[Samba] [bug?] idmap.ldb xidNumber attributes overlap with existing users'/groups' uidNumber/gidNumber

Andrey Repin anrdaemon at yandex.ru
Sun Apr 19 15:02:11 MDT 2015 

Greetings, All!

I've discovered a nasty mismatch in my recently upgraded domain.
It seems that a number of builtin groups have mappings in idmap.ldb that
overlap with posixAccount mappings in the sam.ldb.
Namely,

# file: var/lib/samba/sysvol/ads.example.com/scripts/
# owner: root
# group: 544
user::rwx
user:root:rwx
group::rwx
group:544:rwx
group:30000:r-x
group:30001:rwx
group:EXAMPLE\134RemoteUsers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:544:rwx
default:group:30000:r-x
default:group:30001:rwx
default:group:EXAMPLE\134RemoteUsers:r-x
default:mask::rwx
default:other::---


As you can see, the groups 544, 30000 and 30001 weren't resolved.
Something similar happens, if I'm trying to look at it from Windows side:

icacls \\dc1\netlogon\

544(BUILTIN\Administrators) and 30001(SYSTEM) are resolved properly, but for
30000, the error message is along the lines of "Unable to resolve SID into
account name".

But when I bring up GUI on the same share, it magically resolve SID's
into "Server Operators" which is matching the

# ldbsearch -s sub -H /var/lib/samba/private/idmap.ldb '(|(xidNumber=30000)(xidNumber=30001))'

# record 1
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 30000
distinguishedName: CN=S-1-5-32-549

# record 2
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 30001
distinguishedName: CN=S-1-5-18


However, there lies the problem:

# getent passwd 30000 30001
EXAMPLE\domainuser:*:30000:513:User 1:/home/domainuser:/bin/bash
EXAMPLE\otheruser:*:30001:513:User 2:/home/otheruser:/bin/bash

It all looks much like if idmap assignment has been created before the users
(with their corresponding uidNumber's) were imported from old domain.

Should this be considered a bug, perhaps?

And how to best resolve this mess? Should I nuke idmap from the orbit and
recreate the maps anew?


-- 
With best regards,
Andrey Repin
Sunday, April 19, 2015 22:35:56

Sorry for my terrible english...

More information about the samba mailing list