 25000-27000
> idmap gid = 25000-27000
> 
> However, ou=idmap in the LDAP tree is empty and winbind was running.
> 
> I thought maybe it is because of the deprecated idmap uid option but no
> matter what I set for "idmap config", wbinfo always returns the wrong UID:
> 
> # wbinfo --sid-to-uid S-1-5-21-3909901412-745783496-1225843668-500
> 25003
> 
> 
> For example, I tried
> 
> idmap config * : backend = tdb
> idmap config * : range = 25000 27000
> 
> or
> 
> idmap config * : backend = rid
> idmap config * : range = 0 1000
> 
> The output just does not change.
> 
> Any help would be appreciated. Thanks!
> 
> Luke
> 
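An added example, not part of the original posts and not Samba code: a log check for the symptom in this thread, where a SID from the server's own domain is mapped to a UID inside the idmap allocation range (25003) although the account's real UID (1013) lies outside it. The function names are hypothetical, and the heuristic assumes, as in this setup, that passdb accounts have UIDs outside the idmap range.

```python
import re

# Message text as it appears in the add_local_groups log line quoted in the thread.
FAILED_LOOKUP = re.compile(
    r"SID (S-1-5-21-\d+-\d+-\d+)-(\d+) -> getpwuid\((\d+)\) failed")

def parse_range(value):
    """Parse range values written as '25000-27000' or '25000 27000'."""
    low, high = (int(part) for part in re.split(r"[-\s]+", value.strip()))
    return low, high

def find_suspect_mappings(log_text, domain_sid, idmap_range):
    """Return {sid: {"uid": n, "count": n}} for local-domain SIDs whose failed
    getpwuid() target lies inside the idmap allocation range.

    Assumption (true for the setup in the thread): passdb accounts carry UIDs
    outside that range, so a hit means the UID came from an allocated or
    cached idmap entry and not from the account's LDAP record.
    """
    low, high = parse_range(idmap_range)
    suspects = {}
    for match in FAILED_LOOKUP.finditer(log_text):
        domain, rid, uid = match.group(1), match.group(2), int(match.group(3))
        if domain != domain_sid or not low <= uid <= high:
            continue
        entry = suspects.setdefault(f"{domain}-{rid}", {"uid": uid, "count": 0})
        entry["count"] += 1
    return suspects

# Constructed sample log: the RID 500 message is the one from the thread (shown
# twice); the other two messages are made up to show what is not flagged.
SAMPLE_LOG = """\
[2017/01/14 23:37:21.637610,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed
[2017/01/14 23:38:02.114530,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed
[2017/01/14 23:39:10.000001,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-3909901412-745783496-1225843668-1005 -> getpwuid(1020) failed
[2017/01/14 23:40:10.000001,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-1111111111-2222222222-3333333333-1106 -> getpwuid(25010) failed
"""
DOMAIN_SID = "S-1-5-21-3909901412-745783496-1225843668"

if __name__ == "__main__":
    hits = find_suspect_mappings(SAMPLE_LOG, DOMAIN_SID, "25000-27000")
    for sid, info in hits.items():
        print(f"{sid}: uid {info['uid']} is in the idmap range ({info['count']} hits)")
```

A flagged SID is the one to compare against `wbinfo --sid-to-uid` and against the cached entry in gencache.tdb, as was done in the thread.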