[Samba] getent problems with new Samba version

Rowland Penny rpenny at samba.org
Fri Jan 27 09:36:24 UTC 2017


On Fri, 27 Jan 2017 02:20:34 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> More experimentation ...
> 
> I stopped Samba, ldbedit'ed the /var/lib/samba/private/idmap.ldb and
> changed the line
> 
> xidNumber: 3000026
> 
> to 
> 
> xidNumber: 10001
> 
> killed the cache and restarted Samba. As I hoped, the wbinfo now
> showed
> 
> $ wbinfo -i mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> 
> which was NOT the case in my message below after killing the cache.
> In that previous test I had to start winbindd at the command line to
> get the 10001 UID in there.  I supposed it worked when I started
> winbindd at the command line because I used the -n (disable caching)
> switch, thus apparently, it did not use the cached 3000026 UID.
> 
> A bit disconcerting was that the GID in the recent test was still
> 10000 instead of reverting to 100 (which is defined in idmap.ldb).
> Not sure why that didn't revert with no cache. 
> 
> My theory: when slackpkg installed Samba 4.4.8, it did all that
> directory moving as we've already discussed, but also probably DID
> NOT MOVE the /var/lib/samba/winbindd_cache.tdb file (a guess). With
> no cache, winbindd authenticated using idmap.ldb, which in the case
> of user 'mark' returned UID:GID 200026:100. 
> 
> User 'shay' was not in idmap.ldb and with no cache I have to assume
> winbindd got her information from sam.ldb, which was correct.
> 
> Back when I changed all domain users from the 3000xx range to the
> 100xx range in sam.ldb, I probably should have also changed their
> corresponding settings in idmap.ldb based on objectSid, including
> changing the 'domain users' GID from 100 to 10000 -- do you agree?
> 
> Some unanswered questions, perhaps you know the answer to ...
> 
> How did my domain users get in idmap.ldb in the first place? If ADUC
> put them there when I created the account, why did ADUC not put user
> 'shay' in there?
> 
> Given the above, is idmap.ldb necessary? Seems redundant with the
> information in sam.ldb and apparently overrides sam.ldb when settings
> conflict.
> 
> In the meantime, I think my problem might be solved given the results
> of this last experiment to change user 'mark's xidNumber in idmap.ldb.
> 
> What think ye?
> 
> --Mark
> 
> -----Original Message-----
> Date: Fri, 27 Jan 2017 01:18:28 -0500
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent problems with new Samba version
> From: Mark Foley via samba <samba at lists.samba.org>
> 
> Here's an interesting phenomenon. In order to get debug output from
> winbindd, I killed the one started by samba and ran it by hand as
> follows:
> 
> $ /usr/sbin/winbindd -i -n --option='server role check:inhibit=yes'
> --debuglevel=5
> 
> I got the --option parameters from `ps ax`, i.e from the winbindd
> started by Samba.  When I ran this way and then did `wbinfo -i mark`
> guess what?
> 
> $ wbinfo -i mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> 
> I got the right UID:GID.  I then restarted samba and also got the
> correct UID:GID with wbinfo. Likewise with getent.  I then stopped
> samba, killed off the cache:
> 
> $ net cache flush
> $ rm /var/lib/samba/winbindd_cache.tdb
> 
> and restarted samba, and the UID:GID were back to the bad ones:
> 
> $ wbinfo -i mark
> HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash
> 
> Once again, killing the samba-started winbindd and running by hand
> began giving the correct UID:GID, and continued to do so after
> restarting Samba (probably because that UID:GID is now in cache). 
> 
> Do you have any explanation for this? 
> 
> Any idea where to look to make Samba start [whatever] correctly?
> 
> Any idea where it is getting the 3000026:100 info in the first place
> (if I could change it there it might never be wrong)?
> 
> To this latter question, there is a
> file, /var/lib/samba/private/idmap.ldb, that has:
> 
> objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
> xidNumber: 3000026
> 
> and this SID corresponds to the objectSid
> in /var/lib/samba/private/sam.ldb for the 'mark' user. What if I
> changed all the xidNumber's in idmap.ldb to the correct ones for the
> domain users? 
> 
> I'm thinking as I type ...
> 
> The domain user that did continue working correctly after the upgrade
> was:
> 
> $ wbinfo -i shay
> HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
> 
> This user was added within the past year with ADUC. This user exists
> in sam.ldb, but not in idmap.ldb. Why? Is idmap.ldb not really
> necessary? Why are the other users in idmap.ldb? I added them with
> ADUC as well.
> 
> So, back in October 2015 when you advised me to renumber users from
> 30000xx to 100xx in sam.ldb, should I have also changed the
> xidNumber's in idmap.ldb?
> 
> Too many questions for one email?
> 
> --Mark
> 
> -----Original Message-----
> Date: Thu, 26 Jan 2017 18:54:26 -0500
> To: samba at lists.samba.org
> From: Mark Foley via samba <samba at lists.samba.org>
> Subject: Re: [Samba] getent problems with new Samba version
> 
> On Thu, 26 Jan 2017 21:54:49 +0000 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> 
> > On Thu, 26 Jan 2017 16:26:02 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, 26 Jan 2017 19:36:33 +0000 Rowland Penny wrote:
> > > > > > Have you tried checking in AD with ldbsearch or ldbedit for
> > > > > > the actual records ?
> > > > > 
> > > > > Yes, I've done `ldbedit -H /var/lib/samba/private/sam.ldb`
> > > > > (and ldbsearch) and among other settings for user 'mark' I
> > > > > have:
> > > > > 
> > > > > uidNumber: 10001
> > > > > gidNumber: 10000
> > > >
> > > > Does 'Domain Users' have a gidNumber ?
> > > 
> > > Yes, here is the entire section on that from ldbsearch. You can
> > > see the gidNumber is 10000:
> > > 
> [deleted]
> > > 
> > > The question remains, why is winbind not getting this info from
> > > sam.ldb? Everything appears to be in the right place.
> > > 
> > > Can I turn on some debugging for winbind? Where is it started?
> > > 
> > > --Mark
> > > 
> >
> > add 'log level 3 winbind:10' to smb.conf
> >
> 
> That doesn't seem to help. in smb.conf I've put
> 
> log level = 3 winbind:10
> 
> All I see winbind related in the log.samba file is:
> 
>   AUTH backend 'winbind' registered
>   AUTH backend 'winbind_wbclient' registered
>   AUTH backend 'winbind' registered
>   AUTH backend 'winbind_wbclient' registered
>   AUTH backend 'winbind' registered
>   AUTH backend 'winbind_wbclient' registered
> 
> When I try `wbinfo -i mark`, nothing new appears in the log.
> 
> --Mark
> 
> 

Can you post the script that Slackware is using to start Samba, and can
you also check whether you have more than one 'samba' binary?

I have downloaded the Slackware 14.2 DVD and I cannot find the
'doinst.sh' script, but mind you, I cannot find samba either. I think
you must have upgraded Samba via the Slackware package manager.

Rowland
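The comparison Mark is doing by hand above (ldbedit on idmap.ldb and on sam.ldb, matching records by objectSid), as an added example that is not part of this thread and not code from the Samba project: a Python script that reads the LDIF that ldbsearch prints for the two databases and lists every SID whose xidNumber in idmap.ldb differs from the uidNumber/gidNumber stored in AD, plus the SIDs that carry a POSIX ID in AD but have no idmap.ldb record at all (the situation reported for user 'shay'). It only reports; it never writes to either database. The two ldbsearch invocations in the docstring are assumed, the sample LDIF is constructed (the DNs, the RID 1120 for 'shay', the Domain Users record), and only the domain SID, the RID 1111 of user 'mark', and the values 10001 / 10000 / 3000026 / 100 are taken from the thread. The binary-SID decoder is included because ldbsearch prints objectSid as base64 (`objectSid::`) when no Samba schema module renders it as a string.

```python
"""
Cross-check POSIX IDs stored in AD (sam.ldb uidNumber/gidNumber) against the
xidNumber mappings in idmap.ldb on a Samba AD DC.  Added example, not Samba code.

Assumed invocations producing the input (stop samba or run read-only on a copy):
  ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' \
      objectSid uidNumber gidNumber
  ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
      objectSid xidNumber type
"""
import base64
import struct


def bytes_to_sid(blob):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    rev, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid):
    """Inverse of bytes_to_sid; used here only to build the constructed sample."""
    parts = sid.split("-")
    rev, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([rev, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_ldif(text):
    """Minimal LDIF reader: folds continuation lines, decodes 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def sid_of(entry):
    value = entry.get("objectSid", [None])[0]
    return bytes_to_sid(value) if isinstance(value, bytes) else value


def find_conflicts(sam_ldif, idmap_ldif):
    """Return (conflicts, unmapped):
    conflicts: [(sid, attr, value_in_AD, xidNumber_in_idmap)] where the two stores disagree
    unmapped:  SIDs with uidNumber/gidNumber in AD but no idmap.ldb record."""
    idmap = {}
    for e in parse_ldif(idmap_ldif):
        sid = sid_of(e)
        if sid and "xidNumber" in e:
            idmap[sid] = int(e["xidNumber"][0])
    conflicts, unmapped = [], []
    for e in parse_ldif(sam_ldif):
        sid = sid_of(e)
        # a user's own mapping is its uidNumber; gidNumber on a user is its primary group
        attr = "uidNumber" if "uidNumber" in e else "gidNumber" if "gidNumber" in e else None
        if not sid or attr is None:
            continue
        want = int(e[attr][0])
        if sid not in idmap:
            unmapped.append(sid)
        elif idmap[sid] != want:
            conflicts.append((sid, attr, want, idmap[sid]))
    return conflicts, unmapped


# Constructed sample input.  Domain SID and RID 1111 (user 'mark') are from the thread;
# the DNs, RID 1120 and the Domain Users (RID 513) values are made up for the example.
DOMAIN = "S-1-5-21-1052267278-1962196458-4119365663"

SAM_LDIF = f"""\
dn: CN=Mark Foley,CN=Users,DC=example,DC=com
objectSid: {DOMAIN}-1111
uidNumber: 10001
gidNumber: 10000

dn: CN=Susan Hay,CN=Users,DC=example,DC=com
objectSid: {DOMAIN}-1120
uidNumber: 10010
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: {DOMAIN}-513
gidNumber: 10000
"""

IDMAP_LDIF = f"""\
dn: CN={DOMAIN}-1111
objectClass: sidMap
objectSid: {DOMAIN}-1111
type: ID_TYPE_BOTH
xidNumber: 3000026

dn: CN={DOMAIN}-513
objectClass: sidMap
objectSid:: {base64.b64encode(sid_to_bytes(DOMAIN + "-513")).decode()}
type: ID_TYPE_BOTH
xidNumber: 100
"""

if __name__ == "__main__":
    conflicts, unmapped = find_conflicts(SAM_LDIF, IDMAP_LDIF)
    for sid, attr, want, have in conflicts:
        print(f"MISMATCH {sid}: AD {attr}={want} but idmap.ldb xidNumber={have}")
    for sid in unmapped:
        print(f"no idmap.ldb record for {sid}")
```

Run it against real output by replacing the two constructed strings with the files produced by the ldbsearch commands; keep a copy of idmap.ldb before any ldbedit pass, and re-run the check after `net cache flush` so that what wbinfo returns can be compared with what the databases actually hold.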
