Hi,

I have recently upgraded a system with a Samba BDC, PDC and a couple of member servers from 3.2.14 to 3.4.9 (and also tested with 3.5.6).

There appears to be some problem with Winbind (we need to run it on all servers as we have a trust relationship to a domain at another office).

I have an Idmap range set up in our LDAP database.

With 3.2.14, all worked well. The Idmap ou would be populated with, and only with, entries for the accounts on the trusted domain.

However, with 3.4.9 and 3.5.6, as soon as a member server is accessed, spurious entries appear in the Idmap ou from the "own domain". In addition, other entries are added for local groups (these are not showing in the screenshot but they are S-1-1-0,S-1-5-11 and S-1-5-2). On another test domain I get entries like
A screenshot from an LDAP client illustrates the issue:

http://www.nanogherkin.com/ldap.png

The green box shows the entries I expect (from the trusted domain). The red boxes show entries that have only appeared since the upgrade.

I am concerned about this as all the entries for the local domain (dom sid ends 8426) may be causing access control to stop working correctly - I have not seen any hard evidence of this so far, but there have been times we had to restart winbind on the member servers after the initial startup as no-one could access shares on them.

The trusted domain is the one ending 4828. Please also note the entry highlighted in red at the bottom. That SID is the one for one of the newly upgraded member servers (plus -513 for Domain Users). Again I don't know why that has been added.

Member server smb.conf:
[global]
unix charset = LOCALE
workgroup = CENSORED_domain
netbios name = CENSORED_server
security = DOMAIN
interfaces = eth0, lo

passdb backend = ldapsam:ldap://192.168.1.137
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 1048576
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = no
printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=censored,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=manager,dc=censored,dc=net
ldap timeout = 20
idmap backend = ldap:ldap://192.168.1.137
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
#winbind cache time = 1200
allow trusted domains = yes
map acl inherit = Yes
ea support = Yes
wins server = 192.168.1.137
nt acl support = yes

PDC smb.conf:

[global]
workgroup = CENSORED_domain
netbios name = CENSORED_DC
interfaces = eth0, lo
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
max log size = 104857
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = yes
#printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=censored,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=manager,dc=censored,dc=net
ldap ssl = no
ldap timeout = 60
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
map acl inherit = Yes
ea support = Yes
#printing = cups
# printer admin = root
wins support = yes
log level = 1
domain logons = yes
domain master = yes
preferred master = yes
logon drive = H:
#os level = 35
passdb expand explicit = yes
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
enable privileges = Yes
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon home = ""
logon path = ""

On the test domain I set up with 3.5.6 I get further phantom entries as soon as a member server is utilised in any way which involves looking up users:

dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10032
sambaSID: S-1-22-2-0
structuralObjectClass: sambaSidEntry
entryUUID: f93738b4-7565-102f-938e-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000001#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-1,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10033
sambaSID: S-1-22-2-1
structuralObjectClass: sambaSidEntry
entryUUID: f937bfb4-7565-102f-938f-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10034
sambaSID: S-1-22-2-2
structuralObjectClass: sambaSidEntry
entryUUID: f93828d2-7565-102f-9390-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-3,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10035
sambaSID: S-1-22-2-3
structuralObjectClass: sambaSidEntry
entryUUID: f9389114-7565-102f-9391-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000007#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-4,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10036
sambaSID: S-1-22-2-4
structuralObjectClass: sambaSidEntry
entryUUID: f9390388-7565-102f-9392-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000009#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-6,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10037
sambaSID: S-1-22-2-6
structuralObjectClass: sambaSidEntry
entryUUID: f9399cd0-7565-102f-9393-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000b#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10038
sambaSID: S-1-22-2-10
structuralObjectClass: sambaSidEntry
entryUUID: f93a2952-7565-102f-9394-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000d#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

Thanks

Alex