Hi,

I have been running a Debian 3 server without problems for a long time. Now, after upgrading to Debian jessie (Debian 4.2.14) I cannot log in any more:

smbclient -U admin -L //localhost/
Enter admin's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

In the logs:

[2017/01/14 23:37:21.636022, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
[2017/01/14 23:37:21.637610, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed

This is odd because the correct UID for this SID would be 1013.

The relevant Samba config thus far was:

passdb backend = ldapsam:ldap://ldap/
ldap ssl = Start_tls
obey pam restrictions = no
ldap admin dn = uid=admin,dc=intra
ldap suffix = dc=intra
ldap group suffix = ou=groups
ldap user suffix = ou=users
ldap machine suffix = ou=machines
ldap idmap suffix = ou=idmap
idmap uid = 25000-27000
idmap gid = 25000-27000

However, ou=idmap in the LDAP tree is empty and winbind was running.

I thought maybe it is because of the deprecated idmap uid option but no matter what I set for "idmap config", wbinfo always returns the wrong UID:

# wbinfo --sid-to-uid S-1-5-21-3909901412-745783496-1225843668-500
25003

For example, I tried

idmap config * : backend = tdb
idmap config * : range = 25000 27000

or

idmap config * : backend = rid
idmap config * : range = 0 1000

The output just does not change.

Any help would be appreciated. Thanks!

Luke

mathias dufresne
2017-Jan-16 15:02 UTC
[Samba] IDMAP problems after upgrade to Debian jessie

Hi,

To clean idmap cache I'd bet you would have to type: "net cache flush"

Then as idmap cache is cleared, it would be regenerated.

2017-01-14 23:43 GMT+01:00 Lukas Haase via samba <samba at lists.samba.org>:

> Hi,
>
> I have been running a Debian 3 server without problems for a long time.
> Now, after upgrading to Debian jessie (Debian 4.2.14) I cannot log in
> any more:
>
> smbclient -U admin -L //localhost/
> Enter admin's password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
>
> In the logs:
>
> [2017/01/14 23:37:21.636022, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [admin] -> [admin] ->
> [admin] succeeded
> [2017/01/14 23:37:21.637610, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003)
> failed
>
> This is odd because the correct UID for this SID would be 1013.
>
> The relevant Samba config thus far was:
>
> passdb backend = ldapsam:ldap://ldap/
> ldap ssl = Start_tls
> obey pam restrictions = no
> ldap admin dn = uid=admin,dc=intra
> ldap suffix = dc=intra
> ldap group suffix = ou=groups
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap idmap suffix = ou=idmap
> idmap uid = 25000-27000
> idmap gid = 25000-27000
>
> However, ou=idmap in the LDAP tree is empty and winbind was running.
>
> I thought maybe it is because of the deprecated idmap uid option but no
> matter what I set for "idmap config", wbinfo always returns the wrong UID:
>
> # wbinfo --sid-to-uid S-1-5-21-3909901412-745783496-1225843668-500
> 25003
>
> For example, I tried
>
> idmap config * : backend = tdb
> idmap config * : range = 25000 27000
>
> or
>
> idmap config * : backend = rid
> idmap config * : range = 0 1000
>
> The output just does not change.
>
> Any help would be appreciated. Thanks!
>
> Luke

Hello,

After I fixed this by deleting /var/cache/samba/gencache.tdb the problem re-appeared randomly.

"net cache flush" unfortunately had no effect. Deleting /var/cache/samba/gencache.tdb (and all kinds of other tdb's) did not work this time and eventually it worked out by removing winbind (!) and deleting these files.

Can anybody help me to understand where this *arbitrary* mapping is coming from? And why my "idmap" lines in smb.conf seem to be ignored? And why killing winbindd has an effect on this (since winbind and smb share the same config file).

Is it possible that this is a plain bug in samba?

Thanks,
Luke

On 2017-01-16 07:02, mathias dufresne via samba wrote:

> Hi,
>
> To clean idmap cache I'd bet you would have to type: "net cache flush"
>
> Then as idmap cache is cleared, it would be regenerated.
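
The following is an added example, not part of the original posts: a small triage script for the failure discussed in this thread, which pulls every "SID -> getpwuid(N) failed" entry out of an smbd log and reports whether N lies inside the idmap range configured in smb.conf instead of being the account's expected UID. The sample log and config are constructed from the lines quoted in the thread, and the function names and the `expected` table are assumptions of this example.

```python
import re

# Constructed sample input, assembled from the log lines and settings quoted in the thread.
SAMPLE_LOG = """\
[2017/01/14 23:37:21.636022, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
[2017/01/14 23:37:21.637610, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-3909901412-745783496-1225843668-500 -> getpwuid(25003) failed
"""
SAMPLE_CONF = """\
passdb backend = ldapsam:ldap://ldap/
idmap uid = 25000-27000
idmap gid = 25000-27000
"""

FAILED = re.compile(r"SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")
# Matches "idmap uid = lo-hi" and "idmap config <domain> : range = lo - hi";
# a bare space between the two numbers (as typed in the thread) is also accepted.
RANGE = re.compile(
    r"^\s*idmap\s+(?:uid|config\s+\S+\s*:\s*range)\s*=\s*(\d+)\s*[-\s]\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def uid_ranges(conf):
    """Return every UID range declared in the smb.conf text as (low, high)."""
    return [(int(lo), int(hi)) for lo, hi in RANGE.findall(conf)]

def failed_mappings(log, conf, expected=None):
    """List failed SID-to-UID lookups and compare each UID with the idmap ranges.

    `expected` is an optional {sid: uid} table supplied by the administrator
    (for instance taken from the LDAP passdb); it is not read from Samba.
    """
    expected = expected or {}
    ranges = uid_ranges(conf)
    findings = []
    for sid, uid in FAILED.findall(log):
        uid = int(uid)
        findings.append({
            "sid": sid,
            "uid": uid,
            "in_idmap_range": any(lo <= uid <= hi for lo, hi in ranges),
            "expected_uid": expected.get(sid),
        })
    return findings

if __name__ == "__main__":
    known = {"S-1-5-21-3909901412-745783496-1225843668-500": 1013}
    for f in failed_mappings(SAMPLE_LOG, SAMPLE_CONF, known):
        print(f)
```
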