gid numbers changed after upgrading from 4.1.14 to 4.2.1

Rowland Penny repenny241155 at gmail.com
Wed Apr 22 04:45:02 MDT 2015 

On 22/04/15 11:11, Daniele Dario wrote:
>
> On mer, 2015-04-22 at 09:57 +0100, Rowland Penny wrote:
>> On 22/04/15 09:29, Daniele Dario wrote:
>>> Good morning everybody,
>>> yesterday I completed the upgrade of my two DCs to 4.2.1 but after doing
>>> that I noticed that the gid of some groups changed on one of the two
>>> DCs.
>>>
>>> The problem is that the DC on which the gid numbers changed acts also as
>>> a file server and now some users can't anymore connect to some shares.
>>>
>>> Replication seems to work correctly but I used samba-tool ldapcmp to see
>>> if everything is right and found that
>>>
>>> [root at kdc03:/usr/local/samba/private]# samba-tool ldapcmp sam.ldb
>>> ldap://kdc01 -Uadministrator
>>> Password for [SAITEL\administrator]:
>>>
>>> * Comparing [DOMAIN] context...
>>>
>>> * Objects to be compared: 563
>>>
>>> Comparing:
>>> 'CN=Administrators,CN=Builtin,DC=saitel,DC=loc' [sam.ldb]
>>> 'CN=Administrators,CN=Builtin,DC=saitel,DC=loc' [ldap://kdc01]
>>>       Difference in attribute values:
>>>           whenChanged =>
>>> ['20150421175958.0Z']
>>> ['20150421180002.0Z']
>>>       FAILED
>> you can ignore the 'whenChanged' attribute, it is not replicated, so
>> could be different.
>>
>>>
>>> Looking at the gid numbers that I found changed I see this:
>>> group ufficio tecnico:
>>>        kdc01   kdc03
>>> gid 4000113 3000022
>>> on both kdc01 and kdc03 I get that
>>>
>>> [root at kdc03:/usr/local/samba/private]# wbinfo -G 3000022
>>> S-1-5-21-1132727046-140625262-2935381992-1105
>>> [root at kdc03:/usr/local/samba/private]# wbinfo -G 4000113
>>> S-1-5-21-1132727046-140625262-2935381992-1105
>> Do both DCs have 'idmap_ldb:use rfc2307 = yes' in smb.conf ?
>>
>>> so it seems that I have two gidNumber that map on the same sid
>>> and looking into idmap.ldb I get
>>>
>>> [root at kdc03:/usr/local/samba/private]# ldbsearch -H idmap.ldb -a
>>> objectSid=S-1-5-21-1132727046-140625262-2935381992-1105
>>> # record 1
>>> dn: CN=S-1-5-21-1132727046-140625262-2935381992-1105
>>> cn: S-1-5-21-1132727046-140625262-2935381992-1105
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000022
>>> distinguishedName: CN=S-1-5-21-1132727046-140625262-2935381992-1105
>>>
>>> # returned 1 records
>>> # 1 entries
>>> # 0 referrals
>>>
>>> while on sam.ldb I find
>>>
>>> [root at kdc03:/usr/local/samba/private]# ldbsearch -H sam.ldb -a
>>> objectSid=S-1-5-21-1132727046-140625262-2935381992-1105
>>> # record 1
>>> dn: CN=Ufficio Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc
>>> objectClass: top
>>> objectClass: group
>>> cn: Ufficio Tecnico
>>> description: Personale Ufficio Tecnico
>>> instanceType: 4
>>> whenCreated: 20120924144535.0Z
>>> uSNCreated: 3592
>>> name: Ufficio Tecnico
>>> objectGUID: 2e58f8d0-5a28-47c1-9468-ec7b202cf560
>>> objectSid: S-1-5-21-1132727046-140625262-2935381992-1105
>>> sAMAccountName: Ufficio Tecnico
>>> sAMAccountType: 268435456
>>> groupType: -2147483646
>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=saitel,DC=loc
>>> gidNumber: 4000113
>>> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
>>> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
>>> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
>>> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
>>> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
>>> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
>>> member: CN=...,OU=users,OU=saitel,DC=saitel,DC=loc
>>> whenChanged: 20140516075814.0Z
>>> uSNChanged: 7616
>>> distinguishedName: CN=Ufficio
>>> Tecnico,OU=groups,OU=saitel,DC=saitel,DC=loc
>>>
>> If you run the same commands on the other DC, do you get the same results ?
>> It should be the same for sam.ldb, but may be different for idmap.ldb,
>> this is a know problem, as it is not replicated between DCs.
>>
>> Rowland
>>> Is this a normal behavior or is this related to the problem I'm having
>>> now in connecting to the shares "owned" by the group "ufficio tecnico"?
>>>
>>> Any help would be appreciated,
>>> Daniele.
>>>
> Hi Rowland,
> yes, both DCs have 'idmap_ldb:use rfc2307 = yes' in smb.conf and
