[Samba] getent problems with new Samba version

Mark Foley mfoley at ohprs.org
Wed Jan 25 14:59:49 UTC 2017


Sorry for the serial posting, but ... anxious ...

I think there must be a bug in Samba 4.4.8, this all worked with 4.2.14.

To summarize (details in attached messages), since upgrading from Samba 4.2.14 to 4.4.8, getent
returns the wrong UID:GID. This is causing permission errors in programs like dovecot that try
to read/write to Maildir files having the correct UID:GID.

With 4.4.8 I now have sam.ldb in /etc/samba/private (same with 4.2.14) and also in
/var/lib/samba/private. Details in preceding message. Not sure which is the one being used.

With 4.2.14 on AD/DC (CORRECT):
$ getent passwd mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

With 4.4.8 on AD/DC:
$ getent passwd mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

With 4.4.5 on domain member labrat (CORRECT):
$ getent passwd mark
mark:*:10001:10000::/home/HPRS/mark:/bin/bash

Meanwhile, pending feedback from this list, I've added user 'mark' to /etc/passwd:

mark:x:10001:10000::/home/HPRS/mark:/bin/bash

and now getent on the 4.4.8 AD/DC is back to normal:

$ getent passwd mark
mark:x:10001:10000::/home/HPRS/mark:/bin/bash

Permissions are now working with email MTA, etc.

While I'm at it, I did find the newly bad UID 3000026 in /etc/samba/private/idmap.ldb.  
The entry therein:

# record 44
dn: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
cn: S-1-5-21-1052267278-1962196458-4119365663-1111
objectClass: sidMap
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
type: ID_TYPE_BOTH
xidNumber: 3000026
distinguishedName: CN=S-1-5-21-1052267278-1962196458-4119365663-1111

Not sure that is meaningful.

Any help on this would be GREATLY appreciated.

--Mark

-----Original Message-----
Date: Tue, 24 Jan 2017 23:25:35 -0500
To: samba at lists.samba.org
Subject: Re: [Samba] getent problems with new Samba version
From: Mark Foley via samba <samba at lists.samba.org>

More information (possibly too much).

Since "things" are defined in sam.ldb, I compared before and after the Samba 4.2.14 to 4.4.8
update. Here are the sam.ldb related files from the old 4.2.14 version:

-rw------- root/root      4247552 2014-10-20 23:54 etc/samba/private/sam.ldb
-rw------- root/root      4689920 2017-01-14 11:09 etc/samba/private/sam.ldb.bak

drwx------ root/root            0 2017-01-14 11:09 etc/samba/private/sam.ldb.d/
-rw------- root/root      4247552 2017-01-14 13:24 etc/samba/private/sam.ldb.d/DC=HPRS,DC=LOCAL.ldb
-rw------- root/root     14610432 2017-01-14 11:09 etc/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb.bak
-rw------- root/root     20475904 2014-10-20 23:54 etc/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb
-rw------- root/root      2371584 2017-01-14 11:09 etc/samba/private/sam.ldb.d/DC=HPRS,DC=LOCAL.ldb.bak
-rw-r----- root/root         8192 2017-01-14 11:09 etc/samba/private/sam.ldb.d/metadata.tdb.bak
-rw-r----- root/root       421888 2017-01-14 11:50 etc/samba/private/sam.ldb.d/metadata.tdb
-rw------- root/root     14307328 2015-08-13 21:03 etc/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb
-rw------- root/root      8802304 2017-01-14 11:09 etc/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb.bak

and the new 4.4.8 version:

-rw------- 1 root root 4247552 Oct 20  2014 /etc/samba/private/sam.ldb
-rw------- 1 root root 4689920 Jan 24 00:10 /etc/samba/private/sam.ldb.bak
-rw------- 1 root root 4247552 Oct 20  2014 /var/lib/samba/private/sam.ldb
-rw------- 1 root root 4689920 Jan 24 00:11 /var/lib/samba/private/sam.ldb.bak

> ls -l /etc/samba/private/sam.ldb.d
total 63716
-rw------- 1 root root 14307328 Aug 13  2015 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root  8802304 Jan 24 00:11 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
-rw------- 1 root root 20475904 Oct 20  2014 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root 14610432 Jan 24 00:11 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
-rw------- 1 root root  4247552 Jan 14 13:24 DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root  2371584 Jan 24 00:10 DC\=HPRS,DC\=LOCAL.ldb.bak
-rw-r----- 1 root root   421888 Jan 14 11:50 metadata.tdb
-rw-r----- 1 root root     8192 Jan 16 00:11 metadata.tdb.bak

> ls -l /var/lib/samba/private/sam.ldb.d
total 63996
-rw------- 1 root root 14307328 Aug 13  2015 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root  8802304 Jan 24 00:11 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
-rw------- 1 root root 20475904 Oct 20  2014 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root 14610432 Jan 24 00:11 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
-rw------- 1 root root  4247552 Jan 24 22:57 DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root  2658304 Jan 24 00:11 DC\=HPRS,DC\=LOCAL.ldb.bak
-rw-r----- 1 root root   421888 Jan 24 20:53 metadata.tdb
-rw-r----- 1 root root     8192 Jan 24 00:11 metadata.tdb.bak

One thing noticeable to me right off is that, while both versions have ldb files in
/etc/samba/private, with 4.4.8 there is an additional set in /var/lib/samba/private. Why? Did
4.4.8 change the location of these files?

But, it's not like 4.4.8 is using /var/lib/samba/private instead of /etc/samba/private. You
will notice that the sam.ldb* are updated in both places with 4.4.8.

I stop Samba just after midnight to do a backup, which is probably why all the .bak timestamps
are at 00:1[01]. But why are the actual sam.ldb files still dated for October 20, 2014 (when I
first installed Samba4)? I know I've made changes since then, such as msSFU30MaxGidNumber and
msSFU30MaxGidNumber, and the uidNumber and gidNumber for some users.

Also, when I do `ldbedit -H /etc/samba/private/sam.ldb` (and /var/lib/samba/private/sam.ldb),
user 'mark' is correctly set to:

uidNumber: 10001
gidNumber: 10000

in both cases. So where is UID:GID 3000026:100 coming from when I do getent?

Confused, --Mark

-----Original Message-----
Date: Tue, 24 Jan 2017 21:35:09 -0500
To: samba at lists.samba.org
Subject: [Samba] getent problems with new Samba version
From: Mark Foley via samba <samba at lists.samba.org>

I have been running Samba4 as AD/DC for a mixed Windows/Linux office domain for a little over 2
1/2 years now.  I've needed a few tweaks from Roland, but basically it has run flawlessly during
that time.

10 days ago, I upgraded to Slackware 14.2 from 14.1.  Samba was likewise upgraded from version
4.2.14 to 4.4.8.  I'm having a serious problem ...

Before the upgrade, getent gave me:

$ getent passwd mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

which is correct. After the upgrade I get:

$ getent passwd mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

In RSAT > Active Directory Users and Computers > [user] properties > UNIX Attributes, this
user's UID is shown as 10001 and Primary group is "Domain Users" which is 10000. So, correct in
RSAT.

smb.conf is unchanged. 

These UID/GID settings are similar to the defaults from when I installed samba4 back in 2015!
Why did these change? Why are they not reflecting what is shown in RSAT?

This is a production office server and this issue is causing me a lot of headaches with
existing files owned by the user as UID/GID 10001:10000, but now systems are trying to rw these
files as 3000026:100. I'm getting permission denied errors, esp. in IMAP folders.

How can I fix this? Help! Urgent!

THX --Mark

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
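
One way to check which database a getent result agrees with, as an added example that is not part of the original post or of Samba: it compares a getent passwd line against the idmap.ldb record quoted in the message and against a sam.ldb record constructed from the uidNumber/gidNumber the message reports. The function names and the `sAMAccountName: mark` value are assumptions.

```python
# Added example. IDMAP_LDIF is the record quoted in the post; SAM_LDIF is
# constructed from the uidNumber/gidNumber the post reports for user 'mark'.
SAM_LDIF = """\
# constructed record (only the attributes the post mentions)
sAMAccountName: mark
uidNumber: 10001
gidNumber: 10000
"""

IDMAP_LDIF = """\
# record 44
dn: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
objectClass: sidMap
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
type: ID_TYPE_BOTH
xidNumber: 3000026
"""

def parse_ldif(text):
    """Split simple 'attr: value' LDIF into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#") and ": " in line:
            attr, value = line.split(": ", 1)
            current[attr] = value
    return records

def parse_getent(line):
    """Parse one passwd(5) line; drop a leading 'DOMAIN\\' from the name."""
    name, _pw, uid, gid = line.split(":")[:4]
    return {"name": name.split("\\")[-1], "uid": int(uid), "gid": int(gid)}

def classify(getent_line, sam_ldif=SAM_LDIF, idmap_ldif=IDMAP_LDIF):
    """Report whether the UID NSS returned matches sam.ldb or an idmap.ldb mapping."""
    entry = parse_getent(getent_line)
    for rec in parse_ldif(sam_ldif):
        same_user = rec.get("sAMAccountName") == entry["name"]
        if same_user and int(rec.get("uidNumber", -1)) == entry["uid"]:
            return ("sam.ldb uidNumber", None)
    for rec in parse_ldif(idmap_ldif):
        if int(rec.get("xidNumber", -1)) == entry["uid"]:
            return ("idmap.ldb xidNumber", rec.get("objectSid"))
    return ("neither", None)
```

On a live system the two LDIF strings would be replaced by search output from sam.ldb and idmap.ldb; the second element of the result is the SID whose idmap.ldb mapping holds the returned UID.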

