[Samba] Problem with one User after upgrade to 4.5.0
Paul R. Ganci
ganci at nurdog.com
Mon Oct 10 03:50:44 UTC 2016
On 10/09/2016 12:14 PM, Rowland Penny via samba wrote:
> On Sun, 9 Oct 2016 11:50:42 -0600
> "Paul R. Ganci via samba"<samba at lists.samba.org> wrote:
>
>> On 10/09/2016 02:51 AM, Rowland Penny via samba wrote:
>>> Have you by any chance got another 3001108 'xidNumber' in
>>> idmap.ldb ? If you give a user a 'uidNumber' attribute, the
>>> contents of this will be used instead of the 'xidNumber' in
>>> idmap.ldb, hence you do not need to (and probably shouldn't) use
>>> numbers in the '3000000' range.
So I am still seeing some flakiness with the uidNumber 3001108. I just
added a new client to the domain and for some weird reason it is getting
the incorrect group id for the ssh_users group I created. On the DC and
2 Windows 7 Boxes and 3 CentOS 6 boxes getent returns the correct:
> getent group ssh_users
ssh_users:x:3001109:
But on the new CentOS 7 box with a fresh install of sernet-samba 4.5.0
I get this incorrect result:
> getent group ssh_users
ssh_users:x:3001108:
I went through every entry in the idmap.ldb and there are no duplicates.
In fact the only place 3001108 shows up is as the uidNumber for account
sln-11868bg which I showed earlier in the day:
> getent passwd sln-11868bg
sln-11868bg:*:3001108:3000513:John Q. Public:/home/sln-11868bg:/bin/bash
Here is the idmap.txt. The SIDs are listed in first column, the
description of the SID is in the second column, the xidNumber is in the
third column and where appropriate the uidNumber is in the 4th column
and gidNumber in the 5th column. I sorted the idmap.ldb xidNumber in
ascending order and determined there are no duplicate xidNumbers. Given
this table does anyone see anything stand out that is wrong that would
cause one client to get the incorrect group gidNumber? This is
everything in the domain...
SID Description xidNumber uidNumber gidNumber
S-1-5-21-729452656-3029571206-2736118167-500 SAMDOM\Administrator 1 0
S-1-5-32-544 BUILTIN\Administrators 4 3000000
S-1-5-32-549 BUILTIN\Server Operators 4 3000001
S-1-5-21-729452656-3029571206-2736118167-572 SAMDOM\Denied RODC Password Replication Group 4 3000005
S-1-5-32-545 BUILTIN\Users 4 3000009
S-1-5-32-546 BUILTIN\Guests 4 3000015
S-1-5-21-729452656-3029571206-2736118167-1000 SAMDOM\NIKITA$ 1 3000016
S-1-5-32-560 BUILTIN\Windows Authorization Access Group 4 3000018
S-1-5-32-554 BUILTIN\Pre-Windows 2000 Compatible Access 4 3000019
S-1-5-21-729452656-3029571206-2736118167-1105 SAMDOM\SASHA$ 1 3000027
S-1-5-21-729452656-3029571206-2736118167-1114 SAMDOM\NANOOK$ 1 3000035
S-1-5-21-729452656-3029571206-2736118167-1115 SAMDOM\Roaming Profile and Folder Redirection Users 2 3000036
S-1-5-21-729452656-3029571206-2736118167-1116 SAMDOM\nas$ 1 3000037
S-1-5-21-729452656-3029571206-2736118167-1117 SAMDOM\imap-nikita 1 3000038
S-1-5-21-729452656-3029571206-2736118167-1118 SAMDOM\smtp-nikita 1 3000039
S-1-5-21-729452656-3029571206-2736118167-498 SAMDOM\Enterprise Read-Only Domain Controllers 2 3000052
S-1-5-21-729452656-3029571206-2736118167-1133 SAMDOM\mcduff$ 1 3000054
S-1-5-21-729452656-3029571206-2736118167-1134 SAMDOM\shamu$ 1 3000055
S-1-5-21-729452656-3029571206-2736118167-1143 SAMDOM\sln-11868bg 1 3000062 3001108 30000513
S-1-5-21-729452656-3029571206-2736118167-1145 SAMDOM\media-server$ 1 3000064
S-1-5-32-548 BUILTIN\Account Operators 4 3000066
S-1-5-32-551 BUILTIN\Backup Operators 4 3000068
S-1-5-32-550 BUILTIN\Print Operators 4 3000067
S-1-5-32-552 BUILTIN\Replicator 3000069
S-1-5-32-555 BUILTIN\Remote Desktop Users 4 3000070
S-1-5-32-556 BUILTIN\Network Configuration Operators 4 3000071
S-1-5-32-557 BUILTIN\Incoming Forest Trust Builders 4 3000072
S-1-5-32-558 BUILTIN\Performance Monitor Users 4 3000073
S-1-5-32-559 BUILTIN\Performance Log Users 4 3000074
S-1-5-32-561 BUILTIN\Terminal Server License Servers 4 3000075
S-1-5-32-562 BUILTIN\Distributed COM Users 4 3000076
S-1-5-32-568 BUILTIN\IIS_IUSRS 4 3000077
S-1-5-32-573 BUILTIN\Event Log Readers 4 3000079
S-1-5-32-569 BUILTIN\Cryptographic Operators 4 3000078
S-1-5-32-574 BUILTIN\Certificate Service DCOM Access 4 3000080
S-1-5-21-729452656-3029571206-2736118167-517 SAMDOM\Cert Publishers 4 3000081
S-1-5-21-729452656-3029571206-2736118167-553 SAMDOM\RAS and IAS Servers 4 3000082
S-1-5-21-729452656-3029571206-2736118167-571 SAMDOM\Allowed RODC Password Replication Group 4 3000083
S-1-5-21-729452656-3029571206-2736118167-1102 SAMDOM\DnsAdmins 4 3000084
CN=CONFIG lowerBound: 3000000 upperBound: 4000000 3000086
S-1-5-21-729452656-3029571206-2736118167-501 SAMDOM\Guest 1 3000501
S-1-5-21-729452656-3029571206-2736118167-502 SAMDOM\krbtgt 1 3000502
S-1-5-21-729452656-3029571206-2736118167-512 SAMDOM\Domain Admins 2 3000512 3000512
S-1-5-21-729452656-3029571206-2736118167-513 SAMDOM\Domain Users 2 3000513 3000513
S-1-5-21-729452656-3029571206-2736118167-514 SAMDOM\Domain Guests 2 3000514
S-1-5-21-729452656-3029571206-2736118167-515 SAMDOM\Domain Computers 2 3000515
S-1-5-21-729452656-3029571206-2736118167-516 SAMDOM\Domain Controllers 2 3000516
S-1-5-21-729452656-3029571206-2736118167-518 SAMDOM\Schema Admins 2 3000518
S-1-5-21-729452656-3029571206-2736118167-519 SAMDOM\Enterprise Admins 2 3000519
S-1-5-21-729452656-3029571206-2736118167-521 SAMDOM\Read-Only Domain Controllers 2 3000521
S-1-5-21-729452656-3029571206-2736118167-1101 SAMDOM\dns-nikita 1 3001101
S-1-5-21-729452656-3029571206-2736118167-1103 SAMDOM\DnsUpdateProxy 2 3001103
S-1-5-21-729452656-3029571206-2736118167-1144 SAMDOM\prg-11868bg 1 3001107 3001107 3000513
S-1-5-21-729452656-3029571206-2736118167-1109 SAMDOM\ssh_users 2 3001109 3001109
I only have two accounts (not counting the Administrator account) and
3 groups that maybe I care about so changing gidNumbers and/or
uidNumbers should not be too big a deal. But I am not convinced that is
going to fix anything.
--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
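
The two checks discussed in this message, as an added example that is not part of the original post: it looks for a number claimed by more than one SID once a uidNumber/gidNumber override of xidNumber is applied (the rule stated in the quoted reply), and it compares `getent group` answers between hosts. The SIDs, the `kind` field, the host names and the last row (a deliberate collision) are constructed for illustration.

```python
from collections import defaultdict

# Constructed rows modelled on the table in the post; "kind" is an assumed field.
ROWS = [
    {"sid": "S-1-5-21-EXAMPLE-1143", "kind": "user", "xidNumber": 3000062,
     "uidNumber": 3001108, "gidNumber": 3000513},
    {"sid": "S-1-5-21-EXAMPLE-1144", "kind": "user", "xidNumber": 3001107,
     "uidNumber": 3001107, "gidNumber": 3000513},
    {"sid": "S-1-5-21-EXAMPLE-1109", "kind": "group", "xidNumber": 3001109,
     "uidNumber": None, "gidNumber": 3001109},
    {"sid": "S-1-5-21-EXAMPLE-513", "kind": "group", "xidNumber": 3000513,
     "uidNumber": None, "gidNumber": 3000513},
    # Constructed collision: a group whose xidNumber equals a user's uidNumber.
    {"sid": "S-1-5-21-EXAMPLE-1200", "kind": "group", "xidNumber": 3001108,
     "uidNumber": None, "gidNumber": None},
]

def effective_id(row):
    """uidNumber (users) or gidNumber (groups) wins over xidNumber when set."""
    override = row["uidNumber"] if row["kind"] == "user" else row["gidNumber"]
    return override if override is not None else row["xidNumber"]

def find_collisions(rows):
    """Return {number: [(sid, attribute), ...]} for numbers claimed by >1 SID."""
    claims = defaultdict(set)
    for r in rows:
        claims[r["xidNumber"]].add((r["sid"], "xidNumber"))
        eff = effective_id(r)
        if eff != r["xidNumber"]:
            attr = "uidNumber" if r["kind"] == "user" else "gidNumber"
            claims[eff].add((r["sid"], attr))
    return {n: sorted(c) for n, c in claims.items()
            if len({sid for sid, _ in c}) > 1}

def gid_by_host(getent_lines):
    """Group hosts by the gid in their 'getent group' line; {} if all agree."""
    seen = defaultdict(list)
    for host, line in getent_lines.items():
        _name, _pw, gid, _members = line.split(":", 3)
        seen[int(gid)].append(host)
    return dict(seen) if len(seen) > 1 else {}

if __name__ == "__main__":
    print(find_collisions(ROWS))
    # Host names are constructed; the getent lines are the two shown in the post.
    print(gid_by_host({"dc1": "ssh_users:x:3001109:",
                       "centos7-new": "ssh_users:x:3001108:"}))
```

An empty result from `find_collisions` on the real data together with a non-empty `gid_by_host` points away from the directory data and toward the one client that disagrees.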