[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..

L.P.H. van Belle belle at bazuin.nl
Thu Apr 30 04:09:43 MDT 2015


>>
>> wbinfo --uid-info 0
>> administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
>> wbinfo -i DOMAIN\\administrator
>> DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
>>
>> wbinfo -i DOMAIN\\Administrator
>> administrator:*:0:100::/home/BAZRTD/administrator:/bin/false
>> converted Administrator to administrator.
>>
>> look at the homedir..  Caps A and not caps.  so 2 different folders.
>> 2 different users.
>> in total 3 users with uid 0 ( root, administrator and Administrator )
>
>Now that is a problem

Now time has passed, don't know how much .. and...  how strange again..

root@dc1:~# wbinfo -i DOMAIN\\Administrator
administrator:*:0:100::/home/DOMAIN/administrator:/bin/false

root@dc1:~# wbinfo -i DOMAIN\\administrator
administrator:*:0:100::/home/DOMAIN/administrator:/bin/false

root@dc1:~# wbinfo --uid-info 0
administrator:*:0:100::/home/DOMAIN/administrator:/bin/false

.. I'm thinking there is something slow in responding/modifying..

This is the second time I see this, but I can't figure out the how and where..
well.. it works now.. (again)  :-)  I'm not going to hunt this one..

If you also notice this,
this is what I did.

for x in /etc/init.d/sernet-samba-* ; do "$x" restart ; done
net cache flush
id administrator

now wait a few min and check again. 




Greetz, 

Louis




>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Thursday 30 April 2015 10:32
>To: samba at lists.samba.org
>Subject: Re: [Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
>
>On 30/04/15 09:09, L.P.H. van Belle wrote:
>> ( sorry for mailing directly bjorn, but please have a look )
>>
>> I still think this is a bug..
>>
>> why not a bug:
>> If I do assign a UID/GID to a user, then yes, this will work fine.
>> new users and groups sure.. but now I'm talking about the default domain groups..
>>
>> why a bug:
>> User administrator and the domain groups are set by default by samba.
>> and it's not consistent at all, which is needed for a replicated sysvol.
>> yes, not supported by samba, but I hope samba is working on that, and then
>> this will be an issue also, better fix it now imo.
>>
>> let me explain what I see..
>>
>> administrator has uid 0..
>> wbinfo -i DOMAIN\\administrator
>> DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
>> Administrator ... and not administrator..
>>
>> so now this is my result of my sysvol...
>>   ls -n
>> total 8
>> drwxrwx---+ 4 0 3000000 4096 Apr 28 13:32 internal.domain.tld
>> wbinfo --uid-info 0
>> administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
>> administrator and not Administrator ?
>>
>> first 2 differences in usernames :  Administrator and administrator
>
>Don't worry about that, this is just winbind normalising names
>
>>
>> wbinfo --uid-info 0
>> administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
>> wbinfo -i DOMAIN\\administrator
>> DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
>>
>> wbinfo -i DOMAIN\\Administrator
>> administrator:*:0:100::/home/BAZRTD/administrator:/bin/false
>> converted Administrator to administrator.
>>
>> look at the homedir..  Caps A and not caps.  so 2 different folders.
>> 2 different users.
>> in total 3 users with uid 0 ( root, administrator and Administrator )
>
>Now that is a problem
>
>>
>>
>> in the sysvol/internal.domain.tld :
>> ls -n
>> total 16
>> drwxrwx---+ 4 0 3000000 4096 Apr 28 13:32 Policies
>> drwxrwx---+ 2 0 3000000 4096 Apr 28 13:32 scripts
>>
>> ls -l
>> total 8
>> drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 28 13:32 internal.domain.tld
>>
>> wbinfo --group-info "BUILTIN\administrators"
>> BUILTIN\administrators:x:3000000:
>>
>> for the Policies folder :
>> Policies# ls -n
>> total 16
>> drwxrwx---+ 4 3000008 3000008 4096 Apr 28 13:32 {31B2F340-016D-11D2-945F-00C04FB984F9}
>> drwxrwx---+ 4 3000008 3000008 4096 Apr 28 13:32 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>
>> wbinfo --uid-info 3000008
>> domain admins:*:3000008:3000008::/home/DOMAIN/domain admins:/bin/false
>>
>> wbinfo --gid-info 3000008
>> domain admins:x:3000008:administrator
>>
>> wbinfo --group-info "DOMAIN\domain admins"
>> domain admins:x:3000008:administrator
>>
>> wbinfo --user-info "DOMAIN\domain admins"
>> domain admins:*:3000008:3000008::/home/BAZRTD/domain admins:/bin/false
>>
>>
>> getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
>> # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
>> # owner: domain\040admins
>> # group: domain\040admins
>> user::rwx
>> group::rwx
>> group:3000002:rwx
>> group:3000003:r-x
>> group:enterprise\040admins:rwx
>> group:domain\040admins:rwx
>> group:3000010:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:domain\040admins:rwx
>> default:group::---
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:group:enterprise\040admins:rwx
>> default:group:domain\040admins:rwx
>> default:group:3000010:r-x
>> default:mask::rwx
>> default:other::---
>>
>> the user owner is the group ?  how can the user owner be a group ?
>> Is this allowed ?  This I really don't know.
>
>Yes this is a mess and is caused by stupid stupid windows allowing groups
>to own files, therefore you end up with ID_TYPE_BOTH in idmap.ldb. From
>my investigations, it is only one group that owns files: Administrators,
>but instead of just making this group 'ID_TYPE_BOTH', samba makes a lot
>of groups 'ID_TYPE_BOTH', have a look in idmap.ldb.
>
>I also tested replacing the ownership of files and dirs in sysvol, I
>changed 'Administrators' for 'Administrator' and changed all occurrences
>of 'ID_TYPE_BOTH' in idmap.ldb to what it actually is. Looking from
>windows, I couldn't see any difference, because (and I am no windows
>expert) I think that windows doesn't actually care who owns the files,
>it only seems to care about the ACLs.
>
>Rowland
>
>>
>> so i have "user" : "domain admins"
>> and i have group : "domain admins"
>>
>> Documentation lacks here, or I really can't find it..
>>
>> anyone any comment on this ?
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>>> -----Original message-----
>>> From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>>> On behalf of L.P.H. van Belle
>>> Sent: Thursday 30 April 2015 8:10
>>> To: samba at lists.samba.org
>>> Subject: [Samba] FW: [Bug 11241] different ids even when
>>> idmap.ldb copied. not abug..
>>>
>>> Please read the reported bug and Bjorn's answer.. which does not
>>> help any to a solution or fix, or explanation.
>>> But the big question now is, does someone somewhere know what
>>> Bjorn is talking about.
>>>
>>> I did search for "gencache" but no go here..
>>> just from old documentation.
>>> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html
>>> gencache.tdb  Generic caching database.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>> -----Original message-----
>>> From: samba-bugs at samba.org [mailto:samba-bugs at samba.org]
>>> Sent: Wednesday 29 April 2015 17:51
>>> To: L.P.H. van Belle
>>> Subject: [Bug 11241] different ids even when idmap.ldb copied.
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=11241
>>>
>>> Björn Jacke <bj at sernet.de> changed:
>>>
>>>            What    |Removed                     |Added
>>> ----------------------------------------------------------------------------
>>>          Resolution|---                         |INVALID
>>>              Status|NEW                         |RESOLVED
>>>
>>> --- Comment #1 from Björn Jacke <bj at sernet.de> ---
>>> this is not a supported thing to do, so this is not a valid bug. winbindd has a
>>> different way of caching (investigate gencache for example) entries and this is
>>> probably what makes that hack stop working for you with winbindd.
>>>
>>>
>>> REPORTED BUG..
>>>
>>> Louis     2015-04-29 08:51:03 UTC
>>> Hi. Getting same ids on 2 DCs does not work anymore on samba 4.2.1
>>> with in smb.conf
>>> server services = -dns +winbindd -winbind
>>> If I set it to
>>> server services = -dns -winbindd +winbind
>>> it does work again.
>>>
>>> with 4.1.17 the solution was simple.. we stop samba on both servers.
>>> scp /var/lib/samba/private/idmap.ldb root@192.168.0.2:/var/lib/samba/private/
>>> started samba on both servers and
>>> id administrator gave the same ids for all groups.
>>>
>>> Now on 4.2.1
>>> DC1:  id administrator
>>> uid=0(root) gid=100(users) groups=0(root),100(users),
>>> 3000004(group policy creator owners),
>>> 3000006(enterprise admins),
>>> 3000008(domain admins),
>>> 3000007(schema admins),
>>> 3000005(denied rodc password replication group),
>>> 3000009(BUILTIN\users),
>>> 3000000(BUILTIN\administrators)
>>>
>>> id administrator
>>> uid=0(root) gid=100(users) groups=0(root),100(users),
>>> 3000011(group policy creator owners),
>>> 3000010(enterprise admins),
>>> 3000007(domain admins),
>>> 3000009(schema admins),
>>> 3000008(denied rodc password replication group),
>>> 3000001(BUILTIN\users),
>>> 3000000(BUILTIN\administrators)
>>>
>>>
>
>
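
Added example (not part of the original thread and not Samba code): a Python check that parses the two `id administrator` listings from the quoted bug report and lists the groups whose gid differs between the hosts, plus the gids that resolve to a different group on each side, which is what matters when sysvol files are compared or copied with numeric owners as in the `ls -n` output above. Treating the second, unlabelled listing as the other DC is an assumption, and the function names are illustrative.

```python
import re

# `id administrator` output copied from the bug report quoted above.
# Treating the second, unlabelled listing as the other DC is an assumption.
DC1 = r"""uid=0(root) gid=100(users) groups=0(root),100(users),
3000004(group policy creator owners),
3000006(enterprise admins),
3000008(domain admins),
3000007(schema admins),
3000005(denied rodc password replication group),
3000009(BUILTIN\users),
3000000(BUILTIN\administrators)"""
DC2 = r"""uid=0(root) gid=100(users) groups=0(root),100(users),
3000011(group policy creator owners),
3000010(enterprise admins),
3000007(domain admins),
3000009(schema admins),
3000008(denied rodc password replication group),
3000001(BUILTIN\users),
3000000(BUILTIN\administrators)"""

def parse_groups(id_output):
    """Return {group name: gid} from the groups= field of `id` output."""
    field = id_output.replace("\n", "").split("groups=", 1)[1]
    # Names may hold spaces and backslashes, but never a closing parenthesis.
    return {name: int(gid) for gid, name in re.findall(r"(\d+)\(([^)]*)\)", field)}

def differing(a, b):
    """Groups whose gid differs, or that exist on one host only."""
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}

def collisions(a, b):
    """gids present on both hosts that resolve to different group names."""
    ia, ib = ({g: n for n, g in m.items()} for m in (a, b))
    return {g: (ia[g], ib[g]) for g in sorted(set(ia) & set(ib)) if ia[g] != ib[g]}

def report(a, b):
    """One line per mismatched group, then one line per colliding gid."""
    lines = [f"MISMATCH {n}: {x} vs {y}" for n, (x, y) in differing(a, b).items()]
    lines += [f"COLLISION gid {g}: '{x}' vs '{y}'" for g, (x, y) in collisions(a, b).items()]
    return lines

if __name__ == "__main__":
    print("\n".join(report(parse_groups(DC1), parse_groups(DC2))))
```

To use it on live hosts, replace the two embedded listings with the output of `id administrator` captured on each DC.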


