[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb

Rowland Penny rpenny at samba.org
Mon Sep 4 20:56:47 UTC 2023


On Mon, 4 Sep 2023 22:30:23 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> 
> On 04-09-2023 22:26, Rowland Penny via samba wrote:
> > On Mon, 4 Sep 2023 22:09:35 +0200
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> Hi Team,
> >>
> >>
> >> I am setting up a new AD-domain, the first DC is just operational
> >> and some users and groups are created.
> >>
> >> This runs on Debian 11, Samba 4.18.6 and it is set up with the same
> >> (but evolved) Ansible code I used for my other domains (all of them
> >> on different networks and independent of each other). The older
> >> domains were initially set up with Samba 4.14 and another with 4.15
> >> and upgraded many times since, the new setup with 4.18.6. In all
> >> places it gets installed from the same Debian packages.
> >>
> >> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
> >> exactly the same (apart from the domain name etc.) on the existing
> >> domains and the new domain. And all domains were provisioned with
> >> '--use-rfc2307'.
> >>
> >> 'samba-tool processes | wc -l' is equal between old and new: 24
> >> lines. And ps aux | grep winbindd also shows an equal number of
> >> winbind processes.
> >>
> >> '/etc/nsswitch.conf' is also equal and includes winbind for passwd
> >> and group.
> >>
> >>
> >> Now the mystery starts: there is a difference in id (uid/gid)
> >> lookups on a DC between the older domains and the new domain.
> >>
> >> It looks like the new domain is not querying
> >> /var/lib/samba/private/idmap.ldb (but it does exist there), whereas
> >> the older ones are.
> >>
> >> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
> >>
> >> On the old domain(s) this results (as expected) in:
> >>
> >> OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
> >>
> >> But on the new domain the lookup has no result.
> >>
> >> The winbind logging is equally different, on the old domain
> >> (success):
> >>
> >> [2023/09/04 20:55:56.243929,  3]
> >> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>     winbindd_interface_version: [nss_winbind (2502996)]: request
> >> interface version (version = 32)
> >> [2023/09/04 20:55:56.243999,  3]
> >> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>     process_request_send: [nss_winbind (2502996)] Handling async
> >> request: GETPWNAM
> >> [2023/09/04 20:55:56.244007,  3]
> >> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
> >>     [nss_winbind (2502996)] Winbind external command GETPWNAM
> >> start. Query username 'OLDDOM\domain admins'.
> >> [2023/09/04 20:55:56.244312,  3]
> >> ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
> >>     Winbind external command GETPWNAM end.
> >>     (name:passwd:uid:gid:gecos:dir:shell)
> >>     OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
> >> [2023/09/04 20:55:56.244322,  3]
> >> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>     process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK
> >> [2023/09/04 20:55:57.091601,  3]
> >> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>     winbindd_interface_version: [nss_winbind (2502997)]: request
> >> interface version (version = 32)
> >> [2023/09/04 20:55:57.091800,  3]
> >> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>     process_request_send: [nss_winbind (2502997)] Handling async
> >> request: GETGROUPS
> >> [2023/09/04 20:55:57.091817,  3]
> >> ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
> >>     [nss_winbind (2502997)] Winbind external command GETGROUPS
> >> start. Searching groups for username 'root'.
> >> [2023/09/04 20:55:57.093936,  3]
> >> ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
> >>     : lookup_usergroups_cached
> >> [2023/09/04 20:55:57.106212,  3]
> >> ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
> >>     Winbind external command GETGROUPS end.
> >>     Received 2 entries.
> >> [2023/09/04 20:55:57.106337,  3]
> >> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
> >>     0: GID 10000
> >> [2023/09/04 20:55:57.106344,  3]
> >> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
> >>     1: GID 10019
> >> [2023/09/04 20:55:57.106350,  3]
> >> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>     process_request_done: [nss_winbind(2502997):GETGROUPS]:
> >> NT_STATUS_OK
> >>
> >> On the new domain (no result):
> >>
> >> [2023/09/04 20:54:18.579629,  3]
> >> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>     winbindd_interface_version: [nss_winbind (43590)]: request
> >> interface version (version = 32)
> >> [2023/09/04 20:54:18.579686,  3]
> >> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>     process_request_send: [nss_winbind (43590)] Handling async
> >> request: GETPWNAM
> >> [2023/09/04 20:54:18.579701,  3]
> >> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
> >>     [nss_winbind (43590)] Winbind external command GETPWNAM start.
> >>     Query username 'NEWDOM\domain admins'.
> >> [2023/09/04 20:54:18.582975,  1]
> >> ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
> >>     XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
> >> [2023/09/04 20:54:18.582990,  1]
> >> ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
> >>     Could not convert sid
> >> S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
> >> [2023/09/04 20:54:18.582995,  3]
> >> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>     process_request_done: [nss_winbind(43590):GETPWNAM]:
> >> NT_STATUS_NO_SUCH_USER
> >>
> >> Another indication that /var/lib/samba/private/idmap.ldb is not
> >> used comes from the group lookup of domain admins:
> >>
> >> getent group '<DOMAIN-NAME>\domain admins'
> >>
> >> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the
> >> xidNumber in idmap.ldb)
> >>
> >> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber
> >> in the ldap record of the group)
> >>
> >>
> >> What could cause this different behaviour (on these 2 very similar
> >> environments)?
> > You giving Domain Admins a gidNumber attribute, which by the way has
> > just broken sysvol.
> >
> > Rowland
> >
> >
> That is not unique for the new domain, all my domains have it and as
> you see above it works on the other one...
> 
> On old domain: samba-tool group show 'domain admins':
> 
> dn: CN=Domain Admins,CN=Users,DC=composers,DC=lan
> sAMAccountName: Domain Admins
> gidNumber: 10047

You posted:

As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'

On the old domain(s) this results (as expected) in:

OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash

This either means that Domain Admins on that domain does not have a
gidNumber attribute (which you have proven it does) or it does not have
'idmap_ldb:use rfc2307 = yes' set in smb.conf.

If you give a user a uidNumber or give a group a gidNumber, then that
is what is used on a DC, provided that 'idmap_ldb:use rfc2307 = yes' is
set. If it isn't set, then the xidNumber found in idmap.ldb is used and
these numbers are all in the 3000000 range and are only found in
idmap.ldb

If you do have 'idmap_ldb:use rfc2307 = yes' in a DC smb.conf, with
uidNumber & gidNumber attributes set and you are getting numbers in the
3000000 range, then try 'net cache flush' and if this doesn't fix it,
then you may have hit a bug.

Rowland
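Added example, not part of this thread and not Samba's own code: a small POSIX shell script that encodes the rule Rowland gives above, so an smb.conf, an idmap.ldb record and a winbind log line can be checked against each other. The SID and the "XID type is 2" message are taken from the posted log; the idmap.ldb record, the testparm fragment and the precedence of uidNumber over gidNumber in rfc2307 mode are assumptions, and all sample output is constructed so the script runs offline. The numbering of the XID types (NOT_SPECIFIED=0, UID=1, GID=2, BOTH=3) follows Samba's enum id_type.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. It models the rule
# Rowland states: on a DC with 'idmap_ldb:use rfc2307 = yes' the AD object's
# uidNumber/gidNumber wins, otherwise the xidNumber in idmap.ldb is used, and
# a passwd lookup then needs a UID or BOTH mapping, a group lookup GID or BOTH.
# All SAMPLE_* values are constructed stand-ins for real tool output.

SID='S-1-5-21-435088123-233829246-2133031062-512'   # Domain Admins (RID 512), from the posted log

# Constructed: an idmap.ldb record as 'ldbsearch -H /var/lib/samba/private/idmap.ldb objectSid=$SID'
# would print it; a provision-time allocation in the 3000000 range, type BOTH.
SAMPLE_IDMAP_RECORD="dn: CN=$SID
cn: $SID
objectClass: sidMap
objectSid: $SID
type: ID_TYPE_BOTH
xidNumber: 3000004"

# Constructed: the relevant lines of 'testparm -s' on the new DC
SAMPLE_SMBCONF="[global]
        idmap_ldb:use rfc2307 = yes
        server role = active directory domain controller"

# From the posted level-1 winbind log of the failing GETPWNAM
SAMPLE_LOG_LINE='XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.'

# Numeric XID type as winbind logs it -> name (Samba's enum id_type:
# NOT_SPECIFIED=0, UID=1, GID=2, BOTH=3)
xid_type_name() {
  case "$1" in
    0) echo ID_TYPE_NOT_SPECIFIED ;;
    1) echo ID_TYPE_UID ;;
    2) echo ID_TYPE_GID ;;
    3) echo ID_TYPE_BOTH ;;
    *) echo UNKNOWN ;;
  esac
}

# "XID type is N, ..." -> the type name
xid_type_from_log() {
  n=$(printf '%s\n' "$1" | sed -n 's/.*XID type is \([0-9][0-9]*\),.*/\1/p')
  xid_type_name "${n:-unknown}"
}

# First value of attribute $1 in the LDIF-style record $2
ldif_attr() {
  printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1
}

# Effective 'idmap_ldb:use rfc2307' from testparm output; Samba's default is no
smbconf_use_rfc2307() {
  v=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*idmap_ldb:use rfc2307[[:space:]]*=[[:space:]]*//p')
  echo "${v:-no}"
}

# Which mapping a DC uses for one object. Prints "<id> <type>".
#   $1 use rfc2307 (yes/no)  $2 uidNumber or ""  $3 gidNumber or ""
#   $4 xidNumber from idmap.ldb  $5 type from idmap.ldb
# Assumption: in rfc2307 mode uidNumber gives a UID mapping and gidNumber a
# GID mapping; only an object with neither falls back to idmap.ldb.
resolve_mapping() {
  if [ "$1" = yes ] && [ -n "$2" ]; then echo "$2 ID_TYPE_UID"
  elif [ "$1" = yes ] && [ -n "$3" ]; then echo "$3 ID_TYPE_GID"
  else echo "$4 $5"
  fi
}

# What getent should answer. $1 is passwd or group, $2..$6 as for resolve_mapping.
expected_id() {
  kind=$1
  m=$(resolve_mapping "$2" "$3" "$4" "$5" "$6")
  id=${m% *}; t=${m#* }
  case "$kind:$t" in
    passwd:ID_TYPE_UID|passwd:ID_TYPE_BOTH|group:ID_TYPE_GID|group:ID_TYPE_BOTH) echo "$id" ;;
    passwd:*) echo NO_SUCH_USER ;;    # winbind: "XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH"
    *)        echo NO_SUCH_GROUP ;;
  esac
}

# The new-domain case from the thread: rfc2307 on, group has gidNumber 10001
check_samples() {
  use_rfc=$(smbconf_use_rfc2307 "$SAMPLE_SMBCONF")
  xid=$(ldif_attr xidNumber "$SAMPLE_IDMAP_RECORD")
  xtype=$(ldif_attr type "$SAMPLE_IDMAP_RECORD")
  echo "winbind log type : $(xid_type_from_log "$SAMPLE_LOG_LINE")"
  echo "idmap.ldb record : $xid $xtype"
  echo "use rfc2307      : $use_rfc"
  echo "getent group     : $(expected_id group  "$use_rfc" '' 10001 "$xid" "$xtype")"
  echo "getent passwd    : $(expected_id passwd "$use_rfc" '' 10001 "$xid" "$xtype")"
  echo "with rfc2307 off : $(expected_id passwd no '' 10001 "$xid" "$xtype")"
}

check_samples
```

Run as-is to see the constructed case: the group lookup resolves to the gidNumber and the passwd lookup fails with a GID-only mapping, which is what the posted new-domain log and getent output show, while with rfc2307 off both lookups land on the idmap.ldb xidNumber, as on the old domain. To check a live DC, feed the functions the real output of 'testparm -s' and of 'ldbsearch -H /var/lib/samba/private/idmap.ldb objectSid=<SID>' (run as root) and compare with getent after 'net cache flush', as Rowland suggests.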