gid numbers changed after upgrading from 4.1.14 to 4.2.1

Rowland Penny repenny241155 at gmail.com
Wed Apr 22 02:57:41 MDT 2015


On 22/04/15 09:29, Daniele Dario wrote:
> Good morning everybody,
> yesterday I completed the upgrade of my two DCs to 4.2.1 but after doing
> that I noticed that the gid of some groups changed on one of the two
> DCs.
>
> The problem is that the DC on which the gid numbers changed also acts as
> a file server and now some users can no longer connect to some shares.
>
> Replication seems to work correctly but I used samba-tool ldapcmp to see
> if everything is right and found that
>
> [root at kdc03:/usr/local/samba/private]# samba-tool ldapcmp sam.ldb
> ldap://kdc01 -Uadministrator
> Password for [SAITEL\administrator]:
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 563
>
> Comparing:
> 'CN=Administrators,CN=Builtin,DC=saitel,DC=loc' [sam.ldb]
> 'CN=Administrators,CN=Builtin,DC=saitel,DC=loc' [ldap://kdc01]
>      Difference in attribute values:
>          whenChanged =>
> ['20150421175958.0Z']
> ['20150421180002.0Z']
>      FAILED

You can ignore the 'whenChanged' attribute; it is not replicated, so it
could be different.

>
>
> Looking at the gid numbers that I found changed I see this:
> group ufficio tecnico:
>       kdc01   kdc03
> gid 4000113 3000022
> on both kdc01 and kdc03 I get that
>
> [root at kdc03:/usr/local/samba/private]# wbinfo -G 3000022
> S-1-5-21-1132727046-140625262-2935381992-1105
> [root at kdc03:/usr/local/samba/private]# wbinfo -G 4000113
> S-1-5-21-1132727046-140625262-2935381992-1105

Do both DCs have 'idmap_ldb:use rfc2307 = yes' in smb.conf?

>
> so it seems that I have two gidNumbers that map to the same SID
> and looking into idmap.ldb I get
>
> [root at kdc03:/usr/local/samba/private]# ldbsearch -H idmap.ldb -a
> objectSid=S-1-5-21-1132727046-140625262-2935381992-1105
> # record 1
> dn: CN=S-1-5-21-1132727046-140625262-2935381992-1105
> cn: S-1-5-21-1132727046-140625262-2935381992-1105
> objectClass: sidMap
> objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
> type: ID_TYPE_BOTH
> xidNumber: 3000022
> distinguishedName: CN=S-1-5-21-1132727046-140625262-2935381992-1105
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> while on sam.ldb I find
>
> [root at kdc03:/usr/local/samba/private]# ldbsearch -H sam.ldb -a
> objectSid=S-1-5-21-1132727046-140625262-2935381992-1105
> # record 1
> dn: CN=Ufficio Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc
> objectClass: top
> objectClass: group
> cn: Ufficio Tecnico
> description: Personale Ufficio Tecnico
> instanceType: 4
> whenCreated: 20120924144535.0Z
> uSNCreated: 3592
> name: Ufficio Tecnico
> objectGUID: 2e58f8d0-5a28-47c1-9468-ec7b202cf560
> objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
> sAMAccountName: Ufficio Tecnico
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=saitel,DC=loc
> gidNumber: 4000113
> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> whenChanged: 20140516075814.0Z
> uSNChanged: 7616
> distinguishedName: CN=Ufficio
> Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc
>

If you run the same commands on the other DC, do you get the same results?
It should be the same for sam.ldb, but may be different for idmap.ldb;
this is a known problem, as it is not replicated between DCs.

Rowland
>
> Is this a normal behavior or is this related to the problem I'm having
> now in connecting to the shares "owned" by the group "ufficio tecnico"?
>
> Any help would be appreciated,
> Daniele.
>
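
The comparison done by hand in the message above (gidNumber in sam.ldb against xidNumber in idmap.ldb for the same objectSid) can be run over every record at once. This is an added example, not part of the original thread or of Samba; the function names are hypothetical, and the sample input is constructed from the values quoted above plus one made-up matching record.

```python
# Added example: parses `ldbsearch` text output and compares, per objectSid,
# gidNumber (sam.ldb) with xidNumber (idmap.ldb). Base64 ("attr::") values
# are not decoded.

def parse_ldbsearch(text):
    """Return a list of records; each maps attribute name -> list of values."""
    records, current, last = [], None, None
    for line in text.splitlines():
        if line.startswith("# record"):
            current, last = {}, None
            records.append(current)
        elif current is None or not line.strip() or line.startswith("#"):
            continue
        elif line.startswith(" ") and last:
            # LDIF folding: a leading space continues the previous value
            current[last][-1] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            current.setdefault(last, []).append(value)
    return records

def by_sid(records, attr):
    """Map objectSid -> integer value of attr, for records that have both."""
    return {r["objectSid"][0]: int(r[attr][0])
            for r in records if "objectSid" in r and attr in r}

def compare_ids(sam_text, idmap_text):
    """Return {sid: (gidNumber, xidNumber)} for SIDs where the two differ."""
    sam = by_sid(parse_ldbsearch(sam_text), "gidNumber")
    idmap = by_sid(parse_ldbsearch(idmap_text), "xidNumber")
    return {sid: (sam[sid], idmap[sid])
            for sid in sam.keys() & idmap.keys() if sam[sid] != idmap[sid]}

# Constructed sample input: record 1 uses the values quoted in the thread,
# record 2 (RID 9999) is made up to show a consistent mapping.
SAM_SAMPLE = """# record 1
objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
gidNumber: 4000113
# record 2
objectSid: S-1-5-21-1132727046-140625262-2935381992-9999
gidNumber: 4000200
"""
IDMAP_SAMPLE = """# record 1
objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
xidNumber: 3000022
# record 2
objectSid: S-1-5-21-1132727046-140625262-2935381992-9999
xidNumber: 4000200
"""
```

To use it on a DC, pass the saved output of `ldbsearch -H sam.ldb` and `ldbsearch -H idmap.ldb` as the two arguments of `compare_ids`; on the sample it reports only the -1105 SID, with 4000113 against 3000022.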


