We use Samba 3.6.23 with an LDAP backend. After migrating to a new virtual server with the same RHEL 6.5 as the physical server it replaced, everything works fine, except that sometimes the winbind mapping gets confused (I hesitate to say "corrupted"). Here's a real-life example I finally managed to capture, with the domain SID redacted:

# wbinfo -U 1503
S-1-5-21-xxx-xxx-xxx-3244
# wbinfo -S S-1-5-21-xxx-xxx-xxx-4006
1503
# wbinfo -S S-1-5-21-xxx-xxx-xxx-3244
1503

Two Samba SIDs are mapping to a single UID number. I then ran a "net cache flush" and immediately got these (correct) results:

# wbinfo -U 1503
S-1-5-21-xxx-xxx-xxx-4006
# wbinfo -S S-1-5-21-xxx-xxx-xxx-4006
1503
# wbinfo -S S-1-5-21-xxx-xxx-xxx-3244
1122

The result is that when this happens, affected Windows users can log in, but cannot access their home folders (because it's trying to access the home folder as a different, incorrect user) -- though from a command prompt, the folders are accessible. I know it's getting confused, and I know how to fix it when it does, but I don't know what's causing it or how to prevent it from happening in the first place. Any thoughts?

From the smb.conf file:

idmap config * : backend = tdb
idmap config * : range = 1000-89000

--
Jeff Williams
On 16/04/14 18:27, Williams, Jeff wrote:

> We use Samba 3.6.23 with an LDAP backend. After migrating to a new virtual server with the same RHEL 6.5 as the physical server it replaced, everything works fine, except that sometimes the winbind mapping gets confused (I hesitate to say "corrupted"). Here's a real-life example I finally managed to capture, with the domain SID redacted:
>
> # wbinfo -U 1503
> S-1-5-21-xxx-xxx-xxx-3244
> # wbinfo -S S-1-5-21-xxx-xxx-xxx-4006
> 1503
> # wbinfo -S S-1-5-21-xxx-xxx-xxx-3244
> 1503
>
> Two Samba SIDs are mapping to a single UID number. I then ran a "net cache flush" and immediately got these (correct) results:
>
> # wbinfo -U 1503
> S-1-5-21-xxx-xxx-xxx-4006
> # wbinfo -S S-1-5-21-xxx-xxx-xxx-4006
> 1503
> # wbinfo -S S-1-5-21-xxx-xxx-xxx-3244
> 1122
>
> The result is that when this happens, affected Windows users can log in, but cannot access their home folders (because it's trying to access the home folder as a different, incorrect user) -- though from a command prompt, the folders are accessible. I know it's getting confused, and I know how to fix it when it does, but I don't know what's causing it or how to prevent it from happening in the first place. Any thoughts?
>
> From the smb.conf file:
>
> idmap config * : backend = tdb
> idmap config * : range = 1000-89000

Sigh,

Can you please post your entire (sanitized) smb.conf

Rowland
[global]
workgroup = DACCSTU
netbios name = STUDENTS
server string = Student file server
security = user
encrypt passwords = yes
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
hosts allow = 192.168. 127.
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
hostname lookups = yes
printcap name = cups
load printers = yes
printing = cups
log file = /var/log/samba/log.%U
log level = 1
max log size = 50
passdb backend = ldapsam
ldap admin dn = "cn=xxx,o=students.dacc.edu"
ldap delete dn = no
ldap ssl = off
ldap suffix = o=students.dacc.edu
ldap passwd sync = yes
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
passwd program = /usr/local/sbin/smbldap-passwd %u
logon drive = H:
logon home = \\students\%U
logon path = \\students\Profiles\%U
logon script = logon.vbs
wins support = no
wins server = 192.168.1.5
wins proxy = no
dns proxy = no
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
utmp = yes
dos filemode = yes
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
wide links = yes
unix extensions = no
idmap config * : backend = tdb
idmap config * : range = 1000-89000
idmap config DACCEMP : backend = rid
idmap config DACCEMP : range = 90000-99000
winbind enum users = no
winbind enum groups = no

#============================ Share Definitions =============================

[homes]
comment = Home Directories
browseable = no
writable = yes
path = /home/students/%U

[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = yes
write list = Administrator jeff
locking = no
public = yes
browseable = no
default case = lower
case sensitive = no
preserve case = yes
short preserve case = yes

[Profiles]
path = /home/profiles
browseable = no
guest ok = yes
writeable = yes
read only = no
create mask = 0600
directory mask = 0700

--
Jeff Williams
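The symptom in Jeff's first post (two SIDs resolving to UID 1503, and `wbinfo -U 1503` answering with a SID that is not the one that maps to it) can be caught mechanically before users notice broken home folders, and the idmap ranges in the posted smb.conf can be checked for overlap at the same time, since overlapping idmap ranges are a misconfiguration that makes this kind of collision structural rather than a cache hiccup. The script below is an added example written for this page, not code from the thread or from Samba. It parses a captured `wbinfo -S`/`wbinfo -U` transcript and the `idmap config` lines of an smb.conf; the sample transcript and config are constructed copies of what was posted (domain SID still redacted), and the `EXAMPLE` domain used in the overlap check is a hypothetical name.

```python
import re
from collections import defaultdict

# Constructed sample: a copy of the inconsistent wbinfo output from the first
# post in the thread (the domain SID was redacted there and stays redacted).
SAMPLE_WBINFO = """
# wbinfo -U 1503
S-1-5-21-xxx-xxx-xxx-3244
# wbinfo -S S-1-5-21-xxx-xxx-xxx-4006
1503
# wbinfo -S S-1-5-21-xxx-xxx-xxx-3244
1503
"""

# Constructed sample: the idmap lines from the posted smb.conf.
SAMPLE_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000-89000
idmap config DACCEMP : backend = rid
idmap config DACCEMP : range = 90000-99000
"""

WBINFO_CMD = re.compile(r"^#\s*wbinfo\s+-([SU])\s+(\S+)$")
IDMAP_LINE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*([A-Za-z_ ]+?)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_wbinfo_transcript(text):
    """Pair each '# wbinfo -S <sid>' / '# wbinfo -U <uid>' line with the line
    that follows it. Returns (sid_to_uid, uid_to_sid). Failed lookups (an
    answer that is not a number or not a SID, e.g. 'Could not convert ...')
    are skipped rather than recorded as mappings."""
    sid_to_uid, uid_to_sid = {}, {}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for cmd, answer in zip(lines, lines[1:]):
        m = WBINFO_CMD.match(cmd)
        if not m:
            continue  # this line is an answer, not a command
        flag, arg = m.groups()
        if flag == "S" and answer.isdigit():
            sid_to_uid[arg] = int(answer)
        elif flag == "U" and answer.startswith("S-1-"):
            uid_to_sid[int(arg)] = answer
    return sid_to_uid, uid_to_sid


def find_mapping_faults(sid_to_uid, uid_to_sid):
    """Report the two symptoms from the thread: several SIDs resolving to one
    UID, and a SID whose UID resolves back (wbinfo -U) to a different SID."""
    faults = []
    by_uid = defaultdict(list)
    for sid, uid in sid_to_uid.items():
        by_uid[uid].append(sid)
    for uid, sids in sorted(by_uid.items()):
        if len(sids) > 1:
            faults.append(("duplicate_uid", uid, sorted(sids)))
    for sid, uid in sorted(sid_to_uid.items()):
        back = uid_to_sid.get(uid)
        if back is not None and back != sid:
            faults.append(("roundtrip_mismatch", sid, uid, back))
    return faults


def parse_idmap_config(text):
    """Collect 'idmap config <domain> : <key> = <value>' lines into
    {domain: {key: value}}, with 'range' parsed into an (lo, hi) tuple."""
    cfg = defaultdict(dict)
    for line in text.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            lo, hi = (int(x) for x in value.split("-", 1))
            cfg[domain]["range"] = (lo, hi)
        else:
            cfg[domain][key] = value
    return dict(cfg)


def find_range_overlaps(cfg):
    """Return pairs of idmap domains whose ranges intersect. The default '*'
    range and every per-domain range must be disjoint; otherwise two
    different SIDs can legitimately be handed the same UID."""
    ranges = sorted((d, r["range"]) for d, r in cfg.items() if "range" in r)
    overlaps = []
    for i, (da, (alo, ahi)) in enumerate(ranges):
        for db, (blo, bhi) in ranges[i + 1:]:
            if alo <= bhi and blo <= ahi:
                overlaps.append((da, db))
    return overlaps


if __name__ == "__main__":
    s2u, u2s = parse_wbinfo_transcript(SAMPLE_WBINFO)
    for fault in find_mapping_faults(s2u, u2s):
        print("mapping fault:", fault)
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print("idmap config:", cfg)
    for pair in find_range_overlaps(cfg):
        print("overlapping idmap ranges:", pair)
```

Run against the sample it reports one `duplicate_uid` fault for 1503 and one `roundtrip_mismatch` for the -4006 SID, and no range overlaps for the posted config. In production, feed it the `wbinfo` lines captured for the users you care about (paired command and answer lines, as in the post) and the output of `testparm -s` for the live configuration; running it from cron before and after a `net cache flush` shows whether the bad state lives only in the winbind cache or has been written into the idmap tdb.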