[Samba] Duplicate xidNumbers

Rowland Penny rpenny at samba.org
Fri Jan 13 22:35:22 UTC 2017


On Fri, 13 Jan 2017 17:22:15 -0500
Bob Thomas <bthomas at cybernetics.com> wrote:

> 
> 
> On 1/13/2017 4:58 PM, Rowland Penny via samba wrote:
> > On Fri, 13 Jan 2017 16:43:39 -0500
> > Bob Thomas via samba <samba at lists.samba.org> wrote:
> >
> >> On 1/13/2017 3:30 PM, Rowland Penny wrote:
> >>
> >>> On Fri, 13 Jan 2017 15:20:52 -0500
> >>> Bob Thomas <bthomas at cybernetics.com> wrote:
> >>>
> >>>> On 1/13/2017 1:45 PM, Rowland Penny wrote:
> >>>>> On Fri, 13 Jan 2017 13:30:14 -0500
> >>>>> Bob Thomas <bthomas at cybernetics.com> wrote:
> >>>>>
> >>>>>> Rowland,
> >>>>>>>> Thank you for the quick response.
> >>>>>>>>
> >>>>>>>> I have just run net cache flush, no change in problem.  I have
> >>>>>>>> dumped the idmap.ldb using ldbsearch
> >>>>>>>> -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some
> >>>>>>>> sorting, that is how I found the duplicates.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 1/13/2017 11:09 AM, Rowland Penny via samba wrote:
> >>>>>>>>> samba-tool ntacl
> >>>>>>>>>> sysvolreset
> >>>>>>> OK, idmap.ldb contains records like this:
> >>>>>>>
> >>>>>>> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> >>>>>>> cn: S-1-5-21-1768301897-3342589593-1064908849-502
> >>>>>>> objectClass: sidMap
> >>>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
> >>>>>>> type: ID_TYPE_BOTH
> >>>>>>> xidNumber: 3000045
> >>>>>>> distinguishedName:
> >>>>>>> CN=S-1-5-21-1768301897-3342589593-1064908849-502
> >>>>>>>
> >>>>>>> As you can see, it maps a user/groups SID to an xidNumber. So
> >>>>>>> I see no problem with just using the xidNumber for another SID
> >>>>>>> when you have duplicates, but I would try this instead. Stop
> >>>>>>> Samba, backup idmap.ldb and then delete both duplicates and
> >>>>>>> any other records that don't match the above sample, then
> >>>>>>> restart Samba, this should recreate the records, but with new
> >>>>>>> xidNumbers.
> >>>>>>>
> >>>>>>> Run 'net cache flush' and sysvolreset again.
> >>>>>>>
> >>>>>>> Rowland
> >>>>>>>
> >>>>>> I tried two ways but it didn't seem to help.
> >>>>>>
> >>>>>> First, stopped Samba, backed up idmap.ldb and with ldbedit deleted
> >>>>>> the duplicates.  Started Samba and it did recreate the
> >>>>>> records, so I did net cache flush but wbinfo --gid-info failed
> >>>>>> for the new xids: failed to call wbcGetgrgid:
> >>>>>> WBC_ERR_DOMAIN_NOT_FOUND.  No change in sysvolreset also.
> >>>>>>
> >>>>>> Second, I stopped samba, restored backup idmap.ldb and just
> >>>>>> edited:
> >>>>>> 3000002  dn: CN=S-1-5-21-976934076-1976663741-3168181429-501 to 3000011
> >>>>>> 3000003  dn: CN=S-1-5-21-976934076-1976663741-3168181429-514 to 3000012
> >>>>>>
> >>>>>> Note all other idmap records are in the correct format,
> >>>>>> complete and no SIDs are duplicated
> >>>>>>
> >>>>>> Result: wbinfo --gid-info was correct for 3000011 & 3000012 but
> >>>>>> still fails for 3000002 & 3000003;
> >>>>>> however wbinfo --sid-to-gid results are good.
> >>>>>>
> >>>>>> sysvolreset still shows repeated: idmap range not specified for
> >>>>>> domain '*'
> >>>>>>
> >>>>>> Bob
> >>>>>>
> >>>>> Try restarting Samba, perhaps this will help
> >>>>> Have you given any AD group other than Domain Users a
> >>>>> gidNumber ?
> >>>>>
> >>>>> Rowland
> >>>> I have assigned gidNumbers to all the groups I created and to
> >>>> Domain Admins, Domain Computers, Enterprise Admins and DNS
> >>>> Admins.
> >>>>
> >>>> Restarting Samba has no effect.
> >>> Assigning gidNumbers to groups you have created should not be a
> >>> problem, but the only AD group I would add a gidNumber to, is
> >>> Domain Users and I only add that because the winbind 'ad' backend
> >>> will not work on a domain member unless the group has one. I
> >>> would remove the gidNumber attributes from the others and see if
> >>> that helps.
> >>>
> >>> Rowland
> >> Rowland,
> >>
> >> At least the two duplicate xidNumbers are gone and things seem to
> >> be working.
> >>
> >> I removed the gidNumber from all but my groups and domain users.
> >>
> >> restarted the server - still no change with sysvolreset, a forever
> >> list of:
> >>
> >> idmap range not specified for domain '*'
> >> idmap range not specified for domain '*'
> >> idmap range not specified for domain '*'
> >> idmap range not specified for domain '*'
> > Where is this message being printed ?
> > I have checked the logs on one of my DCs and I do not have it
> > anywhere, but I have found this Univention bug report:
> >
> > https://forge.univention.org/bugzilla/show_bug.cgi?id=32376
> >   
> > Which seems to describe your problem.
> >
> > Rowland
> >
> It is not in a log; it shows when running sysvolreset and continues
> for about 3 minutes.  Short example below:
> 
> From how I read the bug report it was for 4.1rc; I am running
> version 4.5.1.   I think version 4.4.? is when it became not good
> for smb.conf to have:
> 
> 	idmap config *:backend = tdb
> 	idmap config *:range = 2000-9999
> 
> If I insert them back in smb.conf, restart samba then sysvolreset
> runs clean

Before 4.5.0, you could add the lines to a DC smb.conf; they wouldn't
have any effect, but you could add them. From 4.5.0, they do have an
effect, but not the effect you want: code changes now mean they cause
errors, so they definitely shouldn't be added. I think from 4.6.0,
Samba will not start if they are in smb.conf.

> 
> 
> root at CY-PRO-DC:/var/log/samba# samba-tool ntacl sysvolreset
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> 

Yes, I have now seen something similar and tracked it down in the source
code. I think it is coming from
samba-master/source3/winbindd/idmap.c:401

	if (range == NULL) {
		if (check_range) {
			DEBUG(1, ("idmap range not specified for domain %s\n",
				  result->name));
			goto fail;
		}

Which is all very well on a domain member, but what about a DC ??

I could be wrong, but that is the way I see it.

Rowland
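An added example, not from this thread or from Samba, that automates the check Bob did by sorting the dump: it parses the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb`, reports xidNumbers shared by more than one SID, and lists records that do not have the sidMap shape Rowland quoted (the ones he suggests deleting so Samba recreates them). SAMPLE_DUMP is constructed for the example; the SIDs follow the pattern from the thread.

```python
import re
from collections import defaultdict

# Core attributes of a sidMap record, per the sample record quoted in the thread.
REQUIRED = ("dn", "objectClass", "objectSid", "type", "xidNumber")

# Constructed sample in ldbsearch style: two SIDs share xidNumber 3000002, third record is incomplete.
SAMPLE_DUMP = """\
dn: CN=S-1-5-21-976934076-1976663741-3168181429-501
objectClass: sidMap
objectSid: S-1-5-21-976934076-1976663741-3168181429-501
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-21-976934076-1976663741-3168181429-513
objectClass: sidMap
objectSid: S-1-5-21-976934076-1976663741-3168181429-513
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=BROKEN
objectClass: sidMap
"""

def parse_ldif(text):
    """Records are blank-line separated; '#' lines are comments; a leading space folds a value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and last:
                rec[last][-1] += line[1:]          # LDIF continuation line
            else:
                last, _, value = line.partition(":")
                rec.setdefault(last, []).append(value.lstrip(": ").strip())
        if rec:                                    # skip comment-only blocks
            records.append(rec)
    return records

def audit_idmap(text):
    """Return (duplicates, malformed): xidNumber -> SIDs sharing it, and dn of each incomplete record."""
    by_xid, malformed = defaultdict(list), []
    for rec in parse_ldif(text):
        if any(a not in rec for a in REQUIRED) or "sidMap" not in rec["objectClass"]:
            malformed.append(rec.get("dn", ["<no dn>"])[0])
            continue
        by_xid[rec["xidNumber"][0]].append(rec["objectSid"][0])
    return {x: s for x, s in by_xid.items() if len(s) > 1}, malformed
```

Run it as `audit_idmap(open("idmap.txt").read())` against a real dump; stop Samba and back up idmap.ldb before acting on anything it reports.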


