[Samba] getent problems with new Samba version

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Jan 26 01:15:49 UTC 2017


Would "testparm -v" show you the path of all the files used? Are there any idmap settings?

It looks like the newer version is using winbind to allocate uid's (based on the high ID numbers). Maybe because it does not see uid's already allocated.

The domain member may be showing correct id's because of caching.  

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Mark Foley via samba
Sent: Wednesday, January 25, 2017 10:00 AM
To: samba at lists.samba.org
Subject: Re: [Samba] getent problems with new Samba version

Sorry for the serial posting, but ... anxious ...

I think there must be a bug in Samba 4.4.8, this all worked with 4.2.14.

To summarize (details in attached messages), since upgrading from Samba 4.2.14 to 4.4.8, getent returns the wrong UID:GID. This is causing permission errors in programs like dovecot that try to read/write to Maildir files having the correct UID:GID.

With 4.4.8 I now have sam.ldb in /etc/samba/private (same with 4.2.14) and also in /var/lib/samba/private. Details in preceding message. Not sure which is the one being used.

With 4.2.14 on AD/DC (CORRECT):
$ getent passwd mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

With 4.4.8 on AD/DC:
$ getent passwd mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

With 4.4.5 on domain member labrat (CORRECT):
$ getent passwd mark
mark:*:10001:10000::/home/HPRS/mark:/bin/bash

Meanwhile, pending feedback from this list, I've added user 'mark' to /etc/passwd:

mark:x:10001:10000::/home/HPRS/mark:/bin/bash

and now getent on the 4.4.8 AD/DC is back to normal:

$ getent passwd mark
mark:x:10001:10000::/home/HPRS/mark:/bin/bash

Permissions are now working with email MTA, etc.

While I'm at it, I did find the newly bad UID 3000026 in /etc/samba/private/idmap.ldb.  
The entry therein:

# record 44
dn: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
cn: S-1-5-21-1052267278-1962196458-4119365663-1111
objectClass: sidMap
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
type: ID_TYPE_BOTH
xidNumber: 3000026
distinguishedName: CN=S-1-5-21-1052267278-1962196458-4119365663-1111

Not sure that is meaningful.

Any help on this would be GREATLY appreciated.

--Mark

-----Original Message-----
Date: Tue, 24 Jan 2017 23:25:35 -0500
To: samba at lists.samba.org
Subject: Re: [Samba] getent problems with new Samba version
From: Mark Foley via samba <samba at lists.samba.org>

More information (possibly too much).

Since "things" are defined in sam.ldb, I compared before and after the Samba 4.2.14 to 4.4.8 update. Here are the sam.ldb related files from the old 4.2.14 version:

-rw------- root/root      4247552 2014-10-20 23:54 etc/samba/private/sam.ldb
-rw------- root/root      4689920 2017-01-14 11:09 etc/samba/private/sam.ldb.bak

drwx------ root/root            0 2017-01-14 11:09 etc/samba/private/sam.ldb.d/
-rw------- root/root      4247552 2017-01-14 13:24 etc/samba/private/sam.ldb.d/DC=HPRS,DC=LOCAL.ldb
-rw------- root/root     14610432 2017-01-14 11:09 etc/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb.bak
-rw------- root/root     20475904 2014-10-20 23:54 etc/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb
-rw------- root/root      2371584 2017-01-14 11:09 etc/samba/private/sam.ldb.d/DC=HPRS,DC=LOCAL.ldb.bak
-rw-r----- root/root         8192 2017-01-14 11:09 etc/samba/private/sam.ldb.d/metadata.tdb.bak
-rw-r----- root/root       421888 2017-01-14 11:50 etc/samba/private/sam.ldb.d/metadata.tdb
-rw------- root/root     14307328 2015-08-13 21:03 etc/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb
-rw------- root/root      8802304 2017-01-14 11:09 etc/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb.bak

and the new 4.4.8 version:

-rw------- 1 root root 4247552 Oct 20  2014 /etc/samba/private/sam.ldb
-rw------- 1 root root 4689920 Jan 24 00:10 /etc/samba/private/sam.ldb.bak
-rw------- 1 root root 4247552 Oct 20  2014 /var/lib/samba/private/sam.ldb
-rw------- 1 root root 4689920 Jan 24 00:11 /var/lib/samba/private/sam.ldb.bak

> ls -l /etc/samba/private/sam.ldb.d
total 63716
-rw------- 1 root root 14307328 Aug 13  2015 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root  8802304 Jan 24 00:11 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
-rw------- 1 root root 20475904 Oct 20  2014 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root 14610432 Jan 24 00:11 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
-rw------- 1 root root  4247552 Jan 14 13:24 DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root  2371584 Jan 24 00:10 DC\=HPRS,DC\=LOCAL.ldb.bak
-rw-r----- 1 root root   421888 Jan 14 11:50 metadata.tdb
-rw-r----- 1 root root     8192 Jan 16 00:11 metadata.tdb.bak

> ls -l /var/lib/samba/private/sam.ldb.d
total 63996
-rw------- 1 root root 14307328 Aug 13  2015 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root  8802304 Jan 24 00:11 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
-rw------- 1 root root 20475904 Oct 20  2014 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root 14610432 Jan 24 00:11 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
-rw------- 1 root root  4247552 Jan 24 22:57 DC\=HPRS,DC\=LOCAL.ldb
-rw------- 1 root root  2658304 Jan 24 00:11 DC\=HPRS,DC\=LOCAL.ldb.bak
-rw-r----- 1 root root   421888 Jan 24 20:53 metadata.tdb
-rw-r----- 1 root root     8192 Jan 24 00:11 metadata.tdb.bak

One thing noticeable to me right off is that, while both versions have ldb files in /etc/samba/private, with 4.4.8 there is an additional set in /var/lib/samba/private. Why? Did 4.4.8 change the location of these files?

But, it's not like 4.4.8 is using /var/lib/samba/private instead of /etc/samba/private. You will notice that the sam.ldb* are updated in both places with 4.4.8.

I stop Samba just after midnight to do a backup, which is probably why all the .bak timestamps are at 00:1[01]. But why are the actual sam.ldb files still dated for October 20, 2014 (when I first installed Samba4)? I know I've made changes since then, such as msSFU30MaxGidNumber and msSFU30MaxGidNumber, and the uidNumber and gidNumber for some users.

Also, when I do `ldbedit -H /etc/samba/private/sam.ldb` (and /var/lib/samba/private/sam.ldb), user 'mark' is correctly set to:

uidNumber: 10001
gidNumber: 10000

in both cases. So where is UID:GID 3000026:100 coming from when I do getent?

Confused, --Mark

-----Original Message-----
Date: Tue, 24 Jan 2017 21:35:09 -0500
To: samba at lists.samba.org
Subject: [Samba] getent problems with new Samba version
From: Mark Foley via samba <samba at lists.samba.org>

I have been running Samba4 as AD/DC for a mixed Windows/Linux office domain for a little over 2 1/2 years now. I've needed a few tweaks from Roland, but basically it has run flawlessly during that time.

10 days ago, I upgraded to Slackware 14.2 from 14.1. Samba was likewise upgraded from version 4.2.14 to 4.4.8. I'm having a serious problem ...

Before the upgrade getent gave me:

$ getent passwd mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

which is correct. After the upgrade I get:

$ getent passwd mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

In RSAT > Active Directory Users and Computers > [user] properties > UNIX Attributes, this user's UID is shown as 10001 and Primary group is "Domain Users" which is 10000. So, correct in RSAT.

smb.conf is unchanged. 

These UID/GID settings are similar to the defaults from when I installed samba4 back in 2015!
Why did these change? Why are they not reflecting what is shown in RSAT?

This is a production office server and this issue is causing me a lot of headaches with existing files owned by the user as UID/GID 10001:10000, but now systems are trying to rw these files as 3000026:100. I'm getting permission denied errors, esp. in IMAP folders.

How can I fix this? Help! Urgent!

THX --Mark

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
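
Added example (not part of the original thread, and not Samba code): a small Python check that compares the UID:GID getent returns with the uidNumber/gidNumber expected from the directory, and reports whether an unexpected UID matches an xidNumber record in idmap.ldb. The sample inputs are constructed from the values quoted in the messages above; the function and variable names are hypothetical.

```python
# Constructed sample data, taken from the values quoted in this thread.
IDMAP_LDIF = """\
# record 44
dn: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
type: ID_TYPE_BOTH
xidNumber: 3000026
"""
EXPECTED = {"mark": (10001, 10000)}  # uidNumber, gidNumber seen in sam.ldb
GETENT_BEFORE = [r"HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false"]
GETENT_AFTER = [r"HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash"]


def parse_idmap(ldif):
    """Map each xidNumber in an LDIF dump of idmap.ldb to its SID."""
    xids = {}
    for record in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "xidNumber" in attrs and "objectSid" in attrs:
            xids[int(attrs["xidNumber"])] = attrs["objectSid"]
    return xids


def check_passwd(lines, expected, xids):
    """Return one finding per account whose NSS UID:GID differs from expected."""
    findings = []
    for line in lines:
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd-format line
        user = fields[0].split("\\")[-1]  # strip the DOMAIN\ prefix
        got = (int(fields[2]), int(fields[3]))
        want = expected.get(user)
        if want is not None and got != want:
            findings.append({"user": user, "got": got, "want": want,
                             "idmap_sid": xids.get(got[0])})
    return findings


if __name__ == "__main__":
    xids = parse_idmap(IDMAP_LDIF)
    for f in check_passwd(GETENT_BEFORE + GETENT_AFTER, EXPECTED, xids):
        source = f["idmap_sid"] or "no idmap.ldb record"
        print(f"{f['user']}: got {f['got']}, expected {f['want']} ({source})")
```

A finding with a SID attached means the UID that NSS returned came from an idmap.ldb record rather than from the account's uidNumber attribute, which is the mismatch described in this thread.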
