[Samba] Duplicate xidNumbers

Bob Thomas bthomas at cybernetics.com
Fri Jan 13 15:24:28 UTC 2017


Hello Samba team,

I have 3 production Samba DCs (version 4.5.1) serving the same domain (2 
sites), and all are having the same problems, which I believe are based on 
the two duplicate xidNumbers described below.
xidNumbers 3000002 & 3000003 each have two SIDs assigned, while xidNumbers 
3000011 & 3000012 have no SIDs assigned. Is fixing this as simple as 
moving one of the duplicates to the empty xidNumber, and if so, how can I 
safely accomplish the move?
Details below.
Thank you in advance for your assistance.
Bob Thomas

Problem 1. Duplicate xidNumbers

3000002  dn: CN=S-1-5-21-976934076-1976663741-3168181429-501  = Guest
3000002  dn: CN=S-1-5-18                                      = Local System
3000003  dn: CN=S-1-5-21-976934076-1976663741-3168181429-514  = Domain Guests
3000003  dn: CN=S-1-5-11                                      = Authenticated Users

Empty xidNumbers:
3000011
3000012
wbinfo --gid-info shows:
root at CY-DC:~# wbinfo --gid-info 3000002
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000002

root at CY-DC:~# wbinfo --gid-info 3000003
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000003

root at CY-DC:~# wbinfo --gid-info 3000011
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000011

root at CY-DC:~# wbinfo --gid-info 3000012
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000012

All other gid-info lookups work.
smb.conf:

[global]
        netbios name = DC1
        realm = MY.DOMAIN.COM
        workgroup = MY
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        allow dns updates = nonsecure and secure
        log level = 1
        ntlm auth = yes
        lanman auth = yes
        # stops cups errors in log file
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /var/lib/samba/sysvol/my.domain.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

nsswitch.conf:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

root at CY-DC:~#  getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Problem 2. Not sure it is related, but when I run "samba-tool ntacl 
sysvolreset" I get hundreds of:
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
This behavior started after removing the following from smb.conf, as 
recommended by this forum:

       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

If you need any additional information, don't hesitate to ask. Thanks again.
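One way to audit idmap.ldb for exactly the condition reported above, as an added example that is not part of the post and is not Samba's own tooling: the script below parses an LDIF dump of the kind "ldbsearch -H /var/lib/samba/private/idmap.ldb" prints, reports every xidNumber that more than one SID is mapped to, and lists every number inside a given range that no SID uses. The sample LDIF is constructed (it reuses the SIDs and the two duplicated xidNumbers quoted in the post, but the remaining mappings, the abbreviated attribute set and the range bounds 3000000-3000006 are assumptions made for the demonstration).

```python
"""Audit an idmap.ldb LDIF dump for duplicate and unused xidNumbers.

Added example, not code from the mailing-list post or from Samba. The sample
below is constructed to resemble an abbreviated ldbsearch listing of
idmap.ldb; the SIDs and duplicated xidNumbers come from the post, the other
mappings and the range bounds are assumptions for the demonstration.
"""
import re
from collections import defaultdict

# Constructed sample: two SIDs share 3000002 and two share 3000003, while
# 3000001, 3000005 and 3000006 lie inside the audited range but map no SID.
SAMPLE_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-976934076-1976663741-3168181429-501
objectSid: S-1-5-21-976934076-1976663741-3168181429-501
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-18
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-21-976934076-1976663741-3168181429-514
objectSid: S-1-5-21-976934076-1976663741-3168181429-514
type: ID_TYPE_BOTH
xidNumber: 3000003

dn: CN=S-1-5-11
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003

dn: CN=S-1-5-21-976934076-1976663741-3168181429-513
objectSid: S-1-5-21-976934076-1976663741-3168181429-513
type: ID_TYPE_BOTH
xidNumber: 3000004
"""


def parse_idmap_ldif(text):
    """Return (sid, xidNumber, type) tuples for every entry carrying both attributes.

    Continuation lines (LDIF folding, leading space) are joined back onto the
    previous line, comment lines are ignored, and base64 values ("attr:: ...")
    are skipped because neither attribute we need is ever base64-encoded here.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = []
        for line in block.splitlines():
            if line.startswith(" ") and unfolded:
                unfolded[-1] += line[1:]          # join folded continuation line
            elif not line.startswith("#"):
                unfolded.append(line)
        attrs = {}
        for line in unfolded:
            key, sep, value = line.partition(":")
            if sep and not value.startswith(":"):  # "::" marks a base64 value
                attrs[key.strip().lower()] = value.strip()
        if "objectsid" in attrs and "xidnumber" in attrs:
            entries.append((attrs["objectsid"], int(attrs["xidnumber"]),
                            attrs.get("type", "UNKNOWN")))
    return entries


def find_duplicate_xids(entries):
    """Map each xidNumber that is assigned to more than one SID to those SIDs."""
    by_xid = defaultdict(list)
    for sid, xid, _ in entries:
        by_xid[xid].append(sid)
    return {xid: sids for xid, sids in sorted(by_xid.items()) if len(sids) > 1}


def find_unused_xids(entries, low, high):
    """Return the xidNumbers in [low, high] that no SID is mapped to."""
    used = {xid for _, xid, _ in entries}
    return [xid for xid in range(low, high + 1) if xid not in used]


def audit(text, low, high):
    """Run both checks over one LDIF dump and return the findings."""
    entries = parse_idmap_ldif(text)
    return {"duplicates": find_duplicate_xids(entries),
            "unused": find_unused_xids(entries, low, high)}


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF, 3000000, 3000006)   # range bounds are assumed
    for xid, sids in report["duplicates"].items():
        print(f"xidNumber {xid} is shared by: {', '.join(sids)}")
    print("unused xidNumbers in range:", report["unused"])
```

Against a real dump, save the ldbsearch output to a file and pass its contents to audit() with the range your DCs actually allocate from; the duplicate list shows every SID that shares a number, which is the information needed before any mapping is changed, and the unused list shows whether a free number exists inside the same range.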
