
[Samba] tdb idmap returns different GID's for the same SID from time to time


Pavel Bychykhin

Sep 16, 2013, 5:00:02 AM
Greetings!

I have Samba 3.6.18 acting as a domain member.
I'm using Samba NSS and creating local groups for domain users.
Here is part of my nsswitch.conf:

group: files winbind
passwd: files winbind

The problem is that the tdb unix GID mappings return a different ID from time to time for the same SIDs.
Suppose we have a local group "samba_svn1", created with "NET SAM CREATELOCALGROUP".
After creation, group "samba_svn1" has SID S-1-5-21-3743722752-3344840800-2625497366-1074 and GID 30025. But, from time to time this SID receives a different GID mapping: 30027.
Following are the results of service commands, which demonstrate the real problem:

NSS always works correctly:

[root@dynamo ~]# getfacl /zfsmount/svn/svn1
# file: /zfsmount/svn/svn1
# owner: www
# group: www
group:DYNAMO\samba_svn1:rwxpDdaARWcCos:fd----:allow
owner@:rwxp--aARWcCos:------:allow
group@:------a-R-c--s:------:allow
everyone@:------a-R-c--s:------:allow
[root@dynamo ~]# getent group samba_svn1
DYNAMO\samba_svn1:x:30025
[root@dynamo ~]# wbinfo --sid-to-gid S-1-5-21-3743722752-3344840800-2625497366-1074
30025

But, just after that, when I try to get info from the idmap DB and the cache, I see very strange results. SID
S-1-5-21-3743722752-3344840800-2625497366-1074 is mapped to GID 30027:

[root@dynamo ~]# net idmap dump|grep S-1-5-21-3743722752-3344840800-2625497366-1074
dumping id mapping from /var/db/samba/winbindd_idmap.tdb
GID 30027 S-1-5-21-3743722752-3344840800-2625497366-1074
[root@dynamo ~]# net cache list|grep S-1-5-21-3743722752-3344840800-2625497366-1074
Key: IDMAP/SID2GID/S-1-5-21-3743722752-3344840800-2625497366-1074 Timeout: Mon Sep 23 09:14:17 2013 Value: 30025
Key: IDMAP/GID2SID/30025 Timeout: Mon Sep 23 09:14:17 2013 Value: S-1-5-21-3743722752-3344840800-2625497366-1074
Key: IDMAP/GID2SID/30027 Timeout: Thu Sep 19 13:44:48 2013 Value: S-1-5-21-3743722752-3344840800-2625497366-1074

"net idmap check" doesn't resolve the problem, but gives some additional info: 30027 is the highest GID in my DB (maybe it's the key to the problem):

[root@dynamo ~]# net idmap check
check database: /var/db/samba/winbindd_idmap.tdb
uid hwm: 30018
gid hwm: 30027
mappings: 39
other: 3
invalid records: 0
missing links: 0
invalid links: 0
0 changes:

Question: is my problem because of a bug, or because of a misconfigured server? Here is my config:

[global]
dos charset = CP866
workgroup = HTS
realm = HTS.KH.UA
server string =
security = ADS
map to guest = Bad Password
local master = No
wins server = 192.168.32.5
winbind enum users = Yes
winbind enum groups = Yes
winbind expand groups = 10
winbind nss info = rfc2307
winbind max domain connections = 50
idmap config HTS : schema_mode = rfc2307
idmap config HTS : range = 10000-29999
idmap config HTS : backend = ad
idmap config HTS : default = yes
idmap config * : range = 30000-49999
idmap config * : backend = tdb

[svn1]
path = /zfsmount/svn/svn1
valid users = @samba_svn1
read only = No
create mask = 0700
force create mode = 0700
inherit owner = Yes
map archive = No
map readonly = no
vfs objects = zfsacl
nfs4: chown = no
nfs4:acedup = dontcare
nfs4: mode = special

P.S. An upgrade to the newer ver. 4.0 is undesirable for me, and I will do it only if ver. 4.0 really solves my problem.

Thanks in advance.
--
Best regards,
Pavel
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba