samba - Oct 2006 - Winbind mappings change over time

On Tue, 2006-10-31 at 15:52 +1300, Richard Greaney
wrote:
> Hi all
> I have a peculiar problem that has been ongoing over the last few years.
> 
> I have a mail server which is running winbind and giving distributed 
> authentication from a Windows server. Winbind UID mapping is in the 
> typical 10000-20000 range. Everything works fine... for the first little 
> while at least anyway.
> 
>  From what I can tell, when winbind is first set up it allocates UIDs 
> for all existing Windows users, in order of their SID on the Windows 
> server (eg, the lowest SID on the Windows server gets the UID of 10000, 
> the next gets 10001 and so on).  Again, this works fine.
> 
> However, this is where things start to get messy. The problem I'm 
> getting is that over time, these Windows - Unix ID maps get muddled up. 
> I've deployed some 40 odd Linux servers, some talking to AD, some 
> talking to Windows NT, some using Postfix for mail, some using Exim. In 
> all cases, this problem comes up at one time or another. You notice it 
> because the mailboxes (/var/mail/username) start having different 
> owners. This effectively kills a particular person's mail. For example,
> the user 'jsmith' should have 'jsmith' as the mailbox
owner, but they
> might have 'jbloggs' as the owner. This is because the UID that was
> assigned to jsmith has now been assigned to jbloggs. And yet there was 
> never any change to the jsmith or jbloggs account on the Windows server.
> 
> Has anybody else had this problem?
> 
> I'm using a range of samba builds up to 3.0.14a which, I realise is 
> rather old. However I'm loathed to upgrade when this is the only
problem
> I'm getting, if the problem isn't fixed in later versions.
> 
> I've tried a search in bugzilla but couldn't seem to come up with a
> query that returned less than 200 bugs.
Richard, the allocation order is not guaranteed at all.
Winbindd works on a first come first serve basis, it is only a case that
most of the time it will get you the same order on new server for most
users.

If you need to keep the same mapping for more than one server then you
need to share the mapping between them. The only backend that supports
shared mapping out of the box at this time is imdap_ldap.

idmap_rid instead uses an algorithmic mapping and does not need
synchronization, but it is somewhat limited (no trusted domain except by
recompiling it with experimental options).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org

simo wrote:
> On Tue, 2006-10-31 at 15:52 +1300, Richard Greaney wrote:
>> Hi all
>> I have a peculiar problem that has been ongoing over the last few
years.
>>
>> I have a mail server which is running winbind and giving distributed 
>> authentication from a Windows server. Winbind UID mapping is in the 
>> typical 10000-20000 range. Everything works fine... for the first
little
>> while at least anyway.
>>
>>  From what I can tell, when winbind is first set up it allocates UIDs 
>> for all existing Windows users, in order of their SID on the Windows 
>> server (eg, the lowest SID on the Windows server gets the UID of 10000,
>> the next gets 10001 and so on).  Again, this works fine.
>>
>> However, this is where things start to get messy. The problem I'm 
>> getting is that over time, these Windows - Unix ID maps get muddled up.
>> I've deployed some 40 odd Linux servers, some talking to AD, some 
>> talking to Windows NT, some using Postfix for mail, some using Exim. In
>> all cases, this problem comes up at one time or another. You notice it 
>> because the mailboxes (/var/mail/username) start having different 
>> owners. This effectively kills a particular person's mail. For
example,
>> the user 'jsmith' should have 'jsmith' as the mailbox
owner, but they
>> might have 'jbloggs' as the owner. This is because the UID that
was
>> assigned to jsmith has now been assigned to jbloggs. And yet there was 
>> never any change to the jsmith or jbloggs account on the Windows
server.
>>
>> Has anybody else had this problem?
>>
>> I'm using a range of samba builds up to 3.0.14a which, I realise is
>> rather old. However I'm loathed to upgrade when this is the only
problem
>> I'm getting, if the problem isn't fixed in later versions.
>>
>> I've tried a search in bugzilla but couldn't seem to come up
with a
>> query that returned less than 200 bugs.
> 
> Richard, the allocation order is not guaranteed at all.
> Winbindd works on a first come first serve basis, it is only a case that
> most of the time it will get you the same order on new server for most
> users.
> 
> If you need to keep the same mapping for more than one server then you
> need to share the mapping between them. The only backend that supports
> shared mapping out of the box at this time is imdap_ldap.
> 
> idmap_rid instead uses an algorithmic mapping and does not need
> synchronization, but it is somewhat limited (no trusted domain except by
> recompiling it with experimental options).
> 
> Simo.
> 
Hi Simo
Thanks for your reply. I might have made things a little hazy in my 
initial post. The 40-odd servers I mentioned are all on remote client 
sites and each has it's own corresponding Windows server. Effectively, I 
have the same problem on all sites at one time or another. My issue 
isn't with the order of winbind mapping, but more with the fact that the 
SID to UID mapping appears to change over time.

I will take a look for information about idmap_ldap as a backend to see 
if it is going to work with my setup.

Richard

-- 

Richard Greaney
Senior Technician
NET Solutions
Massey University College of Education
Palmerston North

e-mail: richard@net-solutions.net.nz
Phone: 06 351 3323