I may indeed have forgotten to clear the cache files after upgrading from samba 3.0.x to 3.4.x.

I had various issues with samba servers as member servers - mostly in keeping idmap entries consistent across machines. The solution in the end had been to convert the member servers to BDCs and have an ldap backend for everything. Although I suspect that the "idmap .. backend: nss" may have been an alternate solution. I don't think it was an option for samba 3.0.x and I needed a BDC anyway.

I have found the online samba documentation on idmap less than optimal. (The man pages are ok though.) There are ranges set for each trusted domain as well as the "idmap alloc config:range." I am not quite sure if the "idmap alloc config:range" should encompass all the domain ranges or if idmap is supposed to allocate ids from the domain ranges. My experience so far is that new entries come from "idmap alloc config:range." I guess the domain specific ranges are where idmap is supposed to check for existing mappings first?

On 10/26/2010 12:02 PM, Alex Crow wrote:
On 26/10/10 16:32, Gaiseric Vandal wrote:
You may need to specify separate idmap sections for each domain, as well as general settings. Samples of my smb.conf (samba 3.4.x ) are below.

When I was on samba 3.0.x, idmap entries would populate for each domain in the correct OU. It would use the general idmap range, not the domain specific range (which wasn't a problem.) The problem with samba 3.0.x is that once the idmap cache expired it would not renew. I moved to samba 3.4.x which fixed some issues BUT now stuff does not auto populate. For "trustedomain1" there is only a handful of users, and that almost never changes so manually adding idmap entries (via an ldap editor or wbinfo --allocate-uid / --allocate-gid) was OK.

Strange - I have the opposite problem in that I get my Idmap ou populated but also "contaminated" with stuff that should not be there (because it is in the LDAP db and is in the local domain). However to get the population to work at all I had to remove the gencache.tdb and winbind_cache.tdb (and the old idmap_cache.tdb) files before starting samba and winbind.

I /do/ get my trusted domain working OK - from what you say you are having to add Idmap entries by hand, which in my situation would be completely impractical (500 accounts in one of the domains - it's a bidirectional trust). Perhaps you could try removing the cache files.

I have tried adding this to my config files on a test 3.5.6 domain:

idmap config TESTDOM1 : backend = nss
idmap config TESTDOM1 : range = 500-9999

Which seems to help stop the entries for accounts already in the LDAP db being put into Idmap, but I am not sure if I should reduce the lower boundary to "0" as I still get entries added for widely known SIDs as soon as a client connects to a share on the member server:

dn: sambaSID=S-1-1-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10028
sambaSID: S-1-1-0
structuralObjectClass: sambaSidEntry
entryUUID: b7a12d38-7565-102f-938a-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026155911Z
entryCSN: 20101026155911Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026155911Z

dn: sambaSID=S-1-5-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10029
sambaSID: S-1-5-2
structuralObjectClass: sambaSidEntry
entryUUID: b7a30e6e-7565-102f-938b-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026155911Z
entryCSN: 20101026155911Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026155911Z

And even odder entries like this which do not match any "widely known SIDs":

dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10032
sambaSID: S-1-22-2-0
structuralObjectClass: sambaSidEntry
entryUUID: f93738b4-7565-102f-938e-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000001#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-1,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10033
sambaSID: S-1-22-2-1
structuralObjectClass: sambaSidEntry
entryUUID: f937bfb4-7565-102f-938f-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10034
sambaSID: S-1-22-2-2
structuralObjectClass: sambaSidEntry
entryUUID: f93828d2-7565-102f-9390-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-3,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10035
sambaSID: S-1-22-2-3
structuralObjectClass: sambaSidEntry
entryUUID: f9389114-7565-102f-9391-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000007#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-4,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10036
sambaSID: S-1-22-2-4
structuralObjectClass: sambaSidEntry
entryUUID: f9390388-7565-102f-9392-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000009#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-6,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10037
sambaSID: S-1-22-2-6
structuralObjectClass: sambaSidEntry
entryUUID: f9399cd0-7565-102f-9393-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000b#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10038
sambaSID: S-1-22-2-10
structuralObjectClass: sambaSidEntry
entryUUID: f93a2952-7565-102f-9394-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000d#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

I really think there is some breakage here!

Cheers

Alex

