[Samba] Duplicate xidNumbers
Bob Thomas
bthomas at cybernetics.com
Fri Jan 13 15:24:28 UTC 2017
Hello Samba team,
I have 3 production Samba DCs, version 4.5.1, serving the same domain (2
sites), and all are having the same problems, which I believe are based on
the two duplicate xidNumbers described below.
xidNumbers 3000002 & 3000003 have two SIDs assigned while xidNumbers
3000011 & 3000012 have no SIDs assigned. Is fixing this as simple as
moving one of the duplicates to the empty xidNumber and if so how can I
safely accomplish the move?
Details below.
Thank you in advance for your assistance.
Bob Thomas
Problem 1. Duplicate xidNumbers
3000002 dn: CN=S-1-5-21-976934076-1976663741-3168181429-501 = Guest
3000002 dn: CN=S-1-5-18 = Local System
3000003 dn: CN=S-1-5-21-976934076-1976663741-3168181429-514 = Domain Guests
3000003 dn: CN=S-1-5-11 = Authenticated Users
Empty xidNumbers
3000011
3000012
wbinfo --gid-info shows:
root at CY-DC:~# wbinfo --gid-info 3000002
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000002
root at CY-DC:~# wbinfo --gid-info 3000003
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000003
root at CY-DC:~# wbinfo --gid-info 3000011
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000011
root at CY-DC:~# wbinfo --gid-info 3000012
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000012
All other gid-info lookups work.
smb.conf:
[global]
netbios name = DC1
realm = MY.DOMAIN.COM
workgroup = MY
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
allow dns updates = nonsecure and secure
log level = 1
ntlm auth = yes
lanman auth = yes
# stops cups errors in log file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[netlogon]
path = /var/lib/samba/sysvol/my.domain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
nsswitch.conf:
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
root at CY-DC:~# getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
Problem 2. Not sure it is related, but when I run: samba-tool ntacl
sysvolreset I get hundreds of:
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
This behavior started after removing the following from smb.conf as
recommended by this forum:
idmap config *:backend = tdb
idmap config *:range = 2000-9999
If you need any additional information, don't hesitate to ask. Thanks again.
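As an added check (not part of Bob's post or of Samba itself), the following Python script parses an LDIF dump of idmap.ldb and reports every xidNumber claimed by more than one SID, plus the unused numbers inside the allocated range; the sample dump is constructed from the SIDs quoted in the mail, and the ldbsearch command and database path named in the comment are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the listing in the mail: LDIF records as
# printed by `ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=*)' xidNumber`
# (that path and command are assumptions, not taken from the original post).
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-976934076-1976663741-3168181429-501
xidNumber: 3000002

dn: CN=S-1-5-18
xidNumber: 3000002

dn: CN=S-1-5-21-976934076-1976663741-3168181429-514
xidNumber: 3000003

dn: CN=S-1-5-11
xidNumber: 3000003

dn: CN=S-1-5-21-976934076-1976663741-3168181429-513
xidNumber: 3000010

dn: CN=S-1-5-32-544
xidNumber: 3000013
"""

DN_RE = re.compile(r"^dn:\s*CN=(S-\d+(?:-\d+)+)", re.MULTILINE)
XID_RE = re.compile(r"^xidNumber:\s*(\d+)", re.MULTILINE)

def parse_idmap_ldif(text):
    """Map each xidNumber to the SIDs that claim it (LDIF records are blank-line separated)."""
    by_xid = defaultdict(list)
    for record in re.split(r"\n\s*\n", text.strip()):
        dn, xid = DN_RE.search(record), XID_RE.search(record)
        if dn and xid:  # a record without both attributes is not an id mapping
            by_xid[int(xid.group(1))].append(dn.group(1))
    return dict(by_xid)

def duplicate_xids(by_xid):
    """xidNumbers assigned to more than one SID: the 'Problem 1' condition."""
    return {xid: sids for xid, sids in sorted(by_xid.items()) if len(sids) > 1}

def unused_xids(by_xid):
    """Gaps in the allocated range: numbers between the lowest and highest xid with no SID."""
    lo, hi = min(by_xid), max(by_xid)
    return [x for x in range(lo, hi + 1) if x not in by_xid]

if __name__ == "__main__":
    m = parse_idmap_ldif(SAMPLE_LDIF)
    print(duplicate_xids(m), unused_xids(m))
```

The script only reads the dump and writes nothing to idmap.ldb, so it can be run against a copy taken from each DC to confirm all three show the same collisions.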