[samba-jp:19834] idmap_cache.tdbの内容がバタつく

Toshio Kobayashi toshio.kobayashi @ aquacast.co.jp
2007年 11月 13日 (火) 21:20:43 JST


小林と申します.

3ノード(PDC,BDC,ドメインメンバーサーバ)構成で Samba ドメインを構築し,メ
ンバーサーバとした samba を利用してファイル共有も実施しようとしています.
メンバーサーバは今後増設することを検討しています.
現在,SID←→UID/GID のマッピングがバタつくことがあり,原因を追究してお
ります.
ナレッジがあれば,幸いです.

■環境(抜粋)
PDC:centos5 / samba3-3.0.26a-35 / openldap-2.3.27-5
BDC:centos5 / samba3-3.0.26a-35 / openldap-2.3.27-5
ファイルサーバ:centos5 / samba3-3.0.26a-35 / nss_ldap-253-3(ドメインメ
   ンバサーバとして設定/ext3,acl付きで共有に利用する領域をマウント)
クライアント:windows xp pro sp2

3ノードとも nsswitch.conf の passwd shadow group それぞれ files ldap の
み記述
ユーザのPrimaryグループは "Domain Users"で,その他セカンダリグループ複数
に属している

■確認事項
windows XP Pro client を利用しアクセス制御を用いたファイル共有を行いたい
場合

1.ファイルサーバ上で winbind を走らせることは must でしょうか?

2.ファイルサーバ上で winbind を走らせる場合,nsswitch.conf へ winbind 
の記述は must でしょうか?

3.windows XP Pro client でファイル共有に対してディレクトリ/ファイル作成
を行った場合,OS側から見てどちらのUID/GID(idmap で割り当てられたもの,
ldap 上の uidNumber/gidNumber)が付与されるのが正でしょうか?

■問題としている事象
・ユーザ側
突然,ファイルサーバ上の共有ディレクトリにアクセスできなくなる事がある
→ ファイルサーバ上の idmap_cache.tdb を削除して,winbind を再起動し,再
 度アクセスする(idmap_cache.tdbを更新する)と復旧する事がほとんど

・ファイルサーバ側
ファイルサーバのファイル/ディレクトリは idmap でマップされた id で acl 
を定義
idmap_cache.tdb が期待したSID/GIDのマップ内容でキャッシュされない.下記ログ
 のとおり,同一 SID(…-3037)について GID 16777237(idmap レンジ内)のエント
 リが6回記録された後,timeout 15:04:31 のエントリでは GID 1018(レンジ外.
 おそらく ldap 上の gidNumber)に変わっています(←ユーザ側で発生する事象の
 原因?と思われる)
  idmap_cache.tdb 更新時の操作は様々で,client 上でディレクトリのセキュ
  リティタブから acl を表示しようとした時やファイルサーバーの shell 上
  でid コマンドを発行した時など,発生トリガは確立できていません.

[root @ nas00]# grep timeout log.winbindd-idmap |grep Add|grep 2545657024-3037
  Adding cache entry with key = IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037; value =   1194921378/IDMAP/GID/16777237 and timeout = Tue Nov 13 11:36:18 2007
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  Adding cache entry with key = IDMAP/GID/16777237; value =   1194921378/IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037 and timeout = Tue Nov 13 11:36:18 2007
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  Adding cache entry with key = IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037; value =   1194923204/IDMAP/GID/16777237 and timeout = Tue Nov 13 12:06:44 2007
  Adding cache entry with key = IDMAP/GID/16777237; value =   1194923204/IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037 and timeout = Tue Nov 13 12:06:44 2007
  Adding cache entry with key = IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037; value =   1194924429/IDMAP/GID/16777237 and timeout = Tue Nov 13 12:27:09 2007
  Adding cache entry with key = IDMAP/GID/16777237; value =   1194924429/IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037 and timeout = Tue Nov 13 12:27:09 2007
  Adding cache entry with key = IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037; value =   1194924520/IDMAP/GID/16777237 and timeout = Tue Nov 13 12:28:40 2007
  Adding cache entry with key = IDMAP/GID/16777237; value =   1194924520/IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037 and timeout = Tue Nov 13 12:28:40 2007
  Adding cache entry with key = IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037; value =   1194927233/IDMAP/GID/16777237 and timeout = Tue Nov 13 13:13:53 2007
  Adding cache entry with key = IDMAP/GID/16777237; value =   1194927233/IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037 and timeout = Tue Nov 13 13:13:53 2007
  Adding cache entry with key = IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037; value =   1194933699/IDMAP/GID/16777237 and timeout = Tue Nov 13 15:01:39 2007
  Adding cache entry with key = IDMAP/GID/16777237; value =   1194933699/IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037 and timeout = Tue Nov 13 15:01:39 2007
  Adding cache entry with key = IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037; value =   1194933871/IDMAP/GID/1018 and timeout = Tue Nov 13 15:04:31 2007
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  Adding cache entry with key = IDMAP/GID/1018; value =   1194933871/IDMAP/SID/S-1-5-21-3364022190-44180768-2545657024-3037 and timeout = Tue Nov 13 15:04:31 2007
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root @ nas00]#

