LinuxQuestions.org
Old 05-08-2014, 06:54 AM   #1
MPH426
LQ Newbie
 
Registered: Feb 2013
Posts: 23

Rep: Reputation: Disabled
Samba losing SID UID mapping


Hi all,

I don't know how many times I've set up Samba shares, but... It's been a while since the last time. The SID UID maps used to always seem random. I.E. if I had to move the data to another box, I'd have to note all of the SID / UID relations and write scripts to convert them on the new box.

This last time I used the rid method (first time I'd seen it). All went well for a while. Users authenticated from the domain with no issue, etc... After about a week of operation, the mappings started to drop off. When this happens the only way to fix it is use wbinfo -R UID and get the user name, then find the files with the UID+offset and chown them. I've written a script file to do this, but that's not the point.

Attached is my smb config file. What am I missing here?

Thanks in advance.

MPH

Code:
[global]
        workgroup = OURDOMAIN
        realm = OURDOMAIN.LOCAL
        preferred master = no
        server string = server01
        security = ADS
        encrypt passwords = Yes
        allow trusted domains = No
        client lanman auth = No
        client plaintext auth = No
        log file = /var/log/samba/log.%m
        log level = 2 passdb:2 auth:2 winbind:2
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = no
        printing = bsd
        printcap name = /dev/null
        local master = Yes
        domain master = No
        dns proxy = No
        ldap ssl = no
        ldap timeout = 30
        idmap config * : backend = rid
        idmap config * : base_rid = 0
        idmap config * : range = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind cache time = 3000
        winbind separator = +
        winbind use default domain = Yes
        template shell = /bin/bash
        hosts allow = 10.1.x.x/24, 10.2.x.x/24
        directory mask = 0000
        create mask = 0644
        browseable = No
        available = No
        deadtime = 15
        vfs objects = full_audit
        full_audit:prefix = %u|%I|%S
        full_audit:success = write pwrite unlink
        full_audit:failure = none
        full_audit:facility = LOCAL6
        full_audit:priority = ALERT


[share]
        path = /share
        valid users = @OURDOMAIN+valid_users
        force group = trans
        read only = No
        max connections = 75
        available = Yes
 
Old 05-22-2014, 01:18 AM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
max connections = 75
Could you be exceeding 75 concurrent mappings, how many users are you supporting?
 
Old 05-22-2014, 01:33 PM   #3
MPH426
LQ Newbie
 
Registered: Feb 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
dijetlo, thanks for the response.

I don't think so, there are only 35 total in the allowed group.

On one server there's usually no more than 10 concurrent users, the other could get up to around 30. I also put in
Quote:
deadtime = 15
to keep the count down.

I wouldn't think that exceeding the limit here would cause it not to be able to look up a user name when doing a file listing. Hmm.

Just to be clear, the problem is as follows,

Working:
Quote:
ls -l
-rw-r--r-- 1 user1 users 902 Mar 6 14:22 1
-rw-r--r-- 1 user2 users 902 Mar 6 14:23 2
For whatever reason, after some time the mapping between the RID and the user gets lost. Any further listings produce these results.

Not working:
Quote:
ls -l
-rw-r--r-- 1 106823 users 902 Mar 6 14:22 1
-rw-r--r-- 1 user2 users 902 Mar 6 14:23 2
Workaround:
Quote:
find ./ -uid 6823 -exec chown user1 {} \;
Regards, MPH

Last edited by MPH426; 05-22-2014 at 01:34 PM.
 
Old 05-22-2014, 04:35 PM   #4
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
I wouldn't think that exceeding the limit here would cause it not to be able to look up a user name when doing a file listing. Hmm.
It depends if they're accessing the Samba server as local accounts or is Samba using a remote PAM (such as a domain server) to authenticate them, I don't think it's directly related to this problem because if they claim a share and log in, the remote PAM has done all it's supposed to do here.
Have you got a link to this "rid" method you're talking about? I'm wondering how you have winbind configured.
 
Old 05-23-2014, 07:46 AM   #5
MPH426
LQ Newbie
 
Registered: Feb 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
http://www.samba.org/samba/docs/man/...map_rid.8.html

If they were using a local login using rid wouldn't work, would it? This IS my first time using rid, but AFAIK, it's only for domain use. That's the only example the man page uses anyway.

Also, AFAIK the only winbind config is in the samba config file which is in the original post.

Thanks, MPH
 
Old 05-23-2014, 09:50 AM   #6
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Thanks
?
Why thank me ? You volunteered to let us Frankenstein your machine in the interest of advancing human knowledge, you're the hero.
It's lunchtime on Friday my time, I'll get a chance to look at it tonight.
 
Old 05-23-2014, 10:14 AM   #7
MPH426
LQ Newbie
 
Registered: Feb 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
I thank you because I appreciate your effort.

Hopefully it won't take too many joules to get the beast under control.

Regards, MPH
 
Old 05-23-2014, 07:11 PM   #8
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
I ran across this when researching SAMBA mappings dropping out on windows machines...

Quote:
\HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
look for the key "sesstimeout" and give it a value of 3000 (or more)
...yeah... it's an apple site...pretend they're a distro, that's what I do....

From the RID link
Quote:
The idmap_rid backend provides a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs. No database is required in this case as the mapping is deterministic.
OK, what do we know.
This isn't a problem either of us have encountered before but then again we've never used a deterministic mapping scheme... and this thing directly relates to the problem we're seeing here, right down to the user names flipping over to UIDs as they lose the map...and there's nothing in the samba log to suggest that Samba sees anything wrong with the mappings...

MP, at this point I'd ask, do you want to troubleshoot the rid mapping or do you want to roll it back to the standard PAM map.
 
Old 05-27-2014, 08:31 AM   #9
MPH426
LQ Newbie
 
Registered: Feb 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
I think I might have found a solution. Well, it's been working for four days now anyway.

In all the research that I've done, and after re-reading the man page, I noticed that I couldn't find a single instance where the rid method of mapping was the only type in the config file. So, I added and changed the following lines.

Quote:
Added:
idmap config * : backend = tdb
idmap config * : range = 100000-200000

Changed:
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : base_rid = 0
idmap config MYDOMAIN : range = 10000-20000
I have two servers running almost identical config files. I made the change on the first server Friday morning. I left the second server alone. When I came in to work this morning the first server hadn't lost any mappings, the second server lost one.

I'll follow up at weeks end with an update.

Regards,

MPH
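
The layout from post #9, checked mechanically. This is an added example, not code from the thread or from Samba: `parse_idmap`, `bounds`, `lint` and `rid_to_uid` are hypothetical helpers, the two inputs are the idmap lines from posts #1 and #9, and the ID formula is the one documented in idmap_rid(8).

```python
import re
from itertools import combinations

# Constructed inputs: the idmap lines from post #1 and from post #9.
ORIGINAL = """[global]
idmap config * : backend = rid
idmap config * : base_rid = 0
idmap config * : range = 10000-20000
"""
REVISED = """[global]
idmap config * : backend = tdb
idmap config * : range = 100000-200000
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : base_rid = 0
idmap config MYDOMAIN : range = 10000-20000
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}}; commented lines do not match."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def bounds(opts):
    """'10000-20000' or '10000 - 20000' -> (10000, 20000)."""
    return tuple(int(x) for x in opts["range"].split("-"))

def lint(text):
    """Report where a config departs from the layout that held up in post #9."""
    doms, findings = parse_idmap(text), []
    if doms.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("default domain * uses rid; post #9 gave * tdb and its own range")
    ranged = sorted((bounds(o), d) for d, o in doms.items() if "range" in o)
    for ((_, hi1), d1), ((lo2, _), d2) in combinations(ranged, 2):
        if lo2 <= hi1:  # sorted by low bound, so this means the two ranges intersect
            findings.append(f"ranges for {d1} and {d2} overlap")
    return findings

def rid_to_uid(opts, rid):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    lo, hi = bounds(opts)
    uid = rid - int(opts.get("base_rid", 0)) + lo
    return uid if lo <= uid <= hi else None
```

With the range 10000-20000 and base_rid 0 used in the thread, only RIDs 0 through 10000 produce an ID inside the range; `rid_to_uid` returns `None` for anything higher.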
 
Old 05-27-2014, 12:04 PM   #10
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
I wish I could stay in touch with you and monitor this, MP. It looks like you've got this resolved but the first post mentioned a significant amount of activity before the problem appeared,
Quote:
idmap config * : range = 100000-200000
#matching
idmap config MYDOMAIN : range = 10000-20000
was probably the key.
If we're done here, close up the thread. When I search these threads for solutions, and I do quite often, I always look at the resolved threads first, resolving it will help the next guy, which is the basis of all open source thinking.
We stand on the shoulders of giants.
 
Old 05-30-2014, 10:29 AM   #11
MPH426
LQ Newbie
 
Registered: Feb 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
I gotta call this one solved!

Making the changes above seems to have done the trick! It's been one week and not a single drop.

Regards,

MPH
 
Old 05-30-2014, 03:22 PM   #12
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Very cool, let me make a note of that because that RID mapping system seems like the way to go if it's stable.

Thank you very much
 
  

