05-08-2014, 06:54 AM
|
#1
|
LQ Newbie
Registered: Feb 2013
Posts: 23
Rep: 
|
Samba losing SID UID mapping
Hi all,
I don't know how many times I've set up samba shares, but... It's been a while since the last time. The SID UID maps used to always seem random. I.E. if I had to move the data to another box, I'd have to note all of the SID / UID relations and write scripts to convert them on the new box.
This last time I used the rid method (first time I'd seen it). All went well for a while. Users authenticated from the domain with no issue, etc... After about a week of operation, the mappings started to drop off. When this happens the only way to fix it is to use wbinfo -R UID and get the user name, then find the files with the UID+offset and chown them. I've written a script file to do this, but that's not the point.
Attached is my smb config file. What am I missing here?
Thanks in advance.
MPH
Code:
[global]
workgroup = OURDOMAIN
realm = OURDOMAIN.LOCAL
preferred master = no
server string = server01
security = ADS
encrypt passwords = Yes
allow trusted domains = No
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/log.%m
log level = 2 passdb:2 auth:2 winbind:2
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = no
printing = bsd
printcap name = /dev/null
local master = Yes
domain master = No
dns proxy = No
ldap ssl = no
ldap timeout = 30
idmap config * : backend = rid
idmap config * : base_rid = 0
idmap config * : range = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 3000
winbind separator = +
winbind use default domain = Yes
template shell = /bin/bash
hosts allow = 10.1.x.x/24, 10.2.x.x/24
directory mask = 0000
create mask = 0644
browseable = No
available = No
deadtime = 15
vfs objects = full_audit
full_audit:prefix = %u|%I|%S
full_audit:success = write pwrite unlink
full_audit:failure = none
full_audit:facility = LOCAL6
full_audit:priority = ALERT
[share]
path = /share
valid users = @OURDOMAIN+valid_users
force group = trans
read only = No
max connections = 75
available = Yes
|
|
|
05-22-2014, 01:18 AM
|
#2
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
Could you be exceeding 75 concurrent mappings? How many users are you supporting?
|
|
|
05-22-2014, 01:33 PM
|
#3
|
LQ Newbie
Registered: Feb 2013
Posts: 23
Original Poster
Rep: 
|
dijetlo, thanks for the response.
I don't think so, there are only 35 total in the allowed group.
On one server there's usually no more than 10 concurrent users, the other could get up to around 30. I also put in to keep the count down.
I wouldn't think that exceeding the limit here would cause it not to be able to look up a user name when doing a file listing. Hmm.
Just to be clear, the problem is as follows,
Working:
Quote:
ls -l
-rw-r--r-- 1 user1 users 902 Mar 6 14:22 1
-rw-r--r-- 1 user2 users 902 Mar 6 14:23 2
|
For whatever reason, after some time the mapping between the RID and the user gets lost. Any further listings produce these results.
Not working:
Quote:
ls -l
-rw-r--r-- 1 106823 users 902 Mar 6 14:22 1
-rw-r--r-- 1 user2 users 902 Mar 6 14:23 2
|
Workaround:
Quote:
find ./ -uid 6823 -exec chown user1 {} \;
|
Regards, MPH
Last edited by MPH426; 05-22-2014 at 01:34 PM.
|
|
|
05-22-2014, 04:35 PM
|
#4
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
Quote:
I wouldn't think that exceeding the limit here would cause it not to be able to look up a user name when doing a file listing. Hmm.
|
It depends if they're accessing the Samba server as local accounts or is Samba using a remote PAM (such as a domain server) to authenticate them, I don't think it's directly related to this problem because if they claim a share and log in, the remote PAM has done all it's supposed to do here.
Have you got a link to this "rid" method you're talking about? I'm wondering how you have winbind configured.
|
|
|
05-23-2014, 07:46 AM
|
#5
|
LQ Newbie
Registered: Feb 2013
Posts: 23
Original Poster
Rep: 
|
http://www.samba.org/samba/docs/man/...map_rid.8.html
If they were using a local login, using rid wouldn't work, would it? This IS my first time using rid, but AFAIK, it's only for domain use. That's the only example the man page uses anyway.
Also, AFAIK the only winbind config is in the samba config file which is in the original post.
Thanks, MPH
|
|
|
05-23-2014, 09:50 AM
|
#6
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
?
Why thank me ? You volunteered to let us Frankenstein your machine in the interest of advancing human knowledge, you're the hero. 
It's lunchtime on Friday my time, I'll get a chance to look at it tonight.
|
|
|
05-23-2014, 10:14 AM
|
#7
|
LQ Newbie
Registered: Feb 2013
Posts: 23
Original Poster
Rep: 
|
I thank you because I appreciate your effort.
Hopefully it won't take too many joules to get the beast under control.
Regards, MPH
|
|
|
05-23-2014, 07:11 PM
|
#8
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
I ran across this when researching SAMBA mappings dropping out on windows machines...
Quote:
\HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
look for the key "sesstimeout" and give it a value of 3000 (or more)
|
...yeah... it's an apple site...pretend they're a distro, that's what I do....
From the RID link
Quote:
The idmap_rid backend provides a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs. No database is required in this case as the mapping is deterministic.
|
OK, what do we know.
This isn't a problem either of us have encountered before but then again we've never used a deterministic mapping scheme... and this thing directly relates to the problem we're seeing here, right down to the user names flipping over to UIDs as they lose the map...and there's nothing in the samba log to suggest that Samba sees anything wrong with the mappings...
MP, at this point I'd ask, do you want to troubleshoot the rid mapping or do you want to roll it back to the standard PAM map?
|
|
|
05-27-2014, 08:31 AM
|
#9
|
LQ Newbie
Registered: Feb 2013
Posts: 23
Original Poster
Rep: 
|
I think I might have found a solution. Well, it's been working for four days now anyway.
In all the research that I've done and after re-reading the man page, I noticed that I couldn't find a single instance where the rid method of mapping was the only type in the config file. So, I added and changed the following lines.
Quote:
Added:
idmap config * : backend = tdb
idmap config * : range = 100000-200000
Changed:
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : base_rid = 0
idmap config MYDOMAIN : range = 10000-20000
|
I have two servers running almost identical config files. I made the change on the first server Friday morning. I left the second server alone. When I came in to work this morning the first server hadn't lost any mappings, the second server lost one.
I'll follow up at weeks end with an update.
Regards,
MPH
|
|
|
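Added example, not part of any post in this thread: a small Python check that parses the `idmap config` lines of an smb.conf and reports the two things that differ between the config in post #1 and the working one in post #9 (rid as the backend of the default `*` domain, and ID ranges that overlap), plus the RID-to-UID formula documented in idmap_rid(8). The function names, the finding strings and the sample RIDs are assumptions made for this illustration.

```python
import re
from itertools import combinations

# Matches smb.conf lines such as "idmap config MYDOMAIN : backend = rid".
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains

def id_range(opts):
    low, high = opts["range"].split("-")
    return int(low), int(high)

def audit(conf_text):
    """Findings that separate the thread's first config from the one in post #9."""
    domains = parse_idmap(conf_text)
    findings = []
    if domains.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("rid backend on the default '*' domain")
    ranged = [(d, id_range(o)) for d, o in sorted(domains.items()) if "range" in o]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # closed intervals share at least one ID
            findings.append(f"ranges of {d1} and {d2} overlap")
    return findings

def rid_to_uid(rid, opts):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    low, high = id_range(opts)
    uid = rid - int(opts.get("base_rid", 0)) + low
    return uid if low <= uid <= high else None

# Constructed inputs: the idmap lines from post #1 (BEFORE) and post #9 (AFTER).
BEFORE = """idmap config * : backend = rid
idmap config * : base_rid = 0
idmap config * : range = 10000-20000"""
AFTER = """idmap config * : backend = tdb
idmap config * : range = 100000-200000
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : base_rid = 0
idmap config MYDOMAIN : range = 10000-20000"""
if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), rid_to_uid(6823, parse_idmap(AFTER)["MYDOMAIN"]))
```

With `base_rid = 0` and `range = 10000-20000`, the formula can only place RIDs 0 through 10000 inside the range, so `rid_to_uid` returns `None` for anything larger.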
05-27-2014, 12:04 PM
|
#10
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
I wish I could stay in touch with you and monitor this, MP. It looks like you've got this resolved but the first post mentioned a significant amount of activity before the problem appeared,
Quote:
idmap config * : range = 100000-200000
#matching
idmap config MYDOMAIN : range = 10000-20000
|
was probably the key.
If we're done here, close up the thread. When I search these threads for solutions, and I do quite often, I always look at the resolved threads first, resolving it will help the next guy, which is the basis of all open source thinking.
We stand on the shoulders of giants. 
|
|
|
05-30-2014, 10:29 AM
|
#11
|
LQ Newbie
Registered: Feb 2013
Posts: 23
Original Poster
Rep: 
|
I gotta call this one solved!
Making the changes above seems to have done the trick! It's been one week and not a single drop.
Regards,
MPH
|
|
|
05-30-2014, 03:22 PM
|
#12
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
Very cool, let me make a note of that because that RID mapping system seems like the way to go if it's stable.
Thank you very much
|
|
|
All times are GMT -5.