[Samba] samba idmap mystery

Rowland Penny rpenny at samba.org
Wed Feb 22 08:23:07 UTC 2023



On 22/02/2023 06:43, d tbsky via samba wrote:
> Hi:
>     I have a samba dc and a samba member file server.
> 
>     I have used rfc2307 id mapping and posix acl shares for windows/linux
> clients for many years. They are simple and work fine. However, in older
> versions of samba (maybe 5 years ago), sometimes after I created a user
> account at the samba dc, the member file server could not recognize it
> (e.g. "getent passwd xxxx" or "id xxxx" returned nothing).
> 
>     When the situation happened, if I used the account to log in to a
> windows client pc and access the file server, the file server suddenly
> recognized the account at that moment and the user could access it.
> Although it felt strange, it worked eventually. And with newer samba
> versions "getent passwd/id" seems to work every time.
> 
>     Recently I needed to create a guest share to host computer group
> policy resources. I tried but failed and found that recent win10
> enterprise/win11 deny guest share access by default. So I thought maybe
> I could loosen the samba configuration.

Why would you think that?
If you need guest access, then you need to turn it back on, on the 
Windows clients.

> 
> My original idmap config at the file server looks like:
> 
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 1000-999999
> 
> I commented out the last line "idmap config SAMDOM:range = 1000-999999" and

What was your reasoning for doing that?
What did you hope to achieve?

> restarted samba. "getent passwd" returned all the domain accounts with or
> without rfc2307 settings. "id machine$" also worked and my computer
> group policy could read the share resource correctly.

Now, if you did restart Samba, this should have cleared the winbind 
cache, unless nscd is also running? If it is, I suggest you remove it; 
you cannot have two caches.

> 
> But two days later my usual user account suddenly could not access the
> share, and the samba file server log said "failed: Permission denied.
> Current token: uid=1000010".

Looks like the cache expired and your user became part of the default 
domain '*'.

> 
> That's too bad. My good rfc2307 uid (1001) was replaced by a dynamic
> "1000010". My lazy dream is broken. I think my configuration is
> illegal. Maybe it was working because of some kind of caching and now
> the cache is gone.

Just said that.

> 
> So I reverted my configuration and restarted smbd/winbind. But "id xxxx"
> or "getent passwd xxxx" still gives "1000010". I tried adding "winbind cache
> time=1", "idmap cache time=1", "idmap negative cache time=1"; I also tried
> deleting
> "/var/lib/samba/winbindd_cache.tdb" and
> "/var/lib/samba/winbindd_cache.tdb" and restarting winbind/smbd, but still
> could not get rid of the dynamic user id "1000010".

It looks more and more like nscd is running.

> 
> Finally I remembered the older samba behavior and tried to log out/log in
> on my windows pc. Then I saw my rfc2307 gid was back. I restarted windows
> and logged in again. This time I finally got my rfc2307 uid "1001".
> 
> So what's behind the scenes? Why do I need to log on to the domain to make
> idmap work correctly?
> And I think I need to give my computer/machine account an rfc2307 uid.
> It seems rfc2307 cannot co-exist with dynamic id mapping. Is that
> correct?

No, or no Unix domain member would work. What you are describing as 
'dynamic id mapping' is the default domain '*', which uses the tdb idmap 
backend; this allocates Unix IDs for the BUILTIN domain and anything 
that isn't in the 'SAMDOM' domain. By removing the line, you put 
everything into the default domain.

The only mysteries here are: why did you remove the line, and is nscd 
running?

Rowland
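As an added illustration of Rowland's point (this is not code from the thread and not part of Samba), the following Python script parses only the 'idmap config' lines of a member server's smb.conf, applies two rules from the smb.conf idmap documentation (every idmap domain needs a backend and a range, and ranges must not overlap), and reports which configured range a given Unix ID falls into. The two embedded configs are constructed from the poster's fragment: the original, and the one with the SAMDOM range commented out. The domain name SAMDOM and the ranges are taken from the post; everything else (function names, the messages) is this example's own.

```python
"""Check smb.conf idmap ranges and explain where a Unix ID came from.

Added example, not Samba code.  The only smb.conf lines it understands are
'idmap config <DOMAIN>:<option> = <value>'; a line starting with '#' or ';'
is a comment and is ignored, as smbd ignores it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed from the poster's fragment: the working config ...
ORIGINAL_CONF = """
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 1000-999999
"""

# ... and the same config after the SAMDOM range line was commented out.
BROKEN_CONF = ORIGINAL_CONF.replace(
    "idmap config SAMDOM:range", "#idmap config SAMDOM:range")

# smb.conf parameter names are case-insensitive; the value runs to end of line.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.+?)$",
    re.IGNORECASE,
)


@dataclass
class IdmapDomain:
    name: str
    backend: Optional[str] = None
    low: Optional[int] = None
    high: Optional[int] = None
    extra: Dict[str, str] = field(default_factory=dict)

    def valid(self) -> bool:
        """A usable idmap domain has a backend and a well-formed range."""
        return (self.backend is not None and self.low is not None
                and self.high is not None and self.low <= self.high)

    def contains(self, xid: int) -> bool:
        return self.valid() and self.low <= xid <= self.high


def parse_idmap(smb_conf: str) -> Dict[str, IdmapDomain]:
    domains: Dict[str, IdmapDomain] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = domains.setdefault(m["domain"], IdmapDomain(m["domain"]))
        option, value = m["option"].lower(), m["value"].strip()
        if option == "backend":
            dom.backend = value.lower()
        elif option == "range":
            low, high = value.split("-")
            dom.low, dom.high = int(low), int(high)
        else:
            dom.extra[option] = value
    return domains


def check_idmap(domains: Dict[str, IdmapDomain]) -> List[str]:
    """Return a list of problems; an empty list means the config is sane."""
    problems = []
    if "*" not in domains:
        problems.append("no default domain '*' configured")
    for dom in domains.values():
        if dom.backend is None:
            problems.append(f"{dom.name}: no backend")
        if dom.low is None or dom.high is None:
            problems.append(f"{dom.name}: no range")
    usable = [d for d in domains.values() if d.valid()]
    for i, a in enumerate(usable):
        for b in usable[i + 1:]:
            if a.low <= b.high and b.low <= a.high:
                problems.append(f"{a.name} and {b.name}: ranges overlap")
    return problems


def owning_domain(domains: Dict[str, IdmapDomain], xid: int) -> Optional[str]:
    """Name of the configured idmap domain whose range holds xid, or None."""
    for dom in domains.values():
        if dom.name != "*" and dom.contains(xid):
            return dom.name
    star = domains.get("*")
    return "*" if star is not None and star.contains(xid) else None


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("broken", BROKEN_CONF)):
        doms = parse_idmap(conf)
        print(f"[{label}] problems: {check_idmap(doms) or 'none'}")
        for xid in (1001, 1000010):
            print(f"[{label}] uid {xid} -> domain {owning_domain(doms, xid)}")
```

Run against the original config, uid 1001 resolves to SAMDOM and 1000010 to '*'; against the broken config, SAMDOM is flagged as having no range and 1001 no longer falls in any configured range, while 1000010 still belongs to the '*' tdb range, which is exactly what the "Current token: uid=1000010" log line is telling you. The script reads only a configuration file, so it says nothing about what winbind has cached, or nscd for that matter; those still need checking on the host.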