[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb

Rowland Penny rpenny at samba.org
Tue Sep 5 08:00:07 UTC 2023


On Tue, 5 Sep 2023 09:37:02 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> 
> Op 04-09-2023 om 23:04 schreef Rowland Penny via samba:
> > On Mon, 4 Sep 2023 22:50:56 +0200
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> On 04-09-2023 22:26, Rowland Penny via samba wrote:
> >>> On Mon, 4 Sep 2023 22:09:35 +0200
> >>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi Team,
> >>>>
> >>>>
> >>>> I am setting up a new AD-domain, the first DC is just operational
> >>>> and some users and groups are created.
> >>>>
> >>>> This run on Debian 11, Samba 4.18.6 and it is set up with the
> >>>> same (but evolved) Ansible code I used for my other domains (all
> >>>> of them on different networks and independent of each other).
> >>>> The older domains were initially set up with Samba 4.14 and
> >>>> another with 4.15 and upgraded many times since, the new setup
> >>>> with 4.18.6. In all places it gets installed from the same Debian
> >>>> packages.
> >>>>
> >>>> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
> >>>> exactly the same (apart from the domain name etc.) on the
> >>>> existing domains and the new domain. And all domains were
> >>>> provisioned with '--use-rfc2307'.
> >>>>
> >>>> 'samba-tool processes | wc -l' is equal between old and new: 24
> >>>> lines. And ps aux | grep winbindd also shows an equal number of
> >>>> winbind processes.
> >>>>
> >>>> '/etc/nsswitch.conf' is also equal and includes winbind for
> >>>> passwd and group.
> >>>>
> >>>>
> >>>> Now the mystery starts: there is a difference in id (uid/gid)
> >>>> lookups on a DC between the older domains and the new domain.
> >>>>
> >>>> It looks like the new domain is not querying
> >>>> /var/lib/samba/private/idmap.ldb (but it does exist there),
> >>>> whereas the older ones are.
> >>>>
> >>>> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
> >>>>
> >>>> On the old domain(s) this results (as expected) in:
> >>>>
> >>>> OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
> >>>>
> >>>> But on the new domain the lookup has no result.
> >>>>
> >>>> The winbind logging is equally different, on the old domain
> >>>> (success):
> >>>>
> >>>> [2023/09/04 20:55:56.243929,  3]
> >>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>>>      winbindd_interface_version: [nss_winbind (2502996)]: request
> >>>> interface version (version = 32)
> >>>> [2023/09/04 20:55:56.243999,  3]
> >>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>>>      process_request_send: [nss_winbind (2502996)] Handling async
> >>>> request: GETPWNAM
> >>>> [2023/09/04 20:55:56.244007,  3]
> >>>> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
> >>>>      [nss_winbind (2502996)] Winbind external command GETPWNAM
> >>>> start. Query username 'OLDDOM\domain admins'.
> >>>> [2023/09/04 20:55:56.244312,  3]
> >>>> ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
> >>>>      Winbind external command GETPWNAM end.
> >>>>      (name:passwd:uid:gid:gecos:dir:shell)
> >>>>      OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
> >>>> [2023/09/04 20:55:56.244322,  3]
> >>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>>>      process_request_done: [nss_winbind(2502996):GETPWNAM]:
> >>>> NT_STATUS_OK
> >>>> [2023/09/04 20:55:57.091601,  3]
> >>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>>>      winbindd_interface_version: [nss_winbind (2502997)]: request
> >>>> interface version (version = 32)
> >>>> [2023/09/04 20:55:57.091800,  3]
> >>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>>>      process_request_send: [nss_winbind (2502997)] Handling async
> >>>> request: GETGROUPS
> >>>> [2023/09/04 20:55:57.091817,  3]
> >>>> ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
> >>>>      [nss_winbind (2502997)] Winbind external command GETGROUPS
> >>>> start. Searching groups for username 'root'.
> >>>> [2023/09/04 20:55:57.093936,  3]
> >>>> ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
> >>>>      : lookup_usergroups_cached
> >>>> [2023/09/04 20:55:57.106212,  3]
> >>>> ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
> >>>>      Winbind external command GETGROUPS end.
> >>>>      Received 2 entries.
> >>>> [2023/09/04 20:55:57.106337,  3]
> >>>> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
> >>>>      0: GID 10000
> >>>> [2023/09/04 20:55:57.106344,  3]
> >>>> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
> >>>>      1: GID 10019
> >>>> [2023/09/04 20:55:57.106350,  3]
> >>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>>>      process_request_done: [nss_winbind(2502997):GETGROUPS]:
> >>>> NT_STATUS_OK
> >>>>
> >>>> On the new domain (no result):
> >>>>
> >>>> [2023/09/04 20:54:18.579629,  3]
> >>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>>>      winbindd_interface_version: [nss_winbind (43590)]: request
> >>>> interface version (version = 32)
> >>>> [2023/09/04 20:54:18.579686,  3]
> >>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>>>      process_request_send: [nss_winbind (43590)] Handling async
> >>>> request: GETPWNAM
> >>>> [2023/09/04 20:54:18.579701,  3]
> >>>> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
> >>>>      [nss_winbind (43590)] Winbind external command GETPWNAM
> >>>> start. Query username 'NEWDOM\domain admins'.
> >>>> [2023/09/04 20:54:18.582975,  1]
> >>>> ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
> >>>>      XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
> >>>> [2023/09/04 20:54:18.582990,  1]
> >>>> ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
> >>>>      Could not convert sid
> >>>> S-1-5-21-435088123-233829246-2133031062-512:
> >>>> NT_STATUS_NO_SUCH_USER
> >>>> [2023/09/04 20:54:18.582995,  3]
> >>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>>>      process_request_done: [nss_winbind(43590):GETPWNAM]:
> >>>> NT_STATUS_NO_SUCH_USER
> >>>>
> >>>> Another indication that /var/lib/samba/private/idmap.ldb is not
> >>>> used comes from the group lookup of domain admins:
> >>>>
> >>>> getent group '<DOMAIN-NAME>\domain admins'
> >>>>
> >>>> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the
> >>>> xidNumber in idmap.ldb)
> >>>>
> >>>> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber
> >>>> in the ldap record of the group)
> >>>>
> >>>>
> >>>> What could cause this different behaviour (on these 2 very
> >>>> similar environments)?
> >>> You giving Domain Admins a gidNumber attribute, which by the way
> >>> has just broken sysvol.
> 
> This is required to be able to use 'domain admins' on Linux 
> member-server when idmap = ad. Normally the idmap.ldb xidNumber has 
> priority over gidNumber when the GID lookup is done on a DC.

The problem is that Domain Admins has to own things in Sysvol and it is
a group; a group cannot normally own things on Unix, so Domain Admins
is mapped to 'ID_TYPE_BOTH' in idmap.ldb.
If you give Domain Admins a gidNumber, you break this mapping and the
group cannot own things in sysvol, which breaks sysvol.

You have two options, create a new group to use instead of Domain
Admins, or remove 'idmap_ldb:use rfc2307 = yes' from the DCs

> 
> On this new domain it looks like winbindd is not doing an attempt to 
> lookup the xidNumber, as you can see in the logs above.
> 

It does look that way, but why ????

Rowland
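As an added illustration of the precedence Rowland describes (not code from the thread or from the Samba project): with 'idmap_ldb:use rfc2307 = yes' a gidNumber on the group object shadows the ID_TYPE_BOTH entry in idmap.ldb, so winbindd ends up with a GID-only id and the GETPWNAM lookup fails with the "XID type is 2" message. The script below reads the LDIF that ldbsearch prints for idmap.ldb and for the group objects in sam.ldb, lists groups whose ID_TYPE_BOTH mapping is shadowed by a gidNumber, and decodes the numeric type in the winbindd log line. The LDIF is constructed from the values in the thread, the ldbsearch invocations in the comments and all function names are assumptions, and effective_mapping is a model of the described behaviour, not Samba's own lookup code.

```python
"""
Added example, not part of the samba list thread or of Samba itself.
Flags groups that have both an ID_TYPE_BOTH mapping in idmap.ldb and an
rfc2307 gidNumber in sam.ldb, which is the situation behind the failing
'getent passwd' on the new DC.  Run against real output by replacing the
constructed LDIF strings with what ldbsearch prints.
"""
import re

# enum id_type as defined in Samba's librpc/idl/idmap.idl;
# wb_queryuser logs the numeric value ("XID type is 2").
ID_TYPE = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID",
           2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

# Constructed sample, roughly what this prints on a DC (assumption):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid type xidNumber
IDMAP_LDIF = """\
dn: CN=S-1-5-21-435088123-233829246-2133031062-512
objectSid: S-1-5-21-435088123-233829246-2133031062-512
type: ID_TYPE_BOTH
xidNumber: 3000004

dn: CN=S-1-5-21-435088123-233829246-2133031062-513
objectSid: S-1-5-21-435088123-233829246-2133031062-513
type: ID_TYPE_GID
xidNumber: 3000005
"""

# Constructed sample, roughly what this prints (assumption):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' sAMAccountName objectSid gidNumber
SAM_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=newdom,DC=example
sAMAccountName: Domain Admins
objectSid: S-1-5-21-435088123-233829246-2133031062-512
gidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=newdom,DC=example
sAMAccountName: Domain Users
objectSid: S-1-5-21-435088123-233829246-2133031062-513

dn: CN=linux-admins,CN=Users,DC=newdom,DC=example
sAMAccountName: linux-admins
objectSid: S-1-5-21-435088123-233829246-2133031062-1105
gidNumber: 10002
"""


def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines, no base64 or continuation lines (these attributes need neither)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value.strip()
    if current:
        records.append(current)
    return records


def effective_mapping(group, idmap_by_sid, use_rfc2307=True):
    """Model (assumption) of the precedence described in the thread: with
    idmap_ldb:use rfc2307 = yes a gidNumber on the object wins and yields a
    GID-only id; otherwise the idmap.ldb xidNumber/type are used.
    Returns (xid, type_name) or (None, None) when nothing maps."""
    if use_rfc2307 and "gidNumber" in group:
        return int(group["gidNumber"]), "ID_TYPE_GID"
    entry = idmap_by_sid.get(group.get("objectSid"))
    if entry is None:
        return None, None
    return int(entry["xidNumber"]), entry["type"]


def find_overridden_both(idmap_ldif, sam_ldif):
    """Groups whose ID_TYPE_BOTH idmap.ldb entry is shadowed by a gidNumber.
    Returns a list of (sAMAccountName, xidNumber, gidNumber)."""
    idmap_by_sid = {r["objectSid"]: r for r in parse_ldif(idmap_ldif)}
    hits = []
    for g in parse_ldif(sam_ldif):
        entry = idmap_by_sid.get(g.get("objectSid"))
        if entry and entry["type"] == "ID_TYPE_BOTH" and "gidNumber" in g:
            hits.append((g["sAMAccountName"], int(entry["xidNumber"]),
                         int(g["gidNumber"])))
    return hits


XID_RE = re.compile(r"XID type is (\d+), should be ID_TYPE_UID or ID_TYPE_BOTH")


def explain_xid_log(line):
    """Map the numeric type in the wb_queryuser log line to its enum name;
    None for lines that are not that message."""
    m = XID_RE.search(line)
    return ID_TYPE.get(int(m.group(1))) if m else None


if __name__ == "__main__":
    for name, xid, gid in find_overridden_both(IDMAP_LDIF, SAM_LDIF):
        print(f"{name}: idmap.ldb xidNumber {xid} (ID_TYPE_BOTH) "
              f"is shadowed by gidNumber {gid}")
    print(explain_xid_log(
        "XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH"))
```

On the constructed data only Domain Admins is reported; Domain Users has no gidNumber and keeps its idmap.ldb entry, and linux-admins has a gidNumber but no ID_TYPE_BOTH entry to shadow, which is the kind of group Rowland suggests using instead.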