> ldapsearch gives the same results on the other DC.
>
> What seems to happen is that on kdc03 the lookup comes from idmap
> instead than from AD but only for some groups.
>
> An example: Domain Users has his own entry in AD both in kdc01 and kdc03
>
> [root at kdc01:/usr/local/samba]# ldbsearch -H private/sam.ldb -a
> name=Domain\ Users
> # record 1
> dn: CN=Domain Users,CN=Users,DC=saitel,DC=loc
> cn: Domain Users
> description: All domain users
> instanceType: 4
> whenCreated: 20120924143100.0Z
> uSNCreated: 3223
> name: Domain Users
> objectGUID: d40e9068-18cf-4524-9f94-3cf5a63a030a
> objectSid: S-1-5-21-1132727046-140625262-2935381992-513
> sAMAccountName: Domain Users
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=saitel,DC=loc
> isCriticalSystemObject: TRUE
> memberOf: CN=Users,CN=Builtin,DC=saitel,DC=loc
> objectClass: top
> objectClass: group
> gidNumber: 4000001
> whenChanged: 20140515073926.0Z
> uSNChanged: 13534
> distinguishedName: CN=Domain Users,CN=Users,DC=saitel,DC=loc
>
> # Referral
> ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc
>
> # Referral
> ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc
>
> # Referral
> ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> [root at kdc03:/usr/local/samba/private]# ldbsearch -H sam.ldb -a
> name=Domain\ Users
> # record 1
> dn: CN=Domain Users,CN=Users,DC=saitel,DC=loc
> objectClass: top
> objectClass: group
> cn: Domain Users
> description: All domain users
> instanceType: 4
> whenCreated: 20120924143100.0Z
> uSNCreated: 3227
> name: Domain Users
> objectGUID: d40e9068-18cf-4524-9f94-3cf5a63a030a
> objectSid: S-1-5-21-1132727046-140625262-2935381992-513
> sAMAccountName: Domain Users
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=saitel,DC=loc
> isCriticalSystemObject: TRUE
> memberOf: CN=Users,CN=Builtin,DC=saitel,DC=loc
> whenChanged: 20140515073926.0Z
> uSNChanged: 7511
> gidNumber: 4000001
> distinguishedName: CN=Domain Users,CN=Users,DC=saitel,DC=loc
>
> # Referral
> ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc
>
> # Referral
> ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc
>
> # Referral
> ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> and lookup of SID in idmap.ldb has entries on both DCs
>
> [root at kdc01:/usr/local/samba]# ldbsearch -H private/idmap.ldb -a
> objectSid=S-1-5-21-1132727046-140625262-2935381992-513
> # record 1
> dn: CN=S-1-5-21-1132727046-140625262-2935381992-513
> cn: S-1-5-21-1132727046-140625262-2935381992-513
> objectClass: sidMap
> objectSid: S-1-5-21-1132727046-140625262-2935381992-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-1132727046-140625262-2935381992-513
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> [root at kdc03:/usr/local/samba/private]# ldbsearch -H idmap.ldb -a
> objectSid=S-1-5-21-1132727046-140625262-2935381992-513
> # record 1
> dn: CN=S-1-5-21-1132727046-140625262-2935381992-513
> cn: S-1-5-21-1132727046-140625262-2935381992-513
> objectClass: sidMap
> objectSid: S-1-5-21-1132727046-140625262-2935381992-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-1132727046-140625262-2935381992-513
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> but as you can see, on kdc01 and kdc03 they appear different
>
> [root at kdc01:/usr/local/samba]# getent group Domain\ Users
> domain users:x:4000001:
>
> [root at kdc03:/usr/local/samba/private]# getent group Domain\ Users
> domain users:x:100:
>
> On other groups I see that SIDs are present both on AD and idmap.ldb but
> on both DCs they are resolved as per AD content and not per idmap.ldb
> and it seems that the problem in accessing the shares is that when
> trying to connect the share samba uses AD while disk permissions appear
> to be retrieved from idmap (or vice-versa).
>
> Any idea?
> Daniele.
>

Strange, running 'getent group Domain\ Users' on both my DCs gives the 
same result '10000', which is the gidNumber set in AD.

Is /etc/nsswitch.conf the same on both DCs ?
Have you set up the libnss_winbind links ?
If so, have you done this on both machines ?

Have you altered smb.conf on either of the DCs ?

How was the domain initially provisioned ?

Rowland

More information about the samba-technical mailing list