[Samba] User idmap lost
Paul R. Ganci
ganci at nurdog.com
Fri Apr 6 02:29:46 UTC 2018
Back on February 28, 2018, I started a thread "User permissions of
profile/home directory lost" describing a problem occurring with my
wife's user account. Since that time the random problem has persisted so
I turned on some debugging. I have been able to determine that somehow
her account idmap is broken. Here is the entry for my wife's SID as
found in the idmap.ldb file (all subsequent data has been sanitized):
root at nikita> wbinfo -n mywife
S-1-5-21-729452656-3029571206-2736118167-1143 SID_USER (1)
# record 27
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
cn: S-1-5-21-729452656-3029571206-2736118167-1143
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
type: ID_TYPE_BOTH
xidNumber: 3000062
distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143
Please note that the xidNumber is 3000062.
Here is the entry for my wife's user account in the sam.ldb file:
# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
sn: Wife
c: US
l: Somewhere
st: A State
postalCode:
givenName: Sharon
instanceType: 4
whenCreated: 20141220195750.0Z
uSNCreated: 5115
co: United States
company: MyHome!
objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
badPwdCount: 0
codePage: 0
countryCode: 840
homeDirectory: \\mydom\home\mywife
homeDrive: H:
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
accountExpires: 9223372036854775807
sAMAccountName: mywife
sAMAccountType: 805306368
userPrincipalName: mywife at mydom.mydc.com
userAccountControl: 66048
memberOf: CN=Roaming Profiles and Folder Redirection Users,OU=MyDomOU,DC=mydom,DC=mydc,DC=com
cn: My Wife
name: My Wife
streetAddress: 999 Street
initials:
displayName: My Wife
gidNumber: 3000513
lockoutTime: 0
loginShell: /bin/bash
mail: mywife at mydc.com
mobile:
msDS-SupportedEncryptionTypes: 0
telephoneNumber:
title: The Bigger Boss
uidNumber: 3001108
unixHomeDirectory: /home/mywife
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydom,DC=mydc,DC=com
profilePath: \\mydom\home\Profiles\sln-11868bg
pwdLastSet: 131111097150000000
msSFU30NisDomain: mydom
msSFU30Name: mywife
unixUserPassword: ABCD!efgh12345$67890
uid: mywife
lastLogonTimestamp: 131672869851028400
whenChanged: 20180404034305.0Z
uSNChanged: 7165
lastLogon: 131674502053144830
logonCount: 134145
distinguishedName: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
Note that the uidNumber is 3001108. Intermittently the Samba AD loses
the uidNumber somehow. Instead of this:
>getent passwd mywife
MYDOM\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash
I get this:
>getent passwd mywife
MYDOM\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash
At this point all my wife's files are no longer owned by her. Note that
the "incorrect" uidNumber corresponds to the xidNumber in the idmap.ldb
database.
I had turned on some logging and the winbindd.log shows these messages
(I snipped lots of repeating stuff):
[2018/04/05 07:29:03.938389, 3]
../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
getpwuid 3001108
[2018/04/05 07:29:03.945379, 3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[ 1212]: request interface version (version = 29)
[2018/04/05 07:29:03.945435, 3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[ 1212]: request location of privileged pipe
[2018/04/05 07:29:03.945532, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam MYDOM\mywife
<snipping stuff>
<see lots of this next one>
[2018/04/05 07:37:13.307216, 5]
../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
<snipping stuff>
[2018/04/05 07:41:11.697582, 3]
../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
getpwuid 3000062
[2018/04/05 07:41:11.701723, 3]
../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
getgrgid 3000513
[2018/04/05 07:41:11.705707, 3]
../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
getpwuid 3000062
[2018/04/05 07:41:11.709763, 3]
../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
getgrgid 3000513
[2018/04/05 07:41:11.873940, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam mywife
[2018/04/05 07:41:11.883785, 3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[ 5905]: request interface version (version = 29)
[2018/04/05 07:41:11.883841, 3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[ 5905]: request location of privileged pipe
[2018/04/05 07:41:11.883930, 3]
../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
getgroups MYDOM\mywife
<snipping stuff>
[2018/04/05 18:52:03.772521, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam mywife
[2018/04/05 18:52:06.562820, 3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[27682]: request interface version (version = 29)
[2018/04/05 18:52:06.562899, 3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[27682]: request location of privileged pipe
[2018/04/05 18:52:06.562997, 3]
../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
getpwuid 3001108
[2018/04/05 18:52:06.567294, 5]
../source3/winbindd/winbindd_getpwuid.c:111(winbindd_getpwuid_recv)
Could not convert sid S-1-22-1-3001108: STATUS_SOME_UNMAPPED
Here is the AD smb.conf
# Global parameters
[global]
server string = Nurdog Active Directory Server
workgroup = MYDOM
realm = MYDOM.MYDC.COM
server role = active directory domain controller
server services = -dns
bind interfaces only = yes
interfaces = br0 lo
kerberos method = secrets and keytab
winbind use default domain = yes
winbind offline logon = false
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307
template homedir = /home/%U
template shell = /bin/bash
log file = /var/log/samba/%m.log
max log size = 10000
log level = 3 auth:5 winbind:5
[netlogon]
path = /var/lib/samba/sysvol/myhome.nurdog.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Profiles]
path = /home/Profiles/
read only = No
[home]
path = /home
read only = No
Some more useful data. The problem seems correlated to when my wife logs
into her user account on a Windows 10 box. That happened around 7:38AM
this morning and at approximately 7:41AM her identity problems began. If
I go and chown on her files everything will reset to her uid 3001108. As
long as she is logged in when I do this everything will be okay until
she logs out and back in and then it will occur again.
Can somebody point me in a direction to debug this issue? What on the
Windows 10 client could possibly cause the AD to change my wife's
account from the uidNumber 3001108 in the AD database to the idmap
xidNumber 3000062? Why would there be a sid S-1-22-1-3001108 which
suspiciously has the uidNumber 3001108? And should I worry about the sid
S-0-0 that cannot be mapped?
I am wondering if the latest version of Samba 4.7.6 is now confused by
my use of the xidNumbers as uidNumbers. I never saw this problem with
4.7.5 or lower versions. Although it is very strange that only my wife's
account has this problem when she logs in. My account is fine... no
issues at all.
Finally should I just bite the bullet and delete my wife's account,
remove any remnants to it in the databases, and then recreate it? I
would use a more reasonable uidNumber range of say 10000 to 20000 and
then just chown all of our files.
I need to fix this problem as my wife's email starts to bounce when this
occurs, since dovecot cannot write to her files because they are owned by
3001108 and the system thinks her uid is 3000062. She is not very
pleased at the moment.
Thanks for any help/advice.
--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
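A check for the inconsistency the post describes, added here as an example (it is not code from the post or from Samba): it parses LDIF dumps of idmap.ldb and sam.ldb (as produced by ldbsearch) and lists users whose rfc2307 uidNumber disagrees with the xidNumber idmap.ldb holds for the same SID. The sample records are constructed from the sanitized values above.

```python
# Added example (not from the original post): cross-check a user's rfc2307
# uidNumber in sam.ldb against the xidNumber idmap.ldb holds for the same SID.
# A mismatch is the symptom in the post: getent reports the idmap xid (3000062)
# instead of the AD uidNumber (3001108). Sample LDIF below is constructed.
def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; rejoins folded lines, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:           # RFC 2849 line folding
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    records, rec = [], {}
    for line in lines + [""]:                       # sentinel flushes last record
        if not line.strip():                        # blank line ends a record
            if rec:
                records.append(rec)
            rec = {}
            continue
        attr, _, value = line.partition(":")
        rec.setdefault(attr.strip(), []).append(value.strip())
    return records
def idmap_by_sid(idmap_ldif):
    """SID -> xidNumber for every sidMap record of an idmap.ldb dump."""
    return {r["objectSid"][0]: int(r["xidNumber"][0])
            for r in parse_ldif(idmap_ldif)
            if "sidMap" in r.get("objectClass", []) and "xidNumber" in r}
def find_uid_mismatches(sam_ldif, idmap_ldif):
    """(sAMAccountName, SID, uidNumber, xidNumber) per user whose explicit
    uidNumber in sam.ldb differs from the idmap.ldb allocation for its SID."""
    xids, out = idmap_by_sid(idmap_ldif), []
    for r in parse_ldif(sam_ldif):
        if "posixAccount" in r.get("objectClass", []) and "uidNumber" in r:
            sid, uid = r["objectSid"][0], int(r["uidNumber"][0])
            if sid in xids and xids[sid] != uid:
                out.append((r["sAMAccountName"][0], sid, uid, xids[sid]))
    return out
IDMAP_SAMPLE = """dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
xidNumber: 3000062
"""
SAM_SAMPLE = """dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
sAMAccountName: mywife
objectClass: posixAccount
uidNumber: 3001108
"""
```

Calling find_uid_mismatches(SAM_SAMPLE, IDMAP_SAMPLE) returns the one affected account with both numbers, which is the pair to compare against what getent passwd currently reports.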