Twice this week I had a Domain Member Server "crash" A week ago I saw errors like this in log.winbindd-idmap: [2017/11/27 11:25:02.768090, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id) Error allocating a new GID [2017/11/27 11:25:02.768213, 1] ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action) Fatal Error: GID range full!! (max: 2999) I increased this from 2999 to 9999: idmap config arbeitsgruppe:schema_mode = rfc2307 idmap config arbeitsgruppe:range = 10000-9999999 idmap config arbeitsgruppe:backend = ad idmap config * : range = 2000-9999 idmap config * : backend = tdb and restarted smbd/nmbd/winbindd Today it crashed again, but without those lines: [2017/11/27 11:25:02.768228, 1] ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id) Error allocating a new GID [2017/11/27 11:26:43.632040, 1] ../source3/winbindd/winbindd.c:396(winbindd_sig_hup_handler) Reloading services after SIGHUP [2017/12/04 11:50:31.642817, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) Got sig[15] terminate (is_parent=0) [2017/12/04 11:51:50.973272, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) Got sig[15] terminate (is_parent=0) Samba-4.6.11 btw Hmm. What does samba need >3000 IDs for, when we have around 40 users and maybe 15 groups in ADS there? Can someone explain? How to maybe clean that up, get rid of wrong ids or whatever is needed here?
On Mon, 4 Dec 2017 12:13:39 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:> > Twice this week I had a Domain Member Server "crash" > > A week ago I saw errors like this in log.winbindd-idmap: > > [2017/11/27 11:25:02.768090, 1] > ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id) > Error allocating a new GID > [2017/11/27 11:25:02.768213, 1] > ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action) > Fatal Error: GID range full!! (max: 2999) > > I increased this from 2999 to 9999: > > idmap config arbeitsgruppe:schema_mode = rfc2307 > idmap config arbeitsgruppe:range = 10000-9999999 > idmap config arbeitsgruppe:backend = ad > idmap config * : range = 2000-9999 > idmap config * : backend = tdb > > and restarted smbd/nmbd/winbindd > > Today it crashed again, but without those lines: > > [2017/11/27 11:25:02.768228, 1] > ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id) > Error allocating a new GID > [2017/11/27 11:26:43.632040, 1] > ../source3/winbindd/winbindd.c:396(winbindd_sig_hup_handler) > Reloading services after SIGHUP > [2017/12/04 11:50:31.642817, 0] > ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) > Got sig[15] terminate (is_parent=0) > [2017/12/04 11:51:50.973272, 0] > ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) > Got sig[15] terminate (is_parent=0) > > Samba-4.6.11 btw > > Hmm. > > What does samba need >3000 IDs for, when we have around 40 users and > maybe 15 groups in ADS there? > > Can someone explain? > > How to maybe clean that up, get rid of wrong ids or whatever is > needed here? >II take it that 'arbeitsgruppe' is the workgroup name, it should be 'ARBEITSGRUPPE' in the 'idmap config' lines. The '*' range is used to store the Well Known SIDs and anything outside the 'arbeitsgruppe' domain, 7999 IDs is more than enough for this, in fact 999 IDs should have been enough, there are less than 200 Well Known SIDs. Your 'arbeitsgruppe' domain members should fit into 9989999 IDs I suspect that either your domain computers are not in fact domain computers, or something is badly mis-configured. Rowland
Am 2017-12-04 um 12:42 schrieb Rowland Penny:> II take it that 'arbeitsgruppe' is the workgroup name, it should be > 'ARBEITSGRUPPE' in the 'idmap config' lines.The output of testparm shows them lowercase, smb.conf has it in uppercase: [global] security = ADS workgroup = ARBEITSGRUPPE realm = arbeitsgruppe.hidden.tld log file = /var/log/samba/%m.log log level = 1 idmap config * : backend = tdb idmap config * : range = 2000-9999 idmap config ARBEITSGRUPPE:backend = ad idmap config ARBEITSGRUPPE:range = 10000-9999999 idmap config ARBEITSGRUPPE:schema_mode = rfc2307 username map = /etc/samba/user.map winbind use default domain = Yes winbind refresh tickets = Yes winbind nss info = rfc2307 load printers = No printcap name = /dev/null vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes> The '*' range is used to store the Well Known SIDs and anything outside > the 'arbeitsgruppe' domain, 7999 IDs is more than enough for this, in > fact 999 IDs should have been enough, there are less than 200 Well > Known SIDs. > Your 'arbeitsgruppe' domain members should fit into 9989999 IDs > > I suspect that either your domain computers are not in fact domain > computers, or something is badly mis-configured.Well, I come back here to ask how to do things and configure DC and DM for over a year now. We discussed the config in various threads and I always follow your suggestions and the docs as good as I can and understand. Same this time. *I* don't know what is wrong or might be wrong. You suggest the domain computers might not be what they should be: domain computers. You mean, the windows PCs might be not joined correctly?