The ranges set by idmap uid and idmap gid are used as the allocation range for the unixid-allocator, but for the default idmap config, they are not used as a mapping filter. This has the effect that mappings that are present in the winbindd_idmap.tdb database but are not within the configured range, are returned by the sids_to_unixids call.

An example how to reproduce: (this uses registry config but this is just for convenience, irrelevant for the bug)

    $ net conf getparm global "idmap gid"
    20000-30000
    $ winbindd
    $ wbinfo -Y S-1-5-21-198380148-81607542-3125035400-1102
    20014
    $ killall winbindd
    $ net cache flush
    $ net conf setparm global "idmap gid" 20000-20010
    $ winbindd
    $ wbinfo -Y S-1-5-21-198380148-81607542-3125035400-1102
    20014
    $

This bug was introduced in 3.3.0. Idmap config of catchall default domains was different before 3.3.

Michael
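The difference between using the range only for allocation and also using it as a mapping filter, as an added example that is not part of the original report and is not Samba code. It is a toy model: the dump text is constructed and only assumed to resemble `tdbdump winbindd_idmap.tdb` output, and all function names are hypothetical.

```python
import re

# Constructed sample, assumed to resemble `tdbdump winbindd_idmap.tdb` output:
# SID -> "GID n" records plus the reverse "GID n" -> SID records.
SAMPLE_DUMP = r'''
{
key(44) = "S-1-5-21-198380148-81607542-3125035400-1102\00"
data(10) = "GID 20014\00"
}
{
key(10) = "GID 20014\00"
data(44) = "S-1-5-21-198380148-81607542-3125035400-1102\00"
}
{
key(44) = "S-1-5-21-198380148-81607542-3125035400-1103\00"
data(10) = "GID 20005\00"
}
'''

# Only SID-keyed records are matched; reverse records are skipped.
RECORD = re.compile(
    r'key\(\d+\) = "(S-1-[0-9-]+)\\00"\s+data\(\d+\) = "(UID|GID) (\d+)\\00"')

def parse_range(value):
    """Parse an 'idmap uid' / 'idmap gid' value such as '20000-20010'."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError("invalid range: " + value)
    return low, high

def stored_mappings(dump_text):
    return [(sid, kind, int(xid)) for sid, kind, xid in RECORD.findall(dump_text)]

def in_range(kind, xid, ranges):
    low, high = ranges[kind]
    return low <= xid <= high

def lookup(mappings, sid, ranges, filter_by_range):
    """Toy model of a SID lookup, with or without the range acting as a filter."""
    for stored_sid, kind, xid in mappings:
        if stored_sid == sid:
            if filter_by_range and not in_range(kind, xid, ranges):
                return None
            return xid
    return None

def out_of_range(mappings, ranges):
    """Stored mappings that the configured ranges no longer cover."""
    return [m for m in mappings if not in_range(m[1], m[2], ranges)]
```

Running `out_of_range` over a dump after narrowing the configured range lists the stale mappings that a lookup without the filter would still return.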
fix pushed to master
pushed to v3-4-test
Created attachment 4215
fix for v3-3-test

please review
I'm not 100% certain I would call this a bug. Changing a configuration and leaving the idmap database unchanged is really begging for trouble. Yes, it might be a change in behavior between 3.2 and 3.3, but I'm not certain which of both is buggier than the other.

Volker
Ok, I got convinced this is a bug that needs fixing. Karolin, please put this into 3.3.

Thanks,

Volker
Pushed, will be in 3.3.5. Thanks!