Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[Samba] idmap GID range became full without reason

825 views
Skip to first unread message

Andrew Hotlab

unread,
Jun 10, 2010, 7:00:02 AM6/10/10
to

Please excuse my ignorance: I have been running Samba for a little time, and I've very little experience with it.

I'm running Samba 3.0.37 on FreeBSD 7.2/amd64, configured as member server of a domain whose PDC is a Samba 3.0.25b-apple (the default Samba instance running on a Mac OS X 10.5.8).

The member server is sharing a couple of folders for 5 users (most of whom are using Mac OS 10.5.8 on their clients). Here is the smb.conf (Mac Server has the IP 192.168.167.12, FreeBSD has IP 192.168.167.6):

[global]
workgroup = XXXX
netbios name = BSD-SERVER
server string =
interfaces = 192.168.167.6/24
security = DOMAIN
auth methods = winbind
passdb backend = tdbsam
load printers = No
printcap name = /etc/printcap
disable spoolss = Yes
show add printer wizard = No
preferred master = No
local master = No
domain master = No
wins server = 192.168.167.12
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind use default domain = Yes
hide dot files = No
template homedir = /usr/local/samba/Users/%U
template shell = /bin/csh
[Users]
comment = Home Directories
path = /usr/local/samba/Users
read only = No
[Groups]
comment = Group Folders
path = /usr/local/samba/Groups
read only = No
force security mode = 0666
force directory security mode = 0775

Every two-three months, all users are unable to access shared folders because the idmap GID range became full!!

What I noticed is that each time a user mounts a shared folder, his/her GID is incremented, and when it reaches the upper limit, the file log.winbindd-idmap became full of these errors: "nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(470) Fatal Error: GID range full!! (max: 20000)"

Can anyone kindly suggest me what is causing this behavior, or at least put me in the right direction? Can I activate some debug to obtain more info about this?

Any help will be greatly appreciated: I convinced the customer to use Mac/BSD/Samba instead of going to Windows because I was confident it would have been a valid alternative, and it's hard to justify these errors… thank you all in advance!!

Andrew

_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Hotlab

unread,
Jun 10, 2010, 9:40:01 AM6/10/10
to

Andrew

_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.

gregorcy

unread,
Jun 10, 2010, 2:00:03 PM6/10/10
to

On 06/10/10 04:52, Andrew Hotlab wrote:
> Every two-three months, all users are unable to access shared folders because the idmap GID range became full!!
>
> What I noticed is that each time a user mounts a shared folder, his/her GID is incremented, and when it reaches the upper limit, the file log.winbindd-idmap became full of these errors: "nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(470) Fatal Error: GID range full!! (max: 20000)"
>
> Can anyone kindly suggest me what is causing this behavior, or at least put me in the right direction? Can I activate some debug to obtain more info about this?
>
> Any help will be greatly appreciated: I convinced the customer to use Mac/BSD/Samba instead of going to Windows because I was confident it would have been a valid alternative, and it's hard to justify these errors… thank you all in advance!!
>
> Andrew

> idmap uid = 15000-20000
> idmap gid = 15000-20000


Can you just increase the range? The setting I am using is:

> idmap uid = 500-100000000
> idmap gid = 500-100000000

--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
801.585.7170

Andrew Hotlab

unread,
Jun 11, 2010, 11:20:02 AM6/11/10
to

On 06/10/10 04:52, Andrew Hotlab wrote:
> Every two-three months, all users are unable to access shared folders because the idmap GID range became full!!
>
> What I noticed is that each time a user mounts a shared folder, his/her GID is incremented, and when it reaches the upper limit, the file log.winbindd-idmap became full of these errors: "nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(470) Fatal Error: GID range full!! (max: 20000)"
>
> Can anyone kindly suggest me what is causing this behavior, or at least put me in the right direction? Can I activate some debug to obtain more info about this?
>
> Any help will be greatly appreciated: I convinced the customer to use Mac/BSD/Samba instead of going to Windows because I was confident it would have been a valid alternative, and it's hard to justify these errors… thank you all in advance!!
>
> Andrew


> idmap uid = 15000-20000
> idmap gid = 15000-20000

Can you just increase the range? The setting I am using is:

> idmap uid = 500-100000000
> idmap gid = 500-100000000

Thank you Brian.
Yes, I can do it, but this will only shift the problem. I'd like to understand the the cause of this behavior and, if applicable, find the solution! :)

Andrew

_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969

gregorcy

unread,
Jun 11, 2010, 1:10:02 PM6/11/10
to

On 06/11/10 09:12, Andrew Hotlab wrote:
>
> On 06/10/10 04:52, Andrew Hotlab wrote:
>> Every two-three months, all users are unable to access shared folders because the idmap GID range became full!!
>>
>> What I noticed is that each time a user mounts a shared folder, his/her GID is incremented, and when it reaches the upper limit, the file log.winbindd-idmap became full of these errors: "nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(470) Fatal Error: GID range full!! (max: 20000)"
>>
>> Can anyone kindly suggest me what is causing this behavior, or at least put me in the right direction? Can I activate some debug to obtain more info about this?
>>
>> Any help will be greatly appreciated: I convinced the customer to use Mac/BSD/Samba instead of going to Windows because I was confident it would have been a valid alternative, and it's hard to justify these errors… thank you all in advance!!
>>
>> Andrew
>
>
>> idmap uid = 15000-20000
>> idmap gid = 15000-20000
>
> Can you just increase the range? The setting I am using is:
>
> idmap uid = 500-100000000
> idmap gid = 500-100000000
>
>
>
> Thank you Brian.
> Yes, I can do it, but this will only shift the problem. I'd like to understand the the cause of this behavior and, if applicable, find the solution! :)
>
> Andrew
>


I think the cause of the problem is your range is to small. Maybe it is different with the security type you are using,
I am using ADS.

