Hello, we have a problem with a Samba server acting as ADS member server since the update to version 3.0.25b-33. We use LDAP for the idmap backend. Currently Samba/Winbind is not able to create group id mappings for new groups. The error occurs when we add new groups on the Windows PDC; adding new users works fine. It seems that Samba tries to use a wrong, out-of-range gid for the gid mapping. New groups are visible via "wbinfo -g" on the Samba server. The following error is shown in the winbind log:

[2007/08/16 20:52:36, 0] nsswitch/idmap_ldap.c:idmap_ldap_allocate_id(450)
  Cannot allocate gid above 25000!

The LDAP entry for the idmaps seems to be wrong...

dn: ou=idmaps,dc=atix,dc=local
ou: idmaps
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
structuralObjectClass: organizationalUnit
entryUUID: bbbe2ae0-0d06-102b-885d-b8941de3c141
creatorsName: cn=Manager,dc=atix,dc=local
createTimestamp: 20061120171724Z
gidNumber: 25001
uidNumber: 13618
entryCSN: 20070820070613Z#000001#00#000000
modifiersName: cn=Manager,dc=atix,dc=local
modifyTimestamp: 20070820070613Z

"gidNumber" has the highest possible ID+1 (25001) specified in smb.conf (idmap gid = 10000-25000). "uidNumber" has the highest ID+1 (13618) used for the last uid map entry (13617) (idmap uid = 10000-25000). If I raise the value for "idmap gid" in smb.conf, the LDAP entry also raises the gidNumber to the highest possible ID+1 and Samba is again not able to create group id mappings. I searched the mailing list archives etc. and via Google, but I couldn't find a solution for this problem.
--------------- smb.conf ---------------
[global]
display charset = utf-8
unix charset = ISO8859-15
dos charset = 437
workgroup = ATIX
pid directory = /var/run/samba/atix
lock directory = /var/cache/samba/atix
log file = /var/log/samba/atix/%M.log
encrypt passwords = yes
bind interfaces only = yes
interfaces = 192.168.3.10
netbios name = %h
server string = samba-ads-member
domain master = no
realm = ATIX.LOCAL
password server = pdc1.atix.local
username level = 5
local master = no
preferred master = no
security = ADS
private dir = /etc/samba/private/
wins server= 192.168.3.1
winbind use default domain = no
winbind enum users = yes
winbind nested groups = yes
winbind cache time = 300
template shell = /bin/bash
winbind separator = +
oplocks = no
kernel oplocks = no
fake oplocks = no
level2 oplocks = no
socket options = TCP_NODELAY IPTOS_LOWDELAY
log level = 1 acls:1 auth:1 sam:1 winbind:1
idmap backend = ldap:ldap://ldap-server
idmap gid = 10000-25000
idmap uid = 10000-25000
ldap admin dn = cn=Manager,dc=atix,dc=local
ldap suffix = dc=atix,dc=local
ldap idmap suffix = ou=idmaps
acl compatibility = auto
map acl inherit = yes
nt acl support = yes
username map = /etc/samba/smbusers
load printers=no
------------------------------------

Installed Samba RPMs (Sernet)
------------------------------------
samba3-client-3.0.25b-33
samba3-3.0.25b-33
samba3-utils-3.0.25b-33
samba3-winbind-3.0.25b-33
libsmbclient-3.0.25b-33
Hello, during a maintenance window I had the chance to try some things to get rid of this error. I modified the LDAP entry for the idmaps (ou: idmaps), or better said the gidNumber value of this entry. The current value was, as mentioned before, 25001 (highest id in smb.conf 25000+1). I changed it to 11299 (11298 was the highest gid used for group mappings in the LDAP db). I did the following steps:

- stopped samba and winbind
- modified the LDAP entry
- started winbind and samba

After starting samba and winbind, the group mapping entries for the missing groups could be added, but samba/winbind raised the gidNumber value again to 25001. Now we have the same behaviour as before the changes -> new group mappings cannot be added. Although we have a workaround, it's really annoying. If I can provide additional information to debug the problem, let me know.
Again, some more info... When I make the gidNumber of the idmap entry smaller in the LDAP database, the value is raised by winbind automatically. Have a look at the following output. The latest group mapping entry has gidNumber 24973. ou=idmaps has gidNumber 25001. Now I make the gidNumber of ou=idmaps smaller, to 24974:

---CUT---
modifying entry "ou=idmaps,dc=atix,dc=local"
Thu Sep 6 14:23:54 CEST 2007
---CUT---

Winbind raises this value itself. Have a look at the following commands; the gidNumber shown is always the gidNumber of the ou=idmaps entry.

---CUT---
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep 6 14:23:56 CEST 2007
gidNumber: 24976
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep 6 14:24:15 CEST 2007
gidNumber: 24978
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep 6 14:24:24 CEST 2007
gidNumber: 24988
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep 6 14:24:29 CEST 2007
gidNumber: 24992
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep 6 14:24:37 CEST 2007
gidNumber: 24996
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep 6 14:24:43 CEST 2007
gidNumber: 24997
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep 6 14:24:54 CEST 2007
gidNumber: 25000
[root@samba ~]# date && slapcat | grep gid | sort -t: | tail -n 1
Thu Sep 6 14:25:08 CEST 2007
gidNumber: 25001
---CUT---

As long as gidNumber has not reached the max. possible gidNumber+1, we can add group mappings. As soon as gidNumber has reached that value, no group mappings can be added. It's really annoying.
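A check for the pool state described in the comments above (an added example, not Samba's own code or the reporter's): it parses slapcat LDIF, reads the sambaUnixIdPool's gidNumber/uidNumber, compares them with the highest allocated mapping and with the idmap range from smb.conf, and flags the exhausted state where winbind refuses to allocate. The LDIF, the sambaSID values and the smb.conf fragment are constructed for the example.

```python
import re

# Constructed LDIF mirroring the report: pool entry plus two allocated
# mappings; the sambaSID values are made up for the example.
SAMPLE_LDIF = """\
dn: ou=idmaps,dc=atix,dc=local
objectClass: sambaUnixIdPool
gidNumber: 25001
uidNumber: 13618

dn: sambaSID=S-1-5-21-1-2-3-1107,ou=idmaps,dc=atix,dc=local
objectClass: sambaIdmapEntry
gidNumber: 24973

dn: sambaSID=S-1-5-21-1-2-3-1105,ou=idmaps,dc=atix,dc=local
objectClass: sambaIdmapEntry
uidNumber: 13617
"""
SAMPLE_SMB_CONF = "idmap gid = 10000-25000\nidmap uid = 10000-25000\n"

def parse_ldif(text):
    """Split slapcat LDIF into dicts (attr -> [values]); no folding/base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def idmap_range(smb_conf, kind):
    """Return (low, high) from an 'idmap gid = low-high' line in smb.conf."""
    m = re.search(r"idmap %s\s*=\s*(\d+)\s*-\s*(\d+)" % kind, smb_conf)
    return int(m.group(1)), int(m.group(2))

def check_pool(ldif_text, smb_conf, kind="gid"):
    """Compare the pool's next free id with the configured range and usage."""
    attr = kind + "Number"
    entries = parse_ldif(ldif_text)
    pool = next(e for e in entries if "sambaUnixIdPool" in e.get("objectClass", []))
    used = [int(e[attr][0]) for e in entries
            if "sambaIdmapEntry" in e.get("objectClass", []) and attr in e]
    low, high = idmap_range(smb_conf, kind)
    next_id = int(pool[attr][0])
    highest = max(used) if used else low - 1
    return {"next_id": next_id, "highest_used": highest, "range": (low, high),
            # exhausted: winbind refuses once the pointer passes the high end;
            # skipped: ids between the last allocation and the pool pointer
            "exhausted": next_id > high, "skipped": next_id - highest - 1}
```

Run against real `slapcat` output, a non-zero "skipped" value growing over time is the symptom the reporter observed: the pool pointer advancing faster than mappings are actually stored.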
Please grep the samba (smbd and winbindd) logs and see if you see the msg: "Could not allocate a RID -- wasted a gid"
I increased the log level:

log level = 3 ads:3 auth:3 sam:3 rpc:3 winbind:6

but I only see the mentioned error message.

[2007/09/09 20:52:36, 0] nsswitch/idmap_ldap.c:idmap_ldap_allocate_id(450)
  Cannot allocate gid above 25000!
Without level 10 debug logs, I cannot proceed with this bug. Also note that you should either reset the next available gidNumber when collecting the logs or increase your idmap range.
Created attachment 2928: Logs (log level 10) during setting rights and resetting the LDAP gid

During the last maintenance window I had the chance to fetch the level 10 logs. Please find attached the logs during setting rights with a new group, and during the reset of the LDAP gid and afterwards setting rights with the new group.
Is there anything we can do for further assistance in this case? The service is running in a productive environment and soon the group ids are running out. Please let us know if you need more detailed information in this case.
The error is still present. Please let us know if we can do anything to help in this case.
This is more of a support case than a bug. Please consult an option from https://www.samba.org/samba/support/ for further assistance if needed.