Greetings!

I have Samba 3.6.18 acting as a domain member.
I'm using Samba NSS and creating local groups for domain users.
Here is part of my nsswitch.conf:

group: files winbind
passwd: files winbind

The problem is that the tdb Unix GID mappings return a different ID from time to
time for the same SIDs.
Suppose we have a local group "samba_svn1", created with "NET SAM
CREATELOCALGROUP".
After creation, group "samba_svn1" has SID S-1-5-21-3743722752-3344840800-2625497366-1074 and GID 30025. But, from time to time, this SID receives a different GID mapping: 30027.
The following are the results of service commands, which demonstrate the real problem:

NSS always works correctly:

[root@dynamo ~]# getfacl /zfsmount/svn/svn1
# file: /zfsmount/svn/svn1
# owner: www
# group: www
group:DYNAMO\samba_svn1:rwxpDdaARWcCos:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:------a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
[root@dynamo ~]# getent group samba_svn1
DYNAMO\samba_svn1:x:30025
[root@dynamo ~]# wbinfo --sid-to-gid S-1-5-21-3743722752-3344840800-2625497366-1074
30025

But just after that, when I try to get info from the idmap DB and the cache, I see very strange results. SID S-1-5-21-3743722752-3344840800-2625497366-1074 is mapped to GID 30027:

[root@dynamo ~]# net idmap dump|grep S-1-5-21-3743722752-3344840800-2625497366-1074
dumping id mapping from /var/db/samba/winbindd_idmap.tdb
GID 30027 S-1-5-21-3743722752-3344840800-2625497366-1074
[root@dynamo ~]# net cache list|grep S-1-5-21-3743722752-3344840800-2625497366-1074
Key: IDMAP/SID2GID/S-1-5-21-3743722752-3344840800-2625497366-1074        Timeout: Mon Sep 23 09:14:17 2013       Value: 30025
Key: IDMAP/GID2SID/30025         Timeout: Mon Sep 23 09:14:17 2013       Value: S-1-5-21-3743722752-3344840800-2625497366-1074
Key: IDMAP/GID2SID/30027         Timeout: Thu Sep 19 13:44:48 2013       Value: S-1-5-21-3743722752-3344840800-2625497366-1074

"net idmap check" doesn't resolve the problem, but gives additional info:
30027 is the highest GID in my DB (maybe it's the key to the problem):

[root@dynamo ~]# net idmap check
check database: /var/db/samba/winbindd_idmap.tdb
uid hwm: 30018
gid hwm: 30027
mappings: 39
other: 3
invalid records: 0
missing links: 0
invalid links: 0
0 changes:

Question: is my problem caused by a bug, or by a misconfigured
server? Here is my config:

[global]
        dos charset = CP866
        workgroup = HTS
        realm = HTS.KH.UA
        server string =
        security = ADS
        map to guest = Bad Password
        local master = No
        wins server = 192.168.32.5
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind expand groups = 10
        winbind nss info = rfc2307
        winbind max domain connections = 50
        idmap config HTS : schema_mode = rfc2307
        idmap config HTS : range = 10000-29999
        idmap config HTS : backend = ad
        idmap config HTS : default = yes
        idmap config * : range = 30000-49999
        idmap config * : backend = tdb

[svn1]
        path = /zfsmount/svn/svn1
        valid users = @samba_svn1
        read only = No
        create mask = 0700
        force create mode = 0700
        inherit owner = Yes
        map archive = No
        map readonly = no
        vfs objects = zfsacl
        nfs4: chown = no
        nfs4:acedup = dontcare
        nfs4: mode = special

P.S. An upgrade to the newer version 4.0 is undesirable for me, and I will do it only if
version 4.0 really solves my problem.

Thanks in advance.
--
Best regards,
Pavel
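
A cross-check of the two views shown in the message above, as an added example that is not part of the original post: it parses `net idmap dump` and `net cache list` output and reports every SID whose cached ID differs from the one stored in winbindd_idmap.tdb. The function names and the second SID are assumptions made for illustration.

```python
import re
from collections import defaultdict

SID = "S-1-5-21-3743722752-3344840800-2625497366-1074"     # SID from the post
OK_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID

# Constructed sample input in the shape of the output quoted in the post.
IDMAP_DUMP = f"""dumping id mapping from /var/db/samba/winbindd_idmap.tdb
GID 30027 {SID}
GID 30026 {OK_SID}
"""
CACHE_LIST = f"""Key: IDMAP/SID2GID/{SID}\tTimeout: Mon Sep 23 09:14:17 2013\tValue: 30025
Key: IDMAP/GID2SID/30025\tTimeout: Mon Sep 23 09:14:17 2013\tValue: {SID}
Key: IDMAP/GID2SID/30027\tTimeout: Thu Sep 19 13:44:48 2013\tValue: {SID}
Key: IDMAP/SID2GID/{OK_SID}\tTimeout: Mon Sep 23 09:14:17 2013\tValue: 30026
"""

DUMP_RE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-[\d-]+)\s*$")
CACHE_RE = re.compile(
    r"^Key:\s+IDMAP/(SID2[UG]ID|[UG]ID2SID)/(\S+)\s+Timeout:.*?Value:\s+(\S+)\s*$")

def parse_dump(text):
    """Return {(kind, sid): id} from `net idmap dump` output."""
    return {(m.group(1), m.group(3)): int(m.group(2))
            for m in map(DUMP_RE.match, text.splitlines()) if m}

def parse_cache(text):
    """Return {(kind, sid): {ids}} from the IDMAP keys of `net cache list`."""
    seen = defaultdict(set)
    for m in filter(None, map(CACHE_RE.match, text.splitlines())):
        direction, key, value = m.groups()
        if direction.startswith("SID2"):       # SID2GID: key is SID, value is ID
            kind, sid, xid = direction[4:], key, value
        else:                                  # GID2SID: key is ID, value is SID
            kind, sid, xid = direction[:3], value, key
        if xid.isdigit() and sid.startswith("S-"):  # skip non-mapping values
            seen[(kind, sid)].add(int(xid))
    return seen

def find_conflicts(dump_text, cache_text):
    """Return (kind, sid, tdb_id, cached_ids) where cache and tdb disagree."""
    tdb = parse_dump(dump_text)
    return sorted((kind, sid, tdb[(kind, sid)], sorted(ids))
                  for (kind, sid), ids in parse_cache(cache_text).items()
                  if (kind, sid) in tdb and ids != {tdb[(kind, sid)]})

if __name__ == "__main__":
    for kind, sid, tdb_id, cached in find_conflicts(IDMAP_DUMP, CACHE_LIST):
        print(f"{sid}: tdb {kind} {tdb_id}, cache {cached}")
```

The check does not evaluate the Timeout field, so cache entries that have already expired are reported as well.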