Hi list,
on one of our servers I found a strange id-mapping behavior. The server
acts as an AD-DC and fileserver. We use the sernet-samba packages in
version 4.2.9 on openSUSE leap 42.1.
We use the rfc3207 extension for Posix attributes. Every group has a
full set of posix-attributes. Our gidNumbers are calculated by RID plus
20000.
If I ask for id-mappings, "wbinfo" shows for all groups the correct
mapping except for the group "domain users". This group is mapped to
gidNumber 100, which is the group "users" in /etc/passwd.
wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
For all other Groups it looks like:
wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
A look inside the LDAP DIT shows that the attribute "gidNumber" for
"domain users" is set correctly to 20513.
Here is what testparm -v shows:
...
idmap backend = tdb
idmap cache time = 604800
idmap negative cache time = 120
idmap uid
idmap gid
template homedir = /home/%D/%U
template shell = /bin/false
winbind separator = \
winbind cache time = 300
winbind reconnect delay = 30
winbind request timeout = 60
winbind max clients = 200
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 0
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
create krb5 conf = Yes
ncalrpc dir = /var/run/samba/ncalrpc
winbind max domain connections = 1
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
....
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
...
Does anybody have an idea how I can fix this wrong id mapping?
Other servers with the same setup didn't show this behavior.
Regards
Stefan
--
www.invis-server.org
Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
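An added check (example code of mine, not from the thread or from Samba): it parses the output format of "wbinfo --sids-to-unix-ids" and flags every group mapping that does not follow the RID + 20000 scheme described above, so a stale or colliding gid like the 100 for "domain users" stands out. The sample output is constructed; its first two lines are copied from the post, the rest are hypothetical, and 20000 is this site's own offset.

```python
import re

# Constructed sample of "wbinfo --sids-to-unix-ids" output: first two lines
# are from the post, the remaining ones are made up for illustration.
SAMPLE_WBINFO_OUTPUT = """\
S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
S-1-5-21-1891182457-2156988848-2018633412-1105 -> gid 21105
S-1-5-21-1891182457-2156988848-2018633412-1106 -> uid 21106
"""

GID_OFFSET = 20000  # site convention from the post: gidNumber = RID + 20000

# "<domain SID>-<RID> -> uid|gid <number>" as printed by wbinfo
LINE_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+->\s+(uid|gid)\s+(\d+)$")


def parse_wbinfo(output):
    """Yield (domain_sid, rid, kind, unix_id) for every mapping line."""
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable wbinfo line: %r" % line)
        domain_sid, rid, kind, unix_id = m.groups()
        yield domain_sid, int(rid), kind, int(unix_id)


def find_mismatched_gids(output, offset=GID_OFFSET):
    """Return {rid: (got_gid, expected_gid, reason)} for off-scheme groups."""
    mismatches = {}
    for _domain, rid, kind, unix_id in parse_wbinfo(output):
        if kind != "gid":
            continue  # uid mappings are not covered by the group scheme
        expected = rid + offset
        if unix_id == expected:
            continue
        # A low gid points at a collision with /etc/group (gid 100 = "users")
        if unix_id < 1000:
            reason = "collides with local system gid range"
        else:
            reason = "off-scheme id"
        mismatches[rid] = (unix_id, expected, reason)
    return mismatches
```

Running it over real output (wbinfo --sids-to-unix-ids ... | python3 -) before and after a cache flush shows whether the mapping actually changed or whether the stale value is still being served.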
Sounds like there is an old entry in idmap.ldb. You can delete that entry if you use rfc3207.
On my environment I had a lot of old user entries in idmap.ldb which I had moved to rfc3207 mapping.
With 4.1 this did not matter, but with 4.2 samba sometimes picks the values from idmap.ldb.

achim

On 02.05.2016 at 14:31, Stefan Schäfer wrote:
Hey,

id mapping is accessible from the net command:

net cache list

You can also clean that cache:

net cache flush

After flushing the cache your users and groups having uidNumber and/or gidNumber should work as expected (i.e. using their AD declared uid/gid).

Cheers,
mathias

2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>: