samba - Jan 2018 - idmap limit?

Ok, you are completely right. Here are the real numbers with changed 
user names:

drwx------ 43 DOM\user1        DOM\domain-user  4096 Jan 10 08:00 user1
drwx------   5 DOM\user2        DOM\domain-user  4096 Jan 11 08:13 user2
drwx------ 92 DOM\user3        DOM\domain-user   4096 Jan 16 08:39 user3
drwx------   3        133265        DOM\domain-user   4096 Sep  7 2015 user4
drwx------   7        470055        DOM\domain-user   4096 Apr 30 2013 user5
drwx------ 12 DOM\user6        DOM\domain-user   4096 Jan  4 12:46 user6
drwx------ 51 DOM\user7        DOM\domain-user   4096 Jan 15 23:01 user7
drwx------   2          95092        DOM\domain-user   4096 Jul 1  2015 
user8
drwx------  3 DOM\user9         DOM\domain-user   4096 Jun  8 2015 user9
....
drwx------  7 DOM\user200    DOM\domain-user   4096 Nov  6  2012 user200

  > wbinfo --uid-info=133265
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 133265

  > wbinfo -i DOM\\user4
DOM\user4:*:133265:10513::/home/user4:/bin/bash

After the last command (wbinfo -i DOM\\user4) also "wbinfo
--uid-info=133265" shows the correct result and the "ls -l" list
also
list the user name instead of the uid.


Am 16.01.2018 um 16:38 schrieb Rowland Penny via samba:
> On Tue, 16 Jan 2018 16:20:52 +0100
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> no, that's my fault. I changed the UIDs and user names in my
"ls -l"
>> to unpersonalized/example data for my mail and didn't think about
>> putting these values into the range. A better unpersonalized data
>> example would look like:
>>
>> ----------
>>
>> drwx------ 43 DOM\user1        DOM\group  4096 Jan 10 08:00 user1
>> drwx------   5 DOM\user2        DOM\group  4096 Jan 11 08:13 user2
>> drwx------  3         10234          DOM\group  4096 Sep  7  2015
>> user3 drwx------  7         10235          DOM\group  4096 Apr 30
>> 2013 user4 drwx------ 12 DOM\user5        DOM\group   4096 Jan  4
>> 12:46 user5 drwx------  2         10236          DOM\group   4096
>> Jul  1 2015 user6 ....
>>
>> When we run a "wbinfo --uid-info" for an unmapped user, we
are
>> getting:
>>
>>   > wbinfo --uid-info=10234
>> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for uid 10234
>>
>> When we run "wbinfo -i" for that user, everything works fine.
>>
>>   > wbinfo -i DOM\\user3
>> DOM\user3:*:10234:10001::/home/user3:/bin/bash
>>
>> After the last command (wbinfo -i DOM\\user3) also "wbinfo
>> --uid-info=10234" shows the correct result and the "ls
-l" list also
>> list the user name instead of the uid.
>>
> Please don't mess with the numbers, '10234' is still an invalid
ID. You
> are using the 'rid' backend and this calculates the ID from the RID
> with:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> To calculate the RID from the ID, you would use:
>
> RID = ID + BASE_RID - LOW_RANGE_ID
>
> the 'BASE_RID' is always '0' (unless you set it) so the
above becomes:
>
> RID = 10234 - 10000
>
> RID = 234
>
> Please post again with the CORRECT IDs, a number cannot be that
> secret ;-)
>
> Rowland
>
-- 
Viele Grüße
Andreas Hauffe
Leiter des Forschungsfeldes "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the
following web address:
http://www.elamx.de

