[Samba] samba idmap mystery

d tbsky tbskyd at gmail.com
Wed Feb 22 06:43:15 UTC 2023


Hi:
   I have a samba DC and a samba member file server.

    I have used rfc2307 id mapping and POSIX ACL shares for Windows/Linux
clients for many years. They are simple and work fine. However, in older
versions of samba (maybe 5 years ago), sometimes after I created a user
account at the samba DC, the member file server could not recognize it (e.g.
"getent passwd xxxx" or "id xxxx" returned nothing).

   When the situation happened, if I used the account to log in to a
Windows client PC and access the file server, suddenly the file server
recognized the account at that moment and the user could access it. Although
I felt it was strange, it worked eventually. And with newer samba versions
"getent passwd/id" seems to work every time.

    Recently I needed to create a guest share to host computer group
policy resources. I tried but failed and found that recent Win10
Enterprise/Win11 deny guest share access by default. So I thought maybe
I could loosen the samba configuration.

My original idmap config at the file server looks like:

idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 1000-999999

I commented out the last line "idmap config SAMDOM:range = 1000-999999" and
restarted samba. "getent passwd" returned all the domain accounts with or
without rfc2307 settings. "id machine$" also worked and my computer
group policy could read the share resource correctly.

But two days later suddenly my usual user account could not access the
share and the samba file server log said "failed: Permission denied.
Current token: uid=1000010".

That's too bad. My good rfc2307 uid (1001) was replaced by a dynamic
"1000010". My lazy dream is broken. I think my configuration is
illegal. Maybe it was working because of some kind of caching and now the
cache is gone.

So I reverted my configuration and restarted smbd/winbind. But "id xxxx"
or "getent passwd xxxx" still returned "1000010". I tried adding "winbind cache
time=1", "idmap cache time=1", "idmap negative cache time=1"; I also tried
deleting
"/var/lib/samba/winbindd_cache.tdb" and
"/var/lib/samba/winbindd_cache.tdb" and restarting winbind/smbd, but still
could not get rid of the dynamic user id "1000010".

Finally I remembered the older samba behavior and tried to log out/log in on my
Windows PC. Then I saw my rfc2307 gid was back. I restarted Windows
and logged in again. This time I finally got my rfc2307 uid "1001".

So what's behind the scenes? Why do I need to log on to the domain to make idmap work correctly?
And I think I need to give my computer/machine account an rfc2307 uid.
It seems rfc2307 cannot co-exist with dynamic id mapping. Is that
correct?

Thanks a lot for the help.

Regards,
tbskyd
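The symptom in this post (uid 1000010 from the catch-all "*" tdb range showing up where the rfc2307 uid 1001 was expected) can be spotted mechanically by checking which "idmap config <DOM>:range" an id falls into. The script below is an added example, not code from the post or from the Samba project; its smb.conf text and log line are constructed to match the post, and on a real member server you would feed it "testparm -s" output instead.

```shell
#!/bin/sh
# Added example: classify uids/gids by idmap range to detect IDs that winbind
# allocated from the "*" tdb fallback instead of the AD rfc2307 range.

# Constructed config text mirroring the poster's member server (not a real file).
SMB_CONF='
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 1000-999999
'

# Constructed log line shaped like the smbd message quoted in the post.
LOG_LINE='smbd_check_access_rights: ... failed: Permission denied. Current token: uid=1000010'

# Read smb.conf text on stdin and print "DOMAIN LOW HIGH" for each idmap range.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config \([^:]*\):range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2 \3/p'
}

# classify_id ID: print the idmap domain whose range contains ID ("*" means the
# dynamic tdb fallback), or UNMAPPED if no configured range covers it.
classify_id() {
    match=$(printf '%s\n' "$SMB_CONF" | idmap_ranges | while read -r dom lo hi; do
        if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
            printf '%s' "$dom"
            exit 0          # leave the subshell loop on first match
        fi
    done)
    printf '%s\n' "${match:-UNMAPPED}"
}

# token_uid LINE: extract the uid from an smbd "Current token: uid=N" message.
token_uid() {
    printf '%s\n' "$1" | sed -n 's/.*Current token: uid=\([0-9]*\).*/\1/p'
}

# Usage: compare the expected rfc2307 uid with the uid seen in the log line.
for id_num in 1001 "$(token_uid "$LOG_LINE")"; do
    printf 'uid %s -> idmap domain %s\n' "$id_num" "$(classify_id "$id_num")"
done
```

An id that classifies as "*" was handed out by the tdb allocator, so the AD uidNumber was not used for that lookup; that is the condition to alert on after any idmap change.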
