gid numbers changed after upgrading from 4.1.14 to 4.2.1

Daniele Dario d.dario76 at gmail.com
Wed Apr 22 02:29:08 MDT 2015


Good morning everybody,
yesterday I completed the upgrade of my two DCs to 4.2.1, but after doing
that I noticed that the gid of some groups had changed on one of the two
DCs.

The problem is that the DC on which the gid numbers changed also acts as
a file server, and now some users can no longer connect to some shares.

Replication seems to work correctly, but I used samba-tool ldapcmp to see
if everything is right and found this:

[root@kdc03:/usr/local/samba/private]# samba-tool ldapcmp sam.ldb ldap://kdc01 -Uadministrator
Password for [SAITEL\administrator]:

* Comparing [DOMAIN] context...

* Objects to be compared: 563

Comparing:
'CN=Administrators,CN=Builtin,DC=saitel,DC=loc' [sam.ldb]
'CN=Administrators,CN=Builtin,DC=saitel,DC=loc' [ldap://kdc01]
    Difference in attribute values:
        whenChanged => 
['20150421175958.0Z']
['20150421180002.0Z']
    FAILED

Comparing:
'CN=Denied RODC Password Replication Group,CN=Users,DC=saitel,DC=loc' [sam.ldb]
'CN=Denied RODC Password Replication Group,CN=Users,DC=saitel,DC=loc' [ldap://kdc01]
    Difference in attribute values:
        whenChanged => 
['20140508110910.0Z']
['20121005115240.0Z']
    FAILED

...

Comparing:
'CN=Users,CN=Builtin,DC=saitel,DC=loc' [sam.ldb]
'CN=Users,CN=Builtin,DC=saitel,DC=loc' [ldap://kdc01]
    Difference in attribute values:
        whenChanged => 
['20140508110910.0Z']
['20130403165537.0Z']
    FAILED

Comparing:
'CN=Windows Authorization Access Group,CN=Builtin,DC=saitel,DC=loc' [sam.ldb]
'CN=Windows Authorization Access Group,CN=Builtin,DC=saitel,DC=loc' [ldap://kdc01]
    Difference in attribute values:
        whenChanged => 
['20140508110910.0Z']
['20130403165514.0Z']
    FAILED

Comparing:
'CN=remote_users,OU=groups,OU=saitel,DC=saitel,DC=loc' [sam.ldb]
'CN=remote_users,OU=groups,OU=saitel,DC=saitel,DC=loc' [ldap://kdc01]
    Difference in attribute values:
        whenChanged => 
['20150310161212.0Z']
['20150310161209.0Z']
    FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes with different values:

    whenChanged

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1621

Comparing:
'CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=saitel,DC=loc' [sam.ldb]
'CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=saitel,DC=loc' [ldap://kdc01]
    Difference in attribute values:
        whenChanged => 
['20140508110910.0Z']
['20121005115240.0Z']
    FAILED

Comparing:
'CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc' [sam.ldb]
'CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc' [ldap://kdc01]
    Difference in attribute values:
        whenChanged => 
['20140508110910.0Z']
['20121005115240.0Z']
    FAILED

...

Comparing:
'CN=eecaf35f-0c7e-42e1-a08b-f0ac897160a9,CN=Partitions,CN=Configuration,DC=saitel,DC=loc' [sam.ldb]
'CN=eecaf35f-0c7e-42e1-a08b-f0ac897160a9,CN=Partitions,CN=Configuration,DC=saitel,DC=loc' [ldap://kdc01]
    Difference in attribute values:
        whenChanged => 
['20140508110910.0Z']
['20121005115240.0Z']
    FAILED

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------

Attributes with different values:

    whenChanged

* Comparing [SCHEMA] context...

* Objects to be compared: 1550

* Result for [SCHEMA]: SUCCESS

* Comparing [DNSDOMAIN] context...

* Objects to be compared: 158

* Result for [DNSDOMAIN]: SUCCESS

* Comparing [DNSFOREST] context...

* Objects to be compared: 19

* Result for [DNSFOREST]: SUCCESS
ERROR: Compare failed: -1

To me it seems that something is wrong here.

Looking at the gid numbers that I found changed, I see this:

group "ufficio tecnico":
         kdc01     kdc03
  gid    4000113   3000022

On both kdc01 and kdc03 I get this:

[root@kdc03:/usr/local/samba/private]# wbinfo -G 3000022
S-1-5-21-1132727046-140625262-2935381992-1105
[root@kdc03:/usr/local/samba/private]# wbinfo -G 4000113
S-1-5-21-1132727046-140625262-2935381992-1105

so it seems that I have two gidNumber values that map to the same SID,
and looking into idmap.ldb I get

[root@kdc03:/usr/local/samba/private]# ldbsearch -H idmap.ldb -a objectSid=S-1-5-21-1132727046-140625262-2935381992-1105
# record 1
dn: CN=S-1-5-21-1132727046-140625262-2935381992-1105
cn: S-1-5-21-1132727046-140625262-2935381992-1105
objectClass: sidMap
objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
type: ID_TYPE_BOTH
xidNumber: 3000022
distinguishedName: CN=S-1-5-21-1132727046-140625262-2935381992-1105

# returned 1 records
# 1 entries
# 0 referrals

while in sam.ldb I find

[root@kdc03:/usr/local/samba/private]# ldbsearch -H sam.ldb -a objectSid=S-1-5-21-1132727046-140625262-2935381992-1105
# record 1
dn: CN=Ufficio Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc
objectClass: top
objectClass: group
cn: Ufficio Tecnico
description: Personale Ufficio Tecnico
instanceType: 4
whenCreated: 20120924144535.0Z
uSNCreated: 3592
name: Ufficio Tecnico
objectGUID: 2e58f8d0-5a28-47c1-9468-ec7b202cf560
objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
sAMAccountName: Ufficio Tecnico
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=saitel,DC=loc
gidNumber: 4000113
member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
whenChanged: 20140516075814.0Z
uSNChanged: 7616
distinguishedName: CN=Ufficio Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc

# returned 4 records
# 1 entries
# 3 referrals

Is this normal behavior, or is it related to the problem I'm having
now connecting to the shares "owned" by the group "ufficio tecnico"?

Any help would be appreciated,
Daniele.
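The comparison behind the question above, as an added example that is not part of the original post and not one of Samba's own tools: a Python script that parses the LDIF that ldbsearch prints for idmap.ldb and sam.ldb, then reports every SID whose idmap.ldb xidNumber and sam.ldb gidNumber disagree (the "two gids for one SID" case in the post) and every POSIX id that idmap.ldb has handed to more than one SID (the mirror-image case, which is the more dangerous one on a file server because the shared id gives one principal the other's file permissions). The embedded LDIF is constructed for the example, modelled on the entries quoted above; the SIDs ending in -1106 and -1107, the remote_users gidNumber and the ID_TYPE values on them are invented, and the ldbsearch invocations named in the comments are the assumed way to produce the real input.

```python
"""Cross-check POSIX ID mappings between Samba's idmap.ldb and sam.ldb (added example)."""
import base64
import sys
from collections import defaultdict

# Constructed sample (hypothetical, modelled on the post) of what
# `ldbsearch -H idmap.ldb '(objectClass=sidMap)' objectSid xidNumber type` might print.
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-1132727046-140625262-2935381992-1105
objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
type: ID_TYPE_BOTH
xidNumber: 3000022

dn: CN=S-1-5-21-1132727046-140625262-2935381992-1106
objectSid: S-1-5-21-1132727046-140625262-2935381992-1106
type: ID_TYPE_GID
xidNumber: 3000023

dn: CN=S-1-5-21-1132727046-140625262-2935381992-1107
objectSid: S-1-5-21-1132727046-140625262-2935381992-1107
type: ID_TYPE_UID
xidNumber: 3000023

# returned 3 records
"""

# Constructed sample of `ldbsearch -H sam.ldb '(objectClass=group)' objectSid gidNumber`.
SAM_LDIF = """\
# record 1
dn: CN=Ufficio Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc
objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
gidNumber: 4000113

dn: CN=remote_users,OU=groups,OU=saitel,DC=saitel,DC=loc
objectSid: S-1-5-21-1132727046-140625262-2935381992-1106
gidNumber: 3000023

# Referral
ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc
"""


def parse_ldif(text):
    """Parse ldbsearch output into [{attr: [values]}]: skips '#' comments,
    unfolds continuation lines, decodes '::' base64, drops dn-less referrals."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                    # blank line ends an entry
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        records.append(current)
    return [r for r in records if "dn" in r]


def id_conflicts(idmap_ldif, sam_ldif):
    """[(sid, dn, gidNumber, xidNumber)] for SIDs whose two IDs disagree."""
    xids = {r["objectSid"][0]: int(r["xidNumber"][0])
            for r in parse_ldif(idmap_ldif) if "objectSid" in r and "xidNumber" in r}
    out = []
    for r in parse_ldif(sam_ldif):
        if "objectSid" in r and "gidNumber" in r:
            sid, gid = r["objectSid"][0], int(r["gidNumber"][0])
            if sid in xids and xids[sid] != gid:
                out.append((sid, r["dn"][0], gid, xids[sid]))
    return sorted(out)


def duplicate_xids(idmap_ldif):
    """{xidNumber: [sids]} for POSIX IDs idmap.ldb allocated to more than one SID;
    a shared id grants one principal's file permissions to the other."""
    by_xid = defaultdict(list)
    for r in parse_ldif(idmap_ldif):
        if "objectSid" in r and "xidNumber" in r:
            by_xid[int(r["xidNumber"][0])].append(r["objectSid"][0])
    return {xid: sids for xid, sids in sorted(by_xid.items()) if len(sids) > 1}


if __name__ == "__main__":
    # Usage: idcheck.py [idmap.ldif sam.ldif]; without arguments the samples above are used.
    if len(sys.argv) == 3:
        idmap_text, sam_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        idmap_text, sam_text = IDMAP_LDIF, SAM_LDIF
    for sid, dn, gid, xid in id_conflicts(idmap_text, sam_text):
        print(f"CONFLICT {sid} ({dn}): sam.ldb gidNumber={gid}, idmap.ldb xidNumber={xid}")
    for xid, sids in duplicate_xids(idmap_text).items():
        print(f"SHARED   xidNumber {xid} mapped to {len(sids)} SIDs: {', '.join(sids)}")
```

Run it once per DC, since idmap.ldb is local to each DC and is not replicated, and compare the CONFLICT lines with what wbinfo -G reports on that DC, as the post does. Two caveats a practitioner should keep in mind when reading the output: the DC only honours the gidNumber stored in sam.ldb when smb.conf sets idmap_ldb:use rfc2307 = yes, otherwise the xidNumber allocated in idmap.ldb is what the file server uses; and any SHARED line is a permission-boundary problem on the file server regardless of which id is "right", so it should be resolved before the share ACLs are trusted again.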


