[Samba] Samba v3.0.23a BROKE my network

Chris Hall chris.hall at halldom.com
Wed Jan 24 15:59:30 GMT 2007

I run Samba as a PDC for a small network.  I used to use smbpassword and
went through the pain of changing up to tdbsam.

I have just upgraded from v3.0.14a to v3.0.23a.

The immediate effect was that nobody could use their domain log in any

I was upset.  My users wished me to understand their frustration.  It
was not my fault.  I became cross.  The dog got my dinner (it's an ill

When I, finally, discovered that what was needed was some new
configuration (explicit groupmap for the 'Domain xxxx' groups) I was no
longer upset or cross.  I was LIVID.

I make the following observations:

  * if a change is made that invalidates existing configurations
    the documentation SHOULD SAY THAT, and it SHOULD SAY WHAT CHANGES

  * better yet, since these are required settings THE NEW SOFTWARE

  * since these settings are fundamental, why not put at least default
    settings in smb.conf ?  testparm could check for them ?

  * getting a Samba installation to work is an exercise in the dark
    arts.  This is partly because Windows networking is arcane and
    badly documented -- so it is effectively impossible to discover
    how things are supposed to work, what the components really are
    and how they fit together...

    There is a ton of documentation (the HOWTO runs to 950 pages).
    Well done guys.  Nevertheless, because the concepts are obscure,
    there's a lot of text that is impenetrable.

  * I see a reference to 'net sam' commands in the archived mailing
    list [YES, I have read (some of) the archive before posting !]

    'net help' gives some idea of what these commands are, but the man
    page is silent on the subject.

IMNSHO as a one time software developer, the failure here is not just in
the documentation (no amount of documentation is ever quite enough) but
particularly in the software.  The software should not silently accept
an obviously deficient configuration, particularly if it leads to some
obscure failures later.

I wonder if I have been alone in tripping over this ?  I failed to find
anything which obviously fitted the symptoms, which made me feel I was
looking for something obscure or that some bit rot had eaten the
foundations of my installation.

Thanks for a very useful package (despite occasional infuriation, due in
no small part, I am sure, to Windows Networking's broken architecture).

But, PLEASE work on the basis that most users are stumbling around in
the dark.  Setting this kind of trap is hardly sporting !

After the upgrade what happened to me, blow by blow, was:

It looked as though the machine trust accounts were broken.  (Windows
login whimpered about the Domain Controller not playing nicely.)

I ran testparm.  No problems.

I turned up the logging.

It still looked as though the machine trust accounts were broken (some
secrets or other could not be found).

Plus, when I ran pdbedit to see what was going on, it started whining
about not being able to look up various SID or RID things.

I ran tbdbackup -v passdb.tbd -- no problems.  And secrets.tbd, ditto.

I deleted and recreated a machine account (pdbedit -x xxxx$; pdbedit -a
-m xxxx$) and moved that machine out and back into the domain.

It still looked as though the machine trust accounts were broken.

I ran through Chapter 38, THE SAMBA CHECKLIST of the HOWTO.  No problems

I read the FAQ.  Nothing relevant.

I read the release notes.  I found (under 3.0.23):

  User and Group changes

  The user and group internal management routines have been
  rewritten to prevent overlaps of assigned Relative Identifiers
  (RIDs).  In the past the has been a potential problem when either
  manually mapping Unix groups with the 'net groupmap' command or
  when migrating a Windows domain to a Samba domain using 'net rpc

... I've never felt the need to manually map any groups... and I've
never migrated a Windows domain...  So, this doesn't seem to apply to
me, I guess ?

  Unmapped users are now assigned a SID in the S-1-22-1 domain and
  unmapped groups are assigned a SID in the S-1-22-2 domain.
  Previously they were assign a RID within the SAM on the Samba
  server.  For a DC this would have been under the authority of the
  domain SID where as on a member server or standalone host, this
  would have been under the authority of the local SAM (hint: net

... unmapped user ?  I searched the 950 pages of HOWTO, without
discovering what a mapped user was, or how to map a user.  This could be
referring to the contents of smb.username.map file, which would make
most users unmapped ?  An unmapped group seemed less mysterious, at
least I could see a command to set up group mappings.

Now I'm just puzzled, but with a sinking feeling that something I don't
understand is biting me in the backside...

  The result is that any unmapped users or groups on an upgraded
  Samba domain controller may be assigned a new SID.  Because the
  SID rather than a name is stored in Windows security descriptors,
  this can cause a user to no longer have access to a resource for
  example if a file was copied from a Samba file server to a local
  NTFS partition.  Any files stored on the Samba server itself will
  continue to be accessible because Unix stores the Unix gid and not
  the SID for authorization checks.