■各 smb.conf
***** PDC *****
# PDC smb.conf as posted. Lines beginning with '#' are reviewer notes;
# every parameter line is reproduced unchanged.
[global]
	# NOTE(review): CP920 is not the code page normally used for Japanese
	# clients (CP932 is). If iconv has no CP920 table, testparm / the logs
	# should show a charset conversion error -- confirm this is not a typo.
	dos charset = CP920
	display charset = UTF-8
	workgroup = DOMDOM
	server string = Domain Controller
	# Two LDAP URLs: passdb fails over to .31 when .30 is unreachable.
	passdb backend = ldapsam:"ldap://192.168.100.30 ldap://192.168.100.31"
	# Debug level 10 with passdb/sam/auth at 10 writes authentication
	# internals (names, SIDs, and possibly password-hash material) to the
	# log, and 'max log size = 0' removes the rotation cap. Acceptable for
	# this investigation; do not leave it in place afterwards.
	log level = 10 passdb:10 sam:10 auth:10
	syslog = 0
	max log size = 0
	name resolve order = wins host bcast
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	# No printing surface: printers are not loaded and spoolss is off.
	load printers = No
	disable spoolss = Yes
	# Account and group changes are delegated to smbldap-tools. The scripts
	# are run through a shell, and the single quotes keep a name containing
	# whitespace as one argument; a name containing a single quote would
	# still break the quoting -- confirm Samba's %u/%g sanitising covers it.
	add user script = /usr/sbin/smbldap-useradd '%u'
	delete user script = /usr/sbin/smbldap-userdel '%u'
	add group script = /usr/sbin/smbldap-groupadd '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/sbin/smbldap-useradd -w '%u'
	# Empty: no roaming profiles and no home-drive mapping.
	logon path = 
	logon home = 
	domain logons = Yes
	# Domain master browser and WINS server for the domain.
	os level = 96
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins support = Yes
	# NOTE(review): the same bind DN is used on all three hosts and, judging
	# by the name, may be the directory's rootdn. Its password lives in
	# secrets.tdb on each host; a dedicated DN with write access limited to
	# the Samba subtrees would narrow what a compromised host can change.
	ldap admin dn = "cn=DirManager,dc=nt,dc=domdom,dc=co,dc=jp"
	ldap group suffix = ou=Groups
	# Winbind's allocated SID<->ID mappings are stored here, so they are
	# shared by every host that points at this directory.
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Computers
	# Password changes through Samba also rewrite the LDAP userPassword.
	ldap passwd sync = Yes
	ldap suffix = dc=nt,dc=domdom,dc=co,dc=jp
	ldap user suffix = ou=Users
	host msdfs = No
	# NOTE(review): idmap names only .30 while passdb names .30 and .31, so
	# when .30 is down SID<->ID allocation fails although authentication
	# still fails over.
	idmap backend = ldap:ldap://192.168.100.30
	# Allocated IDs start at 16777216, far above the uidNumber/gidNumber
	# values kept in LDAP (the posted log shows GID 1018), so an allocated
	# ID and a directory-stored ID for the same SID are easy to tell apart.
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	# NOTE(review): '_' is also the character 'winbind normalize names'
	# substitutes for whitespace, so DOMDOM_domain_admins cannot be split
	# unambiguously into domain and group. A separator that never appears
	# in names (e.g. '+') avoids this -- confirm against the 3.0.26 man page.
	winbind separator = _
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind normalize names = Yes
	# 'administrator' performs all file operations on this host as root.
	admin users = administrator
	# Plain IP allow-list, no netmask: every new client must be added here.
	hosts allow = 192.168.100.30, 192.168.100.31, 192.168.100.32, 192.168.100.181, 192.168.100.182, 192.168.100.183, 192.168.100.184, 192.168.100.185, 192.168.100.186, 192.168.100.187, 192.168.100.188

