[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb

Kees van Vloten keesvanvloten at gmail.com
Tue Sep 5 07:37:02 UTC 2023


Op 04-09-2023 om 23:04 schreef Rowland Penny via samba:
> On Mon, 4 Sep 2023 22:50:56 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 04-09-2023 22:26, Rowland Penny via samba wrote:
>>> On Mon, 4 Sep 2023 22:09:35 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi Team,
>>>>
>>>>
>>>> I am setting up a new AD-domain, the first DC is just operational
>>>> and some users and groups are created.
>>>>
>>>> This runs on Debian 11, Samba 4.18.6 and it is set up with the same
>>>> (but evolved) Ansible code I used for my other domains (all of them
>>>> on different networks and independent of each other). The older
>>>> domains were initially set up with Samba 4.14 and another with 4.15
>>>> and upgraded many times since, the new setup with 4.18.6. In all
>>>> places it gets installed from the same Debian packages.
>>>>
>>>> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
>>>> exactly the same (apart from the domain name etc.) on the existing
>>>> domains and the new domain. And all domains were provisioned with
>>>> '--use-rfc2307'.
>>>>
>>>> 'samba-tool processes | wc -l' is equal between old and new: 24
>>>> lines. And ps aux | grep winbindd also shows an equal number of
>>>> winbind processes.
>>>>
>>>> '/etc/nsswitch.conf' is also equal and includes winbind for passwd
>>>> and group.
>>>>
>>>>
>>>> Now the mystery starts: there is a difference in id (uid/gid)
>>>> lookups on a DC between the older domains and the new domain.
>>>>
>>>> It looks like the new domain is not querying
>>>> /var/lib/samba/private/idmap.ldb (but it does exist there), whereas
>>>> the older ones are.
>>>>
>>>> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
>>>>
>>>> On the old domain(s) this results (as expected) in:
>>>>
>>>> OLDDOM\domain admins:*:3000004:3000004::/home/domain
>>>> admins:/bin/bash
>>>>
>>>> But on the new domain the lookup has no result.
>>>>
>>>> The winbind logging is equally different, on the old domain
>>>> (success):
>>>>
>>>> [2023/09/04 20:55:56.243929,  3]
>>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>>>      winbindd_interface_version: [nss_winbind (2502996)]: request
>>>> interface version (version = 32)
>>>> [2023/09/04 20:55:56.243999,  3]
>>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
>>>>      process_request_send: [nss_winbind (2502996)] Handling async
>>>> request: GETPWNAM
>>>> [2023/09/04 20:55:56.244007,  3]
>>>> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
>>>>      [nss_winbind (2502996)] Winbind external command GETPWNAM
>>>> start. Query username 'OLDDOM\domain admins'.
>>>> [2023/09/04 20:55:56.244312,  3]
>>>> ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
>>>>      Winbind external command GETPWNAM end.
>>>>      (name:passwd:uid:gid:gecos:dir:shell)
>>>>      OLDDOM\domain admins:*:3000004:3000004::/home/domain
>>>> admins:/bin/bash [2023/09/04 20:55:56.244322,  3]
>>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
>>>>      process_request_done: [nss_winbind(2502996):GETPWNAM]:
>>>> NT_STATUS_OK [2023/09/04 20:55:57.091601,  3]
>>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>>>      winbindd_interface_version: [nss_winbind (2502997)]: request
>>>> interface version (version = 32)
>>>> [2023/09/04 20:55:57.091800,  3]
>>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
>>>>      process_request_send: [nss_winbind (2502997)] Handling async
>>>> request: GETGROUPS
>>>> [2023/09/04 20:55:57.091817,  3]
>>>> ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
>>>>      [nss_winbind (2502997)] Winbind external command GETGROUPS
>>>> start. Searching groups for username 'root'.
>>>> [2023/09/04 20:55:57.093936,  3]
>>>> ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
>>>>      : lookup_usergroups_cached
>>>> [2023/09/04 20:55:57.106212,  3]
>>>> ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
>>>>      Winbind external command GETGROUPS end.
>>>>      Received 2 entries.
>>>> [2023/09/04 20:55:57.106337,  3]
>>>> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
>>>>      0: GID 10000
>>>> [2023/09/04 20:55:57.106344,  3]
>>>> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
>>>>      1: GID 10019
>>>> [2023/09/04 20:55:57.106350,  3]
>>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
>>>>      process_request_done: [nss_winbind(2502997):GETGROUPS]:
>>>> NT_STATUS_OK
>>>>
>>>> On the new domain (no result):
>>>>
>>>> [2023/09/04 20:54:18.579629,  3]
>>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>>>      winbindd_interface_version: [nss_winbind (43590)]: request
>>>> interface version (version = 32)
>>>> [2023/09/04 20:54:18.579686,  3]
>>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
>>>>      process_request_send: [nss_winbind (43590)] Handling async
>>>> request: GETPWNAM
>>>> [2023/09/04 20:54:18.579701,  3]
>>>> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
>>>>      [nss_winbind (43590)] Winbind external command GETPWNAM start.
>>>>      Query username 'NEWDOM\domain admins'.
>>>> [2023/09/04 20:54:18.582975,  1]
>>>> ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
>>>>      XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
>>>> [2023/09/04 20:54:18.582990,  1]
>>>> ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
>>>>      Could not convert sid
>>>> S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
>>>> [2023/09/04 20:54:18.582995,  3]
>>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
>>>>      process_request_done: [nss_winbind(43590):GETPWNAM]:
>>>> NT_STATUS_NO_SUCH_USER
>>>>
>>>> Another indication that /var/lib/samba/private/idmap.ldb is not
>>>> used comes from the group lookup of domain admins:
>>>>
>>>> getent group '<DOMAIN-NAME>\domain admins'
>>>>
>>>> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the
>>>> xidNumber in idmap.ldb)
>>>>
>>>> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber
>>>> in the ldap record of the group)
>>>>
>>>>
>>>> What could cause this different behaviour (on these 2 very similar
>>>> environments)?
>>> You giving Domain Admins a gidNumber attribute, which by the way has
>>> just broken sysvol.

This is required to be able to use 'domain admins' on a Linux 
member server when idmap = ad. Normally the idmap.ldb xidNumber has 
priority over gidNumber when the GID lookup is done on a DC.

On this new domain it looks like winbindd is not attempting to 
look up the xidNumber, as you can see in the logs above.

>>>
>>> Rowland
>>>
>>>
>> ok, it was worth testing your hypothesis:
>>
>> # destroy domain:
>> dpkg -l | grep 4.18.6 | awk '{print $2}' | xargs apt-get -y purge
>> # everything including /var/lib/samba is removed
>>
>> # rerun ansible playbook for samba_dc_install
>>
>> getent group 'domain admins'
>> # no result
>>
>> So no more gidNumber from the ldap group record, but nothing from
>> idmap.ldb either :-(
>>
>> - Kees.
>>
>>
>>
> It has worked for over 10 years, so if it has stopped working, why?
> These are probably stupid questions, but are libpam-winbind and
> libnss-winbind installed? Also is /etc/nsswitch.conf set up correctly?

The reason for this post is that I am puzzled myself, have been looking 
into it for a few days now and I can't figure it out.

I am using the Debian packages (on bullseye) and indeed I checked if 
libnss-winbind is in place (and it is :-) ).

nsswitch.conf is in order, otherwise I would not get answers from 
winbind in the first place. As the log fragments above show, it does 
reach winbind and gets logged.

I am thinking about reverting to older versions of Samba (4.17, 4.16, 
4.15) to see if it works then. I know for sure it worked with the same 
setup in May last year. Although the code runs on the existing domains 
on every Samba upgrade, I have not set up new domains since then.
>
> Rowland
>
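As an added example (not part of this thread and not Samba's own tooling), the following script scans winbindd debug-level-3 log fragments like the ones quoted above, reconstructs each NSS request from its "Handling async request" / "process_request_done" pair, and flags the idmap failure signature seen on the new domain: an "XID type is N, should be ID_TYPE_UID or ID_TYPE_BOTH" record followed by "Could not convert sid ...: NT_STATUS_NO_SUCH_USER". The sample log embedded in the script is constructed from the fragments in this thread (re-joined into winbindd's normal one-header-per-record layout); the regular expressions and the rule that lines without a client PID belong to the most recently opened request are assumptions of this example, not documented Samba behaviour.

```python
"""Scan winbindd log fragments for NSS requests that fail in the idmap step.

Added diagnostic example; the log format regexes and the request-attribution
rule below are assumptions based on the log lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# A winbindd log record is a "[timestamp, level] source.c:line(func)" header
# followed by one or more indented continuation lines; we stitch them together.
HEADER_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+,\s*\d+\]")
REQUEST_RE = re.compile(r"\[nss_winbind \((\d+)\)\] Handling async request: (\w+)")
DONE_RE = re.compile(r"\[nss_winbind\((\d+)\):(\w+)\]:\s*(NT_STATUS_\w+)")
XID_RE = re.compile(r"XID type is (\d+), should be (ID_TYPE_\w+) or (ID_TYPE_\w+)")
SID_RE = re.compile(r"Could not convert sid (S-\d+(?:-\d+)+):\s*(NT_STATUS_\w+)")
PASSWD_RE = re.compile(r"\(name:passwd:uid:gid:gecos:dir:shell\)\s+(.+?):\*:(\d+):(\d+):")


@dataclass
class Request:
    pid: int                      # client PID as logged by nss_winbind
    kind: str                     # GETPWNAM, GETGROUPS, ...
    status: Optional[str] = None  # NT_STATUS_* from process_request_done
    xid_type: Optional[int] = None
    expected: Tuple[str, ...] = ()
    sid: Optional[str] = None
    uid: Optional[int] = None
    gid: Optional[int] = None

    @property
    def idmap_failed(self) -> bool:
        # The XID-type complaint only appears when the SID->xid mapping was
        # found but has the wrong type, so it is the marker we care about.
        return self.xid_type is not None and self.status != "NT_STATUS_OK"


def records(log_text: str) -> Iterator[str]:
    """Yield each log record as a single line (header + continuation lines)."""
    buf: List[str] = []
    for line in log_text.splitlines():
        if HEADER_RE.match(line) and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line.strip())
    if buf:
        yield " ".join(buf)


def analyze(log_text: str) -> List[Request]:
    """Return the completed requests found in the log, in completion order."""
    open_by_pid = {}
    current: Optional[Request] = None  # assumption: unattributed lines belong here
    finished: List[Request] = []
    for rec in records(log_text):
        m = REQUEST_RE.search(rec)
        if m:
            current = Request(int(m.group(1)), m.group(2))
            open_by_pid[current.pid] = current
            continue
        m = DONE_RE.search(rec)
        if m:
            req = open_by_pid.pop(int(m.group(1)), None)
            if req is not None and req.kind == m.group(2):
                req.status = m.group(3)
                finished.append(req)
                if req is current:
                    current = None
            continue
        if current is None:
            continue
        m = XID_RE.search(rec)
        if m:
            current.xid_type = int(m.group(1))
            current.expected = (m.group(2), m.group(3))
            continue
        m = SID_RE.search(rec)
        if m:
            current.sid = m.group(1)
            continue
        m = PASSWD_RE.search(rec)
        if m:
            current.uid, current.gid = int(m.group(2)), int(m.group(3))
    return finished


def idmap_failures(requests: List[Request]) -> List[Request]:
    return [r for r in requests if r.idmap_failed]


# Constructed sample, assembled from the fragments quoted in the thread.
SAMPLE_LOG = """\
[2023/09/04 20:55:56.243999,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
  process_request_send: [nss_winbind (2502996)] Handling async request: GETPWNAM
[2023/09/04 20:55:56.244007,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
  [nss_winbind (2502996)] Winbind external command GETPWNAM start. Query username 'OLDDOM\\domain admins'.
[2023/09/04 20:55:56.244312,  3] ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
  Winbind external command GETPWNAM end.
  (name:passwd:uid:gid:gecos:dir:shell)
  OLDDOM\\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
[2023/09/04 20:55:56.244322,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
  process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK
[2023/09/04 20:54:18.579686,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
  process_request_send: [nss_winbind (43590)] Handling async request: GETPWNAM
[2023/09/04 20:54:18.579701,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
  [nss_winbind (43590)] Winbind external command GETPWNAM start. Query username 'NEWDOM\\domain admins'.
[2023/09/04 20:54:18.582975,  1] ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
  XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
[2023/09/04 20:54:18.582990,  1] ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
[2023/09/04 20:54:18.582995,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
  process_request_done: [nss_winbind(43590):GETPWNAM]: NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        flag = "IDMAP FAILURE" if r.idmap_failed else "ok"
        print(f"pid={r.pid} {r.kind} status={r.status} uid={r.uid} gid={r.gid} "
              f"xid_type={r.xid_type} sid={r.sid}: {flag}")
```

Run against a real log with `analyze(open("/var/log/samba/log.winbindd").read())` (path assumed; use whatever `log file` points at) after raising winbind's log level to 3. A request that shows an `xid_type` with no uid/gid is the pattern from the new domain: the SID was resolved to an xid record, but that record's type is not UID or BOTH, so GETPWNAM returns NT_STATUS_NO_SUCH_USER even though idmap.ldb exists.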