[Samba] idmap & migration to rfc2307
Michael Adam
obnox at samba.org
Sun Nov 8 11:10:47 UTC 2015
On 2015-11-08 at 03:13 +0000, Jonathan Hunter wrote:
> On 7 November 2015 at 18:57, Michael Adam <obnox at samba.org> wrote:
> > The mapping should indeed be consistent for a user on the DC,
> > so it should not intermittently switch between idmap.ldb and
> > the rfc attributes. That would be a bug that we need to
> > understand.
> >
> > One step as written in a previous mail would be to change
> > the dc code to _never_ fall back to idmap.ldb when configured
> > with "idmap_ldb:use rfc2307 = yes".
> >
> > Then you write that when you see the wrong uid,
> > a 'net cache flush' gets you back the correct uid.
> > That is interesting. That flush command flushes
> > winbindd's idmap cache (which is also used r/o by
> > smbd).
> >
> > We need to understand what happens here.
> > Rowland has already correctly asked for higher-level
> > logs.
>
> I now have these logs available - I will email the full extracts
> direct to you Michael, but I don't want to post them on a public forum
> as there is rather a lot of information to sanitise and I will no
> doubt break consistency in the logs if I do so. If anybody else on the
> dev team would like a copy, that's fine - just email me and I will
> send them to you also.
>
> In summary, /usr/local/samba/var/log.winbindd-idmap shows the
> following 3000007 UID being allocated to my user that already has a
> UID from rfc2307 attributes e.g. 41234. I don't know why.. but this is
> where the problem occurs:
>
> [2015/11/08 01:07:02.077532, 4, pid=24816, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual.c:1389(child_handler)
> child daemon request 59
> [2015/11/08 01:07:02.077573, 10, pid=24816, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual.c:512(child_process_request)
> child_process_request: request fn NDRCMD
> [2015/11/08 01:07:02.077616, 10, pid=24816, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual_ndr.c:315(winbindd_dual_ndrcmd)
> winbindd_dual_ndrcmd: Running command WBINT_GID2SID (no domain)
> [2015/11/08 01:07:02.077666, 10, pid=24816, effective(0, 0), real(0,
> 0), class=idmap]
> ../source3/winbindd/idmap_util.c:106(idmap_gid_to_sid)
> idmap_gid_to_sid: gid = [3000007]
> [2015/11/08 01:07:02.077732, 10, pid=24816, effective(0, 0), real(0,
> 0), class=idmap]
> ../source3/winbindd/idmap.c:518(idmap_backends_unixid_to_sid)
> idmap_backend_unixid_to_sid: xid = 3000007 (type 2)
> [2015/11/08 01:07:02.081098, 4, pid=24816, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual.c:1397(child_handler)
> Finished processing child request 59
>
> I can raise this in bugzilla if that is helpful, now.
>
> My working theory is that there is maybe a file on the server,
> somewhere, that is mapped to an old UID i.e. 3000007, either via an
> acl or by simple UID ownership.. and in some way samba is coming
> across this file and it's triggering the behaviour above??
It looks like a gid_to_sid call triggers the problem.
Interestingly, gid not uid. And this seems to be
coming from nsswitch, may e.g. have been a
ls -l on a file with 3000007 as GID.
That makes perfect sense,
with this possible chain of events:
- user created. no rfc attribute configured yet.
- user accesses dc, mapping sid<->3000007 is created.
- the mappings of idmap.ldb are can serve for both
uids and gids. hence the gid can have ended up in
the group perms of a file somehow.
- now the rfc uid is set for the user. and later
access as the user also fills the idmap cache
with sid<->40000X.
- for the time being this user is always treated
as uid 40000X.
- but then somehting like ls -l triggers the
getgrgid 3000007 call and this leads to
gid_to_sid(3000007) in winbindd. Since this is
coming via Unix IDs it finds the entry 3000007
in idmap.ldb and returns that mapping, also
filling the cache with that mapping.
- henceforth (until the cache expires) idmap
requests for the SID are answered from the cache
and 3000007 is returned instead of the 400000X.
You could try to prove this by:
- net cache flush
- getent passwd <your user>
- net cache list | grep <your.sid>
- ls -l on the file with gid 3000007
- net cache list | grep <your.sid>
A more 'realistic' variant would be:
- find a file with gid 3000007 in your tree.
- net cache flush
- access the samba with your user
- net cache list | grep <your.sid>
- getent group 3000007
- net cache list | grep <your.sid>
Also dump of idmap entries from idmap.ldb with id 3000007
could be interesting.
> I think the previous suggestion of never falling back to idmap.ldb if
> rfc2307 is configured makes perfect sense.
Indeed. That would have prevented the above problem!
This is also the reason why in the s3-winbindd code
we do not use these layered idmap systems. (This here
is the s4-winbind idmap code.)
So as part of solving the problem, I think we need
to disable the fallback to idmap.ldb.
The above chain of events could be turned into
a nice general reproducer and that might be sufficient
to create a bug and justify the patch.
I'd love to hear the experts of the AD code comment on it though.
Cheers - Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20151108/5d881d63/signature.sig>
More information about the samba
mailing list