[Samba] Duplicate xidNumbers

Bob Thomas bthomas at cybernetics.com
Fri Jan 13 21:43:39 UTC 2017 

On 1/13/2017 3:30 PM, Rowland Penny wrote:

> On Fri, 13 Jan 2017 15:20:52 -0500
> Bob Thomas <bthomas at cybernetics.com> wrote:
>
>> On 1/13/2017 1:45 PM, Rowland Penny wrote:
>>> On Fri, 13 Jan 2017 13:30:14 -0500
>>> Bob Thomas <bthomas at cybernetics.com> wrote:
>>>
>>>> Rowland,
>>>>>> Thank you for the quick response.
>>>>>>
>>>>>> I have just run net cache flush no change in problem.  I have
>>>>>> dumped the idmap.ldp using ldbsearch
>>>>>> -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some
>>>>>> sorting, that is how I found the duplicates.
>>>>>>
>>>>>>
>>>>>> On 1/13/2017 11:09 AM, Rowland Penny via samba wrote:
>>>>>>> samba-tool ntacl
>>>>>>>> sysvolreset
>>>>> OK, idmap.ldb contains records like this:
>>>>>
>>>>> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>> cn: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>> objectClass: sidMap
>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>> type: ID_TYPE_BOTH
>>>>> xidNumber: 3000045
>>>>> distinguishedName:
>>>>> CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>
>>>>> As you can see, it maps a user/groups SID to an xidNumber. So I
>>>>> see no problem with just using the xidNumber for another SID when
>>>>> you have duplicates, but I would try this instead. Stop Samba,
>>>>> backup idmap.ldb and then delete both duplicates and any other
>>>>> records that don't match the above sample, then restart Samba,
>>>>> this should recreate the records, but with new xidNumbers.
>>>>>
>>>>> Run 'net cache flush' and sysvolreset again.
>>>>>
>>>>> Rowland
>>>>>
>>>> I tried two ways but it didn't seem to help,
>>>>
>>>> First stopped Samba, backed up idmap.ldp and ldpedit deleted the
>>>> duplicates.   Started Samba and it did recreate the records so I
>>>> did net cache flush but wbinfo --gid-info  failed for the new xids:
>>>> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
>>>> No change in sysvolreset also.
>>>>
>>>> Second, I stopped samba, restored backup idmap.ldp and just edited:
>>>> 3000002  dn: CN=S-1-5-21-976934076-1976663741-3168181429-501 to
>>>> 3000011 3000003  dn:
>>>> CN=S-1-5-21-976934076-1976663741-3168181429-514 to 3000012
>>>>
>>>> Note all other idmap records are in the correct format, complete
>>>> and no SIDs are duplicated
>>>>
>>>> result wbinfo --gid-info was correct for 3000011 & 3000012 but
>>>> still fails for 3000002 & 3000003
>>>> however wbinfo --sid-to-gid results are good
>>>>
>>>> sysvolreset still shows repeated: idmap range not specified for
>>>> domain '*'
>>>>
>>>> Bob
>>>>
>>> Try restarting Samba, perhaps this will help
>>> Have you given any AD group other than Domain Users a gidNumber ?
>>>
>>> Rowland
>> I have assigned gidNumbers to all the groups I created and to Domain
>> Admins, Domain Computers, Enterprise Admins and DNS Admins.
>>
>> Restarting Samba has no effect.
> Assigning gidNumbers to groups you have created should not be a
> problem, but the only AD group I would add a gidNumber to, is Domain
> Users and I only add that because the winbind 'ad' backend will not work
> on a domain member unless the group has one. I would remove the
> gidNumber attributes from the others and see if that helps.
>
> Rowland
Rowland,

At least the two duplicate xidNumbers are gone and things seem to be
working.

I removed the gidNumber from all but my groups and domain users.

restarted the server - still no change with sysvolreset, a forever list of:

idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'


Bob

More information about the samba mailing list