Hi,

we are running a file server as a member server of a Windows 2012 domain. Now we are facing the problem that some UIDs are not mapped to the user names by the running winbindd process. This results in "nobody" usernames for NFS shares mounted by other clients.

When doing an "ls -l" in the homes directory on the member server (file server), the list looks like:

    drwx------ 43 DOM\user1 DOM\group 4096 Jan 10 08:00 user1
    drwx------  5 DOM\user2 DOM\group 4096 Jan 11 08:13 user2
    drwx------  3 1234      DOM\group 4096 Sep  7  2015 user3
    drwx------  7 1235      DOM\group 4096 Apr 30  2013 user4
    drwx------ 12 DOM\user5 DOM\group 4096 Jan  4 12:46 user5
    drwx------  2 1236      DOM\group 4096 Jul  1  2015 user6
    ....

When we run a "wbinfo --uid-info" for an unmapped user, we are getting:

    > wbinfo --uid-info=1234
    failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for uid 1234

When we run "wbinfo -i" for that user, everything works fine.

    > wbinfo -i DOM\\user3
    DOM\user3:*:1234:1000::/home/user3:/bin/bash

After the last command (wbinfo -i DOM\\user3), "wbinfo --uid-info=1234" also shows the correct result and the "ls -l" list also lists the user name instead of the UID.

So the question is whether there is any limit for the UID to user name mapping in winbind, since the problem started while increasing the number of clients and users.

smb.conf looks like:

    [global]
        security = ADS
        workgroup = DOM2
        realm = DOM2.DOM.EXAMPLE.DE
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        template homedir = /home/%U
        template shell = /bin/bash

        idmap config * : backend = tdb
        idmap config * : range = 2000-2999
        idmap config DOM2 : backend = rid
        idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
        idmap config DOM : backend = rid
        idmap config DOM : range = 10000-9999999 # UID from RID for DOM

        winbind refresh tickets = yes

nsswitch.conf looks like:

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat
    gshadow:        files

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis
    sudoers:        files

idmapd.conf looks like:

    [General]

    Verbosity = 0
    Pipefs-Directory = /run/rpc_pipefs
    Domain = dom2.dom.example.de
    Local-Realms = DOM2.DOM.EXAMPLE.DE,DOM.EXAMPLE.DE

    [Mapping]

    Nobody-User = nobody
    Nobody-Group = nogroup

krb5.conf looks like:

    [libdefaults]
        default_realm = DOM2.DOM.TU-DRESDEN.DE
        dns_lookup_realm = true
        dns_lookup_kdc = true

-- 
Regards
Andreas Hauffe
Head of the research field "Auslegungsmethoden für Luftfahrzeuge"
----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering
D-01062 Dresden
Germany

phone   : +49 (351) 463 38496
fax     : +49 (351) 463 37263
mail    : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address: http://www.elamx.de

On Tue, 16 Jan 2018 15:22:44 +0100
Andreas Hauffe via samba <samba at lists.samba.org> wrote:

> idmap config * : backend = tdb
> idmap config * : range = 2000-2999
> idmap config DOM2 : backend = rid
> idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
> idmap config DOM : backend = rid
> idmap config DOM : range = 10000-9999999 # UID from RID for DOM

Is the user '1234' stored in AD or /etc/passwd?

From the number '1234' it is not a member of 'DOM' (range 10000-9999999), or 'DOM2' (range 3000-9999) or a member of '*' (range 2000-2999), it looks like it is probably a local Unix user.

Rowland

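The range check described in the reply above, as an added example that is not part of the original thread: it reads smb.conf text on stdin and reports which `idmap config` range covers a given UID. The function names `idmap_domain_for_uid` and `sample_smb_conf` are hypothetical, and the sample input is constructed from the idmap lines posted in the first message; the script only compares numbers and does not query winbind.

```shell
#!/bin/sh
# Added example: which "idmap config <DOMAIN> : range" in smb.conf covers a UID?
# Reads smb.conf text on stdin; prints the domain name, or "none".
idmap_domain_for_uid() {
    awk -v uid="$1" '
        {
            # Parameter names are case-insensitive; match on a lowered copy.
            if (tolower($0) !~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/)
                next
            dom = $3                      # idmap config <DOMAIN> : range = ...
            sub(/:.*/, "", dom)           # tolerate "DOM:" written without a space
            rng = $0
            sub(/^[^=]*=[ \t]*/, "", rng) # text after "="
            # Use only the leading LOW-HIGH and ignore anything after it.
            if (!match(rng, /^[0-9]+[ \t]*-[ \t]*[0-9]+/)) next
            split(substr(rng, 1, RLENGTH), b, /[ \t]*-[ \t]*/)
            if (uid + 0 >= b[1] + 0 && uid + 0 <= b[2] + 0) { found = dom; exit }
        }
        END { print (found == "" ? "none" : found) }
    '
}

# Constructed sample: the idmap lines from the smb.conf posted in this thread.
sample_smb_conf() {
    cat <<'EOF'
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config DOM2 : backend = rid
    idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-9999999 # UID from RID for DOM
EOF
}

# Check the example UID from the first message plus one UID per range.
for uid in 1234 2500 3500 10234; do
    printf '%s -> %s\n' "$uid" "$(sample_smb_conf | idmap_domain_for_uid "$uid")"
done
```

To check a live server, feed the real file instead of the sample: `idmap_domain_for_uid 10234 < smb.conf`.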
Hi,

no, that's my fault. I changed the UIDs and user names in my "ls -l" to unpersonalized/example data for my mail and didn't think about putting these values into the range. A better unpersonalized data example would look like:

----------

    drwx------ 43 DOM\user1 DOM\group 4096 Jan 10 08:00 user1
    drwx------  5 DOM\user2 DOM\group 4096 Jan 11 08:13 user2
    drwx------  3 10234     DOM\group 4096 Sep  7  2015 user3
    drwx------  7 10235     DOM\group 4096 Apr 30  2013 user4
    drwx------ 12 DOM\user5 DOM\group 4096 Jan  4 12:46 user5
    drwx------  2 10236     DOM\group 4096 Jul  1  2015 user6
    ....

When we run a "wbinfo --uid-info" for an unmapped user, we are getting:

    > wbinfo --uid-info=10234
    failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for uid 10234

When we run "wbinfo -i" for that user, everything works fine.

    > wbinfo -i DOM\\user3
    DOM\user3:*:10234:10001::/home/user3:/bin/bash

After the last command (wbinfo -i DOM\\user3), "wbinfo --uid-info=10234" also shows the correct result and the "ls -l" list also lists the user name instead of the UID.

---------

On 16.01.2018 at 16:06, Rowland Penny via samba wrote:
> Is the user '1234' stored in AD or /etc/passwd?
>
> From the number '1234' it is not a member of 'DOM' (range
> 10000-9999999), or 'DOM2' (range 3000-9999) or a member of '*' (range
> 2000-2999), it looks like it is probably a local Unix user.
>
> Rowland

-- 
Best regards
Andreas Hauffe