Re: [Samba] idmap limit?




Hi,

no, that's my fault. I changed the UIDs and user names in my "ls -l" to unpersonalized/example data for my mail and didn't think about putting these values into the range. A better unpersonalized data example would look like:

----------

drwx------ 43 DOM\user1        DOM\group  4096 Jan 10 08:00 user1
drwx------   5 DOM\user2        DOM\group  4096 Jan 11 08:13 user2
drwx------  3         10234          DOM\group  4096 Sep  7  2015 user3
drwx------  7         10235          DOM\group  4096 Apr 30  2013 user4
drwx------ 12 DOM\user5        DOM\group   4096 Jan  4 12:46 user5
drwx------  2         10236          DOM\group   4096 Jul  1 2015 user6
....

When we run a "wbinfo --uid-info" for an unmapped user, we are getting:

> wbinfo --uid-info=10234
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10234

When we run "wbinfo -i" for that user, everything works fine.

> wbinfo -i DOM\\user3
DOM\user3:*:10234:10001::/home/user3:/bin/bash

After the last command (wbinfo -i DOM\\user3), "wbinfo --uid-info=10234" also shows the correct result, and the "ls -l" list also lists the user name instead of the uid.

---------



On 16.01.2018 at 16:06, Rowland Penny via samba wrote:
On Tue, 16 Jan 2018 15:22:44 +0100
Andreas Hauffe via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

we are running a file server as a member server of a Windows 2012
domain. Now we are facing the problem that some UIDs are not mapped
to the user names by the running winbindd process. This results in
"nobody" usernames for NFS shares mounted by other clients.

When doing an "ls -l" in the homes directory on the member server
(file server), the list looks like:

drwx------ 43 DOM\user1        DOM\group  4096 Jan 10 08:00 user1
drwx------   5 DOM\user2        DOM\group  4096 Jan 11 08:13 user2
drwx------  3           1234          DOM\group  4096 Sep  7  2015 user3
drwx------  7           1235          DOM\group  4096 Apr 30  2013 user4
drwx------ 12 DOM\user5        DOM\group   4096 Jan  4 12:46 user5
drwx------  2           1236          DOM\group   4096 Jul  1 2015 user6
....

When we run a "wbinfo --uid-info" for an unmapped user, we are
getting:

  > wbinfo --uid-info=1234
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 1234

When we run "wbinfo -i" for that user, everything works fine.

  > wbinfo -i DOM\\user3
DOM\user3:*:1234:1000::/home/user3:/bin/bash

After the last command (wbinfo -i DOM\\user3), "wbinfo
--uid-info=1234" also shows the correct result, and the "ls -l" list
also lists the user name instead of the uid.

So the question is whether there is any limit for the UID to user name
mapping in winbind, since the problem started while increasing the
number of clients and users.

smb.conf looks like:

[global]
      security = ADS
      workgroup = DOM2
      realm = DOM2.DOM.EXAMPLE.DE
      dedicated keytab file = /etc/krb5.keytab
      kerberos method = secrets and keytab

      template homedir = /home/%U
      template shell = /bin/bash

      idmap config * : backend = tdb
      idmap config * : range = 2000-2999
      idmap config DOM2 : backend = rid
      idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
      idmap config DOM : backend = rid
      idmap config DOM : range = 10000-9999999 # UID from RID for DOM

      winbind refresh tickets = yes

nsswitch.conf looks like:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files

idmapd.conf looks like:

[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = dom2.dom.example.de
Local-Realms = DOM2.DOM.EXAMPLE.DE,DOM.EXAMPLE.DE

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

krb5.conf looks like:

[libdefaults]
      default_realm = DOM2.DOM.TU-DRESDEN.DE
      dns_lookup_realm = true
      dns_lookup_kdc = true


Is the user '1234' stored in AD or /etc/passwd ?

 From the number '1234' it is not a member of 'DOM' (range
10000-9999999), or 'DOM2' (range 3000-9999) or a member of '*' (range
2000-2999), it looks like it is probably a local Unix user.

Rowland

--
Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe@xxxxxxxxxxxxx
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
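
The range check Rowland applies by hand above, as an added example that is not part of the original mails or of Samba: it parses the idmap lines of the posted smb.conf, reports overlapping ranges, and says which domain a UID belongs to. The RID calculation follows the idmap_rid manual page (RID = ID + base_rid - low range, base_rid defaulting to 0); the function names are hypothetical and every domain is assumed to carry a range line.

```python
import re

# idmap lines from the smb.conf posted in the thread (trailing comments dropped).
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config DOM2 : backend = rid
idmap config DOM2 : range = 3000-9999
idmap config DOM : backend = rid
idmap config DOM : range = 10000-9999999
"""

LINE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {"backend": str, "low": int, "high": int, "base_rid": int}}."""
    domains = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dom, key, value = m.groups()
        entry = domains.setdefault(dom, {"base_rid": 0})
        if key == "range":
            entry["low"], entry["high"] = (int(x) for x in value.split("-"))
        elif key == "base_rid":
            entry["base_rid"] = int(value)
        else:
            entry[key] = value
    return domains

def overlaps(domains):
    """Return neighbouring domain pairs whose ID ranges overlap; empty means none do."""
    items = sorted(domains.items(), key=lambda kv: kv[1]["low"])
    return [(a, b) for (a, ra), (b, rb) in zip(items, items[1:]) if rb["low"] <= ra["high"]]

def locate(uid, domains):
    """Return (domain, backend, rid) for the range holding uid, or None if no range does."""
    for dom, r in domains.items():
        if r["low"] <= uid <= r["high"]:
            rid = uid - r["low"] + r["base_rid"] if r.get("backend") == "rid" else None
            return dom, r.get("backend"), rid
    return None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlaps(cfg))
    for uid in (1234, 10234):  # the two example UIDs used in the thread
        print(uid, "->", locate(uid, cfg))
```

A UID for which `locate` returns `None` cannot have been produced by winbind under this configuration, which is the conclusion drawn for 1234 above; 10234 falls in the DOM range.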
