[Samba] "wbinfo --sid-to-gid" returns false gids

Andrej Surkov surae at yandex.ru
Fri Jul 17 13:28:49 UTC 2015
17.07.2015, 17:30, "Rowland Penny" <rowlandpenny241155 at gmail.com>:
> On 17/07/15 12:03, Andrej Surkov wrote:
>>  I've got this on the backup DC
>>
>>  root at bdc:~# wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
>>  3000000
>
> OK, you have problems there, but not what you think. On my first DC
> (note I don't have a 'primary' or a 'backup' DC, I just have DC's) if I
> run 'wbinfo --name-to-sid=Domain\ Controllers' , I get:
>
> S-1-5-21-2025076216-3455336656-3842161122-516 SID_DOM_GROUP (2)
>
> If I then run 'wbinfo
> --sid-to-gid=S-1-5-21-2025076216-3455336656-3842161122-516' , I get:
>
> 3000025
>
> But if I run the same command on my other DC, I get:
>
> 3000021
>
> This is because idmap.ldb is not replicated between DC's . This can be
> checked by running 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb'
> on both machines and then searching for the relevant xidNumber. On the
> first DC, I get:
>
> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
> cn: S-1-5-21-2025076216-3455336656-3842161122-516
> objectClass: sidMap
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
> type: ID_TYPE_BOTH
> xidNumber: 3000025
> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>
> On the second DC, I get:
>
> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
> cn: S-1-5-21-2025076216-3455336656-3842161122-516
> objectClass: sidMap
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
> type: ID_TYPE_BOTH
> xidNumber: 3000021
> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>

Disagree; note that I've 3000019 in idmap.ldb, while wbinfo gives me 3000000 on the same DC. It is rather weird!

> So, provided you only use the DC's for authentication, this will not be
> a problem.
>
> Now we come to your problem, you seem somehow to have '3000000' mapped
> to 'Domain Controllers', on *both* my DC's, if I search in idmap.ldb for
> '3000000' I get this on both:
>
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
> Running 'wbinfo --sid-to-name=S-1-5-32-544' produces:
>
> BUILTIN\Administrators 4
>
> This is correct and it is this you need to fix, have you any idea how your
> 'Domain Controllers' group got mapped to the 'Administrators' group?

I've not any ... but this DC is a Debian OS in an LXC container, which was actually cloned from another DC in another domain. samba-tool join was applied then; idmap.ldb was replicated from the primary DC (the first DC in the domain, if you complain about "primary"). BTW, it is vanilla Samba 4.2.0.

>
> Rowland
>
>>  while
>>
>>  root at bdc:~# ldbedit -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-1166961617-3197558402-3341820450-516
>>  shows correct xid 3000019
>>
>>  and on the primary DC I've got
>>
>>  itk at dc:/$ wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
>>  3000019
>>
>>  which is actually correct.
>>
>>  How's that possible?
>>
>>  Andrej

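An added check for the situation discussed in this thread (not code from the thread or from Samba): it parses the LDIF records that ldbsearch/ldbedit print for idmap.ldb on two DCs, lists SIDs the DCs map to different xids and xids that name different groups on each DC, and looks up which SID owns a gid that wbinfo returned. The sample records are constructed from the values quoted above, trimmed to objectSid and xidNumber; the RID 512 record on the first DC is assumed for illustration.

```python
# Added example: compare idmap.ldb dumps from two Samba DCs (LDIF as printed by
# ldbsearch/ldbedit). Sample records are constructed from the thread's values, trimmed
# to the two attributes the check uses; the RID 512 record on DC1 is an assumption.
DC1_LDIF = """\
objectSid: S-1-5-32-544
xidNumber: 3000000

objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
xidNumber: 3000025

objectSid: S-1-5-21-2025076216-3455336656-3842161122-512
xidNumber: 3000021
"""
DC2_LDIF = """\
objectSid: S-1-5-32-544
xidNumber: 3000000

objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
xidNumber: 3000021
"""

def parse_idmap_ldif(text):
    """Return {objectSid: xidNumber} for every record in an LDIF dump of idmap.ldb."""
    mapping = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare_idmaps(dc_a, dc_b):
    """SIDs with different xids on each DC (harmless if the DCs only authenticate),
    and xids that name one group on DC A but another on DC B (a real risk if the
    DCs also serve files, since the same numeric gid then means different groups)."""
    sids = dc_a.keys() & dc_b.keys()
    sid_mismatch = {s: (dc_a[s], dc_b[s]) for s in sids if dc_a[s] != dc_b[s]}
    by_xid_a = {x: s for s, x in dc_a.items()}
    by_xid_b = {x: s for s, x in dc_b.items()}
    xids = by_xid_a.keys() & by_xid_b.keys()
    xid_conflict = {x: (by_xid_a[x], by_xid_b[x]) for x in xids if by_xid_a[x] != by_xid_b[x]}
    return sid_mismatch, xid_conflict

def owner_of_xid(mapping, xid):
    """Which SID idmap.ldb assigns to a gid that wbinfo returned (None if unmapped)."""
    return next((s for s, x in mapping.items() if x == xid), None)
```

Run it against real dumps with `ldbsearch -H /var/lib/samba/private/idmap.ldb objectClass=sidMap` captured on each DC; `owner_of_xid(mapping, 3000000)` answers the poster's question of which group actually owns the gid wbinfo printed.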