[Samba] autorid broken in samba 4.9?

Nathaniel W. Turner nathanielwyliet at gmail.com
Wed Jun 17 13:25:03 UTC 2020


I realize I never followed up with this. The problem here turned out to be
that I was doing a "reload" of the samba services (smb, nmb, winbind) to
pick up my ID mapping changes in smb.conf. Switching my test case to do a
"restart" instead resolved the issue.

More details:

The test case basically did the following:
1. Join AD using "realm join --client-software=winbind ..."
2. Reconfigure smb.conf based on a custom template (as shown in prior
emails).
3. Reload samba services.
4. Log in as an AD user (or use wbinfo -i ...)

The problem was a combination of a few things:
* Step 1 writes an interim smb.conf with an undesirable idmapping
configuration. (I realize there is probably a better way to craft this test
case than by using "realm join" here --- suggestions welcome.)
* Step 3 didn't completely eradicate the old idmapping configuration from
the runtime. It seems a "restart" is needed here.
* After step 4 shows the wrong ID mapping, a "restart" of the services does
not fix it, presumably because the autorid.cache file already has an entry
for this username.

Anyway, I just wanted to post this here in case anyone else finds this
thread while debugging the same problem.

n

On Thu, Apr 9, 2020 at 9:35 AM Nathaniel W. Turner <nate at houseofnate.net>
wrote:

> Hi all,
>
> Thanks for the replies.
>
> On Thu, Apr 9, 2020 at 3:54 AM L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
>> Good morning Rowland,
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> > Rowland penny via samba
>> > Sent: Thursday, April 9, 2020 9:46
>> > To: samba at lists.samba.org
>> > Subject: Re: [Samba] autorid broken in samba 4.9?
>> >
>> > On 09/04/2020 08:34, L.P.H. van Belle via samba wrote:
>> > > Show the servers their smb.conf that might help.
>> > >
>> > > And you're using autorid..
>> > > https://wiki.samba.org/index.php/Idmap_config_autorid
>> > >
>> > > Drawbacks: User and group IDs are not equal across Samba domain members.
>> > >
>> > > TC84\administrator:*:1100500:1100513::/home/administrator at TC84
>> > > TC83\administrator:*:1200500:1200513::/home/administrator at TC83
>> > >
>> > > 1200500-1100500 = 100000
>> > >
>> > > idmap config * : rangesize = 100000
>> > >   The default value is 100000 !
>> > >
>> > > So this looks normal.. But I never used autorid so, I'm sure if I'm wrong
>> > > Someone will correct me ;-)
>> >
>> > Yes that is correct, they should be different across domains, but they
>> > shouldn't change if Samba is upgraded and this is what has happened for
>> > the OP.
>>
>
> Right, the mappings in the samba 4.8 case quoted look right to me too.
> What I don't understand is this:
>
> TC84\administrator:*:2000500:2000513::/home/administrator at TC84:/bin/bash
> TC83\administrator:*:10000:10000::/home/administrator at TC83:/bin/bash
>
> I thought that because I have "idmap config * : range = 1000000-19999999",
> that the lowest UID that idmap would allocate would be 1000000 (but here we
> have 10,000 which is much less than 1,000,000).
>
>> > I wasn't going to reply on this subject because I do not know enough
>> > about autorid and there doesn't seem to be any changes to the code that
>> > could cause this. I did hope that one of the other Samba team members
>> > would chime in.
>>
>> Hahaha.. Yeah, well, one did :-).
>> And I was thinking the same but I felt sorry nobody replied him,
>> so I gave it an attempt to help. I don't know much of the autorid part also,
>> but let's give it a try.
>>
>> >
>> > Perhaps seeing the OP's smb.conf might help and a bit more
>> > info, is sssd running for instance ?
>>
>> Yeah, we really need the full smb.conf to tell more.
>>
>
> Sure, here's the whole thing (it's identical on both machines):
>
> # Global parameters
> [global]
>         client signing = required
>         debug pid = Yes
>         debug prefix timestamp = Yes
>         disable netbios = Yes
>         dns proxy = No
>         guest account = nfsnobody
>         hostname lookups = Yes
>         kerberos method = system keytab
>         load printers = No
>         local master = No
>         log file = /var/log/samba/log.%m
>         logging = file
>         map to guest = Bad User
>         max log size = 1000
>         max open files = 32768
>         preferred master = No
>         realm = TC84.LOCAL
>         security = ADS
>         server min protocol = SMB2
>         server string = xxxxxxx
>         template homedir = /home/%U@%D
>         template shell = /bin/bash
>         unix extensions = No
>         winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         workgroup = TC84
>         idmap config * : range = 1000000-19999999
>         idmap config * : backend = autorid
>         aio read size = 0
>         aio write size = 0
>         allocation roundup size = 0
>         dfree cache time = 60
>         level2 oplocks = No
>         locking = No
>         oplocks = No
>
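
An added example, not part of the original thread or of Samba: a Python check that flags getent-style passwd entries whose UID or GID falls outside the "idmap config * : range" set in smb.conf, and splits in-range IDs into range slot and RID using the default rangesize of 100000 mentioned above. The function names are hypothetical, the sample input is constructed from values quoted in the thread, and the low + slot * rangesize + RID layout is an assumption that matches those values.

```python
import re

# Constructed sample input, built from values quoted in this thread.
SMB_CONF = """
[global]
        idmap config * : range = 1000000-19999999
        idmap config * : backend = autorid
"""
PASSWD_LINES = [
    r"TC84\administrator:*:2000500:2000513::/home/administrator@TC84:/bin/bash",
    r"TC83\administrator:*:10000:10000::/home/administrator@TC83:/bin/bash",
]

def parse_idmap_range(smb_conf, domain="*"):
    """Return (low, high) from 'idmap config <domain> : range = low-high'."""
    pattern = re.compile(
        r"^\s*idmap\s+config\s+" + re.escape(domain)
        + r"\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
        re.IGNORECASE | re.MULTILINE,
    )
    match = pattern.search(smb_conf)
    if match is None:
        raise ValueError("no idmap range configured for %r" % domain)
    return int(match.group(1)), int(match.group(2))

def check_passwd_line(line, low, high, rangesize=100000):
    """Classify one passwd entry against the configured range."""
    fields = line.split(":")
    name, uid, gid = fields[0], int(fields[2]), int(fields[3])
    in_range = low <= uid <= high and low <= gid <= high
    entry = {"name": name, "uid": uid, "gid": gid, "in_range": in_range}
    if in_range:
        # Assumed layout: id = low + slot * rangesize + RID
        entry["slot"], entry["rid"] = divmod(uid - low, rangesize)
    return entry

def out_of_range(lines, smb_conf):
    """Names of entries whose UID or GID is outside the idmap range."""
    low, high = parse_idmap_range(smb_conf)
    checked = [check_passwd_line(line, low, high) for line in lines]
    return [e["name"] for e in checked if not e["in_range"]]

if __name__ == "__main__":
    low, high = parse_idmap_range(SMB_CONF)
    for line in PASSWD_LINES:
        print(check_passwd_line(line, low, high))
    print("outside configured range:", out_of_range(PASSWD_LINES, SMB_CONF))
```

Run against real "getent passwd" output after a configuration change, a non-empty result from out_of_range() points at mappings that did not come from the range currently in smb.conf.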

