[Samba] Resolving inconsistency on DC with AD backend. GID 100 and 10000

L.P.H. van Belle belle at bazuin.nl
Tue Sep 26 13:57:03 UTC 2017


Small update. 

And changed the subject, it was: [Samba] Domain member server: user access.

My last test was done with 4.6.7.
Now upgraded a DC to 4.6.8 (and the last result in 4.6.7 was 10000).

root at rtd-dc1:~# wbinfo -G 100
S-1-5-21-2934682428-2610421433-476865461-513

root at rtd-dc1:~# wbinfo -G 10000
S-1-5-21-2934682428-2610421433-476865461-513

root at rtd-dc1:~# wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

net cache flush
NTDOM\domain users:x:10000

Repeat the above step.
wbinfo -G 100
S-1-5-21-2934682428-2610421433-476865461-513
wbinfo -G 10000
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

And wrong again..

net cache flush
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000

Let's repeat it again.
Well, you can repeat this endlessly..

Now what I found here is this.
If you run:
1) wbinfo -G 100
Results in

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

2) wbinfo -G 10000
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

After 1 and 2 you must use net cache flush. 

3) If you don't run: wbinfo -G 100
(and start with net cache flush)
The wbinfo -G 10000 and wbinfo --group-info="Domain Users" stay the same and correct.

If you run once: wbinfo -G 100
It's incorrect again and you need net cache flush again.

So 4.6.7 and 4.6.8 show the same results and it is reproducible.

If this is not by design, then it's a bug and we should report it.
Thoughts? 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Tuesday 26 September 2017 15:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
> 
> Hai, 
> > 
> 
> > I think you are misunderstanding what I wrote ;-)
> That's possible yes.. Lucky you're better at explaining than me
> in English. ;-)
> 
> > 
> > If you open 'idmap.ldb' and search for 513 (Domain Users RID), you
> > will find:
> > 
> > dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
> > cn: S-1-5-21-1768301897-3342589593-1064908849-513
> > objectClass: sidMap
> > objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
> > type: ID_TYPE_GID
> > xidNumber: 100
> > distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
> >  
> > As you can see 'Domain Users' is mapped to the Unix group '100' and if
> > you look in /etc/group and search for '100', you will find this:
> > 
> > users:x:100:
> > 
> > This means that the Windows group is mapped to the Unix group 'users'
> > on a DC, up until you give Domain Users a gidNumber, then the ID will
> > change to the one you placed in the gidNumber attribute in Domain
> > Users.
> 
> Aahhh.. Ok, it changes after you set the gid.. That's a good one
> to remember.
> 
> > 
> > > Ok, I did read somewhere that
> > > Samba uses S-1-22-1 for users and S-1-22-2 for groups.
> > 
> > Any idea where ?
> Yes,
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
> (Unmapped users are now assigned a SID in the S-1-22-1 domain
> and unmapped groups are assigned a SID in the S-1-22-2 domain)
> https://www.samba.org/samba/history/samba-3.0.23c.html
> 
> This was the one that led me to the 2 links above.
> https://stackoverflow.com/questions/31109871/mapping-sambas-s-1-22-12-sid-into-names
> 
> > 
> > > 
> > > wbinfo -G 100
> > > S-1-5-21-3821322978-3959480180-962995944-513
> > > 
> > > wbinfo -G 10000
> > > S-1-22-2-10000
> > > 
> > > S-1-22-2-10000 is the unix group with uid 10000 (which is also in my
> > > case "Domain Users"). But how this maps again in samba,
> > > that I really don't know.
> > > 
> > > Arg, all very confusing..
> > 
> > Even more confusion:
> > 
> > On my DC:
> > 
> > wbinfo -G 100
> > S-1-5-21-1768301897-3342589593-1064908849-513
> > 
> > wbinfo -G 10000
> > S-1-5-21-1768301897-3342589593-1064908849-513
> > 
> > I have also compiled 4.7.0 and set it up as a test and I cannot see
> > any difference between the way 4.6.7 and 4.7.0 work on a DC, i.e.
> > '100' becomes '10000' after I run 'net cache flush'
> > 
> > Rowland
> > 
> 
> And... To make it even more confusing..
> 
> Now.. I have the same results again.
> So,.. Domain users is mapped to GID 100, if you set the GID
> yourself (my setup backend AD), and it uses the default 10000
> from the start of my setup. (about 2-3 years ago)
> 
> wbinfo -G 100
> S-1-5-21-2934682428-2610421433-476865461-513
> 
> wbinfo -G 10000
> S-1-5-21-2934682428-2610421433-476865461-513
> 
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
> 
> So why am I seeing 100 here and not 10000.
> I know for 100% sure this was 10000.
> So I did run: net cache flush again.
> 
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
> 
> And it's back to normal again. Wowhoo.
> 
> Maybe it's wise to always run: net cache flush after a samba
> upgrade. Thoughts?
> 
> ... Ok, now I ssh just to my DC2.
> To make it even stranger, on exactly the same server as DC1.
> 
> And the commands run. (exactly)
> 
> ssh dc2
> 
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000  
> 
> So looks good... (you think)
> 
> wbinfo -G 100  Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
> 
> wbinfo -G 10000  Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
> 
> Now the wbinfo again ....  
> 
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
> 
> And HUH... 100 ?? But it was 10000.
> Now, if this isn't a bug I don't know.
> 
> And now : 
> net cache flush
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000  
> 
> And it's back to normal, but I'm questioning... For how long....
> 
> So IMHO, very inconsistent results.
> 
> So any more thoughts about this? 
> 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> 
> 
> 
> 
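One way to check the mapping the thread is arguing about offline, as an added example that is not code from the thread or from Samba: it parses an idmap.ldb record (in the form Rowland quoted) together with /etc/group, and reports whether the xidNumber stored for the Domain Users SID matches the gidNumber you expect. The sample LDIF, group file and SID are constructed from values quoted in the thread; `IDMAP_LDIF`, `ETC_GROUP`, `DOMAIN_USERS_SID` and the three functions are names chosen here.

```python
# Added example, not code from the thread or from Samba. Sample data below is
# constructed from the values quoted in the thread.

# Constructed sample: the idmap.ldb record for RID 513 (Domain Users).
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
"""

# Constructed sample /etc/group content (the 'users' group has GID 100).
ETC_GROUP = "root:x:0:\nusers:x:100:\nsambashare:x:124:\n"

DOMAIN_USERS_SID = "S-1-5-21-1768301897-3342589593-1064908849-513"


def parse_idmap_entries(ldif_text):
    """Return {objectSid: (type, xidNumber)} for every record in the LDIF text."""
    entries, current = {}, {}
    for line in ldif_text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():
            if "objectSid" in current and "xidNumber" in current:
                entries[current["objectSid"]] = (current.get("type"), int(current["xidNumber"]))
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def group_name_for_gid(group_text, gid):
    """Resolve a numeric GID to its group name from /etc/group-style lines."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(gid):
            return fields[0]
    return None


def check_mapping(ldif_text, group_text, sid, expected_gid):
    """Report 'ok', 'mismatch' or 'unmapped', plus which unix group the stored xid hits."""
    entry = parse_idmap_entries(ldif_text).get(sid)
    if entry is None:
        return {"status": "unmapped", "xid": None, "unix_group": None}
    id_type, xid = entry
    status = "ok" if id_type == "ID_TYPE_GID" and xid == expected_gid else "mismatch"
    return {"status": status, "xid": xid, "unix_group": group_name_for_gid(group_text, xid)}
```

With expected_gid=10000 the sample reports a mismatch and shows that xid 100 currently resolves to the local 'users' group, which is the situation Rowland's quoted record describes.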



