Hey,

id mapping is accessible from net command:
net cache list

you can also clean that cache:
net cache flush

After flushing the cache your users and groups having uidNumber and/or gidNumber should work as expected (i.e. using their AD declared uid/gid).

Cheers,

mathias

2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
> Sounds like there is an old entry in idmap.ldb. You can delete that entry if you use rfc3207.
> On my environment I had a lot of old user entries in idmap.ldb which I had moved to rfc3207 mapping.
> With 4.1 this did not matter but with 4.2 Samba sometimes picks the values from idmap.ldb.
>
> achim
>
> On 02.05.2016 14:31, Stefan Schäfer wrote:
>> Hi list,
>>
>> on one of our servers I found a strange id-mapping behavior. The server acts as an AD-DC and fileserver. We use the sernet-samba packages in version 4.2.9 on openSUSE Leap 42.1.
>>
>> We use the rfc3207 extension for POSIX attributes. Every group has a full set of POSIX attributes. Our gidNumbers are calculated by RID plus 20000.
>>
>> If I ask for id-mappings, "wbinfo" shows for all groups the correct mapping except for the group "domain users". This group is mapped to gidNumber 100, this is the group "users" in /etc/passwd.
>>
>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-513
>> S-1-5-21-1891182457-2156988848-2018633412-513 -> gid 100
>>
>> For all other groups it looks like:
>>
>> wbinfo --sids-to-unix-ids S-1-5-21-1891182457-2156988848-2018633412-514
>> S-1-5-21-1891182457-2156988848-2018633412-514 -> gid 20514
>>
>> A look inside the LDAP DIT shows that the attribute "gidNumber" for "domain users" is set correctly to 20513.
>>
>> Here is what testparm -v shows:
>> ...
>> idmap backend = tdb
>> idmap cache time = 604800
>> idmap negative cache time = 120
>> idmap uid
>> idmap gid
>> template homedir = /home/%D/%U
>> template shell = /bin/false
>> winbind separator = \
>> winbind cache time = 300
>> winbind reconnect delay = 30
>> winbind request timeout = 60
>> winbind max clients = 200
>> winbind enum users = No
>> winbind enum groups = No
>> winbind use default domain = No
>> winbind trusted domains only = No
>> winbind nested groups = Yes
>> winbind expand groups = 0
>> winbind nss info = template
>> winbind refresh tickets = No
>> winbind offline logon = No
>> winbind normalize names = No
>> winbind rpc only = No
>> create krb5 conf = Yes
>> ncalrpc dir = /var/run/samba/ncalrpc
>> winbind max domain connections = 1
>> winbindd socket directory = /var/run/samba/winbindd
>> winbindd privileged socket directory /var/lib/samba/winbindd_privileged
>> winbind sealed pipes = Yes
>> ....
>> winbindd:use external pipes = true
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> ...
>>
>> Has anybody an idea how I can fix this wrong idmapping?
>>
>> Other servers with the same setup didn't show this behavior.
>>
>> Regards
>>
>> Stefan
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

In my case flushing the cache did not help. I had around a dozen user accounts with uidNumbers assigned and left over (dynamic winbind) mappings in idmap.ldb. At first after a flush Samba used the uidNumber, but after a logoff/logon of the user getent passwd [user] showed the mapping from idmap.ldb. After I deleted the mapping in idmap.ldb everything went back to normal. Under 4.1 the leftover entries in idmap.ldb were never used.

smbcontrol idmap delete <ID>

can be used to delete the offending entries in idmap.ldb

On 02.05.2016 15:25, mathias dufresne wrote:
> Hey,
>
> id mapping is accessible from net command:
> net cache list
>
> you can also clean that cache:
> net cache flush
>
> After flushing the cache your users and groups having uidNumber and/or gidNumber should work as expected (i.e. using their AD declared uid/gid).
>
> Cheers,
>
> mathias
>
> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>> [...]

Hi Mathias,

grepping in the output of "net cache list" shows:

Key: IDMAP/GID2SID/20513 Timeout: Mon May 9 07:29:11 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/GID2SID/100 Timeout: Mon May 9 07:29:32 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513 Timeout: Mon May 9 07:29:32 2016 Value: 100:G

There are both values, the correct and the wrong one. Before I clear the cache, the question is: where could the wrong value come from?

Stefan

On 02.05.2016 15:25, mathias dufresne wrote:
> Hey,
>
> id mapping is accessible from net command:
> net cache list
>
> you can also clean that cache:
> net cache flush
>
> After flushing the cache your users and groups having uidNumber and/or gidNumber should work as expected (i.e. using their AD declared uid/gid).
>
> Cheers,
>
> mathias
>
> 2016-05-02 15:18 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>> [...]

--
www.invis-server.org
Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten

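A check for the kind of cache inconsistency shown in the message above, as an added example that is not part of the thread: it parses "net cache list" output in the Key/Timeout/Value layout quoted here (the sample lines are constructed, with an extra consistent -514 entry for contrast) and flags any SID of the domain that has more than one cached reverse mapping or whose forward mapping is not RID + 20000. The IDMAP/UID2SID key name and the "id:type" layout of SID2XID values are assumptions; the domain SID and the +20000 convention come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout the thread quotes from "net cache list";
# the -514 lines are made up to show a consistent entry next to the bad one.
SAMPLE = """\
Key: IDMAP/GID2SID/20513 Timeout: Mon May 9 07:29:11 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/GID2SID/100 Timeout: Mon May 9 07:29:32 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513 Timeout: Mon May 9 07:29:32 2016 Value: 100:G
Key: IDMAP/GID2SID/20514 Timeout: Mon May 9 07:30:00 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-514
Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-514 Timeout: Mon May 9 07:30:00 2016 Value: 20514:G
"""

DOMAIN_SID = "S-1-5-21-1891182457-2156988848-2018633412"  # domain SID from the thread
RID_OFFSET = 20000  # site convention from the thread: gidNumber = RID + 20000

LINE_RE = re.compile(r"^Key:\s+(?P<key>\S+)\s+Timeout:\s+.+?\s+Value:\s+(?P<value>\S+)\s*$")


def parse_cache(text):
    """Split cache lines into reverse (xid -> SID) and forward (SID -> xid) maps.
    Key names GID2SID/UID2SID/SID2XID and the "id:type" value layout are assumed
    from the lines quoted in the thread, not taken from Samba documentation."""
    reverse = defaultdict(set)  # sid -> {("gid", 100), ("gid", 20513)}
    forward = {}                # sid -> "100:G"
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("key").split("/")
        if len(parts) != 3 or parts[0] != "IDMAP":
            continue
        if parts[1] in ("GID2SID", "UID2SID"):
            reverse[m.group("value")].add((parts[1][:3].lower(), int(parts[2])))
        elif parts[1] == "SID2XID":
            forward[parts[2]] = m.group("value")
    return reverse, forward


def rid(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def find_conflicts(text, domain_sid=DOMAIN_SID, offset=RID_OFFSET):
    """Report domain SIDs with more than one cached reverse mapping, or whose
    forward mapping disagrees with the RID+offset convention (a stale entry)."""
    reverse, forward = parse_cache(text)
    findings = []
    for sid in sorted(set(reverse) | set(forward)):
        if not sid.startswith(domain_sid + "-"):
            continue  # BUILTIN and other well-known SIDs follow no RID+offset rule
        expected = rid(sid) + offset
        ids = sorted(x for _, x in reverse.get(sid, ()))
        if len(ids) > 1:
            findings.append((sid, "more than one cached reverse mapping", ids))
        if sid in forward:
            cached = int(forward[sid].split(":")[0])
            if cached != expected:
                findings.append((sid, "forward mapping is not RID+offset", [cached, expected]))
    return findings


if __name__ == "__main__":
    for sid, reason, ids in find_conflicts(SAMPLE):
        print(f"{sid}: {reason}: {ids}")
```

On a live server the same function can be fed the output of "net cache list" read from a pipe; the -513 entry above produces two findings, one for the duplicate reverse mapping and one for the 100 vs 20513 forward mapping.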
On 02.05.2016 15:47, Achim Gottinger wrote:
> In my case flushing the cache did not help. I had around a dozen user accounts with uidNumbers assigned and left over (dynamic winbind) mappings in idmap.ldb. At first after a flush Samba used the uidNumber, but after a logoff/logon of the user getent passwd [user] showed the mapping from idmap.ldb. After I deleted the mapping in idmap.ldb everything went back to normal. Under 4.1 the leftover entries in idmap.ldb were never used.

That's what I fear.

> smbcontrol idmap delete <ID>
>
> can be used to delete the offending entries in idmap.ldb

I never worked with smbcontrol, is it possible to use smbcontrol to show all idmappings? Does "ID" mean the SID?

Stefan

> On 02.05.2016 15:25, mathias dufresne wrote:
>> [...]

On 02/05/16 15:08, Stefan Schäfer wrote:
> Hi Mathias,
>
> grepping in the output of "net cache list" shows:
>
> Key: IDMAP/GID2SID/20513 Timeout: Mon May 9 07:29:11 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
> Key: IDMAP/GID2SID/100 Timeout: Mon May 9 07:29:32 2016 Value: S-1-5-21-1891182457-2156988848-2018633412-513
> Key: IDMAP/SID2XID/S-1-5-21-1891182457-2156988848-2018633412-513 Timeout: Mon May 9 07:29:32 2016 Value: 100:G
>
> There are both values, the correct and the wrong one. Before I clear the cache, the question is: where could the wrong value come from?
>
> Stefan
>
> On 02.05.2016 15:25, mathias dufresne wrote:
>> [...]

How shall I put this, I know :-)

Your post subject is incorrect, it should be '[Samba] Normal ID-Mapping behaviour'.

Mapping 'Domain Users' to the GID '100' is perfectly normal on a DC, it is done automatically, but if you give 'Domain Users' a gidNumber, you need to remove 'Domain Users' from idmap.ldb. You can do this with smbcontrol or by opening idmap.ldb with ldbedit, finding and deleting the entry for RID 513.

Rowland