Re: [Samba] Winbind behaviour odd in 3.4.9 and 3.5.6 vs 3.2.14 (Samba domain with Samba member servers)

Tue, 26 Oct 2010 09:29:10 -0700

I may have indeed forgot to clear the cache files after upgrading from samba 3.0x to 3.4.x.
I had various issues with samba servers as member servers - mostly in keeping idmap entries consistent across machines. The solution in the end had been to covert the member servers to BDC's and have ldap backend for everything. Altho I suspect that the "idmap .. backend: nss" may have been an alternate solution. I don't think it was an option for samba 3.0.x and I needed a BDC anyway. 


I have found the online  samba documention on idmap  less than optimal.  
(The man pages are ok tho.)   There are ranges set for each trusted  
domain as well as the "idmap alloc config:range."    I am not quite sure 
if the "idmap alloc config:range" should encompass all the domain ranges 
or if idmap is supposed to allocate id's from the domain ranges.   My 
experience so far is that new entries are from "idmap alloc 
config:range."   I guess the domain specific ranges are where idmap is 
supposed to check for existing mappings first?





On 10/26/2010 12:02 PM, Alex Crow wrote:

On 26/10/10 16:32, Gaiseric Vandal wrote:

You may need to specify separate idmap sections for each domain, as 
well as general settings.  Samples of my smb.conf (samba 3.4.x ) are 
below.



When I was on samba 3.0.x, idmap entries would populate for each 
domain in the correct OU.  It would use the general idmap range, not 
domain specific range (which wasn't a problem.)  The problem with 
samba 3.0.x is that one the idmap cache expired it would not 
renew.    I moved to samba 3.4.x which fixed some issue BUT now stuff 
does not auto populate.  For "trustedomain1" there is only a handful 
of users, and that almost never changes so manually adding idmap 
entries (via an ldap editor or wbinfo --allocate-uid  / 
--allocate-gid) was OK.



Strange - I have the opposite problem in that I get my Idmap ou 
populated but also "contaminated" with stuff that should not be there 
(because it is in the LDAP db and is in the local domain). However to 
get the population to work at all I had to remove the gencache.tdb and 
winbind_cache.tdb (and the old idmap_cache.tdb) files before starting 
samba and winbind.



I /do/ get my trusted domain working OK - from what you say you are 
having to add Idmap entries by hand, which in my situation would be 
completely impractical (500 accounts in one of the domains - it's a 
bidirectional trust). Perhaps you could try removing the cache files.


I have tried adding this to my config files on a test 3.5.6 domain:

idmap config TESTDOM1 : backend = nss
idmap config TESTDOM1 : range = 500-9999


Which seems to help stop the entries for accounts already in the LDAP 
db being put into Idmap, but I am not sure if I should reduce the 
lower boundary to "0" as I still get entries added for widely known 
SIDs as soon as a client connects to a share on the member server:


dn: sambaSID=S-1-1-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10028
sambaSID: S-1-1-0
structuralObjectClass: sambaSidEntry
entryUUID: b7a12d38-7565-102f-938a-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026155911Z
entryCSN: 20101026155911Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026155911Z

dn: sambaSID=S-1-5-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10029
sambaSID: S-1-5-2
structuralObjectClass: sambaSidEntry
entryUUID: b7a30e6e-7565-102f-938b-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026155911Z
entryCSN: 20101026155911Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026155911Z


And even odder entries like this which do not match any "widely know 
SIDs":


dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10032
sambaSID: S-1-22-2-0
structuralObjectClass: sambaSidEntry
entryUUID: f93738b4-7565-102f-938e-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000001#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-1,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10033
sambaSID: S-1-22-2-1
structuralObjectClass: sambaSidEntry
entryUUID: f937bfb4-7565-102f-938f-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10034
sambaSID: S-1-22-2-2
structuralObjectClass: sambaSidEntry
entryUUID: f93828d2-7565-102f-9390-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-3,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10035
sambaSID: S-1-22-2-3
structuralObjectClass: sambaSidEntry
entryUUID: f9389114-7565-102f-9391-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000007#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-4,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10036
sambaSID: S-1-22-2-4
structuralObjectClass: sambaSidEntry
entryUUID: f9390388-7565-102f-9392-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000009#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-6,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10037
sambaSID: S-1-22-2-6
structuralObjectClass: sambaSidEntry
entryUUID: f9399cd0-7565-102f-9393-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000b#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10038
sambaSID: S-1-22-2-10
structuralObjectClass: sambaSidEntry
entryUUID: f93a2952-7565-102f-9394-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000d#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

I really think there is some breakage here!

Cheers

Alex



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba






















					Reply via email to