[Samba] getent problems with new Samba version

Mark Foley mfoley at ohprs.org
Fri Jan 27 07:20:34 UTC 2017


More experimentation ...

I stopped Samba, ldbedit'ed the /var/lib/samba/private/idmap.ldb and changed the line

xidNumber: 3000026

to 

xidNumber: 10001

killed the cache and restarted Samba. As I hoped, the wbinfo now showed

$ wbinfo -i mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

which was NOT the case in my message below after killing the cache.  In that previous test I
had to start winbindd at the command line to get the 10001 UID in there.  I supposed it worked when I
started winbindd at the command line because I used the -n (disable caching) switch, thus
apparently, it did not use the cached 3000026 UID.

A bit disconcerting was that the GID in the recent test was still 10000 instead of reverting to
100 (which is defined in idmap.ldb).  Not sure why that didn't revert with no cache. 

My theory: when slackpkg installed Samba 4.4.8, it did all that directory moving as we've
already discussed, but also probably DID NOT MOVE the /var/lib/samba/winbindd_cache.tdb file (a
guess). With no cache, winbindd authenticated using idmap.ldb, which in the case of user 'mark'
returned UID:GID 200026:100. 

User 'shay' was not in idmap.ldb and with no cache I have to assume winbindd got her
information from sam.ldb, which was correct.

Back when I changed all domain users from the 3000xx range to the 100xx range in sam.ldb, I
probably should have also changed their corresponding settings in idmap.ldb based on objectSid,
including changing the 'domain users' GID from 100 to 10000 -- do you agree?

Some unanswered questions, perhaps you know the answer to ...

How did my domain users get in idmap.ldb in the first place? If ADUC put them there when I
created the account, why did ADUC not put user 'shay' in there?

Given the above, is idmap.ldb necessary? Seems redundant with the information in sam.ldb and
apparently overrides sam.ldb when settings conflict.

In the meantime, I think my problem might be solved given the results of this last experiment
to change user 'mark's xidNumber in idmap.ldb.

What think ye?

--Mark
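
[Editor's note, not part of the thread.] The check Mark is reasoning about above, namely whether every
domain user's xidNumber in idmap.ldb agrees with the uidNumber/gidNumber that was set in sam.ldb, can be
scripted rather than done one ldbedit at a time. The following is an added example, not code from the
poster or from the Samba project: it parses two ldbsearch dumps, reports every account whose idmap.ldb
entry disagrees with sam.ldb (users against uidNumber, groups against gidNumber, missing entries
reported as None), and writes an LDIF that ldbmodify can apply. The embedded LDIF is constructed sample
data modelled on the numbers in this thread; the ldbsearch invocations in the comments and the
idmap.ldb DN form CN=<SID> are assumptions to confirm against your own dump before applying anything.

```python
# Added example (not Samba project code): cross-check idmap.ldb xidNumber
# against sam.ldb uidNumber/gidNumber and emit an LDIF to fix idmap.ldb.
# Assumed dump commands (stop samba and back up idmap.ldb first):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectSid uidNumber gidNumber
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber
import base64
import re

# Constructed sample output modelled on the thread (SIDs/names are made up).
SAM_LDIF = """\
# record 1
dn: CN=Mark Foley,CN=Users,DC=hprs,DC=local
sAMAccountName: mark
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
uidNumber: 10001
gidNumber: 10000

dn: CN=Susan Hay,CN=Users,DC=hprs,DC=local
sAMAccountName: shay
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1120
uidNumber: 10010
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=hprs,DC=local
sAMAccountName: Domain Users
objectSid: S-1-5-21-1052267278-1962196458-4119365663-513
gidNumber: 10000

# returned 3 records
"""

IDMAP_LDIF = """\
dn: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
xidNumber: 3000026
type: ID_TYPE_BOTH

dn: CN=S-1-5-21-1052267278-1962196458-4119365663-513
objectSid: S-1-5-21-1052267278-1962196458-4119365663-513
xidNumber: 100
"""

def parse_ldif(text):
    """ldbsearch output -> list of {attr: first value}; skips '#' comments,
    joins continuation lines, decodes base64 'attr:: value' lines."""
    records, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
            current = {}
            continue
        if ":: " in line:
            attr, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8", "replace")
        elif ": " in line:
            attr, value = line.split(": ", 1)
        else:
            continue
        current.setdefault(attr, value)
    return records

def find_mismatches(sam_ldif, idmap_ldif):
    """(name, sid, xid_in_idmap, expected) for every sam.ldb account whose
    idmap.ldb xidNumber differs from its RFC2307 number. Users are checked
    against uidNumber, groups (no uidNumber) against gidNumber. Accounts
    with no idmap.ldb record at all are reported with xid None."""
    by_sid = {r["objectSid"]: r for r in parse_ldif(idmap_ldif) if "objectSid" in r}
    out = []
    for rec in parse_ldif(sam_ldif):
        sid = rec.get("objectSid")
        expected = rec.get("uidNumber") or rec.get("gidNumber")
        if not sid or expected is None:
            continue
        xid = by_sid.get(sid, {}).get("xidNumber")
        if xid != expected:
            out.append((rec.get("sAMAccountName", sid), sid, xid, expected))
    return out

def fix_ldif(mismatches):
    """LDIF for 'ldbmodify -H /var/lib/samba/private/idmap.ldb' replacing
    xidNumber on existing idmap.ldb entries; accounts with no entry are
    skipped, not invented. Assumption: idmap.ldb DNs are 'CN=<SID>'."""
    chunks = []
    for name, sid, xid, expected in mismatches:
        if xid is None:
            continue
        chunks.append(f"# {name}: xidNumber {xid} -> {expected}\n"
                      f"dn: CN={sid}\nchangetype: modify\n"
                      f"replace: xidNumber\nxidNumber: {expected}\n")
    return "\n".join(chunks)

if __name__ == "__main__":
    found = find_mismatches(SAM_LDIF, IDMAP_LDIF)
    for name, sid, xid, expected in found:
        print(f"{name:14} {sid}  idmap.ldb={xid}  sam.ldb={expected}")
    print(fix_ldif(found))
```

On the sample data this reports mark (3000026 vs 10001), shay (no idmap.ldb entry vs 10010) and Domain Users
(100 vs 10000), and the LDIF it writes touches only the two entries that exist. Apply it with samba stopped
(`ldbmodify -H /var/lib/samba/private/idmap.ldb fix.ldif`), then do the same cache reset the thread already
uses (`net cache flush`, remove winbindd_cache.tdb, start samba) and re-check with `wbinfo -i`; a stale
winbindd_cache.tdb will otherwise keep handing out the old numbers. Whether winbind on a DC consults
sam.ldb's uidNumber/gidNumber at all is governed by `idmap_ldb:use rfc2307 = yes` in smb.conf, so that is
worth confirming alongside the data fix.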

-----Original Message-----
Date: Fri, 27 Jan 2017 01:18:28 -0500
To: samba at lists.samba.org
Subject: Re: [Samba] getent problems with new Samba version
From: Mark Foley via samba <samba at lists.samba.org>

Here's an interesting phenomenon. In order to get debug output from winbindd, I killed the one
started by samba and ran it by hand as follows:

$ /usr/sbin/winbindd -i -n --option='server role check:inhibit=yes' --debuglevel=5

I got the --option parameters from `ps ax`, i.e from the winbindd started by Samba.  When I ran
this way and then did `wbinfo -i mark` guess what?

$ wbinfo -i mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

I got the right UID:GID.  I then restarted samba and also got the correct UID:GID with wbinfo.
Likewise with getent.  I then stopped samba, killed off the cache:

$ net cache flush
$ rm /var/lib/samba/winbindd_cache.tdb

and restarted samba, and the UID:GID were back to the bad ones:

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

Once again, killing the samba-started winbindd and running by hand began giving the correct
UID:GID, and continued to do so after restarting Samba (probably because that UID:GID is now in
cache). 

Do you have any explanation for this? 

Any idea where to look to make Samba start [whatever] correctly?

Any idea where it is getting the 3000026:100 info in the first place (if I could change it
there it might never be wrong)?

To this latter question, there is a file, /var/lib/samba/private/idmap.ldb, that has:

objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
xidNumber: 3000026

and this SID corresponds to the objectSid in /var/lib/samba/private/sam.ldb for the 'mark'
user. What if I changed all the xidNumber's in idmap.ldb to the correct ones for the domain
users? 

I'm thinking as I type ...

The domain user that did continue working correctly after the upgrade was:

$ wbinfo -i shay
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash

This user was added within the past year with ADUC. This user exists in sam.ldb, but not in
idmap.ldb. Why? Is idmap.ldb not really necessary? Why are the other users in idmap.ldb? I
added them with ADUC as well.

So, back in October 2015 when you advised me to renumber users from 30000xx to 100xx in
sam.ldb, should I have also changed the xidNumber's in idmap.ldb?

Too many questions for one email?

--Mark

-----Original Message-----
Date: Thu, 26 Jan 2017 18:54:26 -0500
To: samba at lists.samba.org
From: Mark Foley via samba <samba at lists.samba.org>
Subject: Re: [Samba] getent problems with new Samba version

On Thu, 26 Jan 2017 21:54:49 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 26 Jan 2017 16:26:02 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 26 Jan 2017 19:36:33 +0000 Rowland Penny wrote:
> > > > > Have you tried checking in AD with ldbsearch or ldbedit for the
> > > > > actual records ?
> > > > 
> > > > Yes, I've done `ldbedit -H /var/lib/samba/private/sam.ldb` (and
> > > > ldbsearch) and among other settings for user 'mark' I have:
> > > > 
> > > > uidNumber: 10001
> > > > gidNumber: 10000
> > >
> > > Does 'Domain Users' have a gidNumber ?
> > 
> > Yes, here is the entire section on that from ldbsearch. You can see
> > the gidNumber is 10000:
> > 
[deleted]
> > 
> > The question remains, why is winbind not getting this info from
> > sam.ldb? Everything appears to be in the right place.
> > 
> > Can I turn on some debugging for winbind? Where is it started?
> > 
> > --Mark
> > 
>
> add 'log level 3 winbind:10' to smb.conf
>

That doesn't seem to help. In smb.conf I've put

log level = 3 winbind:10

All I see winbind related in the log.samba file is:

  AUTH backend 'winbind' registered
  AUTH backend 'winbind_wbclient' registered
  AUTH backend 'winbind' registered
  AUTH backend 'winbind_wbclient' registered
  AUTH backend 'winbind' registered
  AUTH backend 'winbind_wbclient' registered

When I try `wbinfo -i mark`, nothing new appears in the log.

--Mark


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