...and, what's more, may be about to deny my users access to their
files, possibly ?  But nothing about not being able to log in.

  A further example will help illustrate the change.  Assume that a
  group named 'developers' exists with a Unix gid of 782 but this
  user does not exist in Samba's group mapping table. it would be
  perfectly normal for this group to be appear in an ACL editor.
  Prior to 3.0.23, the group SID might appear as
  S-1-5-21-647511796-4126122067-3123570092-2565. With 3.0.23, the
  group SID would be reported as S-1-22-2-782. Any security
  descriptors associated with files stored on an NTFS disk partition
  would not allow access based on the group permissions if the user
  was not a member of the
  S-1-5-21-647511796-4126122067-3123570092-2565 group. Because this
  group SID not reported in a user's token is S-1-22-2-782, Windows
  would fail the authorization check even though both SIDs in some
  respect referred to the same Unix group.

  The current workaround is to create a manual domain group mapping
  entry for the group 'developers' to point at the
  S-1-5-21-647511796-4126122067-3123570092-2565 SID.

...so that's all right, then ??  But,  I need to be able to log in,
first !

  Passdb Changes

  The "passdb backend" parameter no long accepts multiple backends
  in a chaining configuration.  Also be aware that the SQL and XML
  based passdb modules have been removed in this release.  More
  information of external support for a SQL passdb module can be
  found at http://pdbsql.sourceforge.net/.

Since I wasn't using SQL or XML I guessed this didn't affect me.  As a
matter of style, I think it is clearer to state what the software WILL
do.  That can be contrasted with what it used to do, by all means.

  Group Mapping Changes

  The default mapping entries for groups such as "Domain Admins" are
  no longer created when using an smbpasswd file or a tdbsam passdb
  backend.  This means that it is necessary to use 'net groupmap
  add' rather than 'net groupmap modify' to set these entries.
  This change has no effect on winbindd's IDmap functionality for
  domain groups.

This is probably the paragraph that should have told me what I needed to
do.  However:

  * it does NOT say "if you do not set up explicit group mappings for:

      Domain Admins, RID 512
      Domain Users,  RID 513
      Domain Guests, RID 514

    then your configuration WILL NOT WORK (ANY MORE).  So you I
    would create those mappings if I were you, John."

  * it does say that 'net groupmap add' should be used instead of 'net
    groupmap modify', without touching on why one would need or want to.

    Since I'd never had to worry about groupmaps, this did not seem to
    be something to worry about.

So...  I tried the mailing list archive.  Absent any way to search that,
I scanned subjects for a while, but didn't see anything relevant to
3.0.26a breaking all network logins.

So... the more logging information I looked at, the more it appeared
that the upgraded software was not happy with either the passdb.tdb or
the secrets.tdb.  And there were complaints about not finding records
for some RID(s).

I went back to the HOWTO and looked for stuff to do with user, machine
and domain properties.

Chapter 9: IMPORTANT SAMBA-3.0.23 CHANGE NOTES -- repeated the release
note information.  There was clearly something being hinted at here
whose significance was lost on me, but it looked important.

Chapter 11: ACCOUNT INFORMATION DATABASES (p187-230) -- looked hopeful,
but no dice.

Then, finally, Chapter 12: GROUP MAPPING: MS WINDOWS AND UNIX -- I
couldn't see what this had to do with the problem, but the release notes
bothered me, so best to see if I could understand this better.  And then
I found, in a NOTE box:

  Note   It is the administrator's responsibility to create the
         essential domain groups and to assign each its default RID.

Ah ha.  At last, something direct and specific.  To be honest I could
not see why that was anything to do with the problem I had.  But it is
always a good idea to fix the obvious just in case it is obscuring the
not so obvious.



Anyway... I summarised my observations already.  I hope the above is
useful as a report from a user perspective.

Oh, and I repeat my plea to anyone developing any software -- when you
need to change how the thing is configured:

  a. make sure the documentation says so DIRECTLY,

  b. better, MUCH BETTER, make the new software detect the now
     broken legacy configuration and SAY SO, DIRECTLY.

Which can be generalised to cover any major change.

OK.  I found the problem, eventually, using the documentation.  This is
a good thing.

I'm not stupid (my mother says I'm a genius) but I fell into a trap that
should not have been there in the first place :-(

Chris Hall

More information about the samba mailing list