[Samba] (Re-open Bug #3056) Tries to re-create Builtin-Groups over and over again
Matthias Nagel
mh-nagel at web.de
Mon Sep 8 07:43:32 GMT 2008
Hello everybody,
First some technical data:
Samba version: 3.0.28
Distro: Gentoo
PDB backend: OpenLDAP 2.3.43
Server role: PDC
My Samba server continuously complains about not being able to create the BUILTIN\Administrators and BUILTIN\Users groups, because they already exist.
groupdb/mapping.c:pdb_create_builtin_alias(739)
pdb_create_builtin_alias: Could not add group mapping entry for alias 544
(NT_STATUS_GROUP_EXISTS)
auth/auth_util.c:create_builtin_administrators(792)
create_builtin_administrators: Failed to create Administrators
The latter is correct, and I am wondering why Samba wants to re-create them. If I delete those group mappings from the LDAP directory, Samba re-creates them silently (of course with a different Unix group id), and a short time later the error recurs. But apparently everything works fine, even nested group membership. For example, if I type "groups administrator" on the console I get "BUILTIN\administratoren dadmins", where "dadmins" is the domain administrator group, which in turn is a member of "BUILTIN\administratoren". "getent group" gives correct output, too.
After running Samba and OpenLDAP in debug mode (real-time logging to the console), I found the core of the problem.
Inside the function "passdb/lookup_sid.c:sid_to_gid", the function "winbind_sid_to_gid" is invoked, and at this point I get the following errors in my logs:
smbd[7917]: passdb/lookup_sid.c:sid_to_gid(1468)
smbd[7917]: smbd: winbind failed to find a gid for sid S-1-5-32-544
and from the winbind daemon:
winbindd[7905]: [2008/09/07 12:55:54, 5] nsswitch/winbindd_async.c:lookupsid_recv(706)
winbindd[7905]: lookupsid returned an error
winbindd[7905]: [2008/09/07 12:55:54, 5]
nsswitch/winbindd_sid.c:sid2gid_lookupsid_recv(274)
winbindd[7905]: sid2gid_lookupsid_recv: Could not convert get sid type for S-1-5-32-544
The problem is that winbindd refuses to look up SIDs that do not match my domain SID. For example, "wbinfo -Y" works for domain SIDs, but not for builtin SIDs. This behavior is described in bug #3056 (https://bugzilla.samba.org/show_bug.cgi?id=3056). The proposed solution is to add an id range for the BUILTIN accounts. But the syntax of the idmap-related options has changed, and I cannot get it working.
My previous version of smb.conf looked like this:
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=schule,dc=gymnasiumportawestfalica,dc=de
ldap admin dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldapsam:editposix=yes
ldapsam:trusted = yes
encrypt passwords = yes
null passwords = yes
ldap passwd sync = yes
idmap domains = SCHULE
idmap config SCHULE:backend = ldap
idmap config SCHULE:readonly = no
idmap config SCHULE:default = yes
idmap config SCHULE:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap config SCHULE:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap config SCHULE:ldap_url = ldap://localhost
idmap config SCHULE:range = 2000-65000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap alloc config:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 2000-65000
winbind enum groups = yes
winbind enum users = yes
After I read the bug description I changed it to:
passdb backend = ldapsam:ldap://localhost
ldap ssl = off
ldap suffix = dc=schule,dc=gymnasiumportawestfalica,dc=de
ldap admin dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldapsam:editposix=yes
ldapsam:trusted = yes
encrypt passwords = yes
null passwords = yes
guest account = gast
ldap passwd sync = yes
idmap domains = BUILTIN SCHULE
idmap config SCHULE:backend = ldap
idmap config SCHULE:readonly = no
idmap config SCHULE:default = yes
idmap config SCHULE:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap config SCHULE:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap config SCHULE:ldap_url = ldap://localhost
idmap config BUILTIN:backend = ldap
idmap config BUILTIN:readonly = no
idmap config BUILTIN:default = no
idmap config BUILTIN:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap config BUILTIN:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap config BUILTIN:ldap_url = ldap://localhost
idmap uid = 2000-65000
idmap gid = 2000-65000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap alloc config:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 2000-65000
winbind enum groups = yes
winbind enum users = yes
My directory looks like this:
###########################################################################################
#
# Container structure
dn: dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: dcObject
objectClass: organizationalUnit
dc: schule
ou: schule
dn: uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: account
objectClass: simpleSecurityObject
uid: samba
description: Account used by smbd and nmbd for read/write access
userPassword: not for you
dn: ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Users
objectClass: organizationalUnit
dn: ou=Schild,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Schild
objectClass: organizationalUnit
dn: ou=WellKnown,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: WellKnown
objectClass: organizationalUnit
dn: ou=Aux,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Aux
objectClass: organizationalUnit
dn: ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Groups
objectClass: organizationalUnit
dn: ou=Schild,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Schild
objectClass: organizationalUnit
dn: ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: WellKnown
objectClass: organizationalUnit
dn: ou=Aux,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Aux
objectClass: organizationalUnit
dn: ou=Computers,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Computers
objectClass: organizationalUnit
dn: ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: IdMap
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
uidNumber: 2004
gidNumber: 2048
#########################################################################
#
# Samba Domain Info
#
dn: sambaDomainName=SCHULE,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaDomain
sambaDomainName: SCHULE
sambaSID: S-1-5-21-505984510-834225973-328464969
sambaAlgorithmicRidBase: 1000
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
#########################################################################
#
# Well-known groups
#
dn: sambaSID=S-1-5-32-544,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
gidNumber: 2000
sambaSIDList: S-1-5-21-505984510-834225973-328464969-512
displayName: Administratoren
dn: sambaSID=S-1-5-32-545,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Benutzer
gidNumber: 2001
sambaSIDList: S-1-5-21-505984510-834225973-328464969-513
dn: sambaSID=S-1-5-32-546,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
gidNumber: 2002
sambaSID: S-1-5-32-546
sambaGroupType: 4
displayName:: R8Okc3Rl
sambaSIDList: S-1-5-21-505984510-834225973-328464969-514
dn: sambaSID=S-1-5-32-547,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2003
sambaSID: S-1-5-32-547
sambaGroupType: 4
displayName: Hauptbenutzer
dn: sambaSID=S-1-5-32-548,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2004
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Kontenoperatoren
dn: sambaSID=S-1-5-32-549,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2005
sambaSID: S-1-5-32-549
sambaGroupType: 4
displayName: Serveroperatoren
dn: sambaSID=S-1-5-32-550,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2006
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Druckoperatoren
dn: sambaSID=S-1-5-32-551,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2007
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Sicherungsoperatoren
dn: sambaSID=S-1-5-32-552,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2008
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replikationsoperatoren
# domain users
dn: cn=dadmins,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dadmins
gidNumber: 2009
sambaSID: S-1-5-21-505984510-834225973-328464969-512
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQWRtaW5pc3RyYXRvcmVu
dn: cn=dusers,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dusers
gidNumber: 2010
sambaSID: S-1-5-21-505984510-834225973-328464969-513
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQmVudXR6ZXI=
dn: cn=dguests,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dguests
gidNumber: 2011
sambaSID: S-1-5-21-505984510-834225973-328464969-514
sambaGroupType: 2
displayName:: RG9tw6RuZW4tR8Okc3Rl
dn: cn=dcomp,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dcomp
gidNumber: 2012
sambaSID: S-1-5-21-505984510-834225973-328464969-515
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQ29tcHV0ZXI=
dn: cn=dcontrol,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dcontrol
gidNumber: 2013
sambaSID: S-1-5-21-505984510-834225973-328464969-516
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQ29udHJvbGxlcg==
#########################################################################
#
# Well-known users
#
#
dn: uid=administrator,ou=WellKnown,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: administrator
cn: Administrator
displayName: Adminstrator
uidNumber: 2000
gidNumber: 2009
homeDirectory: /home/Administrator
loginShell: /bin/bash
sambaSID: S-1-5-21-505984510-834225973-328464969-500
sambaAcctFlags: [U ]
sambaLMPassword: not for you
sambaNTPassword: not for you
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1220704664
userPassword: not for you
dn: uid=gast,ou=WellKnown,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: gast
cn: Gast
displayName: Gast
uidNumber: 2001
gidNumber: 2011
homeDirectory: /home/Gast
loginShell: /bin/bash
sambaSID: S-1-5-21-505984510-834225973-328464969-501
sambaAcctFlags: [DU ]
dn: uid=server$,ou=Computers,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: server$
cn: server$
displayName: server
uidNumber: 2002
gidNumber: 2013
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-505984510-834225973-328464969-5004
sambaPrimaryGroupSID: S-1-5-21-505984510-834225973-328464969-516
sambaAcctFlags: [S ]
sambaLMPassword: not for you
sambaNTPassword: not for you
Any suggestions? Besides this major problem, I have some minor questions that might be related to it:
1) What is the correct start sequence for the daemons? First winbind and then smbd/nmbd or the other way round?
2) Do I need to create a "sambaDomainEntry" for BUILTIN in the directory?
3) After I started winbind there is a long delay (15 minutes) before "wbinfo" works at all. Why?
Matthias Nagel
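An added consistency check (not from the mail, and not Samba's own code) over the two artefacts posted above: it lists the domains named in `idmap domains` together with their per-domain `idmap config DOM:range` line, the setting the bug #3056 workaround depends on, then unfolds and base64-decodes the LDIF group mappings and reports gids outside the range and `sambaSIDList` members that reference no mapping entry. The inputs are constructed cut-down copies of the second smb.conf and of three entries from the directory dump; the dguests entry is deliberately left out so that one nested reference fails to resolve.

```python
import base64
# Constructed inputs (not the mail verbatim): cut-down second smb.conf, three LDIF entries.
SMB_CONF = """idmap domains = BUILTIN SCHULE
idmap config SCHULE:backend = ldap
idmap config BUILTIN:backend = ldap
idmap gid = 2000-65000"""
LDIF = """dn: sambaSID=S-1-5-32-544,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=d
 e
sambaSID: S-1-5-32-544
gidNumber: 2000
sambaSIDList: S-1-5-21-505984510-834225973-328464969-512
dn: sambaSID=S-1-5-32-546,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
sambaSID: S-1-5-32-546
gidNumber: 2002
displayName:: R8Okc3Rl
sambaSIDList: S-1-5-21-505984510-834225973-328464969-514
dn: cn=dadmins,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
sambaSID: S-1-5-21-505984510-834225973-328464969-512
gidNumber: 2009"""

def idmap_ranges(conf):
    # Every domain in 'idmap domains' -> its 'idmap config DOM:range', or None
    # when absent; 'idmap gid' is the old global range, not a per-domain one.
    opts = {k.strip(): v.strip() for k, sep, v in
            map(lambda ln: ln.partition("="), conf.splitlines()) if sep}
    return {d: opts.get(f"idmap config {d}:range")
            for d in opts.get("idmap domains", "").split()}

def parse_ldif(text):
    # Unfold continuation lines (leading space), decode base64 '::' values,
    # start a new entry at each 'dn:' line (blank-line separators optional).
    entries = []
    for line in filter(None, text.replace("\n ", "").splitlines()):
        key, _, val = line.partition(":")
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        if key == "dn":
            entries.append({})
        entries[-1].setdefault(key, []).append(val.strip())
    return entries

def check_group_mappings(entries, lo, hi):
    # Report gids outside lo..hi and sambaSIDList members that have no mapping entry.
    by_sid = {e["sambaSID"][0]: e for e in entries if "sambaSID" in e}
    problems = []
    for sid, e in by_sid.items():
        if not lo <= int(e["gidNumber"][0]) <= hi:
            problems.append(f"{sid}: gidNumber outside {lo}-{hi}")
        problems += [f"{sid}: nested member {m} has no mapping entry"
                     for m in e.get("sambaSIDList", []) if m not in by_sid]
    return problems
```

Run against the posted second smb.conf, `idmap_ranges` returns `None` for both BUILTIN and SCHULE, because that file has no `idmap config DOM:range` line for either domain.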