Bug 4908 - Cannot allocate gid above
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: winbind
x64 Linux
: P3 major
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
Reported: 2007-08-22 06:57 UTC by Dirk Haller
Modified: 2009-04-04 08:03 UTC (History)

Logs (log level 10) during setting rights and resetting the ldap gid (276.23 KB, application/x-tgz)
2007-09-24 03:17 UTC, Dirk Haller

Description Dirk Haller 2007-08-22 06:57:19 UTC

We have a problem with a samba server acting as ADS member server since update
to version 3.0.25b-33. We use LDAP for idmap backend. Currently Samba/Winbind 
is not able to create group id mappings for new groups.

The error occurs when we add new groups on the Windows PDC, adding new users 
works fine. It seems that samba tries to use a wrong, out of range gid for 
the gid mapping.
New groups are visible via "wbinfo -g" on the samba server.

The following error is shown in the winbind log:
[2007/08/16 20:52:36, 0] nsswitch/idmap_ldap.c:idmap_ldap_allocate_id(450)
  Cannot allocate gid above 25000!

The LDAP entry for the idmaps seems to be wrong...

dn: ou=idmaps,dc=atix,dc=local
ou: idmaps
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
structuralObjectClass: organizationalUnit
entryUUID: bbbe2ae0-0d06-102b-885d-b8941de3c141
creatorsName: cn=Manager,dc=atix,dc=local
createTimestamp: 20061120171724Z
gidNumber: 25001
uidNumber: 13618
entryCSN: 20070820070613Z#000001#00#000000
modifiersName: cn=Manager,dc=atix,dc=local
modifyTimestamp: 20070820070613Z

"gidNumber" has the highest possible ID+1 (25001) specified in smb.conf
(idmap gid = 10000-25000)

"uidNumber" has the highest ID+1 (13618) used for the last uid map entry 
(idmap uid = 10000-25000)

If I raise the value for "idmap gid" in smb.conf, the LDAP entry also raises the gidNumber to the highest possible ID+1 and samba is again not able to create group id mappings.

I searched the mailing list archives etc. and via Google, but I couldn't find a solution for this problem.


        display charset = utf-8
        unix charset    = ISO8859-15
        dos charset     = 437

        workgroup = ATIX
        pid directory = /var/run/samba/atix
        lock directory = /var/cache/samba/atix
        log file = /var/log/samba/atix/%M.log
        encrypt passwords = yes
        bind interfaces only = yes
        interfaces =
        netbios name = %h
        server string = samba-ads-member
        domain master = no
        realm = ATIX.LOCAL
        password server = pdc1.atix.local
        username level = 5
        local master = no
        preferred master = no
        security = ADS
        private dir = /etc/samba/private/
        wins server=

        winbind use default domain = no
        winbind enum users = yes
        winbind nested groups = yes
        winbind cache time = 300

        template shell = /bin/bash
        winbind separator = +

        oplocks = no
        kernel oplocks = no
        fake oplocks = no
        level2 oplocks = no
        socket options = TCP_NODELAY IPTOS_LOWDELAY

        log level = 1 acls:1 auth:1 sam:1 winbind:1

        idmap backend = ldap:ldap://ldap-server
        idmap gid = 10000-25000
        idmap uid = 10000-25000
        ldap admin dn = cn=Manager,dc=atix,dc=local
        ldap suffix = dc=atix,dc=local
        ldap idmap suffix = ou=idmaps

        acl compatibility = auto
        map acl inherit = yes
        nt acl support = yes

        username map = /etc/samba/smbusers
        load printers=no

Installed Samba RPMs (Sernet)
Comment 1 Dirk Haller 2007-08-31 10:11:30 UTC

During a maintenance window, I had the chance to try some things to get rid of this error.
I modified the LDAP entry for the idmaps (ou: idmaps) or let's better say the gidNumber value of this entry.

The current value was, as mentioned before, 25001 (highest id in smb.conf 25000+1). I changed it to 11299 (11298 was the highest gid used for group mappings in the LDAP db).

I did the following steps:

- stopped samba and winbind
- modified the LDAP entry
- started winbind and samba

After starting samba and winbind, the group mapping entries for the missing groups could be added, but samba/winbind raised the gidNumber value again to 25001.
Now we have the same behaviour as before the changes -> new group mappings cannot be added.

Whether we have a workaround, it's really annoying.
If I can provide additional information to debug the problem, let me know.
Comment 2 Dirk Haller 2007-09-06 07:45:17 UTC
Again, some more infos...

When I make the gidNumber of the idmap entry smaller in the LDAP database, the value is raised by winbind automatically. Have a look at the following output.
The latest group mapping entry has gidNumber 24973. ou=idmaps has gidNumber 25001.

Now i make the gidNumber of ou=idmaps smaller to 24974:
modifying entry "ou=idmaps,dc=atix,dc=local"
Thu Sep  6 14:23:54 CEST 2007

Winbind raises this value itself. Have a look at the following commands, the gidNumber is always the gidNumber of the ou=idmaps entry.
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep  6 14:23:56 CEST 2007
gidNumber: 24976
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep  6 14:24:15 CEST 2007
gidNumber: 24978
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep  6 14:24:24 CEST 2007
gidNumber: 24988
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep  6 14:24:29 CEST 2007
gidNumber: 24992
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep  6 14:24:37 CEST 2007
gidNumber: 24996
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep  6 14:24:43 CEST 2007
gidNumber: 24997
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep  6 14:24:54 CEST 2007
gidNumber: 25000
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep  6 14:25:08 CEST 2007
gidNumber: 25001

As long as gidNumber has not reached the max. possible gidNumber+1, we can add group mappings. As soon as gidNumber has reached that value, no group mappings could be added.

It's really annoying.
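
The comparison made by hand in the comment above (pool counter on ou=idmaps versus the highest gid actually mapped), as an added example that is not part of the original report or of Samba. The function name, the status labels and the sample LDIF (suffix, SIDs) are constructed, and it assumes the mapping entries carry the sambaIdmapEntry object class.

```shell
# Added example, not from the bug report or from Samba.
# Reads slapcat-style LDIF on stdin; arguments are the "idmap gid" bounds.
idmap_gid_audit() {
    awk -v low="$1" -v high="$2" '
        # Called at each entry boundary: record what the finished entry held.
        function flush() {
            if (gid != "") {
                if (pool) pool_next = gid + 0
                else if (mapped && gid + 0 > max_mapped) max_mapped = gid + 0
            }
            pool = 0; mapped = 0; gid = ""
        }
        BEGIN { pool_next = -1; max_mapped = 0 }
        /^$/ { flush(); next }
        tolower($0) ~ /^objectclass: *sambaunixidpool$/ { pool = 1 }
        tolower($0) ~ /^objectclass: *sambaidmapentry$/ { mapped = 1 }
        /^gidNumber:/ { gid = $2 }
        END {
            flush()
            if (pool_next < 0)              status = "NO_POOL_ENTRY"
            else if (pool_next <= high + 0) status = "OK"
            else if (max_mapped < high + 0) status = "COUNTER_AHEAD_OF_MAPPINGS"
            else                            status = "RANGE_FULL"
            printf "pool_next=%d max_mapped=%d range=%d-%d status=%s\n",
                   pool_next, max_mapped, low, high, status
        }'
}

# Constructed sample: pool values as in the report, suffix and SIDs are made up.
sample_ldif() {
    cat <<'EOF'
dn: ou=idmaps,dc=example,dc=local
objectClass: sambaUnixIdPool
gidNumber: 25001
uidNumber: 13618

dn: sambaSID=S-1-5-21-1-2-3-1105,ou=idmaps,dc=example,dc=local
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1-2-3-1105
gidNumber: 24973

dn: sambaSID=S-1-5-21-1-2-3-1104,ou=idmaps,dc=example,dc=local
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1-2-3-1104
uidNumber: 13617
EOF
}
sample_ldif | idmap_gid_audit 10000 25000
```

Against a live directory, pipe `slapcat` into `idmap_gid_audit` with the bounds from `idmap gid` in smb.conf; COUNTER_AHEAD_OF_MAPPINGS is the state described in this report, where the counter has passed the range while unused gids remain below it.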
Comment 3 Gerald (Jerry) Carter 2007-09-06 09:10:18 UTC
Please grep the samba (smbd and winbindd) logs and see if you see 
the msg: "Could not allocate a RID -- wasted a gid"
Comment 4 Dirk Haller 2007-09-12 07:05:08 UTC
I increased the log level
log level = 3 ads:3 auth:3 sam:3 rpc:3 winbind:6
but I only see the mentioned error message.

[2007/09/09 20:52:36, 0] nsswitch/idmap_ldap.c:idmap_ldap_allocate_id(450)
  Cannot allocate gid above 25000!

Comment 5 Gerald (Jerry) Carter 2007-09-12 07:50:21 UTC
Without level 10 debug logs, I cannot proceed with this bug.
Also note that you should either reset the next available gidNumber
when collecting the logs or increase your idmap range.
Comment 6 Dirk Haller 2007-09-24 03:17:16 UTC
Created attachment 2928
Logs (log level 10) during setting rights and resetting the ldap gid

During the last maintenance window, I had the chance to fetch the level 10 logs. Please find attached the logs during setting rights with a new group and during the reset of the LDAP gid and afterwards setting rights with the new group.
Comment 7 Rauch Michael (550 5.1.1) 2007-10-01 08:28:29 UTC
Is there anything we can do for further assistance in this case?
The service is running in a productive environment and soon the group ids are running out.

Please let us know if you need more detailed information in this case.
Comment 8 Rauch Michael (550 5.1.1) 2007-10-26 03:15:28 UTC
The error is still present.

Please let us know if we can do anything to help in this case.