Hi all,

I use Samba 3.5.6 in ads mode (Windows 2008R2) with the ldap idmap backend. Servers run CentOS 4 and 5.
I have been unable to cope with the following issue for a long time.

On all servers in the domain, winbind constantly tries to create a mapping for <SID>-513
and fails because of an already existing entry.
It just wastes the gid range.

Note that <SID> is not the SID of the main domain but of another one whose name is equal to the hostname. For example, on host FMS in domain CORP I have:

wbinfo --all-domains
BUILTIN
FMS
CORP

wbinfo -D FMS
Name              : FMS
Alt_Name          :
SID               : S-1-5-21-3830529182-610880034-2098875520
Active Directory  : No
Native            : No
Primary           : No

Here is the log:

[2011/03/17 15:37:28.387459, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-3830529182-610880034-2098875520-513 to 20067 mapping [gidNumber]
[2011/03/17 15:37:28.387538, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was: (Already exists)

Can someone experienced in Samba comment on how to deal with this issue?

Thanks.

-- 
Vladimir Vassiliev

On Thursday, March 17, 2011, Vladimir Vassiliev wrote:
> Hi all,
>
> I use Samba 3.5.6 in ads mode (Windows 2008R2) with the ldap idmap backend.
> Servers run CentOS 4 and 5. I have been unable to cope with the following issue for a long time.
>
> On all servers in the domain, winbind constantly tries to create a mapping for
> <SID>-513
> and fails because of an already existing entry.
> It just wastes the gid range.

I had that problem. In my case, doing an "ldapsearch -x sambaSID=<SID>-513" found two idmap entries (in different OUs). After I deleted one of them with ldapdelete, it stopped having that error and stopped trying to create new entries.
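
The duplicate check described in the reply above, generalized to every sambaSID in an LDIF dump rather than one SID at a time. This is an added example, not part of the original thread; the DNs, the second SID and the gidNumber 20031 are constructed sample values.

```python
import base64
from collections import defaultdict

# Constructed sample in the LDIF form ldapsearch prints (DNs are made up).
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-3830529182-610880034-2098875520-513,ou=Idmap,dc=corp,
 dc=example
sambaSID: S-1-5-21-3830529182-610880034-2098875520-513
gidNumber: 20067

dn: sambaSID=S-1-5-21-3830529182-610880034-2098875520-513,ou=Groups,dc=corp,dc=example
sambaSID: S-1-5-21-3830529182-610880034-2098875520-513
gidNumber: 20031

dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-513,ou=Idmap,dc=corp,dc=example
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
"""

def parse_ldif(text):
    """Yield one {lowercased attr: [values]} dict per LDIF record."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # folded continuation line
        else:
            unfolded.append(line)
    entry = defaultdict(list)
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if entry:
                yield dict(entry)
            entry = defaultdict(list)
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.strip().lower()].append(value.strip())

def duplicate_sid_mappings(text):
    """Return {sambaSID: [(dn, gidNumber or None), ...]} for SIDs on >1 entry."""
    by_sid = defaultdict(list)
    for entry in parse_ldif(text):
        for sid in entry.get("sambasid", []):
            gid = entry.get("gidnumber", [None])[0]
            by_sid[sid].append((entry.get("dn", ["?"])[0], gid))
    return {sid: hits for sid, hits in by_sid.items() if len(hits) > 1}

if __name__ == "__main__":
    print(duplicate_sid_mappings(SAMPLE_LDIF))
```

Any SID it reports has more than one idmap entry in the directory, which is the condition the reply found for <SID>-513.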

On Thu, Mar 17, 2011 at 04:02:29PM +0300, Vladimir Vassiliev wrote:
>
> Hi all,
>
> I use Samba 3.5.6 in ads mode (Windows 2008R2) with the ldap idmap backend. Servers run CentOS 4 and 5.
> I have been unable to cope with the following issue for a long time.
>
> On all servers in the domain, winbind constantly tries to create a mapping for
> <SID>-513
> and fails because of an already existing entry.
> It just wastes the gid range.

<DOMAIN-SID>-513 is the Domain Users group.

>
> Note that <SID> is not the SID of the main domain but of another one whose name
> is equal to the hostname. For example, on host FMS in domain CORP I have:
>
> wbinfo --all-domains
> BUILTIN
> FMS
> CORP

Why have you created a local computer domain, out of interest? Windows does this, but you don't have to do it with Samba. This has been the cause of your problem; winbind is trying to map both <CORP-SID>-513 and <FMS-SID>-513 to the same local group.

-- 
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists against the ignorant. -- Roger Bacon, "Doctor Mirabilis"