I started on samba 3.0.x and upgraded to 3.4.x. Still having only partial success myself. I have different "ou" objects in ldap for the allocation range and each trusted domain.

My smb.conf (edited somewhat) is below.

I would find that the idmapping would be created in the correct OU for each domain. I also found that the idmap id would be allocated from the "idmap alloc config" range, regardless of the range specified for the particular domain. So an idmap entry would be created for TRUSTEDDOMAIN1 in the ou=trusteddomain container, but with a UID in the 30000 range, not the 40000 range.


Not sure if this provides any insight.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


#IDMAP DEFAULT SETTINGS
idmap backend=ldap:ldap://ldap1.mydomain.com
idmap uid = 70000-79999
idmap gid = 70000-79999

#IDMAP ALLOC SETTINGS

idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldap1.mydomain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=xxxxx
idmap alloc config:range = 30000 - 79999

#IDMAP SETTINGS FOR TRUSTEDDOMAIN1

idmap config TRUSTEDDOMAIN1:backend = ldap
idmap config TRUSTEDDOMAIN1:readonly = no
idmap config TRUSTEDDOMAIN1:default=no
idmap config TRUSTEDDOMAIN1:ldap_base_dn = ou=trusteddomain1,ou=idmap,o=mydomain.com
idmap config TRUSTEDDOMAIN1:ldap_user_dn = cn=xxxxx
idmap config TRUSTEDDOMAIN1:ldap_url = ldap://ldap1.mydomain.com
idmap config TRUSTEDDOMAIN1:range = 40000-49999








On 01/17/2011 05:27 AM, Alex Crow wrote:
Hi,

We have just managed to get winbind behaving correctly in a Samba domain with Samba member servers with help from Sernet. It is now not adding spurious entries for the "own domain".

However, a member server keeps trying to add group mappings that already exist in the LDAP idmap ou. This would not be a problem, apart from the fact that every time it fails adding an entry, the "gidnumber" attribute in the idmap ou (that determines the next available gid number) is incremented. Thus, in a short while, it hits 20000 which is the upper limit. I also don't know why it tries to add a mapping if one already exists!

Here are logs from the DMS:

[2011/01/17 10:13:50.303702, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:13:50.303749, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:13:50.303768,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:13:50.303783,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:13:50.312693, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-8015792-1768810241-176008768-513 to 12350 mapping [gidNumber]
[2011/01/17 10:13:50.312747, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:13:50.318187, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:13:50.318225, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:13:50.318245,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:13:50.318263,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:13:50.329100, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12351 mapping [gidNumber]
[2011/01/17 10:13:50.329152, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:16:01.024241, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:16:01.024285, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:16:01.024302,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:16:01.024317,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:16:01.033804, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-8015792-1768810241-176008768-513 to 12352 mapping [gidNumber]
[2011/01/17 10:16:01.033847, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:16:01.035771, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:16:01.035807, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:16:01.035832,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:16:01.035855,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:16:01.043636, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12353 mapping [gidNumber]
[2011/01/17 10:16:01.043675, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:18:15.019605, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:18:15.019664, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:18:15.019682,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:18:15.019697,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:18:17.207189, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-8015792-1768810241-176008768-513 to 12354 mapping [gidNumber]
[2011/01/17 10:18:17.207235, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:18:17.208951, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:18:17.208978, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:18:17.208994,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:18:17.209009,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:18:17.216845, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12355 mapping [gidNumber]
[2011/01/17 10:18:17.216874, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:20:34.446465, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:20:34.446506, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:20:34.446522,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:20:34.446537,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:20:36.631996, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-8015792-1768810241-176008768-513 to 12356 mapping [gidNumber]
[2011/01/17 10:20:36.632037, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:20:36.637324, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:20:36.637353, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:20:36.637370,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:20:36.637385,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:20:36.646479, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12357 mapping [gidNumber]
[2011/01/17 10:20:36.646524, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:22:36.726247, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:22:36.726286, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:22:36.726305,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:22:36.726320,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:22:36.764044, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-8015792-1768810241-176008768-513 to 12358 mapping [gidNumber]
[2011/01/17 10:22:36.764087, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:22:36.765893, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:22:36.765929, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:22:36.765982,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:22:36.766008,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:22:36.774857, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12359 mapping [gidNumber]
[2011/01/17 10:22:36.774896, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:24:41.446106, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:24:41.446146, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:24:41.446163,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:24:41.446178,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:24:41.454458, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-8015792-1768810241-176008768-513 to 12360 mapping [gidNumber]
[2011/01/17 10:24:41.454502, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)
[2011/01/17 10:24:41.456096, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/01/17 10:24:41.456132, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/17 10:24:41.456158,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/17 10:24:41.456181,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/17 10:24:41.467068, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12361 mapping [gidNumber]
[2011/01/17 10:24:41.467107, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Error was:  (Already exists)

Here is the relevant part of the DMS smb.conf:

idmap backend = ldap:ldap://pdc
idmap uid = 10000-20000
idmap gid = 10000-20000
ldap admin dn = cn=manager,dc=my,dc=net
ldap suffix = dc=ifa,dc=net
ldap idmap suffix = ou=Idmap

# the own domain, users come via nss_ldap:
idmap config MY_NET : backend = nss
idmap config MY_NET : range = 500-9999

winbind nested groups = yes
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
allow trusted domains = yes

and on the pdc:

ldap suffix = dc=my,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap

idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes

Any help to resolve this issue would be gratefully received.

Thanks

Alex
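
The failure pattern in the log above, as an added example that is not part of the original posts or of Samba: a Python script that extracts the "Failed to add" entries from a winbindd log, lists the SIDs that were handed more than one new id, and extrapolates when the range's upper bound (20000 in the quoted smb.conf) would be reached. The sample holds four entries taken from the log above; the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four of the "Failed to add" entries from the log above.
SAMPLE_LOG = """\
[2011/01/17 10:13:50.312693, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-8015792-1768810241-176008768-513 to 12350 mapping [gidNumber]
[2011/01/17 10:13:50.329100, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12351 mapping [gidNumber]
[2011/01/17 10:24:41.454458, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-21-8015792-1768810241-176008768-513 to 12360 mapping [gidNumber]
[2011/01/17 10:24:41.467068, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
  ldap_set_mapping_internals: Failed to add S-1-5-32-546 to 12361 mapping [gidNumber]
"""

# Header timestamp, then (on the same or the next line) the failed SID -> id add.
FAILED = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\][^\[]*?"
    r"Failed to add (S-[\d-]+) to (\d+) mapping \[(\w+)\]")

def parse_failures(text):
    """Return [(timestamp, sid, unix_id, attribute)] for each failed add."""
    return [(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), sid, int(n), attr)
            for ts, sid, n, attr in FAILED.findall(text)]

def leaked_ids(failures):
    """SIDs that received more than one new id; every extra id is wasted."""
    by_sid = defaultdict(list)
    for _, sid, unix_id, _ in failures:
        by_sid[sid].append(unix_id)
    return {sid: ids for sid, ids in by_sid.items() if len(set(ids)) > 1}

def hours_until_exhausted(failures, range_high):
    """Extrapolate the observed consumption rate to the range's upper bound."""
    times = [f[0] for f in failures]
    ids = [f[2] for f in failures]
    elapsed = (max(times) - min(times)).total_seconds()
    consumed = max(ids) - min(ids)
    if elapsed <= 0 or consumed <= 0:
        return None  # not enough data to estimate a rate
    return (range_high - max(ids)) * elapsed / consumed / 3600

if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for sid, ids in leaked_ids(found).items():
        print(sid, "was allocated", ids)
    print(round(hours_until_exhausted(found, 20000), 1), "hours to exhaustion")
```
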

