
[Samba] idmap limit?




Hi,

We are running a file server as a member server of a Windows 2012 domain. Now we are facing the problem that some UIDs are not mapped to user names by the running winbindd process. This results in "nobody" usernames for NFS shares mounted by other clients.

When doing an "ls -l" in the homes directory on the member server (file server), the list looks like:

drwx------ 43 DOM\user1  DOM\group  4096 Jan 10 08:00 user1
drwx------  5 DOM\user2  DOM\group  4096 Jan 11 08:13 user2
drwx------  3 1234       DOM\group  4096 Sep  7  2015 user3
drwx------  7 1235       DOM\group  4096 Apr 30  2013 user4
drwx------ 12 DOM\user5  DOM\group  4096 Jan  4 12:46 user5
drwx------  2 1236       DOM\group  4096 Jul  1  2015 user6
....

When we run "wbinfo --uid-info" for an unmapped user, we get:

> wbinfo --uid-info=1234
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 1234

When we run "wbinfo -i" for that user, everything works fine.

> wbinfo -i DOM\\user3
DOM\user3:*:1234:1000::/home/user3:/bin/bash

After the last command (wbinfo -i DOM\\user3), "wbinfo --uid-info=1234" also shows the correct result, and the "ls -l" listing also shows the user name instead of the UID.

So the question is whether there is any limit on the UID-to-user-name mapping in winbind, since the problem started while we were increasing the number of clients and users.

smb.conf looks like:

[global]
    security = ADS
    workgroup = DOM2
    realm = DOM2.DOM.EXAMPLE.DE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    template homedir = /home/%U
    template shell = /bin/bash

    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config DOM2 : backend = rid
    idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-9999999 # UID from RID for DOM

    winbind refresh tickets = yes

nsswitch.conf looks like:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files

idmapd.conf looks like:

[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = dom2.dom.example.de
Local-Realms = DOM2.DOM.EXAMPLE.DE,DOM.EXAMPLE.DE

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

krb5.conf looks like:

[libdefaults]
    default_realm = DOM2.DOM.TU-DRESDEN.DE
    dns_lookup_realm = true
    dns_lookup_kdc = true


--
Regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe@xxxxxxxxxxxxx
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
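
An added example, not part of the original post and not Samba code: when "ls -l" shows a bare number, this maps the UID back to the idmap domain and RID that winbind would have to resolve, using the "idmap config" lines quoted above. The function names are hypothetical; the RID arithmetic (ID = RID - base_rid + low end of range, base_rid defaulting to 0) is the one documented for the rid backend in idmap_rid(8).

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the post.
SMB_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config DOM2 : backend = rid
    idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-9999999 # UID from RID for DOM
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {"backend", "low", "high", "base_rid"}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {"base_rid": 0})
        if key == "range":
            # Only the leading "low-high" is read, so trailing text such as
            # the inline "# ..." remarks in the sample does not break parsing.
            low, high = re.match(r"(\d+)\s*-\s*(\d+)", value).groups()
            entry["low"], entry["high"] = int(low), int(high)
        elif key == "base_rid":
            entry["base_rid"] = int(value)
        elif key == "backend":
            entry["backend"] = value.split()[0]
    return domains


def locate_uid(uid, domains):
    """Return (domain, backend, rid) for the range containing uid, else None.

    rid is computed only for the rid backend; other backends give None.
    """
    for name, d in domains.items():
        if "low" in d and d["low"] <= uid <= d["high"]:
            rid = uid - d["low"] + d["base_rid"] if d.get("backend") == "rid" else None
            return name, d.get("backend"), rid
    return None


if __name__ == "__main__":
    for uid in (2500, 3500, 11234):
        print(uid, locate_uid(uid, parse_idmap(SMB_CONF)))
```

A result of None means the UID lies outside every configured range, so no idmap domain in this smb.conf claims it.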
