> On Tue, Oct 24, 2017 at 12:28:53PM -0000, rdratlos(a)yahoo.co.uk wrote:
> 
> If you start with empty caches on the winbind side the results should
> stay the same because changes in the mapping should be very rare. Please
> note that by default 'idmap cache time' is 1 week because of the rare
> changes, see man smb.conf for more details.
> 

In general I would agree. But winbindd does not follow this principle. If sssd 
is not running, winbindd will directly contact the AD domain controller and 
request the UID/SID information. As the id mapping setting in smb.conf has been 
optimized for use of the sss_idmap backend, wbinfo will return the wrong UID 
and GID as shown in the post before:

> 
> wbinfo -i rdratlos (from winbindd with sss_idmap)
> rdratlos:*:10000:10006:Thomas Xyz:/home/MYDOMAIN/rdratlos:/bin/false 
> 

For sure, the long running gencache might prevent this, but we ran into this 
situation when upgrading sssd (-> 1.15.3) and samba (4.7.0) in parallel. The 
samba debug log showed the following error:

  Failed to register idmap module.
  The module was compiled against SMB_IDMAP_INTERFACE_VERSION 5,
  current SMB_IDMAP_INTERFACE_VERSION is 6.
  Please recompile against the current version of samba!

Even after rolling back Samba to version 4.6.7 winbindd's long running cache 
kept the wrong IDs and prevented some users from connecting to the file shares. 
The required information to solve this problem can only be retrieved from 
low-level debug logs. 

BR

Thomas
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org