[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
Kees van Vloten
keesvanvloten at gmail.com
Mon Sep 4 20:09:35 UTC 2023
Hi Team,
I am setting up a new AD-domain, the first DC is just operational and
some users and groups are created.
This runs on Debian 11, Samba 4.18.6, and it is set up with the same (but
evolved) Ansible code I used for my other domains (all of them on
different networks and independent of each other). The older domains
were initially set up with Samba 4.14 and another with 4.15 and upgraded
many times since; the new setup with 4.18.6. In all places it gets
installed from the same Debian packages.
Due to the repeatable Ansible setup the /etc/samba/smb.conf is exactly
the same (apart from the domain name etc.) on the existing domains and
the new domain. And all domains were provisioned with '--use-rfc2307'.
'samba-tool processes | wc -l' is equal between old and new: 24 lines.
And ps aux | grep winbindd also shows an equal number of winbind processes.
'/etc/nsswitch.conf' is also equal and includes winbind for passwd and
group.
Now the mystery starts: there is a difference in id (uid/gid) lookups on
a DC between the older domains and the new domain.
It looks like the new domain is not querying
/var/lib/samba/private/idmap.ldb (but it does exist there), whereas the
older ones are.
As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
On the old domain(s) this results (as expected) in:
OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
But on the new domain the lookup has no result.
The winbind logging is equally different, on the old domain (success):
[2023/09/04 20:55:56.243929, 3]
../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
winbindd_interface_version: [nss_winbind (2502996)]: request
interface version (version = 32)
[2023/09/04 20:55:56.243999, 3]
../../source3/winbindd/winbindd.c:497(process_request_send)
process_request_send: [nss_winbind (2502996)] Handling async request:
GETPWNAM
[2023/09/04 20:55:56.244007, 3]
../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
[nss_winbind (2502996)] Winbind external command GETPWNAM start.
Query username 'OLDDOM\domain admins'.
[2023/09/04 20:55:56.244312, 3]
../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
Winbind external command GETPWNAM end.
(name:passwd:uid:gid:gecos:dir:shell)
OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
[2023/09/04 20:55:56.244322, 3]
../../source3/winbindd/winbindd.c:564(process_request_done)
process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK
[2023/09/04 20:55:57.091601, 3]
../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
winbindd_interface_version: [nss_winbind (2502997)]: request
interface version (version = 32)
[2023/09/04 20:55:57.091800, 3]
../../source3/winbindd/winbindd.c:497(process_request_send)
process_request_send: [nss_winbind (2502997)] Handling async request:
GETGROUPS
[2023/09/04 20:55:57.091817, 3]
../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
[nss_winbind (2502997)] Winbind external command GETGROUPS start.
Searching groups for username 'root'.
[2023/09/04 20:55:57.093936, 3]
../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
: lookup_usergroups_cached
[2023/09/04 20:55:57.106212, 3]
../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
Winbind external command GETGROUPS end.
Received 2 entries.
[2023/09/04 20:55:57.106337, 3]
../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
0: GID 10000
[2023/09/04 20:55:57.106344, 3]
../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
1: GID 10019
[2023/09/04 20:55:57.106350, 3]
../../source3/winbindd/winbindd.c:564(process_request_done)
process_request_done: [nss_winbind(2502997):GETGROUPS]: NT_STATUS_OK
On the new domain (no result):
[2023/09/04 20:54:18.579629, 3]
../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
winbindd_interface_version: [nss_winbind (43590)]: request interface
version (version = 32)
[2023/09/04 20:54:18.579686, 3]
../../source3/winbindd/winbindd.c:497(process_request_send)
process_request_send: [nss_winbind (43590)] Handling async request:
GETPWNAM
[2023/09/04 20:54:18.579701, 3]
../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
[nss_winbind (43590)] Winbind external command GETPWNAM start.
Query username 'NEWDOM\domain admins'.
[2023/09/04 20:54:18.582975, 1]
../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
[2023/09/04 20:54:18.582990, 1]
../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-435088123-233829246-2133031062-512:
NT_STATUS_NO_SUCH_USER
[2023/09/04 20:54:18.582995, 3]
../../source3/winbindd/winbindd.c:564(process_request_done)
process_request_done: [nss_winbind(43590):GETPWNAM]:
NT_STATUS_NO_SUCH_USER
Another indication that /var/lib/samba/private/idmap.ldb is not used
comes from the group lookup of domain admins:
getent group '<DOMAIN-NAME>\domain admins'
Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the xidNumber in
idmap.ldb)
New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber in the
ldap record of the group)
What could cause this different behaviour (on these 2 very similar
environments)?
- Kees.
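The two logs differ in which source winbind consulted for the group's SID: the old DC returned an xidNumber/type pair from idmap.ldb, while the new DC reported "XID type is 2", which is the numeric value of ID_TYPE_GID in Samba's id_type enum (0 = NOT_SPECIFIED, 1 = UID, 2 = GID, 3 = BOTH), i.e. a GID-only mapping that a GETPWNAM request cannot use. The script below is an added diagnostic example, not code from the post or from the Samba project. It assumes the default Debian database paths under /var/lib/samba/private and that ldbsearch, wbinfo and testparm are on the PATH when run as root on a DC; the embedded LDIF records are constructed samples shaped like ldbsearch output, not captured data.

```shell
#!/bin/sh
# Added example (not from the original post): decode the winbind "XID type"
# number, and compare a SID's record in idmap.ldb with the rfc2307
# attributes on the matching AD object in sam.ldb.
# Assumptions: Debian default paths below; id_type enum values
# 0=NOT_SPECIFIED 1=UID 2=GID 3=BOTH (Samba librpc/idl/idmap.idl).

IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# Map the numeric XID type printed by wb_queryuser_got_uid to its enum name.
xid_type_name() {
    case "$1" in
        0) echo ID_TYPE_NOT_SPECIFIED ;;
        1) echo ID_TYPE_UID ;;
        2) echo ID_TYPE_GID ;;
        3) echo ID_TYPE_BOTH ;;
        *) echo UNKNOWN ;;
    esac
}

# Print the first value of attribute $1 from LDIF ("attr: value") on stdin.
ldif_attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# Summarise an idmap.ldb record on stdin: "xid=<n> type=<ID_TYPE_...>",
# or "unmapped" when the SID has no xidNumber in idmap.ldb at all.
idmap_summary() {
    rec=$(cat)
    xid=$(printf '%s\n' "$rec" | ldif_attr xidNumber)
    typ=$(printf '%s\n' "$rec" | ldif_attr type)
    if [ -z "$xid" ]; then
        echo unmapped
    else
        echo "xid=$xid type=$typ"
    fi
}

# Summarise the rfc2307 attributes of an AD object on stdin; "-" when absent.
rfc2307_summary() {
    rec=$(cat)
    uid=$(printf '%s\n' "$rec" | ldif_attr uidNumber)
    gid=$(printf '%s\n' "$rec" | ldif_attr gidNumber)
    echo "uidNumber=${uid:--} gidNumber=${gid:--}"
}

# Live check for one SID; only works on a DC with the Samba tools installed.
diagnose_sid() {
    sid="$1"
    if ! command -v ldbsearch >/dev/null 2>&1; then
        echo "ldbsearch not found; run this on the DC as root" >&2
        return 1
    fi
    echo "idmap.ldb : $(ldbsearch -H "$IDMAP_DB" "(objectSid=$sid)" xidNumber type | idmap_summary)"
    echo "sam.ldb   : $(ldbsearch -H "$SAM_DB" "(objectSid=$sid)" uidNumber gidNumber | rfc2307_summary)"
    echo "wbinfo uid: $(wbinfo --sid-to-uid "$sid" 2>&1)"
    echo "wbinfo gid: $(wbinfo --sid-to-gid "$sid" 2>&1)"
    echo "smb.conf  : $(testparm -s 2>/dev/null | grep -i 'rfc2307' || echo 'no rfc2307 setting in effective config')"
}

# Constructed sample records (not real output), shaped like ldbsearch LDIF:
# an old-style idmap.ldb allocation and a new-style group carrying gidNumber.
OLD_IDMAP_RECORD='dn: CN=S-1-5-21-1-2-3-512
cn: S-1-5-21-1-2-3-512
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-512
type: ID_TYPE_BOTH
xidNumber: 3000004'

NEW_SAM_RECORD='dn: CN=Domain Admins,CN=Users,DC=newdom,DC=example
objectSid: S-1-5-21-4-5-6-512
gidNumber: 10001'

# Offline demonstration on the constructed samples; pass a SID to query live.
echo "log 'XID type is 2' means: $(xid_type_name 2)"
echo "old-style record: $(printf '%s\n' "$OLD_IDMAP_RECORD" | idmap_summary)"
echo "new-style record: $(printf '%s\n' "$NEW_SAM_RECORD" | rfc2307_summary)"
if [ "$#" -ge 1 ]; then
    diagnose_sid "$1"
fi
```

Run it with the group's SID from the log (`sh idmap-check.sh S-1-5-21-...-512`) on both an old and the new DC: an ID_TYPE_BOTH xidNumber in idmap.ldb is what makes `getent passwd` succeed for a group, whereas a GID-only mapping taken from a gidNumber attribute satisfies `getent group` but not `getent passwd`, which is exactly the NT_STATUS_NO_SUCH_USER seen on the new domain.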