[Samba] getent problems with new Samba version

Mark Foley mfoley at ohprs.org
Thu Jan 26 07:35:43 UTC 2017


On Wed, 25 Jan 2017 20:15:49 -0500 Gaiseric Vandal wrote:

> Would "testparm -v" show you the path of all the files used ?  Are there any idmap settings? 

Gaiseric, thanks for your response. The `testparm -v` gave me:

private dir = /var/lib/samba/private

So, I guess that means the sam.ldb in that directory is the one being used, not the one in
/etc/samba/private.  That helps.  Thanks for that tip.  The newer Samba 4.4.8 must have somehow
been smart enough to find the 4.2.12 sam.ldb in /etc/samba/private and copy it over to the new
location, because there was no /var/lib/samba/private with my 4.2.12, and the contents of both
sam.ldb's are the same, including changes I made.

> It looks like the newer version is using winbind to allocate uid's (based on the high ID
> numbers.) Maybe because it does not see uid's already allocated. 

/var/lib/samba/private/sam.ldb, /etc/samba/private/sam.ldb and RSAT/ADUC all show the "correct"
UID:GIDs for users, for example 10001:10000. 

So, if Samba 4.4.8 "is using winbind to allocate uid's", how can I make it stop that and use
the ids actually configured in sam.ldb? That's the question, basically: why is winbind (or
whatever) arbitrarily generating UID:GIDs instead of using the configured ids? You are likely
right on this too.  As Rowland Penny wrote on 10/11/2015 17:15, "wbinfo goes straight to
winbind, which goes to where you have told it to.  getent goes via nsswitch, ...", and wbinfo
still returns:

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash 

Rowland said, "winbind ... goes to where you have told it to". Where would that be? Apparently
not sam.ldb.

One possible clue here might be that the 30000xx:100 range were the defaults that Samba4
used when I provisioned my domain in 2014. I changed these to facilitate
single-sign-on on other Linux domain members per Rowland Penny's suggestion:

On Sun, 11 Oct 2015 18:01:05 +0100 Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> I would not use 300099, if you have already got users with uidNumbers, I
> would change them and start the numbers from '10000' (yes, you can have
> a user and a group with the same number), but this is what I would do.
> You can, if you so wish, use '3000099' , but there is no reason to do
> so, if the user or a group has a uid/gidNumber, the DC will use these
> numbers instead of the '3000000' numbers.
> :
> I am glad you are changing the uidNumber numbers, if you hadn't, you
> would have needed this in smb.conf on a domain member:
> idmap config DOMAIN: 100-4000000
> Something you definitely didn't really want to have.

He wrote elsewhere how to make that change using ldbedit, which I did, and it all worked
perfectly then.  Now, the current version seems to have reverted to default UID:GID and is
ignoring sam.ldb settings. 

So, any ideas on why and how I can fix it?

> The domain member may be showing correct id's because of caching.  

You may be right on this. To test, I changed the /etc/passwd UID for user mark, then did the
`getent` on the domain member and it still shows the correct UID:GID 10001:10000.

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Mark Foley via samba
> Sent: Wednesday, January 25, 2017 10:00 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent problems with new Samba version
>
> Sorry for the serial posting, but ... anxious ...
>
> I think there must be a bug in Samba 4.4.8, this all worked with 4.2.14.
>
> To summarize (details in attached messages), since upgrading from Samba 4.2.14 to 4.4.8, getent returns the wrong UID:GID. This is causing permission errors in programs like dovecot that try to read/write Maildir files having the correct UID:GID.
>
> With 4.4.8 I now have sam.ldb in /etc/samba/private (same with 4.2.14) and also in /var/lib/samba/private. Details in preceding message. Not sure which is the one being used.
>
> With 4.2.14 on AD/DC (CORRECT):
> $ getent passwd mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
>
> With 4.4.8 on AD/DC:
> $ getent passwd mark
> HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash
>
> With 4.4.5 on domain member labrat (CORRECT):
> $ getent passwd mark
> mark:*:10001:10000::/home/HPRS/mark:/bin/bash
>
> Meanwhile, pending feedback from this list, I've added user 'mark' to /etc/passwd:
>
> mark:x:10001:10000::/home/HPRS/mark:/bin/bash
>
> and now getent on the 4.4.8 AD/DC is back to normal:
>
> $ getent passwd mark
> mark:x:10001:10000::/home/HPRS/mark:/bin/bash
>
> Permissions are now working with email MTA, etc.
>
> While I'm at it, I did find the newly bad UID 3000026 in /etc/samba/private/idmap.ldb.  
> The entry therein:
>
> # record 44
> dn: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
> cn: S-1-5-21-1052267278-1962196458-4119365663-1111
> objectClass: sidMap
> objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
> type: ID_TYPE_BOTH
> xidNumber: 3000026
> distinguishedName: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
>
> Not sure that is meaningful.
>
> Any help on this would be GREATLY appreciated.
>
> --Mark
>
> -----Original Message-----
> Date: Tue, 24 Jan 2017 23:25:35 -0500
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent problems with new Samba version
> From: Mark Foley via samba <samba at lists.samba.org>
>
> More information (possibly too much).
>
> Since "things" are defined in sam.ldb, I compared before and after the Samba 4.2.14 to 4.4.8 update. Here are the sam.ldb related files from the old 4.2.14 version:
>
> -rw------- root/root      4247552 2014-10-20 23:54 etc/samba/private/sam.ldb
> -rw------- root/root      4689920 2017-01-14 11:09 etc/samba/private/sam.ldb.bak
>
> drwx------ root/root            0 2017-01-14 11:09 etc/samba/private/sam.ldb.d/
> -rw------- root/root      4247552 2017-01-14 13:24 etc/samba/private/sam.ldb.d/DC=HPRS,DC=LOCAL.ldb
> -rw------- root/root     14610432 2017-01-14 11:09 etc/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb.bak
> -rw------- root/root     20475904 2014-10-20 23:54 etc/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb
> -rw------- root/root      2371584 2017-01-14 11:09 etc/samba/private/sam.ldb.d/DC=HPRS,DC=LOCAL.ldb.bak
> -rw-r----- root/root         8192 2017-01-14 11:09 etc/samba/private/sam.ldb.d/metadata.tdb.bak
> -rw-r----- root/root       421888 2017-01-14 11:50 etc/samba/private/sam.ldb.d/metadata.tdb
> -rw------- root/root     14307328 2015-08-13 21:03 etc/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb
> -rw------- root/root      8802304 2017-01-14 11:09 etc/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb.bak
>
> and the new 4.4.8 version:
>
> -rw------- 1 root root 4247552 Oct 20  2014 /etc/samba/private/sam.ldb
> -rw------- 1 root root 4689920 Jan 24 00:10 /etc/samba/private/sam.ldb.bak
> -rw------- 1 root root 4247552 Oct 20  2014 /var/lib/samba/private/sam.ldb
> -rw------- 1 root root 4689920 Jan 24 00:11 /var/lib/samba/private/sam.ldb.bak
>
> > ls -l /etc/samba/private/sam.ldb.d
> total 63716
> -rw------- 1 root root 14307328 Aug 13  2015 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root  8802304 Jan 24 00:11 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw------- 1 root root 20475904 Oct 20  2014 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root 14610432 Jan 24 00:11 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw------- 1 root root  4247552 Jan 14 13:24 DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root  2371584 Jan 24 00:10 DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw-r----- 1 root root   421888 Jan 14 11:50 metadata.tdb
> -rw-r----- 1 root root     8192 Jan 16 00:11 metadata.tdb.bak
>
> > ls -l /var/lib/samba/private/sam.ldb.d
> total 63996
> -rw------- 1 root root 14307328 Aug 13  2015 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root  8802304 Jan 24 00:11 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw------- 1 root root 20475904 Oct 20  2014 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root 14610432 Jan 24 00:11 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw------- 1 root root  4247552 Jan 24 22:57 DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root  2658304 Jan 24 00:11 DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw-r----- 1 root root   421888 Jan 24 20:53 metadata.tdb
> -rw-r----- 1 root root     8192 Jan 24 00:11 metadata.tdb.bak
>
> One thing noticeable to me right off is that, while both versions have ldb files in /etc/samba/private, with 4.4.8 there is an additional set in /var/lib/samba/private. Why? Did
> 4.4.8 change the location of these files?
>
> But, it's not like 4.4.8 is using /var/lib/samba/private instead of /etc/samba/private. You will notice that the sam.ldb* are updated in both places with 4.4.8.
>
> I stop Samba just after midnight to do a backup, which is probably why all the .bak timestamps are at 00:1[01]. But why are the actual sam.ldb files still dated October 20, 2014 (when I first installed Samba4)? I know I've made changes since then, such as msSFU30MaxGidNumber and msSFU30MaxGidNumber, and the uidNumber and gidNumber for some users.
>
> Also, when I do `ldbedit -H /etc/samba/private/sam.ldb` (and /var/lib/samba/private/sam.ldb), user 'mark' is correctly set to:
>
> uidNumber: 10001
> gidNumber: 10000
>
> in both cases. So where is UID:GID 3000026:100 coming from when I do getent?
>
> Confused, --Mark
>
> -----Original Message-----
> Date: Tue, 24 Jan 2017 21:35:09 -0500
> To: samba at lists.samba.org
> Subject: [Samba] getent problems with new Samba version
> From: Mark Foley via samba <samba at lists.samba.org>
>
> I have been running Samba4 as AD/DC for a mixed Windows/Linux office domain for a little over 2
> 1/2 years now.  I've needed a few tweaks from Rowland, but basically it has run flawlessly during that time.
>
> 10 days ago, I upgraded to Slackware 14.2 from 14.1.  Samba was likewise upgraded from version
> 4.2.14 to 4.4.8.  I'm having a serious problem ...
>
> before the upgrade getent gave me:
>
> $ getent passwd mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
>
> which is correct. After the upgrade I get:
>
> $ getent passwd mark
> HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash
>
> In RSAT > Active Directory Users and Computers > [user] properties > UNIX Attributes, this user's UID is shown as 10001 and Primary group is "Domain Users" which is 10000. So, correct in RSAT.
>
> smb.conf is unchanged. 
>
> These UID/GID settings are similar to the defaults from when I installed samba4 back in 2015!
> Why did these change? Why are they not reflecting what is shown in RSAT?
>
> This is a production office server and this issue is causing me a lot of headaches with existing files owned by the user as UID/GID 10001:10000, but now systems are trying to rw these files as 3000026:100. I'm getting permission denied errors, esp. in IMAP folders.
>
> How can I fix this? Help! Urgent!
>
> THX --Mark
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

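A consistency check for the situation described in this thread, added here as an example (it is not code from the thread or from Samba): it compares what NSS returns with the uidNumber/gidNumber stored in the directory and flags accounts whose ids fell back into winbind's 3000000+ auto-allocation range, which is exactly what breaks access to files owned by the configured ids. The `getent` lines and the LDIF below are constructed samples (the 'alice' account is made up); on a real DC you would feed it the output of `getent passwd` and of `ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' sAMAccountName uidNumber gidNumber`.

```python
import re

# Constructed sample: `getent passwd` on the upgraded DC (mark, from the thread; alice is made up).
GETENT_OUTPUT = """\
HPRS\\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash
HPRS\\alice:*:10002:10000:Alice Example:/home/HPRS/alice:/bin/bash
"""

# Constructed sample, in the LDIF shape `ldbsearch -H sam.ldb '(uidNumber=*)' ...` prints.
SAM_LDIF = """\
dn: CN=mark,CN=Users,DC=HPRS,DC=LOCAL
sAMAccountName: mark
uidNumber: 10001
gidNumber: 10000

dn: CN=alice,CN=Users,DC=HPRS,DC=LOCAL
sAMAccountName: alice
uidNumber: 10002
gidNumber: 10000
"""

IDMAP_AUTO_BASE = 3000000  # start of winbind's default auto-allocated xidNumber range

def parse_getent(text):
    """Map account name -> (uid, gid), dropping the DOMAIN\\ prefix winbind adds on a DC."""
    ids = {}
    for line in filter(str.strip, text.splitlines()):
        name, _pw, uid, gid, *_rest = line.split(":")
        ids[name.split("\\")[-1]] = (int(uid), int(gid))
    return ids

def parse_ldif(text):
    """Map sAMAccountName -> (uidNumber, gidNumber); skips ldbsearch's "# record N" comments."""
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(ln.partition(": ")[::2] for ln in block.splitlines() if not ln.startswith("#"))
        if "sAMAccountName" in attrs and "uidNumber" in attrs:
            records[attrs["sAMAccountName"]] = (int(attrs["uidNumber"]), int(attrs["gidNumber"]))
    return records

def find_id_drift(getent_text, ldif_text):
    """{user: (nss_ids, directory_ids, in_winbind_auto_range)} for every account whose NSS
    answer disagrees with the directory, i.e. whose files will now fail permission checks."""
    nss, directory = parse_getent(getent_text), parse_ldif(ldif_text)
    drift = {}
    for user, dir_ids in directory.items():
        nss_ids = nss.get(user)
        if nss_ids is not None and nss_ids != dir_ids:
            drift[user] = (nss_ids, dir_ids, nss_ids[0] >= IDMAP_AUTO_BASE)
    return drift
```

Running it against the thread's numbers reports only mark, with the auto-allocation flag set, which is the signal to fix the idmap rather than to chown files to the new ids.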

