samba 4.3.4: winbindd is mapping a user uid to an incorrect value

Daniele Dario d.dario76 at gmail.com
Thu Jan 14 14:55:53 UTC 2016


See inline answers

On Thu, 2016-01-14 at 14:27 +0000, Rowland Penny wrote:
> See inline comments:
> 
> On 14/01/16 13:57, Daniele Dario wrote:
> > All users have a uidNumber in AD (I can see it with ldbedit/search) so I
> > hope to not have orphans later.
> >
> >
> > First off, thanks again. It seems I'm your nemesis :-(
> >
> > I know I need to setup a domain member as a fileserver. Just as a side
> > question, would it be possible to make a DC become a domain member?
> 
> Not in the context of an AD domain member, you could however, stop a DC 
> and then reconfigure (as per the wiki) it as a domain member. I wouldn't 
> do this though, it would be easier to set up another domain member.
> 
Yeah. Right now I don't have a machine to set up another domain member.
When I first provisioned the domain (4.0.beta) this was both the DC and
the fileserver. Now moving it means buying another machine and I'm
waiting for the money slot to do it. I'll catch you up when I'm
ready ;-)
> >
> > Getting back to my problem:
> >
> > ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=3000033)'
> > # Referral
> > ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc
> >
> > # Referral
> > ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc
> >
> > # Referral
> > ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc
> >
> > # returned 3 records
> > # 0 entries
> > # 3 referrals
> >
> > So it seems the uidNumber is present but I can't find which records
> 
> Ah no, that says it cannot find the uidNumber 3000033
> 
Oops. Misunderstood the meaning :-(

> > contain it.
> >
> > This is the smb.conf of kdc01
> >
> > # Global parameters
> > [global]
> >          workgroup = SAITEL
> >          realm = saitel.loc
> >          netbios name = KDC01
> >          server role = active directory domain controller
> >          dns forwarder = 8.8.8.8
> >          idmap_ldb:use rfc2307 = yes
> >          template shell = /bin/bash
> >          log file = /var/log/log.samba
> >          log level = 3
> > #       server services = -winbindd +winbind
> >
> >          load printers = no
> > [netlogon]
> >          path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> >          read only = no
> >
> > [sysvol]
> >          path = /usr/local/samba/var/locks/sysvol
> >          read only = no
> >
> > And this is the one of kdc03
> >
> > # Global parameters
> > [global]
> >          workgroup = SAITEL
> >          realm = saitel.loc
> >          netbios name = KDC03
> >          server role = active directory domain controller
> >          dns forwarder = 8.8.8.8
> >          idmap_ldb:use rfc2307 = yes
> >          template shell = /bin/bash
> >          log file = /var/log/log.samba
> >          log level = 2
> > #       server services = -winbindd +winbind
> >
> >          printing = cups
> >          printcap name = /var/run/cups/printcap
> >          load printers = yes
> >
> >          rpc_server:spoolss = external
> >          rpc_daemon:spoolssd = fork
> >
> > [netlogon]
> >          path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> >          read only = no
> >
> > [sysvol]
> >          path = /usr/local/samba/var/locks/sysvol
> >          read only = no
> >
> >
> >
> 
> Have you given your users an attribute called 'uidNumber'? This 
> attribute is *not* created automatically.
> 
> i.e. does:
> 
> ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=*)' uidNumber 
> | grep 'uidNumber'
> return anything?

uidNumber: 4001101
uidNumber: 4001105
uidNumber: 4001001
uidNumber: 4001002
uidNumber: 4001102
uidNumber: 4001106
uidNumber: 4001110
uidNumber: 4001104
uidNumber: 4001112
uidNumber: 4001108
uidNumber: 4001103
uidNumber: 4001111
uidNumber: 4001114
uidNumber: 4001113
uidNumber: 4001109
uidNumber: 4001003
uidNumber: 4001107

> 
> Does:
> 
> ldbsearch -H /usr/local/samba/private/sam.ldb 
> '(&(objectClass=group)(cn=Domain Users))' gidNumber | grep 'gidNumber'
> 
> return anything, and if so, what?
> 
4001107

> what does:
> 
>   ldbsearch -H /usr/local/samba/private/sam.ldb 
> '(&(objectClass=user)(samaccountname=marco))' uidNumber | grep uidNumber 
> | awk '{print $NF}'
> 
> return? And is it '3000033' or '4001107'?
> 
4001107

Just take into account that I did what you proposed (net cache flush) and now
wbinfo is giving the right uid. If the user tries to connect to their home
folder, samba still resolves the wrong uid, but I didn't restart it
because people are still working. Could it be that I didn't remove the
gencache.tdb, so I need to stop the service, remove gencache.tdb and then
restart it?
> Rowland
> 
> 

Daniele.
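An added audit script (mine, not from this thread or the Samba project) that parses ldbsearch output of the shape shown above and reports users lacking a uidNumber, uidNumbers used more than once, and values that appear both as a uidNumber and as a gidNumber, flagged for review rather than diagnosed. The sample output is constructed: marco, Domain Users and 4001107 come from the thread; the user bob and the DNs are assumed.

```python
from collections import Counter

# Constructed ldbsearch output in the shape the thread shows; 'marco',
# 'Domain Users' and 4001107 come from the thread, 'bob' is invented.
USERS_LDIF = """\
dn: CN=marco,CN=Users,DC=saitel,DC=loc
sAMAccountName: marco
uidNumber: 4001107

dn: CN=bob,CN=Users,DC=saitel,DC=loc
sAMAccountName: bob

# Referral
ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc
"""

GROUPS_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=saitel,DC=loc
sAMAccountName: Domain Users
gidNumber: 4001107
"""

def parse_ldb(text):
    # One entry per blank-line-separated block; '#' lines and referral blocks
    # (a 'ref:' with no 'dn:') are dropped. No LDIF folding/base64 handling.
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or not line.strip():
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_ids(user_entries, group_entries):
    # Users without a uidNumber, uidNumbers used more than once, and
    # values that appear both as a uidNumber and as a gidNumber.
    uids = {e["sAMAccountName"][0]: e.get("uidNumber", [None])[0] for e in user_entries}
    gids = {g for e in group_entries for g in e.get("gidNumber", [])}
    counts = Counter(v for v in uids.values() if v)
    return {
        "missing_uid": sorted(u for u, v in uids.items() if v is None),
        "duplicate_uid": sorted(v for v, n in counts.items() if n > 1),
        "uid_gid_overlap": sorted(set(counts) & gids),
    }
```

Feed it the real output of the two ldbsearch commands from the thread (users with `sAMAccountName uidNumber`, groups with `sAMAccountName gidNumber`) instead of the constructed strings.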
