[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb

Kees van Vloten keesvanvloten at gmail.com
Tue Sep 5 07:24:29 UTC 2023


On 04-09-2023 at 23:11, Andrew Bartlett wrote:
> On Mon, 2023-09-04 at 22:09 +0200, Kees van Vloten via samba wrote:
>> Hi Team,
>> I am setting up a new AD-domain, the first DC is just operational and
>> some users and groups are created.
>> This runs on Debian 11, Samba 4.18.6 and it is set up with the same (but
>> evolved) Ansible code I used for my other domains (all of them on
>> different networks and independent of each other). The older domains
>> were initially set up with Samba 4.14 and another with 4.15 and upgraded
>> many times since, the new setup with 4.18.6. In all places it gets
>> installed from the same Debian packages.
>> Due to the repeatable Ansible setup the /etc/samba/smb.conf is exactly
>> the same (apart from the domain name etc.) on the existing domains and
>> the new domain. And all domains were provisioned with '--use-rfc2307'.
>> 'samba-tool processes | wc -l' is equal between old and new: 24 lines.
>> And ps aux | grep winbindd also shows an equal number of winbind processes.
>> '/etc/nsswitch.conf' is also equal and includes winbind for passwd and
>> group.
>> Now the mystery starts: there is a difference in id (uid/gid) lookups on
>> a DC between the older domains and the new domain.
>> It looks like the new domain is not querying
>> /var/lib/samba/private/idmap.ldb (but it does exist there), whereas the
>> older ones are.
>> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
>> On the old domain(s) this results (as expected) in:
>> OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
>> But on the new domain the lookup has no result.
>> Another indication that /var/lib/samba/private/idmap.ldb is not used
>> comes from the group lookup of domain admins:
>> getent group '<DOMAIN-NAME>\domain admins'
>> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the xidNumber in
>> idmap.ldb)
>> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber in the
>> ldap record of the group)
>> What could cause this different behaviour (on these 2 very similar
>> environments)?
> Did you bring the idmap.ldb from an earlier environment the first time, or only set the IDs into LDAP later?
No, it is a brand new independent environment.

My Ansible code runs the samba-tool provision (among other things with 
--use-rfc2307) and shortly after it sets the gidNumber on all groups so 
that groups like 'domain admins' are visible with 'getent group' on 
member-servers other than the DCs.

What I see in all other (older) domains is that on the DCs with getent 
the xidNumber (from idmap.ldb) is returned (it has priority over 
gidNumber), whereas on member-servers it is the gidNumber.

On this new domain (it does not yet have members and there is just 1 DC 
at this point), the 'getent group' lookup does not query idmap.ldb but 
uses the gidNumber immediately and if that is not set then nothing is 
returned.

In the logs I see the same, log.winbind on my new domain even at level 
10 is really short :-(

> I don't recall how I set up the preference logic here, but it may have priority.
> Andrew Bartlett
> -- 
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group 
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
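The thread above compares, per group, the gid that 'getent group' returns on a DC against the xidNumber in idmap.ldb and the rfc2307 gidNumber in the directory. The script below is an added example (not code from the thread or from the Samba project) that automates that comparison: it parses LDIF-shaped text such as an admin would capture with ldbsearch against idmap.ldb and sam.ldb, plus 'getent group' output, and reports for each AD group which ID source the NSS answer actually matches. All SIDs, xidNumbers, gidNumbers and group names in the sample inputs are constructed for illustration; the assumption that the cn attribute of an idmap.ldb entry carries the SID string, and that only single-line attribute values occur, is part of the example.

```python
"""Classify which ID source a DC's NSS group lookup used.

Added example, not from the Samba thread. In practice the three inputs would
be captured on the DC with roughly:
  ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'
  ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' \
      sAMAccountName objectSid gidNumber
  getent group
The sample texts below are constructed; every SID and number is made up.
"""


def parse_ldif(text):
    """Split blank-line separated LDIF into dicts of attr -> [values].
    Assumes single-line values (true for the attributes used here)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def idmap_by_sid(idmap_ldif):
    """SID string -> xidNumber, from idmap.ldb entries (cn holds the SID)."""
    return {e["cn"][0]: int(e["xidNumber"][0])
            for e in parse_ldif(idmap_ldif) if "xidNumber" in e}


def groups_by_name(sam_ldif):
    """lower-cased sAMAccountName -> (objectSid, gidNumber or None)."""
    out = {}
    for e in parse_ldif(sam_ldif):
        if "sAMAccountName" not in e:
            continue
        gid = int(e["gidNumber"][0]) if "gidNumber" in e else None
        out[e["sAMAccountName"][0].lower()] = (e["objectSid"][0], gid)
    return out


def parse_getent_group(text):
    """'DOM\\name:x:gid:members' lines -> lower-cased name -> gid."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0].split("\\", 1)[-1].lower()   # drop the DOM\ prefix
        out[name] = int(fields[2])
    return out


def classify(idmap_ldif, sam_ldif, getent_text):
    """Per group: (nss gid, xidNumber, gidNumber, source) where source is
    'idmap.ldb', 'gidNumber', 'unresolved' (no getent line) or 'unknown'."""
    xids = idmap_by_sid(idmap_ldif)
    resolved = parse_getent_group(getent_text)
    report = {}
    for name, (sid, gid_number) in groups_by_name(sam_ldif).items():
        nss_gid, xid = resolved.get(name), xids.get(sid)
        if nss_gid is None:
            src = "unresolved"
        elif xid is not None and nss_gid == xid:
            src = "idmap.ldb"
        elif gid_number is not None and nss_gid == gid_number:
            src = "gidNumber"
        else:
            src = "unknown"
        report[name] = (nss_gid, xid, gid_number, src)
    return report


# Constructed sample inputs (not real data).
IDMAP_LDIF = """dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000004

dn: CN=S-1-5-21-1111-2222-3333-513
cn: S-1-5-21-1111-2222-3333-513
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 100

dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000010
"""

SAM_LDIF = """dn: CN=Domain Admins,CN=Users,DC=newdom,DC=example
objectSid: S-1-5-21-1111-2222-3333-512
sAMAccountName: Domain Admins
gidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=newdom,DC=example
objectSid: S-1-5-21-1111-2222-3333-513
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Backup Ops,CN=Users,DC=newdom,DC=example
objectSid: S-1-5-21-1111-2222-3333-1105
sAMAccountName: Backup Ops
"""

# Old-domain DC behaviour from the thread: xidNumber wins.
GETENT_OLD_DC = r"""OLDDOM\domain admins:x:3000004:
OLDDOM\domain users:x:100:
OLDDOM\backup ops:x:3000010:
"""

# New-domain DC behaviour from the thread: gidNumber used, no gidNumber -> no answer.
GETENT_NEW_DC = r"""NEWDOM\domain admins:x:10001:
NEWDOM\domain users:x:10000:
"""

if __name__ == "__main__":
    for label, getent in (("old DC", GETENT_OLD_DC), ("new DC", GETENT_NEW_DC)):
        print(f"== {label}")
        for name, (nss, xid, gidn, src) in classify(IDMAP_LDIF, SAM_LDIF, getent).items():
            print(f"{name:14} nss={nss} xid={xid} gidNumber={gidn} -> {src}")
```

Running it prints one line per group for each scenario; a group reported as "gidNumber" on a DC where the older domains report "idmap.ldb" is exactly the discrepancy the thread describes, and "unresolved" flags groups that have neither an rfc2307 gidNumber nor an answer from NSS.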

