Alexander 'Leo' Bergolth <leo <at> strike.wu.ac.at> writes:
>
> Since upgrade to Samba 3.6.9, I am experiencing problems concerning
> winbind idmapping.
>
> I am using an LDAP directory with RFC 2307 accounts and sambaSamAccount
> sambaSID entries for each local domain user. SIDs for other domains
> should be stored in sambaIdmapEntry objects in a separate LDAP tree.
>
> The problem is that winbind doesn't seem to map SIDs from the local
> domain to unix IDs. smbd initially works fine but after some time, Idmap
> entries for my local domain groups are allocated, which results in
> duplicate mappings. (I.e. a local domain group now has a sambaSID to
> RFC-2307 gidNumber mapping and the newly allocated mapping in the
> sambaIdmapEntry object.)
>
> Do you have any hints on how the existing local domain mappings can be
> configured with the new idmap syntax? Should I use idmap_nss for the
> local domain instead of idmap_ldap?
>
I'll list my current steps while I'm diagnosing. This does seem to be an
error in the current version of Samba (I'll check with regard to Samba group
objectclasses before I point fingers).
idmap logs show that sambaIdmapEntry is sought, and added if none found.
Somehow wbinfo --gid-info will reset itself after the second attempt, and
will remain correct until the winbind cache expires.
I've tried to set the idmap config DOMAIN to read only (with idmap config *
to read/write), but that doesn't help. I can't find any documentation on
'idmap alloc config' which is referred to on the Samba site in a wiki. Our
setup is fairly stable and this problem only appeared when I made changes in
order to add users (which was failing because I had two sambaUnixIdPool
objects).
This is currently only happening with group objects; I'll have to see if
there isn't another objectclass change I haven't yet picked up on. In the
meantime, I've added the 'objectclass=sambaIdmapEntry' to the groups.
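As an added example (not from either poster), here is the Samba 3.6 idmap layout the thread is asking about, written out in the per-domain "idmap config" syntax: idmap_nss for the local domain so winbind takes uidNumber/gidNumber from the existing RFC 2307 entries through NSS and never allocates a sambaIdmapEntry for them, and idmap_ldap as the default backend that stores sambaIdmapEntry objects for SIDs from other domains. The domain name EXAMPLEDOM, the LDAP URL and DNs, and the ID ranges are placeholders for a real deployment.

```ini
[global]
    ; placeholder: the name of the local Samba domain
    workgroup = EXAMPLEDOM

    ; Local domain: resolve SID <-> ID via NSS (nss_ldap reading the
    ; RFC 2307 uidNumber/gidNumber). A read-only lookup path, so winbind
    ; has nothing to allocate and cannot create duplicate mappings here.
    idmap config EXAMPLEDOM : backend = nss
    ; must cover the uidNumber/gidNumber values present in the directory
    idmap config EXAMPLEDOM : range = 1000-99999

    ; Default backend for every other domain (trusted domains, BUILTIN):
    ; mappings are allocated and stored as sambaIdmapEntry objects.
    ; This replaces the older 'idmap alloc backend/config' parameters.
    idmap config * : backend = ldap
    idmap config * : ldap_url = ldap://ldap.example.internal/
    idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=internal
    idmap config * : ldap_user_dn = cn=samba,ou=services,dc=example,dc=internal
    ; allocation range; must not overlap the local domain's range above
    idmap config * : range = 1000000-1999999
```

After reloading winbind, a lookup such as wbinfo --gid-info on a local group should return the gidNumber from the RFC 2307 entry, and no new sambaIdmapEntry object for a local-domain SID should appear under the idmap base DN.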