samba 4.3.4: winbindd is mapping a user uid to an incorrect value

Daniele Dario d.dario76 at gmail.com
Thu Jan 14 13:57:14 UTC 2016


Hi Rowland (again ;-))

Please see some answers inline:

On gio, 2016-01-14 at 13:24 +0000, Rowland Penny wrote:
> On 14/01/16 12:19, Daniele Dario wrote:
> > Hi all,
> > after upgrading my AD DCs to 4.3.4, today I found that some users are
> > mapped to a uid that I'm not able to find either in sam.ldb or in idmap.ldb,
> > and now they are not able to log in to their personal home directories on
> > the server.
> >
> > It happened once after updating to a 4.2.x and it seems that the problem
> > was related to winbindd and the suggestion to use the
> > server services = -winbindd +winbind
> > solved the issue. Then I updated to the 4.2.x+1 release and found that
> > the directive was not necessary anymore but now the problem came up
> > again.
> >
> > The thing is that the DCs seem to be correctly synced (samba-tool drs
> > showrepl) and trying to find the uid with
> > ldbsearch --cross-ncs --show-deleted -H /usr/local/samba/private/sam.ldb
> > -a uidNumber=3000033
> > # returned 0 records
> > # 0 entries
> > # 0 referrals
> 
> Try your search like this:
> 
> ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=3000033)'
> 
> This should return the entire user's object from AD, provided that you 
> have manually given the user a 'uidNumber' attribute containing '3000033'
> 
> >
> > and same for gid or xid also on idmap.ldb.
> >
> > On kdc01 I can see the user being mapped to the uid present in sam.ldb
> > while on kdc03 no.
> >
> > Another thing I can say is that
> > [root at kdc03:~]# wbinfo --uid-info=4001107
> > SAITEL\marco:*:3000033:100:Marco Gandini:/home/SAITEL/marco:/bin/bash
> > (this should look into the AD db, I guess, and find the correct uidNumber
> > for the user, or better, find the user associated with the uidNumber)
> 
> Now this is confusing, you ask for the info for '4001107' and get back 
> the info for '3000033'
That's why my comment: if I ask wbinfo for the uidNumber I assigned to
the user, which is 4001107, it resolves that way, showing that the uid
is the wrong one (3000033).
> 
> > [root at kdc03:~]# wbinfo --uid-to-sid=4001107
> > S-1-5-21-1132727046-140625262-2935381992-1121
> > (same as before I think)
> > [root at kdc03:~]# wbinfo
> > --sid-to-uid=S-1-5-21-1132727046-140625262-2935381992-1121
> > 3000033
> > (here the conversion is made picking the info from somewhere that I
> > can't find)
> 
> It is also the same here, '4001107' becomes '3000033'

Again here: using the uid 4001107 to get the sid and then going back
from sid to uid I get the wrong one.
> 
> Can you please post your smb.conf from both machines.
> 
> Your user will only (ultimately) get their uid from either idmap.ldb or 
> sam.ldb, the first will be used if your users do not have 'uidNumber' 
> attributes. If your users do have 'uidNumber' attributes, these will be 
> used instead of the 'xidNumber' attributes found in idmap.ldb. You 
> probably need to clear out the cache with 'net cache flush', there is 
> also gencache.tdb, you may have to delete this as well. There is however 
> another problem, you may have files that belong to '4001107' & 
> '3000033', some of these may become orphaned when you sort out your uid 
> problem.

All users have a uidNumber in AD (I can see it with ldbedit/search) so I
hope not to have orphans later.

> You should also be aware that the 'idmap.ldb' files can be (and probably 
> are) different on each DC. All of the above are reasons why you 
> shouldn't use the DCs as fileservers, you should set up a domain member 
> as a fileserver.
> 
> Rowland
> 
> 
> > Both servers are configured with
> > idmap_ldb:use rfc2307 = yes
> >
> > Does anyone have any idea why this is happening and how to solve it?
> > What info can I provide to help solving this issue?
> >
> > Thanks in advance,
> > Daniele.
> >
> >
> 
> 

First off, thanks again. It seems I'm your nemesis :-(

I know I need to set up a domain member as a fileserver. Just as a side
question, would it be possible to make a DC become a domain member?

Getting back to my problem:

ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=3000033)'
# Referral
ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc

# returned 3 records
# 0 entries
# 3 referrals

So it seems the uidNumber is present but I can't find which records
contain it.

This is the smb.conf of kdc01

# Global parameters
[global]
        workgroup = SAITEL
        realm = saitel.loc
        netbios name = KDC01
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        log file = /var/log/log.samba
        log level = 3
#       server services = -winbindd +winbind

        load printers = no
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
        read only = no

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = no

And this is the one of kdc03

# Global parameters
[global]
        workgroup = SAITEL
        realm = saitel.loc
        netbios name = KDC03
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        log file = /var/log/log.samba
        log level = 2
#       server services = -winbindd +winbind

        printing = cups
        printcap name = /var/run/cups/printcap
        load printers = yes

        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
        read only = no

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = no
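As an added example (not code from this thread or from Samba), the following POSIX sh script does on one DC what the wbinfo/ldbsearch commands above do by hand: it reads the user's uidNumber from sam.ldb, asks winbind which uid it maps the user's SID to, and checks that uid -> SID -> uid round-trips. It assumes wbinfo and ldbsearch are on PATH and sam.ldb is at the path from the thread; SAM_LDB and the function names are mine.

```shell
#!/bin/sh
# Cross-check winbind's uid for an AD user against the uidNumber in sam.ldb.
# Assumption: run on a Samba AD DC with wbinfo and ldbsearch available.
SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"

# uid is the 3rd field of the passwd-style line printed by 'wbinfo --uid-info'.
uid_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# First uidNumber value in ldbsearch output; empty when the attribute is absent.
uid_from_ldb_output() {
    printf '%s\n' "$1" | sed -n 's/^uidNumber: *//p' | head -n 1
}

# Pure comparison of the four collected values: ad_uid wb_uid sid round_trip_sid.
# Prints a verdict; returns 0 when consistent, 1 when the mapping is wrong.
compare_mapping() {
    ad_uid="$1"; wb_uid="$2"; sid="$3"; back_sid="$4"
    status=0
    if [ -z "$ad_uid" ]; then
        echo "AD: no uidNumber set, winbind falls back to idmap.ldb xidNumber"
        status=1
    elif [ "$ad_uid" != "$wb_uid" ]; then
        echo "MISMATCH: AD uidNumber=$ad_uid but winbind maps $sid to uid $wb_uid"
        status=1
    fi
    if [ "$sid" != "$back_sid" ]; then
        echo "ROUND-TRIP BROKEN: uid $wb_uid -> $back_sid, expected $sid"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $sid <-> uid $wb_uid matches AD uidNumber"
    return "$status"
}

# Live check for user "$1" (DOMAIN\user or plain user); strips any domain prefix
# for the sAMAccountName lookup in sam.ldb.
check_user() {
    sam="${1##*\\}"
    ad_uid=$(uid_from_ldb_output "$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$sam)" uidNumber)")
    sid=$(wbinfo --name-to-sid "$1" | cut -d' ' -f1)
    wb_uid=$(wbinfo --sid-to-uid "$sid")
    back_sid=$(wbinfo --uid-to-sid "$wb_uid")
    compare_mapping "$ad_uid" "$wb_uid" "$sid" "$back_sid"
}

if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

Run it as `sh check_uid.sh 'SAITEL\marco'` on each DC; a MISMATCH on one DC but OK on another points at stale winbind/gencache state or differing idmap.ldb on that DC rather than at sam.ldb.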