[netlogon]
	path = /var/lib/samba/netlogon
	# 'read only' is not overridden, so this share stays read-only (the
	# default) and guest access only exposes logon scripts for reading.
	# Confirm the directory itself is not writable by the guest account.
	guest ok = Yes
	browseable = No
	locking = No

***** BDC *****
# BDC smb.conf as posted. Lines beginning with '#' are reviewer notes;
# every parameter line is reproduced unchanged. It mirrors the PDC config
# except for the browser/WINS roles and the missing 'max log size'.
[global]
	# NOTE(review): CP920 is not the code page normally used for Japanese
	# clients (CP932 is) -- confirm this is not a typo.
	dos charset = CP920
	display charset = UTF-8
	workgroup = DOMDOM
	server string = Domain Controller
	passdb backend = ldapsam:"ldap://192.168.100.30 ldap://192.168.100.31"
	# Debug level 10 writes authentication internals to the log. Unlike the
	# PDC config, 'max log size' is not set here, so the default rotation
	# cap applies -- confirm the default for 3.0.26 if log volume matters.
	log level = 10 passdb:10 sam:10 auth:10
	syslog = 0
	name resolve order = wins host bcast
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	load printers = No
	disable spoolss = Yes
	# Same smbldap-tools hooks as the PDC; both controllers can therefore
	# write accounts into the shared directory.
	add user script = /usr/sbin/smbldap-useradd '%u'
	delete user script = /usr/sbin/smbldap-userdel '%u'
	add group script = /usr/sbin/smbldap-groupadd '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/sbin/smbldap-useradd -w '%u'
	logon path = 
	logon home = 
	domain logons = Yes
	# Lower os level than the PDC (96) and not the domain master; still a
	# preferred master, so it forces a browser election at start-up.
	os level = 64
	preferred master = Yes
	domain master = No
	dns proxy = No
	# WINS is served by the PDC.
	wins server = 192.168.100.30
	# NOTE(review): same bind DN as the other hosts; see the least-privilege
	# remark on the PDC config -- a compromise of any one host exposes it.
	ldap admin dn = "cn=DirManager,dc=nt,dc=domdom,dc=co,dc=jp"
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Computers
	ldap passwd sync = Yes
	ldap suffix = dc=nt,dc=domdom,dc=co,dc=jp
	ldap user suffix = ou=Users
	host msdfs = No
	# NOTE(review): idmap depends on .30 alone while passdb has a fallback;
	# a BDC that cannot reach .30 loses SID<->ID allocation.
	idmap backend = ldap:ldap://192.168.100.30
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	# NOTE(review): '_' doubles as the whitespace replacement used by
	# 'winbind normalize names', which makes DOMAIN_group names ambiguous.
	winbind separator = _
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind normalize names = Yes
	# 'administrator' performs all file operations on this host as root.
	admin users = administrator
	hosts allow = 192.168.100.30, 192.168.100.31, 192.168.100.32, 192.168.100.181, 192.168.100.182, 192.168.100.183, 192.168.100.184, 192.168.100.185, 192.168.100.186, 192.168.100.187, 192.168.100.188

[netlogon]
	path = /var/lib/samba/netlogon
	# Read-only by default ('read only' not overridden); guest access only
	# reads logon scripts.
	guest ok = Yes
	browseable = No
	locking = No

