Bug 8079 - idmap_rid: confusion in uid/gid<->RID mapping
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: User & Group Accounts
Version: 3.5.6
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2011-04-12 12:02 UTC by Piviul
Modified: 2018-03-27 20:03 UTC
Description Piviul 2011-04-12 12:02:45 UTC
Hi, base_rid in idmap_rid is now deprecated, but if you put base_rid in smb.conf and flush the cache (net cache flush), getent group doesn't show domain users and groups any more (but wbinfo works).

Furthermore, how does idmap_rid now calculate the uid/gid from the RID? The equation ID = RID - BASE_RID + LOW_RANGE_ID works, but sometimes BASE_RID is 0 and sometimes BASE_RID is 1000 even if you don't change smb.conf. This can cause a lot of problems if you use ACLs or if you use winbind authentication.

These are the idmap_rid settings of my smb.conf:
	workgroup = DOMINIOCSA
	security = DOMAIN
	idmap uid = 10000-25000
	idmap gid = 10000-25000
	template shell = /bin/bash
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind offline logon = Yes
	idmap config DOMINIOCSA : range = 10000-25000
	idmap config DOMINIOCSA : backend = rid

Have a great day

Comment 1 Piviul 2011-04-12 12:35:02 UTC
I've understood something more. If you try to add base_rid to smb.conf (I've always used base_rid=1000), wbinfo works but getent doesn't; but the cache will be filled with the idmap having the base_rid you specified in the smb.conf. Now, to have winbind working, you have to remove base_rid from smb.conf, and when you restart winbind, winbind has old and incongruent idmap values in the cache. When the value in the cache expires, the mapping changes even if you have not changed smb.conf.

I hope this helps you to understand my bug report better.

Have a great day

Comment 2 Björn Jacke 2018-03-27 20:03:47 UTC
Your issues came from an invalid idmap config, I think. ID ranges may not overlap. With a correct idmap config no such errors should pop up; the wiki should have some good examples, and the mailing list can offer help also.
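
Added example, not part of the bug report and not Samba code: a small checker that applies the non-overlap rule from Comment 2 to the idmap lines of an smb.conf, and shows how the reporter's equation gives two different ids for one RID when BASE_RID switches between 0 and 1000. The function names, the constructed sample config and the sample RID 1105 are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the idmap lines quoted in the report.
SAMPLE_CONF = """\
	idmap uid = 10000-25000
	idmap gid = 10000-25000
	idmap config DOMINIOCSA : range = 10000-25000
	idmap config DOMINIOCSA : backend = rid
"""

# Matches "idmap uid = A-B", "idmap gid = A-B" and "idmap config DOM : range = A-B".
RANGE_RE = re.compile(
    r"^\s*idmap\s+(uid|gid|config\s+(\S+)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.I,
)

def parse_ranges(conf):
    """Return {owner: (low, high)}; owner is 'default uid', 'default gid' or a domain."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            owner = m.group(2) or "default " + m.group(1).lower()
            ranges[owner] = (int(m.group(3)), int(m.group(4)))
    return ranges

def find_overlaps(ranges):
    """Pairs of ranges that share ids. The default uid and gid ranges are
    separate id spaces, so that one pair is not reported."""
    items = sorted(ranges.items())
    hits = []
    for i, (a, (alo, ahi)) in enumerate(items):
        for b, (blo, bhi) in items[i + 1:]:
            both_default = a.startswith("default ") and b.startswith("default ")
            if not both_default and alo <= bhi and blo <= ahi:
                hits.append((a, b))
    return hits

def rid_to_id(rid, low, high, base_rid=0):
    """Reporter's equation: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None

if __name__ == "__main__":
    for a, b in find_overlaps(parse_ranges(SAMPLE_CONF)):
        print(f"overlap: {a} and {b}")
    # Same RID, two BASE_RID values: file ownership and ACL entries would diverge.
    print(rid_to_id(1105, 10000, 25000, 0), rid_to_id(1105, 10000, 25000, 1000))
```

Any id already written into file ownership or ACL entries under one BASE_RID value refers to a different account, or to none, once the other value is in effect, so the overlap check is worth running before the idmap cache is flushed.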