[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb

Kees van Vloten keesvanvloten at gmail.com
Mon Sep 4 20:09:35 UTC 2023


Hi Team,


I am setting up a new AD-domain, the first DC is just operational and 
some users and groups are created.

This runs on Debian 11, Samba 4.18.6 and it is set up with the same (but 
evolved) Ansible code I used for my other domains (all of them on 
different networks and independent of each other). The older domains 
were initially set up with Samba 4.14 and another with 4.15 and have been 
upgraded many times since; the new one was set up with 4.18.6. In all 
places Samba gets installed from the same Debian packages.

Due to the repeatable Ansible setup the /etc/samba/smb.conf is exactly 
the same (apart from the domain name etc.) on the existing domains and 
the new domain. And all domains were provisioned with '--use-rfc2307'.

'samba-tool processes | wc -l' is equal between old and new: 24 lines. 
And ps aux | grep winbindd also shows an equal number of winbind processes.

'/etc/nsswitch.conf' is also equal and includes winbind for passwd and 
group.


Now the mystery starts: there is a difference in id (uid/gid) lookups on 
a DC between the older domains and the new domain.

It looks like the new domain is not querying 
/var/lib/samba/private/idmap.ldb (but it does exist there), whereas the 
older ones are.

As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'

On the old domain(s) this results (as expected) in:

OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash

But on the new domain the lookup has no result.

The winbind logging is equally different, on the old domain (success):

[2023/09/04 20:55:56.243929,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
   winbindd_interface_version: [nss_winbind (2502996)]: request interface version (version = 32)
[2023/09/04 20:55:56.243999,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
   process_request_send: [nss_winbind (2502996)] Handling async request: GETPWNAM
[2023/09/04 20:55:56.244007,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
   [nss_winbind (2502996)] Winbind external command GETPWNAM start.
   Query username 'OLDDOM\domain admins'.
[2023/09/04 20:55:56.244312,  3] ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
   Winbind external command GETPWNAM end.
   (name:passwd:uid:gid:gecos:dir:shell)
   OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
[2023/09/04 20:55:56.244322,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
   process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK
[2023/09/04 20:55:57.091601,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
   winbindd_interface_version: [nss_winbind (2502997)]: request interface version (version = 32)
[2023/09/04 20:55:57.091800,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
   process_request_send: [nss_winbind (2502997)] Handling async request: GETGROUPS
[2023/09/04 20:55:57.091817,  3] ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
   [nss_winbind (2502997)] Winbind external command GETGROUPS start.
   Searching groups for username 'root'.
[2023/09/04 20:55:57.093936,  3] ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
   : lookup_usergroups_cached
[2023/09/04 20:55:57.106212,  3] ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
   Winbind external command GETGROUPS end.
   Received 2 entries.
[2023/09/04 20:55:57.106337,  3] ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
   0: GID 10000
[2023/09/04 20:55:57.106344,  3] ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
   1: GID 10019
[2023/09/04 20:55:57.106350,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
   process_request_done: [nss_winbind(2502997):GETGROUPS]: NT_STATUS_OK

On the new domain (no result):

[2023/09/04 20:54:18.579629,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
   winbindd_interface_version: [nss_winbind (43590)]: request interface version (version = 32)
[2023/09/04 20:54:18.579686,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
   process_request_send: [nss_winbind (43590)] Handling async request: GETPWNAM
[2023/09/04 20:54:18.579701,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
   [nss_winbind (43590)] Winbind external command GETPWNAM start.
   Query username 'NEWDOM\domain admins'.
[2023/09/04 20:54:18.582975,  1] ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
   XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
[2023/09/04 20:54:18.582990,  1] ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
   Could not convert sid S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
[2023/09/04 20:54:18.582995,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
   process_request_done: [nss_winbind(43590):GETPWNAM]: NT_STATUS_NO_SUCH_USER

Another indication that /var/lib/samba/private/idmap.ldb is not used 
comes from the group lookup of domain admins:

getent group '<DOMAIN-NAME>\domain admins'

Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the xidNumber in 
idmap.ldb)

New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber in the 
ldap record of the group)


What could cause this different behaviour (on these 2 very similar 
environments)?


- Kees.
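
An added example, not part of Kees's post and not Samba's own code: a small POSIX shell script that makes the two comparisons in the post mechanical, so the same check can be repeated on each DC. It assumes the numeric XID types from Samba's librpc/idl/idmap.idl (0 NOT_SPECIFIED, 1 UID, 2 GID, 3 BOTH), so the "XID type is 2" in the new domain's log reads as ID_TYPE_GID. The sample log lines and getent/LDIF inputs are constructed from the values quoted in the post; the old domain's SID and idmap type, the AD group DNs, and the new domain's idmap.ldb and AD entries are made up for illustration, since the post does not show them. The ldbsearch invocations in the comments are the usual way to dump those entries on a DC and are given as suggestions, not as commands this script runs.

```shell
#!/bin/sh
# Added helpers for checking where a DC's uid/gid for an AD object comes from.
# Not from the post or from Samba. The sample inputs below are constructed
# from the values quoted in the post; the commands that would produce such
# text on a DC are noted in comments. The numeric XID types are Samba's
# (librpc/idl/idmap.idl): 0 NOT_SPECIFIED, 1 UID, 2 GID, 3 BOTH.

xid_type_name() {
    case "$1" in
        0) echo ID_TYPE_NOT_SPECIFIED ;;
        1) echo ID_TYPE_UID ;;
        2) echo ID_TYPE_GID ;;
        3) echo ID_TYPE_BOTH ;;
        *) echo UNKNOWN ;;
    esac
}

# Read a level-3 winbind log for one GETPWNAM request on stdin and print
# "OK", or "FAIL <sid> <xid type> <ntstatus>" when the request failed.
classify_getpwnam_log() {
    log=$(cat)
    # the last NT_STATUS_* token is the final status from process_request_done
    status=$(printf '%s\n' "$log" | sed -n 's/.*\(NT_STATUS_[A-Z_]*\).*/\1/p' | tail -n 1)
    if [ "$status" = NT_STATUS_OK ]; then
        echo OK
        return
    fi
    sid=$(printf '%s\n' "$log" | sed -n 's/.*Could not convert sid \(S-[0-9-]*\):.*/\1/p' | head -n 1)
    xid=$(printf '%s\n' "$log" | sed -n 's/.*XID type is \([0-9]*\),.*/\1/p' | head -n 1)
    echo "FAIL ${sid:-?} $(xid_type_name "${xid:-?}") ${status:-?}"
}

# $1: one line of 'getent group' output
# $2: the idmap.ldb entry for the object's SID as LDIF (may be empty), e.g. from
#     ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=S-1-5-21-...)'
# $3: the AD object's entry as LDIF, e.g. from
#     ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=S-1-5-21-...)' gidNumber
# Prints which attribute the gid in the getent line agrees with.
gid_source() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    xid=$(printf '%s\n' "$2" | sed -n 's/^xidNumber: *//p' | head -n 1)
    idtype=$(printf '%s\n' "$2" | sed -n 's/^type: *//p' | head -n 1)
    adgid=$(printf '%s\n' "$3" | sed -n 's/^gidNumber: *//p' | head -n 1)
    if [ -n "$xid" ] && [ "$gid" = "$xid" ]; then
        echo "idmap.ldb xidNumber=$xid type=${idtype:-?}"
    elif [ -n "$adgid" ] && [ "$gid" = "$adgid" ]; then
        echo "AD gidNumber=$adgid"
    else
        echo "unknown gid=$gid"
    fi
}

# Constructed samples. Log lines and numbers come from the post; the old
# domain's SID and idmap type, the DNs, and the new domain's idmap.ldb/AD
# entries are made up (the post does not show them).
OK_LOG="[2023/09/04 20:55:56.244007,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
   [nss_winbind (2502996)] Winbind external command GETPWNAM start.
   Query username 'OLDDOM\domain admins'.
[2023/09/04 20:55:56.244322,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
   process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK"

FAIL_LOG="[2023/09/04 20:54:18.579701,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
   [nss_winbind (43590)] Winbind external command GETPWNAM start.
   Query username 'NEWDOM\domain admins'.
[2023/09/04 20:54:18.582975,  1] ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
   XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
[2023/09/04 20:54:18.582990,  1] ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
   Could not convert sid S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
[2023/09/04 20:54:18.582995,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
   process_request_done: [nss_winbind(43590):GETPWNAM]: NT_STATUS_NO_SUCH_USER"

OLD_GETENT='OLDDOM\domain admins:x:3000004:'
OLD_IDMAP='dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000004'
OLD_AD='dn: CN=Domain Admins,CN=Users,DC=olddom,DC=example
gidNumber: 10001'

NEW_GETENT='NEWDOM\domain admins:x:10001:'
NEW_IDMAP=''    # constructed: pretend no idmap.ldb entry came back for the SID
NEW_AD='dn: CN=Domain Admins,CN=Users,DC=newdom,DC=example
gidNumber: 10001'

printf '%s\n' "$OK_LOG" | classify_getpwnam_log    # OK
printf '%s\n' "$FAIL_LOG" | classify_getpwnam_log  # FAIL S-1-5-21-435088123-233829246-2133031062-512 ID_TYPE_GID NT_STATUS_NO_SUCH_USER
gid_source "$OLD_GETENT" "$OLD_IDMAP" "$OLD_AD"    # idmap.ldb xidNumber=3000004 type=ID_TYPE_BOTH
gid_source "$NEW_GETENT" "$NEW_IDMAP" "$NEW_AD"    # AD gidNumber=10001
```

On a real DC the inputs would be the output of `getent group`, a level-3 winbind log (`log level = 3` or `smbcontrol winbindd debug 3`), and the two ldbsearch dumps; the script only decides which number winbind handed back and where that number is visible, it does not explain why one backend won.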

