[Samba] idmap limit?

Rowland Penny rpenny at samba.org
Tue Jan 16 15:06:21 UTC 2018


On Tue, 16 Jan 2018 15:22:44 +0100
Andreas Hauffe via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> we are running a file server as member server of a windows 2012
> domain. Now we are facing the problem, that some UIDs are not mapped
> to the user names by the running winbindd process. This results in
> "nobody" usernames for nfs shares mounted by other clients.
> 
> When doing an "ls -l" in the homes directory on the member server
> (file server), the list looks like:
> 
> drwx------ 43 DOM\user1        DOM\group  4096 Jan 10 08:00 user1
> drwx------  5 DOM\user2        DOM\group  4096 Jan 11 08:13 user2
> drwx------  3           1234  DOM\group  4096 Sep  7  2015 user3
> drwx------  7           1235  DOM\group  4096 Apr 30  2013 user4
> drwx------ 12 DOM\user5        DOM\group  4096 Jan  4 12:46 user5
> drwx------  2           1236  DOM\group  4096 Jul  1  2015 user6
> ....
> 
> When we run a "wbinfo --uid-info" for an unmapped user, we are
> getting:
> 
>  > wbinfo --uid-info=1234
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 1234
> 
> When we run "wbinfo -i" for that user, everything works fine.
> 
>  > wbinfo -i DOM\\user3
> DOM\user3:*:1234:1000::/home/user3:/bin/bash
> 
> After the last command (wbinfo -i DOM\\user3) also "wbinfo 
> --uid-info=1234" shows the correct result and the "ls -l" list also
> list the user name instead of the uid.
> 
> So the question is, if there is any limit for the UID to user name 
> mapping in winbind, since the problem started while increasing the 
> number of clients and users.
> 
> smb.conf looks like:
> 
> [global]
>      security = ADS
>      workgroup = DOM2
>      realm = DOM2.DOM.EXAMPLE.DE
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
> 
>      template homedir = /home/%U
>      template shell = /bin/bash
> 
>      idmap config * : backend = tdb
>      idmap config * : range = 2000-2999
>      idmap config DOM2 : backend = rid
>      idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
>      idmap config DOM : backend = rid
>      idmap config DOM : range = 10000-9999999 # UID from RID for DOM
> 
>      winbind refresh tickets = yes
> 
> nsswitch.conf looks like:
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> sudoers:        files
> 
> idmapd.conf looks like:
> 
> [General]
> 
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
> Domain = dom2.dom.example.de
> Local-Realms = DOM2.DOM.EXAMPLE.DE,DOM.EXAMPLE.DE
> 
> [Mapping]
> 
> Nobody-User = nobody
> Nobody-Group = nogroup
> 
> krb5.conf looks like:
> 
> [libdefaults]
>      default_realm = DOM2.DOM.TU-DRESDEN.DE
>      dns_lookup_realm = true
>      dns_lookup_kdc = true
> 
> 

Is the user '1234' stored in AD or /etc/passwd?

From the number '1234', it is not a member of 'DOM' (range
10000-9999999), or 'DOM2' (range 3000-9999), or a member of '*' (range
2000-2999); it looks like it is probably a local Unix user.

Rowland
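The range check Rowland does by eye (which configured idmap range, if any, covers a given numeric ID, and whether the ID instead belongs to a local /etc/passwd account) can be scripted. The following is an added example, not code from the post or from the Samba project. It parses only the `idmap config <domain> : range` and `: backend` lines in the syntax smb.conf uses, reads the ranges from a constructed copy of the smb.conf shown above, and uses a constructed /etc/passwd fragment for the local-user lookup; `parse_idmap`, `classify_id`, `local_user` and `overlapping_ranges` are names chosen here. For `rid` ranges it also derives the RID, since idmap_rid allocates ID = RID + low end of the range (with the default base_rid of 0). Samba's own smb.conf parser documents only whole-line comments, so the trailing `# ...` comments from the post are stripped here just to keep the example faithful to what was posted.

```python
"""Classify numeric IDs against the idmap ranges of an smb.conf (added example)."""
import re

# Constructed copy of the relevant lines from the posted smb.conf.
SMB_CONF = """
[global]
     security = ADS
     workgroup = DOM2
     idmap config * : backend = tdb
     idmap config * : range = 2000-2999
     idmap config DOM2 : backend = rid
     idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
     idmap config DOM : backend = rid
     idmap config DOM : range = 10000-9999999 # UID from RID for DOM
"""

# Constructed /etc/passwd fragment; the uid 1234 entry exists only to show the lookup.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
backup:x:1234:1234:Backup user:/var/backups:/usr/sbin/nologin
"""

# 'idmap config <domain> : <key> = <value>'; value stops at a trailing '#' comment.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*([^#]*)", re.IGNORECASE)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # whole-line comments
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3).strip()
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", val))
            entry["range"] = (low, high)
        elif key == "backend":
            entry["backend"] = val.lower()
    return domains


def classify_id(uid, domains):
    """Return the domain entry whose range covers uid, or None if no range does."""
    for dom, entry in domains.items():
        if "range" not in entry:
            continue
        low, high = entry["range"]
        if low <= uid <= high:
            result = {"domain": dom, "backend": entry.get("backend"), "range": (low, high)}
            if entry.get("backend") == "rid":
                result["rid"] = uid - low    # idmap_rid: ID = RID + LOW_RANGE_ID (base_rid 0)
            return result
    return None


def local_user(uid, passwd_text):
    """Return the /etc/passwd login name owning uid, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) == uid:
            return fields[0]
    return None


def overlapping_ranges(domains):
    """Return pairs of domains whose ranges overlap; idmap ranges must be disjoint."""
    names = [d for d in domains if "range" in domains[d]]
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = domains[a]["range"], domains[b]["range"]
            if al <= bh and bl <= ah:
                pairs.append((a, b))
    return pairs


DOMAINS = parse_idmap(SMB_CONF)

if __name__ == "__main__":
    for uid in (1234, 2500, 3005, 11105):
        hit = classify_id(uid, DOMAINS)
        local = local_user(uid, PASSWD)
        print(uid, "->", hit if hit else "no idmap range", "| local:", local)
    print("overlaps:", overlapping_ranges(DOMAINS))
```

Run it against a real host by replacing the two constructed strings with the output of `testparm -s` and the contents of `/etc/passwd`; an ID that `classify_id` reports as outside every range cannot have been handed out by any of the configured backends, which is exactly the reasoning in the reply above.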