samba - Feb 2019 - UID provided by rid idmap is out of the range imposed in smb.cof

Hello,

I had a problem with Samba winbind id-mapping  on a system that is part 
of an AD domain.
In the smb.conf I have the following setting:

idmap config <domain> : backend = rid
idmap config <domain> : range = 1000000-3000000
idmap config <domain> : schema_mode = rfc2307

winbindd was failing to convert some user SID to UID and in the idmap 
logs I have the following error:

Requested id (7003151) out of range (1000000 - 3000000). Filtered!

I have fixed the issue by increasing the range to 1000000-10000000.
So it appears that depending on the user SID, the UID generated 
automatically by Samba rid could be out of the range imposed in smb.conf.
Is it a bug or I'm just misunderstanding?

Thanks
Andrea

On Tue, 26 Feb 2019 13:57:06 +0100
Andrea Cucciarre' via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I had a problem with Samba winbind id-mapping  on a system that is
> part of an AD domain.
> In the smb.conf I have the following setting:
> 
> idmap config <domain> : backend = rid
> idmap config <domain> : range = 1000000-3000000
> idmap config <domain> : schema_mode = rfc2307
> 
> winbindd was failing to convert some user SID to UID and in the idmap 
> logs I have the following error:
> 
> Requested id (7003151) out of range (1000000 - 3000000). Filtered!
> 
> I have fixed the issue by increasing the range to 1000000-10000000.
> So it appears that depending on the user SID, the UID generated 
> automatically by Samba rid could be out of the range imposed in
> smb.conf. Is it a bug or I'm just misunderstanding?
> 
No, it isn't a bug, it is how it works, when you use the 'rid'
backend
the Unix ID is calculated by this:

ID = RID - BASE_RID + LOW_RANGE_ID

So from the info you provided, it becomes this:

ID = 6003151 + 1000000

ID = 7003151

This is above the high range (3000000) and anything outside the range
is ignored.

It does say here:

https://wiki.samba.org/index.php/Idmap_config_rid

Under the heading: Planning the ID Ranges

The ranges must be continuous and big enough to enable Samba to assign
an ID for every future user and group created in the domain. 

It looks like you used the wrong range by not setting the high range
high enough ;-)

Rowland

Thanks! that was actually the problem

Andrea


Il 2/26/2019 2:19 PM, Rowland Penny via samba ha
scritto:
> On Tue, 26 Feb 2019 13:57:06 +0100
> Andrea Cucciarre' via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I had a problem with Samba winbind id-mapping  on a system that is
>> part of an AD domain.
>> In the smb.conf I have the following setting:
>>
>> idmap config <domain> : backend = rid
>> idmap config <domain> : range = 1000000-3000000
>> idmap config <domain> : schema_mode = rfc2307
>>
>> winbindd was failing to convert some user SID to UID and in the idmap
>> logs I have the following error:
>>
>> Requested id (7003151) out of range (1000000 - 3000000). Filtered!
>>
>> I have fixed the issue by increasing the range to 1000000-10000000.
>> So it appears that depending on the user SID, the UID generated
>> automatically by Samba rid could be out of the range imposed in
>> smb.conf. Is it a bug or I'm just misunderstanding?
>>
> No, it isn't a bug, it is how it works, when you use the 'rid'
backend
> the Unix ID is calculated by this:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> So from the info you provided, it becomes this:
>
> ID = 6003151 + 1000000
>
> ID = 7003151
>
> This is above the high range (3000000) and anything outside the range
> is ignored.
>
> It does say here:
>
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Under the heading: Planning the ID Ranges
>
> The ranges must be continuous and big enough to enable Samba to assign
> an ID for every future user and group created in the domain.
>
> It looks like you used the wrong range by not setting the high range
> high enough ;-)
>
> Rowland
>