Bug 10462 - Two samba servers get same SID from AD but give different UID via RID (idmap_rid).
Summary: Two samba servers get same SID from AD but give different UID via RID (idmap_...
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.0.0rc4
Hardware: x64 Linux
: P5 critical (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-21 11:41 UTC by Richard Scott
Modified: 2014-02-21 12:41 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Scott 2014-02-21 11:41:55 UTC 
Hi,

I have two Samba servers that are connected as members of the same Active Directory and using (RID) idmap_rid I get two different UID using the same smb.conf settings.

I thought RID was supposed to avoid this UID mismatch?

On Server A I get this:

$ wbinfo -n test1
S-1-5-21-2640352130-3061597505-1574893503-1105 SID_USER (1)
$ wbinfo -n test2
S-1-5-21-2640352130-3061597505-1574893503-1106 SID_USER (1)
$ id test1
uid=9999(test1) gid=10001(domain users) groups=10001(domain users)
$ id test2
uid=10000(test2) gid=10001(domain users) groups=10001(domain users)


And on Server B I get this:

$ wbinfo -n test2
S-1-5-21-2640352130-3061597505-1574893503-1106 SID_USER (1)
$ wbinfo -n test1
S-1-5-21-2640352130-3061597505-1574893503-1105 SID_USER (1)
$ id test2
uid=9999(test2) gid=10001(domain users) groups=10001(domain users)
$ id test1
uid=10000(test1) gid=10001(domain users) groups=10001(domain users)

Depending on which user is checked first, depends on which one has the lower UID allocated. the UID's never match up otherwise.
As you can see, we read the same SID from AD but get allocated different UID's!

Both servers are using this smb.conf:

   netbios name = servera
   netbios aliases = samba
   server string = Samba Server Version %v
   workgroup = HOME
   password server = *
   realm = HOME.NETWORK.CO.UK
   security = ads
   template homedir = /mnt/storage/users/%U
   template shell = /bin/bash

   deadtime = 1

   idmap config * : range = 9999-9999999999
   idmap config * : backend = tdb2
   idmap config HOME : backend = rid

   winbind use default domain = true
   winbind offline logon = true
   winbind trusted domains only = no
   winbind nested groups = yes
   winbind refresh tickets = yes
   winbind enum users  = no
   winbind enum groups = no

   encrypt passwords = yes
   server signing = auto

Why is this?

Thanks,

Rich
Comment 1 Michael Adam 2014-02-21 12:40:40 UTC 
Your idmap config is incomplete:
you need to add a range for the rid config.
With your config, all SIDS get handled by the
default backend (tdb2 in your case).

I guess when you look at a level 10 log of starting
smbd or also of testparm, you'll see messages saying
that the config for HOME is not complete.

Closing this bug as invalid.
(The mailing list could have helped out here.)

Cheers - Michael
Comment 2 Michael Adam 2014-02-21 12:41:22 UTC 
fixing component afterwards.