[Samba] "wbinfo --sid-to-gid" returns false gids

Rowland Penny rowlandpenny241155 at gmail.com
Fri Jul 17 13:48:30 UTC 2015


On 17/07/15 14:28, Andrej Surkov wrote:
>
> 17.07.2015, 17:30, "Rowland Penny" <rowlandpenny241155 at gmail.com>:
>> On 17/07/15 12:03, Andrej Surkov wrote:
>>>   I've got this on the backup DC
>>>
>>>   root at bdc:~# wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
>>>   3000000
>> OK, you have problems there, but not what you think. On my first DC
>> (note I don't have a 'primary' or a 'backup' DC, I just have DC's) if I
>> run 'wbinfo --name-to-sid=Domain\ Controllers' , I get:
>>
>> S-1-5-21-2025076216-3455336656-3842161122-516 SID_DOM_GROUP (2)
>>
>> If I then run 'wbinfo
>> --sid-to-gid=S-1-5-21-2025076216-3455336656-3842161122-516' , I get:
>>
>> 3000025
>>
>> But if I run the same command on my other DC, I get:
>>
>> 3000021
>>
>> This is because idmap.ldb is not replicated between DC's . This can be
>> checked by running 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb'
>> on both machines and then searching for the relevant xidNumber. On the
>> first DC, I get:
>>
>> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>> cn: S-1-5-21-2025076216-3455336656-3842161122-516
>> objectClass: sidMap
>> objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
>> type: ID_TYPE_BOTH
>> xidNumber: 3000025
>> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>>
>> On the second DC, I get:
>>
>> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>> cn: S-1-5-21-2025076216-3455336656-3842161122-516
>> objectClass: sidMap
>> objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
>> type: ID_TYPE_BOTH
>> xidNumber: 3000021
>> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
>>
> disagree, note - I've 3000019 in idmap.ldb, while wbinfo gives me 3000000 on the same DC, it is rather weird!

The actual numbers are a bit irrelevant, you can expect to see different 
xidNumbers between DCs, but 'Administrators' has always been '3000000' 
on every Samba 4 DC I have seen.

I think you need to find out why '3000000' isn't 'Administrators'.

Rowland

>
>> So, provided you only use the DC's for authentication, this will not be
>> a problem.
>>
>> Now we come to your problem, you seem somehow to have '3000000' mapped
>> to 'Domain Controllers', on *both* my DC's, if I search in idmap.ldb for
>> '3000000' I get this on both:
>>
>> dn: CN=S-1-5-32-544
>> cn: S-1-5-32-544
>> objectClass: sidMap
>> objectSid: S-1-5-32-544
>> type: ID_TYPE_BOTH
>> xidNumber: 3000000
>> distinguishedName: CN=S-1-5-32-544
>>
>> Running 'wbinfo --sid-to-name=S-1-5-32-544' produces:
>>
>> BUILTIN\Administrators 4
>>
>> This is correct and it is this you need to fix, have you any idea how your
>> 'Domain Controllers' group got mapped to the 'Administrators' group?
> I've not any ... but this DC is a Debian OS in an lxc container, which was actually cloned from another DC in another domain. samba-tool join was applied then, idmap.ldb was replicated off the primary DC (the first DC in the domain, if you complain about primary). BTW, it is vanilla samba 4.2.0.
>
>> Rowland
>>
>>>   while
>>>
>>>   root at bdc:~# ldbedit -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-1166961617-3197558402-3341820450-516
>>>   shows correct xid 3000019
>>>
>>>   and on the primary DC I've got
>>>
>>>   itk at dc:/$ wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
>>>   3000019
>>>
>>>   which is actually correct.
>>>
>>>   How's that possible?
>>>
>>>   Andrej
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
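The checks Rowland walks through above (search idmap.ldb on each DC for the xidNumber, confirm that 3000000 belongs to S-1-5-32-544, and compare that with what wbinfo returns) can be scripted once the LDIF output of ldbsearch/ldbedit has been saved to a file. The script below is an added example, not code from the thread or from the Samba project. The two LDIF dumps embedded in it are constructed to mirror the entries quoted in the thread (the same SIDs and xidNumbers), and the function and variable names are my own. It parses each dump, reports SIDs whose xidNumber differs between the two DCs (expected, since idmap.ldb is not replicated), reports any xidNumber that is assigned to more than one SID within a single DC, and compares a gid returned by wbinfo against the stored xidNumber, naming the SID that really owns that xid when they disagree, which is exactly the "3000000 for Domain Controllers" symptom Andrej reported.

```python
from collections import defaultdict

# Well-known SID for BUILTIN\Administrators, as quoted in the thread.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
# Domain Controllers group SID from Rowland's domain (RID 516), used as sample input.
DC_GROUP_SID = "S-1-5-21-2025076216-3455336656-3842161122-516"

# Constructed sample: LDIF as ldbsearch/ldbedit prints it from idmap.ldb on DC 1.
DC1_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
cn: S-1-5-21-2025076216-3455336656-3842161122-516
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
type: ID_TYPE_BOTH
xidNumber: 3000025
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
"""

# Constructed sample: the same two entries dumped on DC 2; only the domain
# group's xidNumber differs, because idmap.ldb is allocated locally per DC.
DC2_LDIF = DC1_LDIF.replace("xidNumber: 3000025", "xidNumber: 3000021")


def parse_idmap_ldif(text):
    """Return {objectSid: {"xid": int, "type": str}} from an LDIF dump of idmap.ldb.

    Records are separated by blank lines; only records carrying both an
    objectSid and an xidNumber are kept (the sidMap entries we care about).
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        sid = attrs.get("objectSid")
        if sid and "xidNumber" in attrs:
            entries[sid] = {"xid": int(attrs["xidNumber"]), "type": attrs.get("type", "")}
    return entries


def xid_collisions(entries):
    """xidNumbers that one DC's idmap.ldb assigns to more than one SID."""
    by_xid = defaultdict(list)
    for sid, rec in entries.items():
        by_xid[rec["xid"]].append(sid)
    return {xid: sorted(sids) for xid, sids in by_xid.items() if len(sids) > 1}


def diverging_xids(dc_a, dc_b):
    """SIDs present on both DCs whose xidNumber differs: {sid: (xid_a, xid_b)}."""
    return {
        sid: (dc_a[sid]["xid"], dc_b[sid]["xid"])
        for sid in dc_a.keys() & dc_b.keys()
        if dc_a[sid]["xid"] != dc_b[sid]["xid"]
    }


def check_wbinfo_against_ldb(entries, sid, wbinfo_gid):
    """Compare the gid wbinfo returned for `sid` with the xidNumber stored in idmap.ldb.

    Returns (ok, detail). When they disagree, detail names the SID that idmap.ldb
    actually maps to the gid wbinfo produced, if any.
    """
    rec = entries.get(sid)
    if rec is None:
        return False, f"{sid} has no sidMap entry in idmap.ldb"
    if rec["xid"] != wbinfo_gid:
        owners = [s for s, r in entries.items() if r["xid"] == wbinfo_gid]
        hint = f"; idmap.ldb assigns {wbinfo_gid} to {owners[0]}" if owners else ""
        return False, f"wbinfo says {wbinfo_gid}, idmap.ldb says {rec['xid']}{hint}"
    return True, f"{sid} -> {wbinfo_gid} is consistent"


if __name__ == "__main__":
    dc1 = parse_idmap_ldif(DC1_LDIF)
    dc2 = parse_idmap_ldif(DC2_LDIF)
    print("collisions on DC1:", xid_collisions(dc1))
    print("diverging between DCs:", diverging_xids(dc1, dc2))
    # Reproduce the thread's symptom: wbinfo returns 3000000 for the DC group SID.
    print(check_wbinfo_against_ldb(dc1, DC_GROUP_SID, 3000000))
    print(check_wbinfo_against_ldb(dc1, BUILTIN_ADMINISTRATORS, 3000000))
```

On a real DC, feed it the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb` (or the `/usr/local/samba/private` path used in the thread) from each DC; divergence between DCs is normal and only matters if the DCs also serve files, whereas a collision within one DC, or a wbinfo answer that idmap.ldb attributes to a different SID, is the kind of fault the thread is chasing.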
