[Samba] getent problems with new Samba version

[Mark Foley]

Here's an interesting phenomenon. In order to get debug output from winbindd, I killed the one
started by samba and ran it by hand as follows:

$ /usr/sbin/winbindd -i -n --option='server role check:inhibit=yes' --debuglevel=5

I got the --option parameters from `ps ax`, i.e from the winbindd started by Samba.  When I ran
this way and then did `wbinfo -i mark` guess what?

$ wbinfo -i mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

I got the right UID:GID.  I then restarted samba and also got the correct UID:GID with wbinfo.
Likewise with getent.  I then stopped samba, killed off the cache:

$ net cache flush
$ rm /var/lib/samba/winbindd_cache.tdb

and restarted samba, and the UID:GID were back to the bad ones:

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

Once again, killing the samba-started winbindd and running by hand began giving the correct
UID:GID, and continued to do so after restarting Samba (probably because that UID:GID is now in
cache). 

Do you have any explanation for this? 

Any idea where to look to make Samba start [whatever] correctly?

Any idea where it is getting the 3000026:100 info in the first place (if I could change it
there it might never be wrong)?

To this latter question, there is a file, /var/lib/samba/private/idmap.ldb, that has:

objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
xidNumber: 3000026

and this SID corresponds to the objectSid in /var/lib/samba/private/sam.ldb for the 'mark'
user. What if I changed all the xidNumber's in idmap.ldb to the correct ones for the domain
users? 

I'm thinking as I type ...

The domain user that did continue working correctly after the upgrade was:

$ wbinfo -i shay
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash

This user was added within the past year with ADUC. This user exists in sam.ldb, but not in
idmap.ldb. why? Is idmap.ldb not really necessary? Why are the other users in ldmap.ldb? I
added them with ADUC as well.

So, back in October 2015 when you advised me to renumber users from 30000xx to 100xx in
sam.ldb, should I have also changed the xidNumber's in idmap.ldb?

Too many questions for on email?

--Mark

-----Original Message-----
Date: Thu, 26 Jan 2017 18:54:26 -0500
To: samba at lists.samba.org
From: Mark Foley via samba <samba at lists.samba.org>
Subject: Re: [Samba] getent problems with new Samba version

On Thu, 26 Jan 2017 21:54:49 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 26 Jan 2017 16:26:02 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 26 Jan 2017 19:36:33 +0000 Rowland Penny wrote:
> > > > > Have you tried checking in AD with ldbsearch or ldbedit for the
> > > > > actual records ?
> > > > 
> > > > Yes, I've done `ldbedit -H /var/lib/samba/private/sam.ldb` (and
> > > > ldbsearch) and among other settings for user 'mark' I have:
> > > > 
> > > > uidNumber: 10001
> > > > gidNumber: 10000
> > >
> > > Does 'Domain Users' have a gidNumber ?
> > 
> > Yes, here is the entire section on that from ldbsearch. You can see
> > the gidNumber is 10000:
> > 
[deleted]
> > 
> > The question remains, why is winbind not getting this info from
> > sam.ldb? Everything appears to be in the right place.
> > 
> > Can I turn on some debugging for winbind? Where is it started?
> > 
> > --Mark
> > 
>
> add 'log level 3 winbind:10' to smb.conf
>

That doesn't seem to help. in smb.conf I've put

log level = 3 winbind:10

All I see winbind related in the log.samba file is:

  AUTH backend 'winbind' registered
  AUTH backend 'winbind_wbclient' registered
  AUTH backend 'winbind' registered
  AUTH backend 'winbind_wbclient' registered
  AUTH backend 'winbind' registered
  AUTH backend 'winbind_wbclient' registered

When I try `wbinfo -1 mark`, nothing new appears in the log

--Mark


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba