[Samba] Duplicate xidNumbers

Bob Thomas bthomas at cybernetics.com
Fri Jan 13 18:30:14 UTC 2017 

Rowland,
>> Thank you for the quick response.
>>
>> I have just run net cache flush no change in problem.  I have dumped
>> the idmap.ldp using ldbsearch -H /var/lib/samba/private/idmap.ldb >
>> idmap.txt and did some sorting, that is how I found the duplicates.
>>
>>
>> On 1/13/2017 11:09 AM, Rowland Penny via samba wrote:
>>> samba-tool ntacl
>>>> sysvolreset
>>
> OK, idmap.ldb contains records like this:
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> cn: S-1-5-21-1768301897-3342589593-1064908849-502
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
> type: ID_TYPE_BOTH
> xidNumber: 3000045
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-502
>
> As you can see, it maps a user/groups SID to an xidNumber. So I see no
> problem with just using the xidNumber for another SID when you have
> duplicates, but I would try this instead. Stop Samba, backup idmap.ldb
> and then delete both duplicates and any other records that don't match
> the above sample, then restart Samba, this should recreate the records,
> but with new xidNumbers.
>
> Run 'net cache flush' and sysvolreset again.
>
> Rowland
>
I tried two ways but it didn't seem to help,

First stopped Samba, backed up idmap.ldp and ldpedit deleted the 
duplicates.   Started Samba and it did recreate the records so I did net 
cache flush but wbinfo --gid-info  failed for the new xids: failed to 
call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
No change in sysvolreset also.

Second, I stopped samba, restored backup idmap.ldp and just edited:
3000002  dn: CN=S-1-5-21-976934076-1976663741-3168181429-501 to 3000011
3000003  dn: CN=S-1-5-21-976934076-1976663741-3168181429-514 to 3000012

Note all other idmap records are in the correct format, complete and no 
SIDs are duplicated

result wbinfo --gid-info was correct for 3000011 & 3000012 but still 
fails for 3000002 & 3000003
however wbinfo --sid-to-gid results are good

sysvolreset still shows repeated: idmap range not specified for domain '*'

Bob

More information about the samba mailing list