gid numbers changed after upgrading from 4.1.14 to 4.2.1

Daniele Dario d.dario76 at gmail.com
Wed Apr 22 04:11:15 MDT 2015



On Wed, 2015-04-22 at 09:57 +0100, Rowland Penny wrote:
> On 22/04/15 09:29, Daniele Dario wrote:
> > Good morning everybody,
> > yesterday I completed the upgrade of my two DCs to 4.2.1 but after doing
> > that I noticed that the gid of some groups changed on one of the two
> > DCs.
> >
> > The problem is that the DC on which the gid numbers changed also acts as
> > a file server, and now some users can no longer connect to some shares.
> >
> > Replication seems to work correctly but I used samba-tool ldapcmp to see
> > if everything is right and found that
> >
> > [root@kdc03:/usr/local/samba/private]# samba-tool ldapcmp sam.ldb ldap://kdc01 -Uadministrator
> > Password for [SAITEL\administrator]:
> >
> > * Comparing [DOMAIN] context...
> >
> > * Objects to be compared: 563
> >
> > Comparing:
> > 'CN=Administrators,CN=Builtin,DC=saitel,DC=loc' [sam.ldb]
> > 'CN=Administrators,CN=Builtin,DC=saitel,DC=loc' [ldap://kdc01]
> >      Difference in attribute values:
> >          whenChanged =>
> > ['20150421175958.0Z']
> > ['20150421180002.0Z']
> >      FAILED
> 
> You can ignore the 'whenChanged' attribute; it is not replicated, so it
> could be different.
> 
> >
> >
> > Looking at the gid numbers that I found changed I see this:
> > group ufficio tecnico:
> >       kdc01   kdc03
> > gid 4000113 3000022
> > on both kdc01 and kdc03 I get that
> >
> > [root@kdc03:/usr/local/samba/private]# wbinfo -G 3000022
> > S-1-5-21-1132727046-140625262-2935381992-1105
> > [root@kdc03:/usr/local/samba/private]# wbinfo -G 4000113
> > S-1-5-21-1132727046-140625262-2935381992-1105
> 
> Do both DCs have 'idmap_ldb:use rfc2307 = yes' in smb.conf ?
> 
> >
> > so it seems that I have two gidNumber that map on the same sid
> > and looking into idmap.ldb I get
> >
> > [root@kdc03:/usr/local/samba/private]# ldbsearch -H idmap.ldb -a objectSid=S-1-5-21-1132727046-140625262-2935381992-1105
> > # record 1
> > dn: CN=S-1-5-21-1132727046-140625262-2935381992-1105
> > cn: S-1-5-21-1132727046-140625262-2935381992-1105
> > objectClass: sidMap
> > objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
> > type: ID_TYPE_BOTH
> > xidNumber: 3000022
> > distinguishedName: CN=S-1-5-21-1132727046-140625262-2935381992-1105
> >
> > # returned 1 records
> > # 1 entries
> > # 0 referrals
> >
> > while on sam.ldb I find
> >
> > [root@kdc03:/usr/local/samba/private]# ldbsearch -H sam.ldb -a objectSid=S-1-5-21-1132727046-140625262-2935381992-1105
> > # record 1
> > dn: CN=Ufficio Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc
> > objectClass: top
> > objectClass: group
> > cn: Ufficio Tecnico
> > description: Personale Ufficio Tecnico
> > instanceType: 4
> > whenCreated: 20120924144535.0Z
> > uSNCreated: 3592
> > name: Ufficio Tecnico
> > objectGUID: 2e58f8d0-5a28-47c1-9468-ec7b202cf560
> > objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
> > sAMAccountName: Ufficio Tecnico
> > sAMAccountType: 268435456
> > groupType: -2147483646
> > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=saitel,DC=loc
> > gidNumber: 4000113
> > member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> > member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> > member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> > member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> > member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> > member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> > member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
> > whenChanged: 20140516075814.0Z
> > uSNChanged: 7616
> > distinguishedName: CN=Ufficio Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc
> >
> 
> If you run the same commands on the other DC, do you get the same results ?
> It should be the same for sam.ldb, but may be different for idmap.ldb;
> this is a known problem, as it is not replicated between DCs.
> 
> Rowland
> >
> > Is this a normal behavior or is this related to the problem I'm having
> > now in connecting to the shares "owned" by the group "ufficio tecnico"?
> >
> > Any help would be appreciated,
> > Daniele.
> >
> 

