[Samba] idmap limit?

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Jan 16 14:22:44 UTC 2018


we are running a file server as member server of a windows 2012 domain. 
Now we are facing the problem, that some UIDs are not mapped to the user 
names by the running winbindd process. This results in "nobody" 
usernames for nfs shares mounted by other clients.

When doing an "ls -l" in the homes directory on the member server (file 
server), the list looks like:

drwx------ 43 DOM\user1        DOM\group  4096 Jan 10 08:00 user1
drwx------   5 DOM\user2        DOM\group  4096 Jan 11 08:13 user2
drwx------  3           1234          DOM\group  4096 Sep  7  2015 user3
drwx------  7           1235          DOM\group  4096 Apr 30  2013 user4
drwx------ 12 DOM\user5        DOM\group   4096 Jan  4 12:46 user5
drwx------  2           1236          DOM\group   4096 Jul  1 2015 user6

When we run a "wbinfo --uid-info" for an unmapped user, we are getting:

 > wbinfo --uid-info=1234
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 1234

When we run "wbinfo -i" for that user, everything works fine.

 > wbinfo -i DOM\\user3

After the last command (wbinfo -i DOM\\user3) also "wbinfo 
--uid-info=1234" shows the correct result and the "ls -l" list also list 
the user name instead of the uid.

So the question is, if there is any limit for the UID to user name 
mapping in winbind, since the problem started while increasing the 
number of clients and users.

smb.conf looks like:

     security = ADS
     workgroup = DOM2
     realm = DOM2.DOM.EXAMPLE.DE
     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab

     template homedir = /home/%U
     template shell = /bin/bash

     idmap config * : backend = tdb
     idmap config * : range = 2000-2999
     idmap config DOM2 : backend = rid
     idmap config DOM2 : range = 3000-9999 # UID aus RID für POOL
     idmap config DOM : backend = rid
     idmap config DOM : range = 10000-9999999 # UID aus RID für DOM

     winbind refresh tickets = yes

nsswitch.conf looks like:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files

idmapd.conf looks like:


Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = dom2.dom.example.de


Nobody-User = nobody
Nobody-Group = nogroup

krb5.conf looks like:

     default_realm = DOM2.DOM.TU-DRESDEN.DE
     dns_lookup_realm = true
     dns_lookup_kdc = true

Andreas Hauffe
Leiter des Forschungsfeldes "Auslegungsmethoden für Luftfahrzeuge"

Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:

More information about the samba mailing list