On Tue, 16 Jan 2018 16:54:17 +0100
Andreas Hauffe via samba <samba at lists.samba.org> wrote:
> Ok, you are completely right. Here are the real numbers with changed 
> user names:
> 
> drwx------ 43 DOM\user1        DOM\domain-user  4096 Jan 10 08:00
> user1 drwx------   5 DOM\user2        DOM\domain-user  4096 Jan 11
> 08:13 user2 drwx------ 92 DOM\user3        DOM\domain-user   4096 Jan
> 16 08:39 user3 drwx------   3        133265        DOM\domain-user
> 4096 Sep  7 2015 user4 drwx------   7        470055
> DOM\domain-user   4096 Apr 30 2013 user5 drwx------ 12 DOM\user6
>        DOM\domain-user   4096 Jan  4 12:46 user6 drwx------ 51
> DOM\user7        DOM\domain-user   4096 Jan 15 23:01 user7
> drwx------   2          95092        DOM\domain-user   4096 Jul 1
> 2015 user8 drwx------  3 DOM\user9         DOM\domain-user   4096
> Jun  8 2015 user9 ....
> drwx------  7 DOM\user200    DOM\domain-user   4096 Nov  6  2012
> user200
> 
>   > wbinfo --uid-info=133265
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 133265
> 
>   > wbinfo -i DOM\\user4
> DOM\user4:*:133265:10513::/home/user4:/bin/bash
> 
> After the last command (wbinfo -i DOM\\user4) also "wbinfo
> --uid-info=133265" shows the correct result and the "ls -l"
list also
> list the user name instead of the uid.
> 
> 
One thing I have spotted:

/etc/krb5.conf should be:

[libdefaults]
     default_realm = DOM2.DOM.TU-DRESDEN.DE
     dns_lookup_realm = false
     dns_lookup_kdc = true

What is 'DOM2' ?
Is it a trusted domain ?

As I said, you are using the 'rid' backend and adding users to AD
shouldn't affect how winbind works. Your user 'user4' must have the
RID
'123265' and so should be available as a Unix user.

I take it that the Unix domain member is using the DC as its dnd
nameserver.

Rowland

Am 16.01.2018 um 17:26 schrieb Rowland Penny via samba:
> On Tue, 16 Jan 2018 16:54:17 +0100
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Ok, you are completely right. Here are the real numbers with changed
>> user names:
>>
>> drwx------ 43 DOM\user1        DOM\domain-user  4096 Jan 10 08:00
>> user1 drwx------   5 DOM\user2        DOM\domain-user  4096 Jan 11
>> 08:13 user2 drwx------ 92 DOM\user3        DOM\domain-user   4096 Jan
>> 16 08:39 user3 drwx------   3        133265        DOM\domain-user
>> 4096 Sep  7 2015 user4 drwx------   7        470055
>> DOM\domain-user   4096 Apr 30 2013 user5 drwx------ 12 DOM\user6
>>         DOM\domain-user   4096 Jan  4 12:46 user6 drwx------ 51
>> DOM\user7        DOM\domain-user   4096 Jan 15 23:01 user7
>> drwx------   2          95092        DOM\domain-user   4096 Jul 1
>> 2015 user8 drwx------  3 DOM\user9         DOM\domain-user   4096
>> Jun  8 2015 user9 ....
>> drwx------  7 DOM\user200    DOM\domain-user   4096 Nov  6  2012
>> user200
>>
>>    > wbinfo --uid-info=133265
>> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for uid 133265
>>
>>    > wbinfo -i DOM\\user4
>> DOM\user4:*:133265:10513::/home/user4:/bin/bash
>>
>> After the last command (wbinfo -i DOM\\user4) also "wbinfo
>> --uid-info=133265" shows the correct result and the "ls
-l" list also
>> list the user name instead of the uid.
>>
>>
> One thing I have spotted:
>
> /etc/krb5.conf should be:
>
> [libdefaults]
>       default_realm = DOM2.DOM.TU-DRESDEN.DE
>       dns_lookup_realm = false
>       dns_lookup_kdc = true
>
> What is 'DOM2' ?
> Is it a trusted domain ?
>
> As I said, you are using the 'rid' backend and adding users to AD
> shouldn't affect how winbind works. Your user 'user4' must have
the RID
> '123265' and so should be available as a Unix user.
>
> I take it that the Unix domain member is using the DC as its dnd
> nameserver.
>
> Rowland
>
Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain 
(DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitiv trust). 
At our university we have a parent domain "DOM.EXAMPLE.DE" were all
the
user accounts are hold/administered. Every department have a subdomain 
for their services. In our example case "DOM2.DOM.EXAMPLE.DE". The 
client and so the member server are member of "DOM2.DOM.EXAMPLE.DE".
But
most of the users are from "DOM.EXAMPLE.DE".

And I checked, the RID of the user4 is 123265.

Yes, the DC (actually both DCs) is the dns of the unix member server.

-- 
Viele Grüße
Andreas Hauffe
Leiter des Forschungsfeldes "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the
following web address:
http://www.elamx.de