[Samba] autorid broken in samba 4.9?
Nathaniel W. Turner
nathanielwyliet at gmail.com
Wed Jun 17 13:25:03 UTC 2020
I realize I never followed up with this. The problem here turned out to be
that I was doing a "reload" of the samba services (smb, nmb, winbind) to
pick up my ID mapping changes in smb.conf. Switching my test case to do a
"restart" instead resolved the issue.
The test case basically did the following:
1. Join AD using "realm join --client-software=winbind ..."
2. Reconfigure smb.conf based on a custom template (as shown in prior
3. Reload samba services.
4. Log in as an AD user (or use wbinfo -i ...)
The problem was a combination of a few things:
* Step 1 writes an interim smb.conf with an undesirable idmapping
configuration. (I realize there is probably a better way to craft this test
case than by using "realm join" here --- suggestions welcome.)
* Step 3 didn't completely eradicate the old idmapping configuration from
the runtime. It seems a "restart" is needed here.
* After step 4 shows the wrong ID mapping, a "restart" of the services does
not fix it, presumably because the autorid.cache file already has an entry
for this username.
Anyway, I just wanted to post this here in case anyone else finds this
thread while debugging the same problem.
On Thu, Apr 9, 2020 at 9:35 AM Nathaniel W. Turner <nate at houseofnate.net>
> Hi all,
> Thanks for the replies.
> On Thu, Apr 9, 2020 at 3:54 AM L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>> Good morning Rowland,
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> > Rowland penny via samba
>> > Sent: Thursday 9 April 2020 9:46
>> > To: samba at lists.samba.org
>> > Subject: Re: [Samba] autorid broken in samba 4.9?
>> > On 09/04/2020 08:34, L.P.H. van Belle via samba wrote:
>> > > Show the servers there smb.conf that might help.
>> > >
>> > > And you're using autorid..
>> > > https://wiki.samba.org/index.php/Idmap_config_autorid
>> > >
>> > > Drawbacks: User and group IDs are not equal across Samba domain members.
>> > >
>> > > TC84\administrator:*:1100500:1100513::/home/administrator at TC84
>> > > TC83\administrator:*:1200500:1200513::/home/administrator at TC83
>> > >
>> > > 1200500-1100500 = 100000
>> > >
>> > > idmap config * : rangesize = 100000
>> > > The default value is 100000 !
>> > >
>> > > So this looks normal.. But I never used autorid so, I'm sure if I'm wrong
>> > > Someone will correct me ;-)
>> > Yes that is correct, they should be different across domains, but they
>> > shouldn't change if Samba is upgraded and this is what has happened for
>> > the OP.
> Right, the mappings in the samba 4.8 case quoted look right to me too.
> What I don't understand is this:
> TC84\administrator:*:2000500:2000513::/home/administrator at TC84:/bin/bash
> TC83\administrator:*:10000:10000::/home/administrator at TC83:/bin/bash
> I thought that because I have "idmap config * : range = 1000000-19999999",
> that the lowest UID that idmap would allocate would be 1000000 (but here we
> have 10,000 which is much less than 1,000,000).
>> > I wasn't going to reply on this subject because I do not know enough
>> > about autorid and there doesn't seem to be any changes to
>> > the code that could cause this. I did hope that one of the other
>> > team members would chime in.
>> Hahaha.. Yeah, well, one did :-).
>> And I was thinking the same but I felt sorry nobody replied to him,
>> so I gave it an attempt to help. I don't know much of the autorid part
>> but let's give it a try.
>> > Perhaps seeing the OP's smb.conf might help and a bit more
>> > info, is sssd running for instance ?
>> Yeah, we really need the full smb.conf to tell more.
> Sure, here's the whole thing (it's identical on both machines):
> # Global parameters
> client signing = required
> debug pid = Yes
> debug prefix timestamp = Yes
> disable netbios = Yes
> dns proxy = No
> guest account = nfsnobody
> hostname lookups = Yes
> kerberos method = system keytab
> load printers = No
> local master = No
> log file = /var/log/samba/log.%m
> logging = file
> map to guest = Bad User
> max log size = 1000
> max open files = 32768
> preferred master = No
> realm = TC84.LOCAL
> security = ADS
> server min protocol = SMB2
> server string = xxxxxxx
> template homedir = /home/%U@%D
> template shell = /bin/bash
> unix extensions = No
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> workgroup = TC84
> idmap config * : range = 1000000-19999999
> idmap config * : backend = autorid
> aio read size = 0
> aio write size = 0
> allocation roundup size = 0
> dfree cache time = 60
> level2 oplocks = No
> locking = No
> oplocks = No
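
Added example, not part of the original thread: a Python check that reads the `idmap config * : range` setting and tests the UIDs/GIDs from the two passwd lines quoted above against it, splitting in-range IDs into range number and reduced RID as documented in idmap_autorid(8). The function names are hypothetical, and the default rangesize of 100000 is assumed because the posted smb.conf does not set one.

```python
import re

# Values quoted in the thread, copied as archived. The posted smb.conf sets no
# rangesize, so the default (100000) mentioned in the thread is assumed.
SMB_CONF = """\
idmap config * : range = 1000000-19999999
idmap config * : backend = autorid
"""
PASSWD_LINES = [
    r"TC84\administrator:*:2000500:2000513::/home/administrator at TC84:/bin/bash",
    r"TC83\administrator:*:10000:10000::/home/administrator at TC83:/bin/bash",
]
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf, domain="*"):
    """Return (low, high, rangesize) from 'idmap config <domain> : ...' lines."""
    opts = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(1) == domain:
            opts[m.group(2).lower()] = m.group(3)
    low, high = (int(x) for x in opts["range"].split("-"))
    return low, high, int(opts.get("rangesize", 100000))


def place_id(unix_id, low, high, rangesize):
    """Return (range number, reduced RID), or None if the ID is outside the range."""
    if not low <= unix_id <= high:
        return None
    return divmod(unix_id - low, rangesize)


def audit(passwd_lines, conf):
    """Check the UID and GID of each getent-style line against the configured range."""
    low, high, size = parse_idmap(conf)
    findings = []
    for line in passwd_lines:
        name, _pw, uid, gid = line.split(":")[:4]
        for kind, value in (("uid", int(uid)), ("gid", int(gid))):
            findings.append((name, kind, value, place_id(value, low, high, size)))
    return findings


if __name__ == "__main__":
    for name, kind, value, placed in audit(PASSWD_LINES, SMB_CONF):
        status = "range %d, reduced RID %d" % placed if placed else "OUTSIDE configured range"
        print(f"{name} {kind}={value}: {status}")
```

An ID below the configured low value, like the 10000 reported for TC83, cannot have been allocated from the autorid range shown in this smb.conf, which fits the stale interim configuration described at the top of the message.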