[Samba] User idmap lost

Paul R. Ganci ganci at nurdog.com
Fri Apr 6 02:29:46 UTC 2018

Back on February 28, 2018, I started a thread "User permissions of 
profile/home directory lost" describing a problem occurring with my 
wife's user account. Since that time the random problem has persisted so 
I turned on some debugging. I have been able to determine that somehow 
her account idmap is broken. Here is the entry for my wife's SID as 
found in the idmap.ldb file (all subsequent data has been sanitized):

root@nikita> wbinfo -n mywife
S-1-5-21-729452656-3029571206-2736118167-1143 SID_USER (1)

# record 27
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
cn: S-1-5-21-729452656-3029571206-2736118167-1143
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
xidNumber: 3000062
distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143

Please note that the xidNumber is 3000062.

Here is the entry for my wife's user account in the sam.ldb file:

# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
sn: Wife
c: US
l: Somewhere
st: A State
givenName: Sharon
instanceType: 4
whenCreated: 20141220195750.0Z
uSNCreated: 5115
co: United States
company: MyHome!
objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
badPwdCount: 0
codePage: 0
countryCode: 840
homeDirectory: \\mydom\home\mywife
homeDrive: H:
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
accountExpires: 9223372036854775807
sAMAccountName: mywife
sAMAccountType: 805306368
userPrincipalName: mywife@mydom.mydc.com
userAccountControl: 66048
memberOf: CN=Roaming Profiles and Folder Redirection 
cn: My Wife
name: My Wife
streetAddress: 999 Street
displayName: My Wife
gidNumber: 3000513
lockoutTime: 0
loginShell: /bin/bash
mail: mywife@mydc.com
msDS-SupportedEncryptionTypes: 0
title: The Bigger Boss
uidNumber: 3001108
unixHomeDirectory: /home/mywife
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydom,DC=mydc,DC=co
profilePath: \\mydom\home\Profiles\sln-11868bg
pwdLastSet: 131111097150000000
msSFU30NisDomain: mydom
msSFU30Name: mywife
unixUserPassword: ABCD!efgh12345$67890
uid: mywife
lastLogonTimestamp: 131672869851028400
whenChanged: 20180404034305.0Z
uSNChanged: 7165
lastLogon: 131674502053144830
logonCount: 134145
distinguishedName: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com

Note that the uidNumber is 3001108. Intermittently the Samba AD loses 
the uidNumber somehow. Instead of this:

 >getent passwd mywife

MYDOM\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash

I get this:

 >getent passwd mywife

MYDOM\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash

At this point all my wife's files are no longer owned by her. Note that 
the "incorrect" uidNumber corresponds to the xidNumber in the idmap.ldb.

I had turned on some logging and the winbindd.log shows these messages 
(I snipped lots of repeating stuff)

[2018/04/05 07:29:03.938389,  3] 
   getpwuid 3001108
[2018/04/05 07:29:03.945379,  3] 
   [ 1212]: request interface version (version = 29)
[2018/04/05 07:29:03.945435,  3] 
   [ 1212]: request location of privileged pipe
[2018/04/05 07:29:03.945532,  3] 
   getpwnam MYDOM\mywife

<snipping stuff>

<see lots of this next one>

[2018/04/05 07:37:13.307216,  5] 
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

<snipping stuff>

[2018/04/05 07:41:11.697582,  3] 
   getpwuid 3000062
[2018/04/05 07:41:11.701723,  3] 
   getgrgid 3000513
[2018/04/05 07:41:11.705707,  3] 
   getpwuid 3000062
[2018/04/05 07:41:11.709763,  3] 
   getgrgid 3000513
[2018/04/05 07:41:11.873940,  3] 
   getpwnam mywife
[2018/04/05 07:41:11.883785,  3] 
   [ 5905]: request interface version (version = 29)
[2018/04/05 07:41:11.883841,  3] 
   [ 5905]: request location of privileged pipe
[2018/04/05 07:41:11.883930,  3] 
   getgroups MYDOM\mywife

<snipping stuff>

[2018/04/05 18:52:03.772521,  3] 
   getpwnam mywife
[2018/04/05 18:52:06.562820,  3] 
   [27682]: request interface version (version = 29)
[2018/04/05 18:52:06.562899,  3] 
   [27682]: request location of privileged pipe
[2018/04/05 18:52:06.562997,  3] 
   getpwuid 3001108
[2018/04/05 18:52:06.567294,  5] 
   Could not convert sid S-1-22-1-3001108: STATUS_SOME_UNMAPPED

Here is the AD smb.conf

# Global parameters
         server string = Nurdog Active Directory Server
         workgroup = MYDOM
         realm = MYDOM.MYDC.COM
         server role = active directory domain controller
         server services = -dns
         bind interfaces only = yes
         interfaces = br0 lo
         kerberos method = secrets and keytab
         winbind use default domain = yes
         winbind offline logon = false
         winbind enum groups = yes
         winbind enum users = yes
         winbind nss info = rfc2307
         template homedir = /home/%U
         template shell = /bin/bash
         log file = /var/log/samba/%m.log
         max log size = 10000
         log level = 3 auth:5 winbind:5

         path = /var/lib/samba/sysvol/myhome.nurdog.com/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No

         path = /home/Profiles/
         read only = No

         path = /home
         read only = No

Some more useful data. The problem seems correlated to when my wife logs 
into her user account on a Windows 10 box. That happened around 7:38AM 
this morning and at approximately 7:41AM her identity problems began. If 
I go and chown on her files everything will reset to her uid 3001108. As 
long as she is logged in when I do this everything will be okay until 
she logs out and back in and then it will occur again.

Can somebody point me in a direction to debug this issue? What on the 
Windows 10 client could possibly cause the AD to change my wife's 
account from the uidNumber 3001108 in the AD database to the idmap 
xidNumber 3000062? Why would there be a sid S-1-22-1-3001108 which 
suspiciously has the uidNumber 3001108? And should I worry about the sid 
S-0-0 that cannot be mapped?

I am wondering if the latest version of Samba 4.7.6 is now confused by 
my use of the xidNumbers as uidNumbers. I never saw this problem with 
4.7.5 or lower versions. Although it is very strange that only my wife's 
account has this problem when she logs in. My account is fine... no 
issues at all.

Finally should I just bite the bullet and delete my wife's account, 
remove any remnants to it in the databases, and then recreate it? I 
would use a more reasonable uidNumber range of say 10000 to 20000 and 
then just chown all of our files.

I need to fix this problem as my wife's email starts to bounce when this 
occurs since dovecot cannot write to her files since they are owned by 
3001108 and the system thinks her uid is 3000062. She is not very 
pleased at the moment.

Thanks for any help/advice.

Paul (ganci at nurdog.com)
Cell: (303)257-5208
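A cross-check for the symptom described in this post, added here as an example and not part of the original thread or of Samba itself. It parses ldbsearch-style LDIF from idmap.ldb and sam.ldb, flags every SID whose cached xidNumber disagrees with the rfc2307 uidNumber stored on the user object, and picks out winbindd's "Could not convert sid" lines, translating Samba's S-1-22-1-<uid> "Unix User" pseudo-SID back to the uid winbind was asked about. Spotting the mismatch early matters because the uid the files are left under (3001108 in the post) sits inside the same 3000000+ range that idmap.ldb allocates xidNumbers from, which is what the proposal to move to a 10000-20000 range is addressing. The sample records and log lines are constructed from the sanitized values quoted above; the second account ("other") is invented for contrast, and the ldbsearch paths in the docstring are the usual defaults, not verified against this server.

```python
"""Cross-check idmap.ldb xidNumber against sam.ldb uidNumber and scan winbindd.log.

Constructed example.  With live data feed the functions the output of
(default paths assumed):
  ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'
  ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' \
      objectSid sAMAccountName uidNumber objectClass
"""
import re

# Sample records modelled on the ones quoted in the post (sanitized SIDs,
# xidNumber 3000062, uidNumber 3001108); "other" is invented for contrast.
IDMAP_LDIF = """\
# record 27
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
cn: S-1-5-21-729452656-3029571206-2736118167-1143
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
xidNumber: 3000062
distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143

# record 28
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1150
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1150
xidNumber: 3000070
"""

SAM_LDIF = """\
# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
sAMAccountName: mywife
objectClass: top
objectClass: posixAccount
objectClass: user
uidNumber: 3001108
gidNumber: 3000513

# record 278
dn: CN=Other User,CN=Users,DC=mydom,DC=mydc,DC=com
objectSid: S-1-5-21-729452656-3029571206-2736118167-1150
sAMAccountName: other
objectClass: top
objectClass: posixAccount
objectClass: user
uidNumber: 3000070
"""

# Constructed winbindd.log excerpt in the two-line format shown in the post.
WINBINDD_LOG = """\
[2018/04/05 07:37:13.307216,  5]
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2018/04/05 18:52:06.562820,  3]
   [27682]: request interface version (version = 29)
[2018/04/05 18:52:06.567294,  5]
   Could not convert sid S-1-22-1-3001108: STATUS_SOME_UNMAPPED
"""

UNIX_USER_SID = re.compile(r"^S-1-22-1-(\d+)$")   # Samba's "Unix User" authority
UNMAPPED = re.compile(r"Could not convert sid (S-[\d-]+): (\S+)")


def parse_ldif(text):
    """Parse ldbsearch LDIF into a list of {attr: [values]} dicts.
    Handles '#' comments, blank-line record separators and folded continuation
    lines (a leading space continues the previous value).  Base64 ('::')
    values are not decoded; the attributes checked here print as plain text."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        records.append(current)
    return records


def find_mismatches(idmap_records, sam_records):
    """Return (sAMAccountName, sid, uidNumber, xidNumber) for each user whose
    rfc2307 uidNumber differs from the xidNumber cached for the same SID."""
    xid_by_sid = {r["objectSid"][0]: int(r["xidNumber"][0])
                  for r in idmap_records if "sidMap" in r.get("objectClass", [])}
    found = []
    for user in sam_records:
        if "uidNumber" not in user or "objectSid" not in user:
            continue
        sid, uid = user["objectSid"][0], int(user["uidNumber"][0])
        xid = xid_by_sid.get(sid)
        if xid is not None and xid != uid:
            found.append((user["sAMAccountName"][0], sid, uid, xid))
    return found


def unix_sid_to_uid(sid):
    """S-1-22-1-<n> is the pseudo-SID Samba uses for a local uid n with no
    AD mapping; return n, or None for any other SID."""
    m = UNIX_USER_SID.match(sid)
    return int(m.group(1)) if m else None


def scan_winbindd_log(text):
    """Return (sid, status, uid_or_None) for every 'Could not convert sid' line."""
    hits = []
    for line in text.splitlines():
        m = UNMAPPED.search(line)
        if m:
            hits.append((m.group(1), m.group(2), unix_sid_to_uid(m.group(1))))
    return hits


def report(idmap_ldif=IDMAP_LDIF, sam_ldif=SAM_LDIF, log=WINBINDD_LOG):
    """Human-readable findings, one per line."""
    lines = []
    for name, sid, uid, xid in find_mismatches(parse_ldif(idmap_ldif), parse_ldif(sam_ldif)):
        lines.append(f"MISMATCH {name} {sid}: sam.ldb uidNumber={uid} idmap.ldb xidNumber={xid}")
    for sid, status, uid in scan_winbindd_log(log):
        what = f"uid {uid} has no SID mapping" if uid is not None else "malformed or empty SID"
        lines.append(f"UNMAPPED {sid} ({status}): {what}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On a live DC the same comparison can be made by hand with `wbinfo -n <user>` followed by `wbinfo --sid-to-uid=<SID>` against the uidNumber from ldbsearch, and files left under the stale uid can be listed with `find /home -uid 3001108` before any chown, so the ownership repair is limited to that user's files rather than run blindly over the share.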

