search for: _rob

...running, this seems to be working without issue! My guess (without looking at the code) is that one of the smbd processes had a record of a UID=20xx user, and did reverse lookup to find the SID, and somehow that led winbindd to always use the idmap.tdb info instead of querying AD for that SID. _Rob

...Spoke too soon... I just checked and auser has a 20xx UID again. It > was fine for a bit but no longer. > > $ wbinfo -i auser > auser:*:2018:10000:User Name:/home/auser:/bin/bash > > Oddly, this seems to only affect ~3 of my 20 users and the same ~3 > every time. > > _Rob > > This is very strange, have you tried running 'net cache flush' on the domain member ? Have you compared the users AD objects ? Rowland

...77 is the SID for auser) > > But I'd think winbindd would prefer the mapping in AD, given smb.conf > having our domain listed explicitly and 2xxx only as a > default/fallback. Or maybe I misunderstand how the idmaps work... does > the order in smb.conf matter at all? > > _Rob > > Hi Rob, You can try to use tdbtool to delete the offending key with uid 2020. https://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html I'd stop samba make an backup of winbind_idmap.tdb and give it a try. In my case deleting the mappings from idamp.tdb fixed the issue of chan...

On Mon, 3 Oct 2016, Rowland Penny wrote: > On Mon, 3 Oct 2016, Rob wrote: >> # idmap config for domain >> idmap config MY.AD.REALM.COM:backend = ad >> idmap config MY.AD.REALM.COM:schema_mode = rfc2307 >> idmap config MY.AD.REALM.COM:range = 10000-99999 [...] > > You might think it works fine, but it will probably work better if

...e. (At the time, the UID from the "broken" state was outside of my terminal's scrollback range; I thought it was 2018 but I was wrong; it was 2020 all along.) All of my users seem to have entries in winbindd_idmap.tdb, actually; not just the ones that have UID-changing problems. _Rob

...77 is the SID for auser) > > But I'd think winbindd would prefer the mapping in AD, given smb.conf > having our domain listed explicitly and 2xxx only as a > default/fallback. Or maybe I misunderstand how the idmaps work... > does the order in smb.conf matter at all? > > _Rob > > OK, this is basically how the winbind 'ad' works: Domain Users is checked for a gidNumber attribute and if found winbind continues, if not found, the '*' range will be used. Once pass this point, any user that has a uidNumber attribute that contains a number inside th...

...29-2160704981-1177 (where S-*-1177 is the SID for auser) But I'd think winbindd would prefer the mapping in AD, given smb.conf having our domain listed explicitly and 2xxx only as a default/fallback. Or maybe I misunderstand how the idmaps work... does the order in smb.conf matter at all? _Rob

...;> >> But I'd think winbindd would prefer the mapping in AD, given smb.conf >> having our domain listed explicitly and 2xxx only as a >> default/fallback. Or maybe I misunderstand how the idmaps work... >> does the order in smb.conf matter at all? >> >> _Rob >> >> > Hi Rob, > > You can try to use tdbtool to delete the offending key with uid 2020. > https://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html > I'd stop samba make an backup of winbind_idmap.tdb and give it a try. > In my case deleting the mappings fr...

...without issue! > > My guess (without looking at the code) is that one of the smbd > processes had a record of a UID=20xx user, and did reverse lookup to > find the SID, and somehow that led winbindd to always use the > idmap.tdb info instead of querying AD for that SID. > > _Rob > > Thank you for the update. By getting worse do you mean other users also got affected?

...hat doesn?t exist, I simply get an empty response. I've verified that the recursive server is returning NXDOMAIN, while Samba returns NOERROR (see below). This yields funny behavior with the 'host' command, for instance, giving no output but returning success. Any ideas? Thanks! _Rob e.g., querying Samba: % dig anonexistantdomain.com @127.0.0.1 ; <<>> DiG <<>> anonexistantdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64553 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY...

...t I'd think winbindd would prefer the mapping in AD, given smb.conf >>> having our domain listed explicitly and 2xxx only as a default/fallback. Or >>> maybe I misunderstand how the idmaps work... does the order in smb.conf >>> matter at all? >>> >>> _Rob >>> >>> >>> Hi Rob, >> >> You can try to use tdbtool to delete the offending key with uid 2020. >> https://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html >> I'd stop samba make an backup of winbind_idmap.tdb and give it a try. >>...

Hi all, I've been experiencing an intermittent problem where some UIDs on a member server spontaneously change from being their AD-derived values to being allocated from the default idmap space, even when there is no change to the AD user information. Specifically, I have a member server running Samba 4.4.5 on CentOS 6.8. AD service is provided by two Samba 4.4.5 servers. The member