[Samba] Duplicate xidNumbers

Bob Thomas bthomas at cybernetics.com
Fri Jan 13 22:22:15 UTC 2017



On 1/13/2017 4:58 PM, Rowland Penny via samba wrote:
> On Fri, 13 Jan 2017 16:43:39 -0500
> Bob Thomas via samba <samba at lists.samba.org> wrote:
>
>> On 1/13/2017 3:30 PM, Rowland Penny wrote:
>>
>>> On Fri, 13 Jan 2017 15:20:52 -0500
>>> Bob Thomas <bthomas at cybernetics.com> wrote:
>>>
>>>> On 1/13/2017 1:45 PM, Rowland Penny wrote:
>>>>> On Fri, 13 Jan 2017 13:30:14 -0500
>>>>> Bob Thomas <bthomas at cybernetics.com> wrote:
>>>>>
>>>>>> Rowland,
>>>>>>>> Thank you for the quick response.
>>>>>>>>
>>>>>>>> I have just run net cache flush; no change in problem.  I have
>>>>>>>> dumped the idmap.ldb using ldbsearch
>>>>>>>> -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some
>>>>>>>> sorting, that is how I found the duplicates.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 1/13/2017 11:09 AM, Rowland Penny via samba wrote:
>>>>>>>>> samba-tool ntacl
>>>>>>>>>> sysvolreset
>>>>>>> OK, idmap.ldb contains records like this:
>>>>>>>
>>>>>>> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>> cn: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>> objectClass: sidMap
>>>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>> type: ID_TYPE_BOTH
>>>>>>> xidNumber: 3000045
>>>>>>> distinguishedName:
>>>>>>> CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>>
>>>>>>> As you can see, it maps a user/groups SID to an xidNumber. So I
>>>>>>> see no problem with just using the xidNumber for another SID
>>>>>>> when you have duplicates, but I would try this instead. Stop
>>>>>>> Samba, backup idmap.ldb and then delete both duplicates and any
>>>>>>> other records that don't match the above sample, then restart
>>>>>>> Samba, this should recreate the records, but with new
>>>>>>> xidNumbers.
>>>>>>>
>>>>>>> Run 'net cache flush' and sysvolreset again.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> I tried two ways but it didn't seem to help,
>>>>>>
>>>>>> First stopped Samba, backed up idmap.ldb and ldbedit deleted the
>>>>>> duplicates.   Started Samba and it did recreate the records so I
>>>>>> did net cache flush but wbinfo --gid-info  failed for the new
>>>>>> xids: failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> No change in sysvolreset also.
>>>>>>
>>>>>> Second, I stopped samba, restored backup idmap.ldb and just
>>>>>> edited: 3000002  dn:
>>>>>> CN=S-1-5-21-976934076-1976663741-3168181429-501 to 3000011
>>>>>> 3000003  dn: CN=S-1-5-21-976934076-1976663741-3168181429-514 to
>>>>>> 3000012
>>>>>>
>>>>>> Note all other idmap records are in the correct format, complete
>>>>>> and no SIDs are duplicated
>>>>>>
>>>>>> result wbinfo --gid-info was correct for 3000011 & 3000012 but
>>>>>> still fails for 3000002 & 3000003
>>>>>> however wbinfo --sid-to-gid results are good
>>>>>>
>>>>>> sysvolreset still shows repeated: idmap range not specified for
>>>>>> domain '*'
>>>>>>
>>>>>> Bob
>>>>>>
>>>>> Try restarting Samba, perhaps this will help
>>>>> Have you given any AD group other than Domain Users a gidNumber ?
>>>>>
>>>>> Rowland
>>>> I have assigned gidNumbers to all the groups I created and to
>>>> Domain Admins, Domain Computers, Enterprise Admins and DNS Admins.
>>>>
>>>> Restarting Samba has no effect.
>>> Assigning gidNumbers to groups you have created should not be a
>>> problem, but the only AD group I would add a gidNumber to, is Domain
>>> Users and I only add that because the winbind 'ad' backend will not
>>> work on a domain member unless the group has one. I would remove the
>>> gidNumber attributes from the others and see if that helps.
>>>
>>> Rowland
>> Rowland,
>>
>> At least the two duplicate xidNumbers are gone and things seem to be
>> working.
>>
>> I removed the gidNumber from all but my groups and domain users.
>>
>> restarted the server - still no change with sysvolreset, a forever
>> list of:
>>
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
> Where is this message being printed ?
> I have checked the logs on one of my DCs and I do not have it anywhere,
> but I have found this Univention bug report:
>
> https://forge.univention.org/bugzilla/show_bug.cgi?id=32376
>   
> Which seems to describe your problem.
>
> Rowland
>
It is not in a log; it shows when running sysvolreset and continues for
about 3 minutes. Short example below:

From how I read the bug report, it was for 4.1rc; I am running
version 4.5.1.   I think version 4.4.? is when it was not good
for smb.conf to have:

	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

If I insert them back in smb.conf and restart samba, then sysvolreset runs clean.


root@CY-PRO-DC:/var/log/samba# samba-tool ntacl sysvolreset
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
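
The duplicate check described in this thread (dump idmap.ldb with ldbsearch, then look for repeated xidNumbers), as an added example that is not part of the original messages or of Samba itself. The function names and the sample dump are constructed for illustration, and it assumes that ID_TYPE_UID and ID_TYPE_GID records may share a number without conflict while ID_TYPE_BOTH occupies both namespaces.

```python
from collections import defaultdict

# Unix ID namespaces each idmap type occupies (ID_TYPE_BOTH is a uid and a gid).
NAMESPACES = {"ID_TYPE_UID": ["uid"], "ID_TYPE_GID": ["gid"], "ID_TYPE_BOTH": ["uid", "gid"]}

# Constructed dump with made-up SIDs and IDs, attributes trimmed.
SAMPLE_DUMP = """\
# record 1
dn: CN=CONFIG
xidNumber: 3000020

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-501
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-501
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName:
 CN=S-1-5-21-1111111111-2222222222-3333333333-501

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 3000002
"""

def parse_records(dump):
    """Split LDIF text into dicts; unfold continuation lines, skip comments."""
    records = []
    for block in dump.replace("\n ", "").split("\n\n"):
        fields = (l.partition(":") for l in block.splitlines() if l[:1] != "#")
        rec = {k.strip(): v.strip() for k, _, v in fields if k}
        if rec:
            records.append(rec)
    return records

def duplicate_xids(dump):
    """Return {xidNumber: [SIDs]} for sidMap records colliding in a namespace."""
    owners = defaultdict(set)  # (namespace, xid) -> SIDs holding it
    for rec in parse_records(dump):
        if rec.get("objectClass") == "sidMap" and "xidNumber" in rec:
            # A record with no recognised type is treated as occupying both namespaces.
            for ns in NAMESPACES.get(rec.get("type"), ["uid", "gid"]):
                owners[(ns, int(rec["xidNumber"]))].add(rec["objectSid"])
    dupes = defaultdict(set)
    for (_, xid), sids in owners.items():
        if len(sids) > 1:
            dupes[xid] |= sids
    return {xid: sorted(sids) for xid, sids in dupes.items()}
```

To run it on a real dump, pass the text of the file written by `ldbsearch -H /var/lib/samba/private/idmap.ldb > idmap.txt` to `duplicate_xids`.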