Hi Rowland,
yes, both DCs have 'idmap_ldb:use rfc2307 = yes' in smb.conf and
ldapsearch gives the same results on the other DC.

What seems to happen is that on kdc03 the lookup comes from idmap
instead of from AD, but only for some groups.

An example: Domain Users has its own entry in AD on both kdc01 and kdc03

[root@kdc01:/usr/local/samba]# ldbsearch -H private/sam.ldb -a name=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=saitel,DC=loc
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20120924143100.0Z
uSNCreated: 3223
name: Domain Users
objectGUID: d40e9068-18cf-4524-9f94-3cf5a63a030a
objectSid: S-1-5-21-1132727046-140625262-2935381992-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=saitel,DC=loc
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=saitel,DC=loc
objectClass: top
objectClass: group
gidNumber: 4000001
whenChanged: 20140515073926.0Z
uSNChanged: 13534
distinguishedName: CN=Domain Users,CN=Users,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc

# returned 4 records
# 1 entries
# 3 referrals

[root@kdc03:/usr/local/samba/private]# ldbsearch -H sam.ldb -a name=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=saitel,DC=loc
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20120924143100.0Z
uSNCreated: 3227
name: Domain Users
objectGUID: d40e9068-18cf-4524-9f94-3cf5a63a030a
objectSid: S-1-5-21-1132727046-140625262-2935381992-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=saitel,DC=loc
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=saitel,DC=loc
whenChanged: 20140515073926.0Z
uSNChanged: 7511
gidNumber: 4000001
distinguishedName: CN=Domain Users,CN=Users,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc

# returned 4 records
# 1 entries
# 3 referrals

and lookup of SID in idmap.ldb has entries on both DCs

[root@kdc01:/usr/local/samba]# ldbsearch -H private/idmap.ldb -a objectSid=S-1-5-21-1132727046-140625262-2935381992-513
# record 1
dn: CN=S-1-5-21-1132727046-140625262-2935381992-513
cn: S-1-5-21-1132727046-140625262-2935381992-513
objectClass: sidMap
objectSid: S-1-5-21-1132727046-140625262-2935381992-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1132727046-140625262-2935381992-513

# returned 1 records
# 1 entries
# 0 referrals

[root@kdc03:/usr/local/samba/private]# ldbsearch -H idmap.ldb -a objectSid=S-1-5-21-1132727046-140625262-2935381992-513
# record 1
dn: CN=S-1-5-21-1132727046-140625262-2935381992-513
cn: S-1-5-21-1132727046-140625262-2935381992-513
objectClass: sidMap
objectSid: S-1-5-21-1132727046-140625262-2935381992-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1132727046-140625262-2935381992-513

# returned 1 records
# 1 entries
# 0 referrals

but as you can see, on kdc01 and kdc03 they appear different

[root@kdc01:/usr/local/samba]# getent group Domain\ Users
domain users:x:4000001:

[root@kdc03:/usr/local/samba/private]# getent group Domain\ Users
domain users:x:100:

For other groups I see that the SIDs are present both in AD and in idmap.ldb,
but on both DCs they are resolved as per the AD content and not per idmap.ldb.
It seems that the problem in accessing the shares is that, when connecting
to a share, Samba uses AD while the disk permissions appear to be retrieved
from idmap (or vice versa).

Any idea?
Daniele.



More information about the samba-technical mailing list