***** FS *****
# Domain-member file server smb.conf as posted. Lines beginning with '#'
# are reviewer notes; every parameter line is reproduced unchanged.
[global]
	# NOTE(review): CP920 is not the code page normally used for Japanese
	# clients (CP932 is) -- confirm this is not a typo.
	dos charset = CP920
	display charset = UTF-8
	workgroup = DOMDOM
	server string = File Server
	# Member server: authentication is passed to the domain controllers.
	security = DOMAIN
	# The member also reads the domain's ldapsam directly, so smbd can
	# resolve the domain's SIDs from sambaSID entries without winbind.
	passdb backend = ldapsam:"ldap://192.168.100.30 ldap://192.168.100.31"
	# Debug level 10 plus 'max log size = 0' (no rotation cap) on a file
	# server is a disk-fill risk as well as a data-exposure one; revert
	# once the idmap issue is understood.
	log level = 10 passdb:10 sam:10 auth:10
	syslog = 0
	max log size = 0
	name resolve order = wins host bcast
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	load printers = No
	disable spoolss = Yes
	logon path = 
	logon home = 
	# NOTE(review): a file server set as preferred master forces a browser
	# election at start-up and competes with the DCs (which are also
	# preferred masters); 'preferred master = No' is the usual member setting.
	os level = 33
	preferred master = Yes
	domain master = No
	dns proxy = No
	wins server = 192.168.100.30
	# NOTE(review): the same directory bind DN as the controllers is stored
	# in this host's secrets.tdb, so compromising the file server grants the
	# same directory write access as compromising a DC.
	ldap admin dn = "cn=DirManager,dc=nt,dc=domdom,dc=co,dc=jp"
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Computers
	ldap passwd sync = Yes
	ldap suffix = dc=nt,dc=domdom,dc=co,dc=jp
	ldap user suffix = ou=Users
	host msdfs = No
	# NOTE(review): this host resolves identities through nss_ldap (per the
	# post) and through winbind with an LDAP idmap. The posted
	# log.winbindd-idmap shows the same SID cached as GID 16777237 (inside
	# the range below) and later as GID 1018 (outside it), i.e. two
	# different sources answered the SID->GID lookup. Which path produced
	# 1018 (ldapsam sambaSID lookup, NSS) is not visible here -- establish
	# that before changing idmap settings. idmap also depends on .30 alone.
	idmap backend = ldap:ldap://192.168.100.30
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	# NOTE(review): '_' doubles as the whitespace replacement used by
	# 'winbind normalize names'; see the [Bkup] valid users entry below.
	winbind separator = _
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind normalize names = Yes
	# 'administrator' performs all file operations on every share as root,
	# bypassing the per-share valid users / write list below.
	admin users = administrator
	# New files are owner rw + group r; directories owner rwx + group rx.
	# Whatever GID ends up on the file decides who that group is.
	create mask = 0740
	directory mask = 0750
	hosts allow = 192.168.100.30, 192.168.100.31, 192.168.100.32, 192.168.100.181, 192.168.100.182, 192.168.100.183, 192.168.100.184, 192.168.100.185, 192.168.100.186, 192.168.100.187, 192.168.100.188

[test]
	comment = test Folder
	path = /smb00/DIR/test
	# NOTE(review): writable AND guest ok -- anonymous connections land on
	# the guest account with write access. Fine for a throw-away test
	# share; confirm it is not reachable from the client range for long.
	read only = No
	guest ok = Yes

[Proj]
	comment = project Folder
	path = /smb00/DIR/Proj
	# No valid users / write list: any domain user can write here;
	# access control rests entirely on the filesystem ACLs.
	read only = No

[Sys]
	comment = it Folder
	path = /smb00/DIR/Sys
	# Read-only (default) except for members of DOMDOM_sys00.
	write list = @DOMDOM_sys00

[Dept]
	comment = dept Folder
	path = /smb00/DIR/Dept
	read only = No
	# Audit trail for this share only. Successful and failed open/close,
	# rename and unlink are recorded, so file access here is reconstructible
	# after the fact -- provided syslog routes LOCAL6.debug somewhere;
	# many default syslog configs drop debug priority silently.
	vfs objects = full_audit
	full_audit:success = connect disconnect mkdir rmdir open close rename unlink
	full_audit:failure = connect disconnect opendir closedir mkdir rmdir open close rename unlink
	full_audit:priority = DEBUG
	full_audit:facility = LOCAL6

[Bkup]
	comment = system_bkup Folder
	path = /smb00/DIR/Bkup
	# NOTE(review): with 'winbind normalize names = Yes' the group is
	# presented as DOMDOM_domain_admins (whitespace -> '_'); whether the
	# quoted form with a space still resolves should be checked with
	# 'getent group' / 'wbinfo -n' on this host.
	valid users = "@DOMDOM_domain admins", @DOMDOM_sys00
	# Domain Admins get read access only; sys00 members may write.
	write list = @DOMDOM_sys00



