[Samba] Duplicate xidNumbers

Rowland Penny rpenny at samba.org
Fri Jan 13 16:09:39 UTC 2017


On Fri, 13 Jan 2017 10:24:28 -0500
Bob Thomas via samba <samba at lists.samba.org> wrote:

> Hello Samba team,
> 
> I have 3 production Samba DCs (version 4.5.1) serving the same domain
> (2 sites) and all are having the same problems, I believe based on
> two duplicate xidNumbers described below.
> xidNumbers 3000002 & 3000003 have two SIDs assigned while xidNumbers 
> 3000011 & 3000012 have no SIDs assigned.  Is fixing this as simple as 
> moving one of the duplicates to the empty xidNumber and if so how can
> I safely accomplish the move?
> Details below.
> Thank you in advance for your assistance
> Bob Thomas
> 
> Problem 1. Duplicate xidNumbers
> 
> 3000002  dn: CN=S-1-5-21-976934076-1976663741-3168181429-501  = Guest
> 3000002  dn: CN=S-1-5-18                                       = Local System
> 3000003  dn: CN=S-1-5-21-976934076-1976663741-3168181429-514  = Domain Guests
> 3000003  dn: CN=S-1-5-11                                       = Authenticated Users
> Empty xidNumbers
> 3000011
> 3000012
> wbinfo --gid-info shows:
> root at CY-DC:~# wbinfo --gid-info 3000002
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000002
> 
> root at CY-DC:~# wbinfo --gid-info 3000003
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000003
> 
> root at CY-DC:~# wbinfo --gid-info 3000011
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000011
> 
> root at CY-DC:~# wbinfo --gid-info 3000012
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000012
> 
> all other gid-info work
> smb.conf:
> 
> [global]
>          netbios name = DC1
>          realm = MY.DOMAIN.COM
>          workgroup = MY
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 = yes
>          ldap server require strong auth = no
>          allow dns updates = nonsecure and secure
>          log level = 1
>          ntlm auth = yes
>          lanman auth = yes
> # stops cups errors in log file
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
> [netlogon]
>          path = /var/lib/samba/sysvol/my.domain.com/scripts
>          read only = No
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> nsswitch.conf:
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> root at CY-DC:~#  getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134server\040operators:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> Problem 2.  Not sure it is related, but when I run 'samba-tool ntacl
> sysvolreset' I get hundreds of:
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> This behavior started after removing the following from smb.conf, as
> recommended by this list:
> 
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-9999
> 
> If you need any additional information don't hesitate to ask - Thanks
> again
> 

Problem 1: have you tried running 'net cache flush'?
Have you also tried using ldbedit to look inside idmap.ldb?

Problem 2: The lines shouldn't be in a DC smb.conf, so you did the
right thing removing them, perhaps 'net cache flush' will fix this as
well.

Rowland
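An added example, not part of Rowland's reply and not Samba's own tooling: a POSIX shell audit that reads the LDIF that 'ldbsearch' prints from idmap.ldb and reports every xidNumber mapped to more than one SID, plus the unused numbers inside the allocated range (the two symptoms in the question). The sample LDIF below is constructed to mirror the listing in the question; the idmap.ldb path in the usage comment is the usual Samba private-dir location and is an assumption for your install.

```shell
#!/bin/sh
# Audit idmap.ldb for duplicate or unused xidNumbers (example code,
# not from the Samba project).
#
# Real use on a DC (path is an assumption for this example):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=*)' xidNumber | dups
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=*)' xidNumber | gaps
#
# idmap.ldb names each mapping entry by its SID (dn: CN=<SID>), which is
# what the question's listing shows, so the SID is taken from the dn line
# rather than from the binary objectSid attribute.

# Print "xidNumber SID" per entry, in LDIF order. Entries are separated by
# blank lines; comment lines such as "# record 1" are ignored.
pairs() {
  awk '
    /^dn: CN=/        { sid = substr($0, 8) }
    /^xidNumber: /    { xid = $2 }
    /^$/ && sid != "" && xid != "" { print xid, sid; sid = ""; xid = "" }
    END { if (sid != "" && xid != "") print xid, sid }
  '
}

# xidNumbers that more than one SID resolves to: "xid SID1,SID2,..."
dups() {
  pairs | awk '
    { n[$1]++; s[$1] = (s[$1] == "" ? $2 : s[$1] "," $2) }
    END { for (x in n) if (n[x] > 1) print x, s[x] }
  ' | sort -n
}

# xidNumbers between the lowest and highest allocated that map to nothing
gaps() {
  pairs | awk '
    NR == 1 { min = $1; max = $1 }
    { used[$1] = 1
      if ($1 + 0 < min + 0) min = $1
      if ($1 + 0 > max + 0) max = $1 }
    END { if (NR > 0) for (x = min; x <= max; x++) if (!(x in used)) print x }
  '
}

# Constructed sample LDIF, shaped like ldbsearch output and modelled on the
# duplicates reported in the question (two extra entries added for the gap
# check). Not real data from the poster's domain.
SAMPLE_LDIF='# record 1
dn: CN=S-1-5-21-976934076-1976663741-3168181429-501
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000002

# record 2
dn: CN=S-1-5-18
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000002

# record 3
dn: CN=S-1-5-21-976934076-1976663741-3168181429-514
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000003

# record 4
dn: CN=S-1-5-11
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000003

# record 5
dn: CN=S-1-5-21-976934076-1976663741-3168181429-512
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000004

# record 6
dn: CN=S-1-5-32-544
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000013

# returned 6 records'

# Demo run against the constructed sample
printf '%s\n' "$SAMPLE_LDIF" | dups
printf '%s\n' "$SAMPLE_LDIF" | gaps
```

Run this against the real idmap.ldb on one DC at a time; idmap.ldb is local to each DC and not replicated, so the duplicates can differ per DC. The output only identifies the colliding entries so they can be inspected with 'ldbedit' as suggested above; it changes nothing.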
