[Samba] Duplicate xidNumbers

Rowland Penny rpenny at samba.org
Fri Jan 13 21:58:27 UTC 2017


On Fri, 13 Jan 2017 16:43:39 -0500
Bob Thomas via samba <samba at lists.samba.org> wrote:

> On 1/13/2017 3:30 PM, Rowland Penny wrote:
> 
> > On Fri, 13 Jan 2017 15:20:52 -0500
> > Bob Thomas <bthomas at cybernetics.com> wrote:
> >
> >> On 1/13/2017 1:45 PM, Rowland Penny wrote:
> >>> On Fri, 13 Jan 2017 13:30:14 -0500
> >>> Bob Thomas <bthomas at cybernetics.com> wrote:
> >>>
> >>>> Rowland,
> >>>>>> Thank you for the quick response.
> >>>>>>
> >>>>>> I have just run net cache flush no change in problem.  I have
> >>>>>> dumped the idmap.ldb using ldbsearch
> >>>>>> -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some
> >>>>>> sorting, that is how I found the duplicates.
> >>>>>>
> >>>>>>
> >>>>>> On 1/13/2017 11:09 AM, Rowland Penny via samba wrote:
> >>>>>>> samba-tool ntacl
> >>>>>>>> sysvolreset
> >>>>> OK, idmap.ldb contains records like this:
> >>>>>
> >>>>> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> >>>>> cn: S-1-5-21-1768301897-3342589593-1064908849-502
> >>>>> objectClass: sidMap
> >>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
> >>>>> type: ID_TYPE_BOTH
> >>>>> xidNumber: 3000045
> >>>>> distinguishedName:
> >>>>> CN=S-1-5-21-1768301897-3342589593-1064908849-502
> >>>>>
> >>>>> As you can see, it maps a user/groups SID to an xidNumber. So I
> >>>>> see no problem with just using the xidNumber for another SID
> >>>>> when you have duplicates, but I would try this instead. Stop
> >>>>> Samba, backup idmap.ldb and then delete both duplicates and any
> >>>>> other records that don't match the above sample, then restart
> >>>>> Samba, this should recreate the records, but with new
> >>>>> xidNumbers.
> >>>>>
> >>>>> Run 'net cache flush' and sysvolreset again.
> >>>>>
> >>>>> Rowland
> >>>>>
> >>>> I tried two ways but it didn't seem to help,
> >>>>
> >>>> First stopped Samba, backed up idmap.ldb and ldbedit deleted the
> >>>> duplicates.   Started Samba and it did recreate the records so I
> >>>> did net cache flush but wbinfo --gid-info  failed for the new
> >>>> xids: failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> >>>> No change in sysvolreset also.
> >>>>
> >>>> Second, I stopped samba, restored backup idmap.ldb and just
> >>>> edited: 3000002  dn:
> >>>> CN=S-1-5-21-976934076-1976663741-3168181429-501 to 3000011
> >>>> 3000003  dn: CN=S-1-5-21-976934076-1976663741-3168181429-514 to
> >>>> 3000012
> >>>>
> >>>> Note all other idmap records are in the correct format, complete
> >>>> and no SIDs are duplicated
> >>>>
> >>>> result wbinfo --gid-info was correct for 3000011 & 3000012 but
> >>>> still fails for 3000002 & 3000003
> >>>> however wbinfo --sid-to-gid results are good
> >>>>
> >>>> sysvolreset still shows repeated: idmap range not specified for
> >>>> domain '*'
> >>>>
> >>>> Bob
> >>>>
> >>> Try restarting Samba, perhaps this will help
> >>> Have you given any AD group other than Domain Users a gidNumber?
> >>>
> >>> Rowland
> >> I have assigned gidNumbers to all the groups I created and to
> >> Domain Admins, Domain Computers, Enterprise Admins and DNS Admins.
> >>
> >> Restarting Samba has no effect.
> > Assigning gidNumbers to groups you have created should not be a
> > problem, but the only AD group I would add a gidNumber to, is Domain
> > Users and I only add that because the winbind 'ad' backend will not
> > work on a domain member unless the group has one. I would remove the
> > gidNumber attributes from the others and see if that helps.
> >
> > Rowland
> Rowland,
> 
> At least the two duplicate xidNumbers are gone and things seem to be
> working.
> 
> I removed the gidNumber from all but my groups and domain users.
> 
> restarted the server - still no change with sysvolreset, a forever
> list of:
> 
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'

Where is this message being printed?
I have checked the logs on one of my DCs and I do not have it anywhere,
but I have found this Univention bug report:

https://forge.univention.org/bugzilla/show_bug.cgi?id=32376
 
Which seems to describe your problem.

Rowland
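
The duplicate check described in the thread (dump idmap.ldb with ldbsearch, then look for an xidNumber shared by more than one SID), as an added example that is not part of the thread and not Samba code. The function names `parse_ldif` and `duplicate_xids` are hypothetical, and the sample records are constructed, not taken from the poster's database.

```python
from collections import defaultdict

# Constructed sample shaped like `ldbsearch -H idmap.ldb` output; SIDs and IDs are made up.
SAMPLE = """\
# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-501
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-501
xidNumber: 3000002
distinguishedName: CN=S-1-5-21-1111111111-2222222222-33333
 33333-501

# record 2
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
xidNumber: 3000002

# record 3
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-514
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-514
xidNumber: 3000003
"""

def parse_ldif(text):
    """Yield one dict per LDIF record; folded lines (leading space) are joined."""
    record, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:
            record[last] += line[1:]          # continuation of the previous value
        elif not line.strip():
            if record:
                yield record                  # blank line ends the record
            record, last = {}, None
        elif not line.startswith("#") and ":" in line:
            last, _, value = line.partition(":")
            record[last] = value.strip()

def duplicate_xids(text):
    """Map each xidNumber used by more than one SID to the sorted SIDs using it."""
    by_xid = defaultdict(set)
    for rec in parse_ldif(text):
        if rec.get("objectClass") == "sidMap" and "xidNumber" in rec:
            by_xid[int(rec["xidNumber"])].add(rec["objectSid"])
    return {xid: sorted(sids) for xid, sids in by_xid.items() if len(sids) > 1}

if __name__ == "__main__":
    print(duplicate_xids(SAMPLE))
```

To check a real dump, pass the contents of the file written by `ldbsearch -H /var/lib/samba/private/idmap.ldb > idmap.txt` to `duplicate_xids`; records without `objectClass: sidMap` are ignored.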


