[Samba] Duplicate xidNumbers

Bob Thomas bthomas at cybernetics.com
Fri Jan 13 22:52:23 UTC 2017



On 1/13/2017 5:35 PM, Rowland Penny via samba wrote:
> On Fri, 13 Jan 2017 17:22:15 -0500
> Bob Thomas <bthomas at cybernetics.com> wrote:
>
>>
>> On 1/13/2017 4:58 PM, Rowland Penny via samba wrote:
>>> On Fri, 13 Jan 2017 16:43:39 -0500
>>> Bob Thomas via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 1/13/2017 3:30 PM, Rowland Penny wrote:
>>>>
>>>>> On Fri, 13 Jan 2017 15:20:52 -0500
>>>>> Bob Thomas <bthomas at cybernetics.com> wrote:
>>>>>
>>>>>> On 1/13/2017 1:45 PM, Rowland Penny wrote:
>>>>>>> On Fri, 13 Jan 2017 13:30:14 -0500
>>>>>>> Bob Thomas <bthomas at cybernetics.com> wrote:
>>>>>>>
>>>>>>>> Rowland,
>>>>>>>>>> Thank you for the quick response.
>>>>>>>>>>
>>>>>>>>>> I have just run net cache flush, no change in problem.  I have
>>>>>>>>>> dumped the idmap.ldb using ldbsearch
>>>>>>>>>> -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some
>>>>>>>>>> sorting; that is how I found the duplicates.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 1/13/2017 11:09 AM, Rowland Penny via samba wrote:
>>>>>>>>>>> samba-tool ntacl
>>>>>>>>>>>> sysvolreset
>>>>>>>>> OK, idmap.ldb contains records like this:
>>>>>>>>>
>>>>>>>>> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>>>> cn: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>>>> objectClass: sidMap
>>>>>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>>>> type: ID_TYPE_BOTH
>>>>>>>>> xidNumber: 3000045
>>>>>>>>> distinguishedName:
>>>>>>>>> CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>>>>
>>>>>>>>> As you can see, it maps a user's/group's SID to an xidNumber. So
>>>>>>>>> I see no problem with just using the xidNumber for another SID
>>>>>>>>> when you have duplicates, but I would try this instead. Stop
>>>>>>>>> Samba, backup idmap.ldb and then delete both duplicates and
>>>>>>>>> any other records that don't match the above sample, then
>>>>>>>>> restart Samba, this should recreate the records, but with new
>>>>>>>>> xidNumbers.
>>>>>>>>>
>>>>>>>>> Run 'net cache flush' and sysvolreset again.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> I tried two ways but it didn't seem to help,
>>>>>>>>
>>>>>>>> First I stopped Samba, backed up idmap.ldb and with ldbedit deleted
>>>>>>>> the duplicates. Started Samba and it did recreate the
>>>>>>>> records, so I did net cache flush, but wbinfo --gid-info failed
>>>>>>>> for the new xids: failed to call wbcGetgrgid:
>>>>>>>> WBC_ERR_DOMAIN_NOT_FOUND. No change in sysvolreset either.
>>>>>>>>
>>>>>>>> Second, I stopped samba, restored the backup idmap.ldb and just
>>>>>>>> edited: 3000002  dn:
>>>>>>>> CN=S-1-5-21-976934076-1976663741-3168181429-501 to 3000011
>>>>>>>> 3000003  dn: CN=S-1-5-21-976934076-1976663741-3168181429-514 to
>>>>>>>> 3000012
>>>>>>>>
>>>>>>>> Note all other idmap records are in the correct format,
>>>>>>>> complete, and no SIDs are duplicated.
>>>>>>>>
>>>>>>>> Result: wbinfo --gid-info was correct for 3000011 & 3000012 but
>>>>>>>> still fails for 3000002 & 3000003;
>>>>>>>> however wbinfo --sid-to-gid results are good.
>>>>>>>>
>>>>>>>> sysvolreset still shows repeated: idmap range not specified for
>>>>>>>> domain '*'
>>>>>>>>
>>>>>>>> Bob
>>>>>>>>
>>>>>>> Try restarting Samba, perhaps this will help
>>>>>>> Have you given any AD group other than Domain Users a
>>>>>>> gidNumber ?
>>>>>>>
>>>>>>> Rowland
>>>>>> I have assigned gidNumbers to all the groups I created and to
>>>>>> Domain Admins, Domain Computers, Enterprise Admins and DNS
>>>>>> Admins.
>>>>>>
>>>>>> Restarting Samba has no effect.
>>>>> Assigning gidNumbers to groups you have created should not be a
>>>>> problem, but the only AD group I would add a gidNumber to, is
>>>>> Domain Users and I only add that because the winbind 'ad' backend
>>>>> will not work on a domain member unless the group has one. I
>>>>> would remove the gidNumber attributes from the others and see if
>>>>> that helps.
>>>>>
>>>>> Rowland
>>>> Rowland,
>>>>
>>>> At least the two duplicate xidNumbers are gone and things seem to
>>>> be working.
>>>>
>>>> I removed the gidNumber from all but my groups and domain users.
>>>>
>>>> restarted the server - still no change with sysvolreset, a forever
>>>> list of:
>>>>
>>>> idmap range not specified for domain '*'
>>>> idmap range not specified for domain '*'
>>>> idmap range not specified for domain '*'
>>>> idmap range not specified for domain '*'
>>> Where is this message being printed ?
>>> I have checked the logs on one of my DCs and I do not have it
>>> anywhere, but I have found this Univention bug report:
>>>
>>> https://forge.univention.org/bugzilla/show_bug.cgi?id=32376
>>>    
>>> Which seems to describe your problem.
>>>
>>> Rowland
>>>
>> It is not in a log, it shows when running sysvolreset and continues
>> for about 3 minutes, short example below:
>>
>> From how I read the bug report it was for 4.1rc, I am running
>> version 4.5.1.   I think at version 4.4.? is when it was no longer good
>> for smb.conf to have:
>>
>> 	idmap config *:backend = tdb
>> 	idmap config *:range = 2000-9999
>>
>> If I insert them back in smb.conf, restart samba then sysvolreset
>> runs clean
> Before 4.5.0, you could add the lines to a DC smb.conf, they wouldn't
> have any effect, but you could add them. From 4.5.0, they do have an
> effect, but not the effect you want, code changes now mean they cause
> errors and so they definitely shouldn't be added. I think from 4.6.0,
> Samba will not start if they are in smb.conf.
>
>>
>> root at CY-PRO-DC:/var/log/samba# samba-tool ntacl sysvolreset
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>>
> Yes I have now seen something similar and tracked it down in the source
> code. I think it is coming from
> samba-master/source3/winbindd/idmap.c:401
>
> 	if (range == NULL) {
> 		if (check_range) {
> 			DEBUG(1, ("idmap range not specified for domain %s\n",
> 				  result->name));
> 			goto fail;
> 		}
>
> Which is all very well on a domain member, but what about a DC ??
>
> I could be wrong, but that is the way I see it.
>
> Rowland
>
OK, I set log level = 0 and it is gone?
Not solved but at least hidden:)
Maybe the code needs an "if server not equal to DC - and ....... " statement

Duplicate xidNumbers are fixed and everything seems to be running as 
designed.

Thank you Rowland again for your help - Rowland and the rest of the
Samba Team are "The Best"

Bob
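The thread's diagnosis was done by dumping idmap.ldb with ldbsearch and sorting the output by hand. The following is an added example, not code from the thread or from the Samba project, of doing that audit programmatically: it parses LDIF-style ldbsearch output, reports xidNumbers shared by more than one SID, and flags SID-keyed records that are missing any of the attributes Rowland's sample record has (objectClass, objectSid, type, xidNumber). The dump below is constructed for the example; the CN=CONFIG record with its lowerBound/upperBound attributes is assumed to be present in a real idmap.ldb and is deliberately left out of the format check.

```python
"""Audit a dumped idmap.ldb (ldbsearch LDIF-style output) for duplicate
xidNumbers and for mapping records that do not have the expected shape.

Added example; constructed sample data, not a real dump."""
from collections import defaultdict

# Attributes every SID -> xid mapping record is expected to carry,
# taken from the sample record quoted in the thread.
EXPECTED_ATTRS = {"objectClass", "objectSid", "type", "xidNumber"}

# Constructed sample of what `ldbsearch -H /var/lib/samba/private/idmap.ldb`
# might print.  Records 1 and 2 share xidNumber 3000002; record 3 has no
# 'type' attribute; record 4 is the CONFIG entry, which is not a mapping.
SAMPLE_DUMP = """\
# record 1
dn: CN=S-1-5-21-976934076-1976663741-3168181429-501
cn: S-1-5-21-976934076-1976663741-3168181429-501
objectClass: sidMap
objectSid: S-1-5-21-976934076-1976663741-3168181429-501
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-21-976934076-1976663741-3168
 181429-501

# record 2
dn: CN=S-1-5-21-976934076-1976663741-3168181429-512
cn: S-1-5-21-976934076-1976663741-3168181429-512
objectClass: sidMap
objectSid: S-1-5-21-976934076-1976663741-3168181429-512
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-21-976934076-1976663741-3168181429-512

# record 3
dn: CN=S-1-5-21-976934076-1976663741-3168181429-513
cn: S-1-5-21-976934076-1976663741-3168181429-513
objectClass: sidMap
objectSid: S-1-5-21-976934076-1976663741-3168181429-513
xidNumber: 3000003
distinguishedName: CN=S-1-5-21-976934076-1976663741-3168181429-513

# record 4
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
distinguishedName: CN=CONFIG

# returned 4 records
"""


def parse_ldif(text):
    """Parse LDIF-style output into a list of {attribute: [values]} dicts.

    '#' comment lines are skipped, a blank line ends a record, and a line
    beginning with a single space continues the previous value (LDIF folding,
    which is why the wrapped distinguishedName in the thread still parses)."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        records.append(current)
    return records


def find_duplicate_xids(records):
    """Return {xidNumber: [objectSid, ...]} for every xid used by >1 record."""
    by_xid = defaultdict(list)
    for rec in records:
        if "xidNumber" not in rec:
            continue
        xid = int(rec["xidNumber"][0])
        by_xid[xid].append(rec.get("objectSid", rec["dn"])[0])
    return {xid: sids for xid, sids in by_xid.items() if len(sids) > 1}


def find_malformed(records):
    """Return the dn of every SID-keyed record that is not a complete sidMap."""
    bad = []
    for rec in records:
        dn = rec.get("dn", [""])[0]
        if not dn.upper().startswith("CN=S-1-5-"):
            continue  # CN=CONFIG and similar entries are not mappings
        missing = EXPECTED_ATTRS - rec.keys()
        if missing or rec["objectClass"] != ["sidMap"]:
            bad.append(dn)
    return bad


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_DUMP)
    for xid, sids in sorted(find_duplicate_xids(recs).items()):
        print(f"xidNumber {xid} is shared by: {', '.join(sids)}")
    for dn in find_malformed(recs):
        print(f"incomplete mapping record: {dn}")
```

On a live DC the same functions can be fed the real dump (`ldbsearch -H /var/lib/samba/private/idmap.ldb > idmap.txt`, then `parse_ldif(open("idmap.txt").read())`); run it against the backup taken before editing idmap.ldb, and again after Samba has recreated the records, to confirm no xidNumber is still shared.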


