Hi everybody,

I'm having a problem with winbind creating 2 entries for some of my users that is really wrecking my head ;-/ .

My situation is as follows:
I have a typical Samba (3.0.14a)/LDAP setup. I have a trusted domain (another Samba/LDAP setup) and use winbind to map the users from the foreign domain, with the UID to SID mappings stored in LDAP. This works very well.

The relevant part of my nsswitch.conf file is as follows:

passwd: files ldap winbind
shadow: files ldap winbind
group:  files ldap winbind

When I 'getent passwd' on a domain member server the following are listed:
1.) local user accounts
2.) accounts resolved via LDAP (UID 5'000+)
3.) winbind resolved accounts from the foreign domain (i.e. FDOMAIN+user), UID = 10'000+

This was all working fine for a while. However, recently I noticed that winbind began storing additional UID to SID mappings for members of the local domain in LDAP. So when I ran e.g. 'getent passwd | grep brightstor' I would get 2 entries for the 1 user account, 1 resolved from LDAP, the other from winbind:

brightstor:x:5586:513:System User:/home/brightstor:/bin/false
brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false

This occurs for some accounts but not others. pdbedit on this account returns:

[root@teddc etc]# pdbedit -Lv brightstor
init_sam_from_ldap: Entry found for user: brightstor
Unix username:        brightstor
NT username:          brightstor
Account Flags:        [UX         ]
User SID:             S-1-5-21-193554404-1789558652-91453608-12172
Primary Group SID:    S-1-5-21-193554404-1789558652-91453608-513
Full Name:            Brightstor
Home Directory:
HomeDir Drive:
Logon Script:         scripts\tedmap.bat
Profile Path:
Domain:               TED
Account desc:         System User
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time:         Tue, 19 Jan 2038 03:14:07 GMT
Password last set:    Tue, 28 Jun 2005 10:53:57 GMT
Password can change:  Tue, 28 Jun 2005 10:53:57 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Even when I stop winbind, delete winbindd_cache.tdb and winbindd_idmap.tdb and delete the bad entries from the LDAP Directory the problem returns?

Can anyone make sense of this behaviour?
Thanks

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd, Tuam, Co. Galway, Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian@cel.ie
W : http://www.cel-europe.com
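The duplicate shown above is worth catching before it is noticed by accident: one username resolving to two UIDs means file ownership and ACL decisions depend on which NSS source answers first. The script below is an added example, not code from the thread; it reads passwd-format lines (the sample lines are constructed to mirror Ian's output, with one invented foreign-domain user) and reports every username that resolves to more than one UID, classifying each UID by the ranges given in the thread (winbind idmap 10000-15000, LDAP users 5000+, anything lower assumed to be a local /etc/passwd account).

```shell
#!/bin/sh
# Added example: find usernames that resolve to more than one UID across NSS sources.
# Constructed sample input mirroring the thread's getent output (FDOMAIN+alice is invented).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
brightstor:x:5586:513:System User:/home/brightstor:/bin/false
brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false
FDOMAIN+alice:x:10001:10001:Alice:/home/FDOMAIN/alice:/bin/false
bob:x:5590:513:Bob:/home/bob:/bin/false'

# Classify a UID by the ranges used in the thread: winbind "idmap uid = 10000-15000",
# LDAP accounts from 5000 upwards, everything below that treated as a local files account.
classify_uid() {
    uid=$1
    if [ "$uid" -ge 10000 ] && [ "$uid" -le 15000 ]; then
        echo winbind
    elif [ "$uid" -ge 5000 ]; then
        echo ldap
    else
        echo files
    fi
}

# Read passwd-format lines on stdin; print "<user> <uid> <source>" for every
# username seen with more than one UID, lowest UID first.
find_duplicate_users() {
    awk -F: '
        { uids[$1] = uids[$1] " " $3; count[$1]++ }
        END {
            for (u in count) if (count[u] > 1) {
                n = split(uids[u], a, " ")
                for (i = 1; i <= n; i++) print u, a[i]
            }
        }' | sort -k1,1 -k2,2n | while read -r user uid; do
        echo "$user $uid $(classify_uid "$uid")"
    done
}

# Number of distinct duplicated usernames on stdin, for a monitoring check
# (non-zero means the directory and winbind disagree about someone's identity).
duplicate_count() {
    find_duplicate_users | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a member server use:
#   getent passwd | find_duplicate_users
printf '%s\n' "$SAMPLE_PASSWD" | find_duplicate_users
```

Run against a real member server the check only sees what NSS exposes, so a mapping winbind has written to LDAP for a user that is not currently enumerated will not show up here; that case needs a look at the idmap container itself.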
What are your relevant smb.conf entries?

greez

Ian Clancy wrote:
> Hi everybody,
> I'm having a problem with winbind creating 2 entries for some of my
> users that is really wrecking my head ;-/ .
> [...]

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
Hi again,

In response to queries for more info here is the smb.conf (- shares) of my PDC:

workgroup = ted
netbios name = tedDC
server string = SAMBA-LDAP %v PDC Server
domain logons = Yes
domain master = Yes
preferred master = Yes
local master = Yes
interfaces = lo, eth0
bind interfaces only = Yes
logon script = scripts\tedmap.bat
logon home =
logon path =
wins support = Yes
name resolve order = lmhosts host wins bcast
remote announce = 192.168.2.2
log level = 1 auth:1 winbind:5 passdb:2
printing = cups
printcap name = CUPS
printer admin = Administrator
show add printer wizard = Yes
passdb backend = ldapsam:"ldap://127.0.0.1"
ldap passwd sync = Yes
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=ted,dc=org
ldap suffix = dc=ted,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-15000
idmap gid = 10000-15000
winbind separator = +
winbind use default domain = Yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
Dos charset = 850
Unix charset = ISO8859-1

Here is the smb.conf of a typical domain member server:

workgroup = TED
netbios name = TEDFS02
server string = Samba %v on Fedora Core 2
security = DOMAIN
encrypt passwords = Yes
password server = *
interfaces = lo, eth0
bind interfaces only = Yes
unix extensions = Yes
username map = /etc/samba/smbusers
wins server = 192.0.2.14
winbind separator = +
winbind use default domain = Yes
idmap backend = ldap:ldap://teddc.ted
idmap uid = 10000-15000
idmap gid = 10000-15000
ldap admin dn = cn=Manager,dc=ted,dc=org
ldap suffix = dc=ted,dc=org
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
log file = /var/log/samba/log.%m
log level = 1
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Ian Clancy wrote:
> Hi everybody,
> I'm having a problem with winbind creating 2 entries for some of my
> users that is really wrecking my head ;-/ .
> [...]

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd, Tuam, Co. Galway, Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian@cel.ie
W : http://www.cel-europe.com
I think if you fix the problem with the ridbase you will also solve the problem of having duplicated users.

You could also try to set:

winbind trusted domains only = yes

greez

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
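Whatever the root cause turns out to be, the symptom Ian describes is an idmap entry in ou=Idmap whose SID belongs to the local domain: local-domain users already carry a uidNumber in ou=People, so any idmap entry for one of their SIDs is the second, winbind-allocated identity. The script below is an added example, not code from the thread, for auditing the idmap container for exactly that. It assumes the Samba 3 idmap_ldap layout of one sambaIdmapEntry object per mapping with a sambaSID and a uidNumber or gidNumber attribute, as ldapsearch exports it in LDIF; the local domain SID is taken from Ian's pdbedit output, the foreign domain SID and all entries in the sample LDIF are constructed.

```shell
#!/bin/sh
# Added example: flag idmap entries that map SIDs of the LOCAL domain.
# Schema assumption: Samba 3 idmap_ldap stores sambaIdmapEntry objects with
# sambaSID and uidNumber or gidNumber, exported by ldapsearch as LDIF.

# Local domain SID, taken from the pdbedit output in the thread (RID stripped).
LOCAL_DOMAIN_SID='S-1-5-21-193554404-1789558652-91453608'

# Constructed sample LDIF: one spurious local-domain mapping and two legitimate
# foreign-domain mappings (the foreign domain SID S-1-5-21-111-222-333 is made up).
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <ou=Idmap,dc=ted,dc=org> with scope subtree
#
dn: sambaSID=S-1-5-21-193554404-1789558652-91453608-12172,ou=Idmap,dc=ted,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-193554404-1789558652-91453608-12172
uidNumber: 10168

dn: sambaSID=S-1-5-21-111-222-333-1004,ou=Idmap,dc=ted,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-1004
uidNumber: 10001

dn: sambaSID=S-1-5-21-111-222-333-513,ou=Idmap,dc=ted,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-513
gidNumber: 10000
'

# Read LDIF on stdin; print "<SID> uid|gid <number>" for every entry whose SID
# belongs to the domain SID given as $1. Attribute lines are expected unwrapped
# (ldapsearch only folds lines longer than 76 characters, which these are not).
find_local_domain_idmaps() {
    awk -v dom="$1" '
        function flush() {
            # A SID belongs to the domain when it is exactly "<domain SID>-<RID>".
            if (sid != "" && index(sid, dom "-") == 1)
                print sid, (uid != "" ? "uid " uid : "gid " gid)
            sid = ""; uid = ""; gid = ""
        }
        /^sambaSID: /  { sid = $2 }
        /^uidNumber: / { uid = $2 }
        /^gidNumber: / { gid = $2 }
        /^$/           { flush() }
        END            { flush() }'
}

# Against the live directory the same function consumes ldapsearch output, e.g.
#   ldapsearch -x -LLL -H ldap://127.0.0.1 -b ou=Idmap,dc=ted,dc=org \
#       -D cn=Manager,dc=ted,dc=org -W '(objectClass=sambaIdmapEntry)' \
#       | find_local_domain_idmaps "$LOCAL_DOMAIN_SID"
printf '%s\n' "$SAMPLE_LDIF" | find_local_domain_idmaps "$LOCAL_DOMAIN_SID"
```

Running this after each restart of winbindd shows whether the spurious mappings come back, which separates a stale cache from winbind actively re-allocating them, the distinction Ian's clean-up attempt could not make on its own.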