Samba idmap against ad
in [Samba]
|
Prev: HOWTO close session(s) to a specific share from samba server side?
Next: [Samba] Winbind 3.5.4 and SFU
From: Andrew Masterson on 12 Aug 2010 17:10 -----Original Message----- From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On Behalf Of Stuart Bailey Sent: Wednesday, August 11, 2010 5:28 AM To: samba(a)lists.samba.org Subject: [Samba] Samba idmap against ad Hello, I have a samba server (old - running FC6, samba 3.0.24-11.fc6) that authenticates against AD. This is all configured and has been working fine until this week. A new user has been added to AD, but cannot access the samba drives. All other users can still access samba as normal. net ads testjoin reports OK. wbinfo -a newuser%pass and wbinfo -K newuser%pass both succeed. wbinfo -r newuser reports all the user group memberships from AD. wbinfo -p is OK wbinfo -i newuser reports that no information on that user can be found. wbinfo -n newuser returns the SID, and wbinfo -s SID returns the username However, wbinfo -S SID fails. I found a thread that suggests a corrupted idmap cache file. If I delete this file, and restart winbind, the file is re-created, but contains no SID data. I've also noticed that the winbindd_idmap.tdb file has an old time stamp winbindd_cache.tdb has today's date. I tried setting: winbind cache time = 3600 idmap cache time = 3600 but no improvement. Also, this is affecting both FC6 servers we have, both with the same config. The config has not changed, and the servers have not been rebooted / power cycled etc. The problem only affects new AD user accounts. Any sugguestions as to where I should look next? Many thanks, Stuart ----------------------- Sounds like you hit a limit somewhere. What is your user and group mapping range? Have you run out of space in there? i.e. idmap uid = 100000-200000 idmap gid = 100000-200000 -=Andrew -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Stuart Bailey on 13 Aug 2010 05:30
On Thursday 12 August 2010 21:56:09 Andrew Masterson wrote: > -----Original Message----- > From: samba-bounces(a)lists.samba.org > [mailto:samba-bounces(a)lists.samba.org] On Behalf Of Stuart Bailey > Sent: Wednesday, August 11, 2010 5:28 AM > To: samba(a)lists.samba.org > Subject: [Samba] Samba idmap against ad > > Hello, > I have a samba server (old - running FC6, samba 3.0.24-11.fc6) that > authenticates against AD. This is all configured and has been working > fine > until this week. > > A new user has been added to AD, but cannot access the samba drives. All > other > users can still access samba as normal. > > net ads testjoin reports OK. > > wbinfo -a newuser%pass and wbinfo -K newuser%pass both succeed. wbinfo > -r > newuser reports all the user group memberships from AD. > > wbinfo -p is OK > > wbinfo -i newuser reports that no information on that user can be found. > > wbinfo -n newuser returns the SID, and wbinfo -s SID returns the > username > > However, wbinfo -S SID fails. > > I found a thread that suggests a corrupted idmap cache file. If I delete > this > file, and restart winbind, the file is re-created, but contains no SID > data. > I've also noticed that the winbindd_idmap.tdb file has an old time stamp > > winbindd_cache.tdb has today's date. > > I tried setting: > winbind cache time = 3600 > idmap cache time = 3600 > but no improvement. > > Also, this is affecting both FC6 servers we have, both with the same > config. The > config has not changed, and the servers have not been rebooted / power > cycled > etc. The problem only affects new AD user accounts. > > Any sugguestions as to where I should look next? > > Many thanks, > > Stuart > > > > > > ----------------------- > > > Sounds like you hit a limit somewhere. What is your user and group > mapping range? Have you run out of space in there? > > i.e. > > idmap uid = 100000-200000 > idmap gid = 100000-200000 > > -=Andrew > > No malware was found: NETGEAR ProSecure Web/Email Security Threat > Management Appliance has scanned this mail and its attachment(s). Thanks Andrew, I have checked that. Originally, my idmap uid and gid were set to 600-100000. I have changed these to 600-300000, but the problem still exists. Many thanks, Stuart -- --------------------------------------- Stuart Bailey BSc (hons) CEng CITP MBCS LinuSoft (Managing Director) Linux Specialist & Software Developer ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Phone: (0845) 658 3563 Direct: +44 (0) 1953 878162 Fax: +44 (0) 1603 858583 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.linusoft.co.uk http://www.bluetoothadvertising.org.uk ---------------------------------------- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. No malware was found: NETGEAR ProSecure Web/Email Security Threat Management Appliance has scanned this mail and its attachment(s). -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba |