samba 4.3.4: winbindd is mapping a user uid to an incorrected value

Rowland Penny repenny241155 at
Thu Jan 14 13:24:36 UTC 2016

On 14/01/16 12:19, Daniele Dario wrote:
> Hi all,
> after upgrading my AD DCs to 4.3.4, today I found that some users are
> mapped to a uid that I'm not able to find in sam.ldb nor in idmap.ldb
> and now they are not able to log in their personal home directories on
> the server.
> It happened once after updating to a 4.2.x and it seems that the problem
> was related to winbindd and the suggestion to use the
> server services = -winbindd +winbind
> solved the issue. Then I updated to the 4.2.x+1 release and found that
> the directive was not necessary anymore but now the problem came up
> again.
> The thing is that the DCs seem to be correctly synced (samba-tool drs
> showrepl) and trying to find the uid with
> ldbsearch --cross-ncs --show-deleted -H /usr/local/samba/private/sam.ldb
> -a uidNumber=3000033
> # returned 0 records
> # 0 entries
> # 0 referrals

Try your search like this:

ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=3000033)'

This should return the entire user's object from AD, provided that you 
have manually given the user a 'uidNumber' attribute containing '3000033'.

> and same for gid or xid also on idmap.ldb.
> On kdc01 I can see the user being mapped to the uid present in sam.ldb
> while on kdc03 no.
> Another thing I can say is that
> [root@kdc03:~]# wbinfo --uid-info=4001107
> SAITEL\marco:*:3000033:100:Marco Gandini:/home/SAITEL/marco:/bin/bash
> (this should look into the AD db guess and finds the correct uidNumber
> for the user or better finds the user associated to the uidNumber)

Now this is confusing, you ask for the info for '4001107' and get back 
the info for '3000033'.

> [root@kdc03:~]# wbinfo --uid-to-sid=4001107
> S-1-5-21-1132727046-140625262-2935381992-1121
> (same as before I think)
> [root@kdc03:~]# wbinfo
> --sid-to-uid=S-1-5-21-1132727046-140625262-2935381992-1121
> 3000033
> (here the conversion is made picking the info from somewhere that I
> can't find)

It is also the same here, '4001107' becomes '3000033'.

Can you please post your smb.conf from both machines?

Your user will only (ultimately) get their uid from either idmap.ldb or 
sam.ldb, the first will be used if your users do not have 'uidNumber' 
attributes. If your users do have 'uidNumber' attributes, these will be 
used instead of the 'xidNumber' attributes found in idmap.ldb. You 
probably need to clear out the cache with 'net cache flush', there is 
also gencache.tdb, you may have to delete this as well. There is however 
another problem, you may have files that belong to '4001107' & 
'3000033', some of these may become orphaned when you sort out your uid 
You should also be aware that the 'idmap.ldb' files can be (and probably 
are) different on each DC. All of the above are reasons why you 
shouldn't use the DCs as fileservers, you should set up a domain member 
as a fileserver.


> Both servers are configured with
> idmap_ldb:use rfc2307 = yes
> Does anyone have any idea why this is happening and how to solve it?
> What info can I provide to help solving this issue?
> Thanks in advance,
> Daniele.
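
An added example, not part of the original message or of Samba: a shell check that repeats the round trip shown in the thread (uid to SID and back, plus the uid in the `--uid-info` line) and reports when a DC answers with a different uid, with a helper that lists files owned by either uid before the mapping is corrected. The function names are hypothetical; only the `wbinfo` options used in the thread are assumed.

```shell
#!/bin/sh
# Added example: round-trip check of winbindd ID mapping with wbinfo.
# Function names are hypothetical; the wbinfo options are the ones
# used in the thread. Source this file as root on each DC, run
# check_uid_roundtrip for the affected uid, and compare the results.

# check_uid_roundtrip UID
# Exit status: 0 consistent, 1 mismatch, 2 lookup failed.
check_uid_roundtrip() {
    asked=$1
    sid=$(wbinfo --uid-to-sid="$asked" 2>/dev/null) || {
        echo "LOOKUP_FAILED uid=$asked"; return 2; }
    back=$(wbinfo --sid-to-uid="$sid" 2>/dev/null) || {
        echo "LOOKUP_FAILED uid=$asked sid=$sid"; return 2; }
    # Field 3 of the passwd-style line from --uid-info is the uid.
    pw_uid=$(wbinfo --uid-info="$asked" 2>/dev/null | cut -d: -f3)
    if [ "$back" = "$asked" ] && [ "$pw_uid" = "$asked" ]; then
        echo "OK uid=$asked sid=$sid"
        return 0
    fi
    echo "MISMATCH uid=$asked sid=$sid sid_to_uid=$back uid_info=$pw_uid"
    return 1
}

# owned_by_either DIR UID_A UID_B
# Lists files owned by either numeric uid, so ownership can be reviewed
# before the mapping is corrected and files end up orphaned.
owned_by_either() {
    find "$1" -xdev \( -uid "$2" -o -uid "$3" \) -print
}
```

Running `check_uid_roundtrip 4001107` on both DCs shows which one returns a different uid, and `owned_by_either /home 4001107 3000033` lists the files affected by the two values.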
