[Samba] idmap limit?
Rowland Penny
rpenny at samba.org
Tue Jan 16 15:06:21 UTC 2018
On Tue, 16 Jan 2018 15:22:44 +0100
Andreas Hauffe via samba <samba at lists.samba.org> wrote:
> Hi,
>
> we are running a file server as a member server of a Windows 2012
> domain. Now we are facing the problem that some UIDs are not mapped
> to user names by the running winbindd process. This results in
> "nobody" user names for NFS shares mounted by other clients.
>
> When doing an "ls -l" in the homes directory on the member server
> (file server), the list looks like:
>
> drwx------ 43 DOM\user1 DOM\group 4096 Jan 10 08:00 user1
> drwx------ 5 DOM\user2 DOM\group 4096 Jan 11 08:13 user2
> drwx------ 3 1234 DOM\group 4096 Sep 7 2015 user3
> drwx------ 7 1235 DOM\group 4096 Apr 30 2013 user4
> drwx------ 12 DOM\user5 DOM\group 4096 Jan 4 12:46 user5
> drwx------ 2 1236 DOM\group 4096 Jul 1 2015 user6
> ....
>
> When we run a "wbinfo --uid-info" for an unmapped user, we are
> getting:
>
> > wbinfo --uid-info=1234
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 1234
>
> When we run "wbinfo -i" for that user, everything works fine.
>
> > wbinfo -i DOM\\user3
> DOM\user3:*:1234:1000::/home/user3:/bin/bash
>
> After the last command (wbinfo -i DOM\\user3), "wbinfo
> --uid-info=1234" also shows the correct result, and the "ls -l" listing
> shows the user name instead of the UID.
>
> So the question is whether there is any limit for the UID-to-user-name
> mapping in winbind, since the problem started while we were increasing
> the number of clients and users.
>
> smb.conf looks like:
>
> [global]
> security = ADS
> workgroup = DOM2
> realm = DOM2.DOM.EXAMPLE.DE
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> template homedir = /home/%U
> template shell = /bin/bash
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-2999
> idmap config DOM2 : backend = rid
> idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
> idmap config DOM : backend = rid
> idmap config DOM : range = 10000-9999999 # UID from RID for DOM
>
> winbind refresh tickets = yes
>
> nsswitch.conf looks like:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers: files
>
> idmapd.conf looks like:
>
> [General]
>
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
> Domain = dom2.dom.example.de
> Local-Realms = DOM2.DOM.EXAMPLE.DE,DOM.EXAMPLE.DE
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nogroup
>
> krb5.conf looks like:
>
> [libdefaults]
> default_realm = DOM2.DOM.TU-DRESDEN.DE
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
>
Is the user '1234' stored in AD or /etc/passwd?
From the number '1234', it is not a member of 'DOM' (range
10000-9999999), or 'DOM2' (range 3000-9999), or a member of '*' (range
2000-2999); it looks like it is probably a local Unix user.
Rowland
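Rowland's check above (which configured idmap range, if any, covers UID 1234) can be done mechanically against the posted smb.conf. The script below is an added example, not code from the thread or from Samba: it parses the "idmap config <domain> : <key> = <value>" lines as smb.conf(5) documents them, reports the idmap domain an ID falls into, recovers the RID for rid-backed domains from the documented formula ID = RID - base_rid + LOW_RANGE_ID (base_rid is assumed to take its smb.conf default of 0), and flags overlapping ranges, which winbind rejects. The embedded SMB_CONF is constructed from the posted configuration with the German comments translated; the UIDs 1234-1236 are the unmapped owners from the "ls -l" listing, the other UIDs are made up to show the in-range cases.

```python
"""Check Unix IDs against the idmap ranges in an smb.conf [global] section.

Added example for the thread above; not code from the original post or from
Samba. For the 'rid' backend the RID is recovered with the smb.conf(5)
formula ID = RID - base_rid + LOW_RANGE_ID (base_rid defaults to 0). An ID
covered by no configured range was not allocated by winbind, which is what
Rowland points out for UID 1234: it is most likely a local account.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: idmap lines from the smb.conf posted in the thread,
# German comments translated. Not a complete smb.conf.
SMB_CONF = """\
[global]
security = ADS
workgroup = DOM2
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config DOM2 : backend = rid
idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
idmap config DOM : backend = rid
idmap config DOM : range = 10000-9999999 # UID from RID for DOM
"""

# 'idmap config <domain> : <key> = <value>', trailing '#'/';' comments dropped.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>[^#;]*)",
    re.IGNORECASE,
)


@dataclass
class IdmapDomain:
    name: str
    backend: str = ""
    low: Optional[int] = None
    high: Optional[int] = None
    base_rid: int = 0  # assumed smb.conf default for the rid backend


def parse_idmap(conf: str) -> Dict[str, IdmapDomain]:
    """Collect backend, range and base_rid per idmap domain ('*' is the default domain)."""
    domains: Dict[str, IdmapDomain] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = domains.setdefault(m["dom"], IdmapDomain(m["dom"]))
        key, val = m["key"].lower(), m["val"].strip()
        if key == "backend":
            dom.backend = val.lower()
        elif key == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", val))
            if low > high:
                raise ValueError(f"idmap config {dom.name}: range {val!r} is inverted")
            dom.low, dom.high = low, high
        elif key == "base_rid":
            dom.base_rid = int(val)
    return domains


def overlapping_ranges(domains: Dict[str, IdmapDomain]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap; winbind refuses to start on these."""
    ranged = sorted((d for d in domains.values() if d.low is not None), key=lambda d: d.low)
    return [(a.name, b.name) for a, b in zip(ranged, ranged[1:]) if b.low <= a.high]


def classify_id(xid: int, domains: Dict[str, IdmapDomain]) -> Tuple[Optional[str], Optional[int]]:
    """(idmap domain, RID) for a UID/GID, or (None, None) if no range covers it.

    The RID is only computable for the 'rid' backend; tdb/autorid allocations
    live in winbind's database and cannot be derived from the number alone.
    """
    for d in domains.values():
        if d.low is not None and d.low <= xid <= d.high:
            rid = xid - d.low + d.base_rid if d.backend == "rid" else None
            return d.name, rid
    return None, None


def id_for_rid(domain: str, rid: int, domains: Dict[str, IdmapDomain]) -> int:
    """Forward direction of the rid backend: the Unix ID winbind assigns to a RID."""
    d = domains[domain]
    if d.backend != "rid" or d.low is None:
        raise ValueError(f"{domain} is not a rid-backed domain with a range")
    xid = d.low + rid - d.base_rid
    if not d.low <= xid <= d.high:
        raise ValueError(f"RID {rid} maps to {xid}, outside {domain}'s range {d.low}-{d.high}")
    return xid


if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(doms) or "none")
    for uid in (1234, 1235, 1236, 2500, 3500, 11106):
        dom, rid = classify_id(uid, doms)
        if dom is None:
            print(f"uid {uid}: outside every idmap range -> probably a local Unix account")
        else:
            print(f"uid {uid}: idmap domain {dom}" + (f", RID {rid}" if rid is not None else ""))
```

Run it against the real /etc/samba/smb.conf by replacing SMB_CONF with the file's contents; a UID reported as outside every range should then be looked up with getent passwd <uid> with winbind disabled (or in /etc/passwd directly), which is the question Rowland asks.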