--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
801.585.7170

--

Andrew Hotlab

unread,
Jun 11, 2010, 5:40:02 PM6/11/10
to

> On 06/11/10 09:12, Andrew Hotlab wrote:
> >
> > On 06/10/10 04:52, Andrew Hotlab wrote:
> >> Every two-three months, all users are unable to access shared folders because the idmap GID range became full!!
> >>
> >> What I noticed is that each time a user mounts a shared folder, his/her GID is incremented, and when it reaches the upper limit, the file log.winbindd-idmap became full of these errors: "nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(470) Fatal Error: GID range full!! (max: 20000)"
> >>
> >> Can anyone kindly suggest me what is causing this behavior, or at least put me in the right direction? Can I activate some debug to obtain more info about this?
> >>
> >> Any help will be greatly appreciated: I convinced the customer to use Mac/BSD/Samba instead of going to Windows because I was confident it would have been a valid alternative, and it's hard to justify these errors… thank you all in advance!!
> >>
> >> Andrew
> >
> >
> >> idmap uid = 15000-20000
> >> idmap gid = 15000-20000
> >
> > Can you just increase the range? The setting I am using is:
> >
> > idmap uid = 500-100000000
> > idmap gid = 500-100000000
> >
> >
> >
> > Thank you Brian.
> > Yes, I can do it, but this will only shift the problem. I'd like to understand the the cause of this behavior and, if applicable, find the solution! :)
> >

> I think the cause of the problem is your range is to small. Maybe it is different with the security type you are using,
> I am using ADS.

Perhaps this can be helpful to understand the problem... I've just tried the same version of Samba as a member server of a Windows 2003 AD (exactly the same smb.conf): the output of the id command is "uid=15001(andrew) gid=15005(domain users) groups=15005(domain users)", and the gid number never changes, even if I mount the shared folders on Mac.
I can't believe this behavior is normal: each time a user mounts a share the gid idmap increase! That would be extremely insane too, because it would make impossible to control access through group permissions!

_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969

Gaiseric Vandal

unread,
Jun 12, 2010, 5:20:02 PM6/12/10
to
Is the Mac as PDC, or a member server? What is the PDC?


Idmap is not as well documented as it could be. I am using idmap with
ldap backend for interdomain trusts, with both samba 3.0.x and samba 3.4.x
with mixed success. But the behavior you are describing is definitely not
OK.

In addition to having an idmap section for the trusted domain, I also have
an idmap section for "alloc" - I would check the smb.conf man page. I
think the "idmap mydomain" section is supposed to help samba check existing
idmap uid/gid entries and the "idmap alloc" section is supposed to keep
track of the next entry to be allocated. It sounds like samba is unable to
determine the existing idmap uid so creates another one.

Maybe you can use the wbinfo command to manually set uid/gid's and then try
to comment out the idmap entries in smb.conf to prevent future entries being
added.

Andrew Hotlab

unread,
Jun 12, 2010, 8:40:01 PM6/12/10
to

> Is the Mac as PDC, or a member server? What is the PDC?
>
> Idmap is not as well documented as it could be. I am using idmap with
> ldap backend for interdomain trusts, with both samba 3.0.x and samba 3.4.x
> with mixed success. But the behavior you are describing is definitely not
> OK.
>
> In addition to having an idmap section for the trusted domain, I also have
> an idmap section for "alloc" - I would check the smb.conf man page. I
> think the "idmap mydomain" section is supposed to help samba check existing
> idmap uid/gid entries and the "idmap alloc" section is supposed to keep
> track of the next entry to be allocated. It sounds like samba is unable to
> determine the existing idmap uid so creates another one.
>
> Maybe you can use the wbinfo command to manually set uid/gid's and then try
> to comment out the idmap entries in smb.conf to prevent future entries being
> added.
>

The Mac is the PDC, running Samba 3.0.25b-apple. The member server is
Samba 3.0.8 running on FreeBSD. I'll never have a second member server.

Sorry, but as I said, I'm a newbie with Samba: I read the man pages and
I did not understand much about your suggestion. I'm guessing you
suggested to write something like the following in my smb.conf?

[global]
idmap backend = tdb
idmap id = 15000-20000
idmap gid = 15000-20000

idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN: range = 15000-20000


Thank very much for your help and patience! :)

Sincerely

Andrew

Hotmail: Free, trusted and rich email service.

Carlos Ramos Gómez

unread,
Jan 12, 2011, 12:20:02 PM1/12/11
to
You might want to check this bug, could be affecting you.

https://bugzilla.samba.org/show_bug.cgi?id=6537

Cheers.

0 new messages