[Samba] idmap limit?
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Tue Jan 16 14:22:44 UTC 2018
Hi,

we are running a file server as a member server of a Windows 2012 domain.
Now we are facing the problem that some UIDs are not mapped to the user
names by the running winbindd process. This results in "nobody"
usernames for NFS shares mounted by other clients.

When doing an "ls -l" in the homes directory on the member server (file
server), the list looks like:
drwx------ 43 DOM\user1 DOM\group 4096 Jan 10 08:00 user1
drwx------ 5 DOM\user2 DOM\group 4096 Jan 11 08:13 user2
drwx------ 3 1234 DOM\group 4096 Sep 7 2015 user3
drwx------ 7 1235 DOM\group 4096 Apr 30 2013 user4
drwx------ 12 DOM\user5 DOM\group 4096 Jan 4 12:46 user5
drwx------ 2 1236 DOM\group 4096 Jul 1 2015 user6
....

When we run a "wbinfo --uid-info" for an unmapped user, we are getting:
> wbinfo --uid-info=1234
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 1234

When we run "wbinfo -i" for that user, everything works fine.
> wbinfo -i DOM\\user3
DOM\user3:*:1234:1000::/home/user3:/bin/bash

After the last command (wbinfo -i DOM\\user3), "wbinfo
--uid-info=1234" also shows the correct result and the "ls -l" list also lists
the user name instead of the uid.

So the question is whether there is any limit for the UID to user name
mapping in winbind, since the problem started while increasing the
number of clients and users.

smb.conf looks like:
[global]
security = ADS
workgroup = DOM2
realm = DOM2.DOM.EXAMPLE.DE
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
template homedir = /home/%U
template shell = /bin/bash
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config DOM2 : backend = rid
idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
idmap config DOM : backend = rid
idmap config DOM : range = 10000-9999999 # UID from RID for DOM
winbind refresh tickets = yes

nsswitch.conf looks like:
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files

idmapd.conf looks like:
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = dom2.dom.example.de
Local-Realms = DOM2.DOM.EXAMPLE.DE,DOM.EXAMPLE.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

krb5.conf looks like:
[libdefaults]
default_realm = DOM2.DOM.TU-DRESDEN.DE
dns_lookup_realm = true
dns_lookup_kdc = true
--
Regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"
----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering
D-01062 Dresden
Germany
phone : +49 (351) 463 38496
fax : +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
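
Added example, not part of the original post and not Samba code: a small check that reads the "idmap config ... : range" lines and the "ls -l" rows quoted in the message and reports, for each owner shown as a bare number, which configured idmap range covers that uid. The function names are hypothetical; the sample input is copied from the post.

```python
import re

# Sample input constructed from the post: idmap lines and "ls -l" rows.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config DOM2 : backend = rid
idmap config DOM2 : range = 3000-9999 # UID aus RID für POOL
idmap config DOM : backend = rid
idmap config DOM : range = 10000-9999999 # UID aus RID für DOM
"""
LS_OUTPUT = r"""
drwx------ 43 DOM\user1 DOM\group 4096 Jan 10 08:00 user1
drwx------ 3 1234 DOM\group 4096 Sep 7 2015 user3
drwx------ 7 1235 DOM\group 4096 Apr 30 2013 user4
drwx------ 2 1236 DOM\group 4096 Jul 1 2015 user6
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config <dom> : range' lines."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:  # only the leading low-high is read; trailing text is ignored
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def covering_domain(uid, ranges):
    """Name of the idmap domain whose range contains uid, or None."""
    for dom, (low, high) in ranges.items():
        if low <= uid <= high:
            return dom
    return None

def numeric_owners(ls_text):
    """UIDs that 'ls -l' printed as numbers (owner name not resolved)."""
    rows = (line.split() for line in ls_text.splitlines())
    return [int(f[2]) for f in rows if len(f) >= 9 and f[2].isdigit()]

def audit(conf, ls_text):
    """Map each unresolved uid to the covering idmap domain (None if none)."""
    ranges = parse_ranges(conf)
    return {u: covering_domain(u, ranges) for u in numeric_owners(ls_text)}

if __name__ == "__main__":
    for uid, dom in audit(SMB_CONF, LS_OUTPUT).items():
        print(f"uid {uid}: covered by idmap domain {dom!r}")
```

A result of None means that no "idmap config" range in the supplied text contains that uid.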