[Samba] User idmap lost
Paul R. Ganci
ganci at nurdog.com
Fri Apr 6 03:02:18 UTC 2018
On 04/05/2018 08:29 PM, Paul R. Ganci via samba wrote:
> Back on February 28, 2018, I started a thread "User permissions of
> profile/home directory lost" describing a problem occurring with my
> wife's user account. Since that time the random problem has persisted
> so I turned on some debugging. I have been able to determine that
> somehow her account idmap is broken. Here is the entry for my wife's
> SID as found in the idmap.ldb file (all subsequent data has been
> sanitized):
>
> root at nikita> wbinfo -n mywife
> S-1-5-21-729452656-3029571206-2736118167-1143 SID_USER (1)
>
> # record 27
> dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
> cn: S-1-5-21-729452656-3029571206-2736118167-1143
> objectClass: sidMap
> objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
> type: ID_TYPE_BOTH
> xidNumber: 3000062
> distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143
>
> Please note that the xidNumber is 3000062.
>
> Here is the entry for my wife's user account in the sam.ldb file:
>
> # record 277
> dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
> sn: Wife
> c: US
> l: Somewhere
> st: A State
> postalCode:
> givenName: Sharon
> instanceType: 4
> whenCreated: 20141220195750.0Z
> uSNCreated: 5115
> co: United States
> company: MyHome!
> objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
> badPwdCount: 0
> codePage: 0
> countryCode: 840
> homeDirectory: \\mydom\home\mywife
> homeDrive: H:
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
> accountExpires: 9223372036854775807
> sAMAccountName: mywife
> sAMAccountType: 805306368
> userPrincipalName: mywife at mydom.mydc.com
> userAccountControl: 66048
> memberOf: CN=Roaming Profiles and Folder Redirection
> Users,OU=MyDomOU,DC=mydo
> m,DC=mydc,DC=com
> cn: My Wife
> name: My Wife
> streetAddress: 999 Street
> initials:
> displayName: My Wife
> gidNumber: 3000513
> lockoutTime: 0
> loginShell: /bin/bash
> mail: mywife at mydc.com
> mobile:
> msDS-SupportedEncryptionTypes: 0
> telephoneNumber:
> title: The Bigger Boss
> uidNumber: 3001108
> unixHomeDirectory: /home/mywife
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=mydom,DC=mydc,DC=co
> m
> profilePath: \\mydom\home\Profiles\sln-11868bg
> pwdLastSet: 131111097150000000
> msSFU30NisDomain: mydom
> msSFU30Name: mywife
> unixUserPassword: ABCD!efgh12345$67890
> uid: mywife
> lastLogonTimestamp: 131672869851028400
> whenChanged: 20180404034305.0Z
> uSNChanged: 7165
> lastLogon: 131674502053144830
> logonCount: 134145
> distinguishedName: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
>
> Note that the uidNumber is 3001108. Intermittently the Samba AD loses
> the uidNumber somehow. Instead of this:
>
> >getent passwd mywife
>
> MYDOM\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash
>
> I get this:
>
> >getent passwd mywife
>
> MYDOM\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash
>
> At this point all my wife's files are no longer owned by her. Note
> that the "incorrect" uidNumber corresponds to the xidNumber in the
> idmap.ldb database.
>
> I had turned on some logging and the winbindd.log shows these messages
> (I snipped lots of repeating stuff)
>
> [2018/04/05 07:29:03.938389, 3]
> ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
> getpwuid 3001108
> [2018/04/05 07:29:03.945379, 3]
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
> [ 1212]: request interface version (version = 29)
> [2018/04/05 07:29:03.945435, 3]
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
> [ 1212]: request location of privileged pipe
> [2018/04/05 07:29:03.945532, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam MYDOM\mywife
>
> <snipping stuff>
>
> <see lots of this next one>
>
> [2018/04/05 07:37:13.307216, 5]
> ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>
> <snipping stuff>
>
> 2018/04/05 07:41:11.697582, 3]
> ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
> getpwuid 3000062
> [2018/04/05 07:41:11.701723, 3]
> ../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
> getgrgid 3000513
> [2018/04/05 07:41:11.705707, 3]
> ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
> getpwuid 3000062
> [2018/04/05 07:41:11.709763, 3]
> ../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
> getgrgid 3000513
> [2018/04/05 07:41:11.873940, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam mywife
> [2018/04/05 07:41:11.883785, 3]
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
> [ 5905]: request interface version (version = 29)
> [2018/04/05 07:41:11.883841, 3]
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
> [ 5905]: request location of privileged pipe
> [2018/04/05 07:41:11.883930, 3]
> ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> getgroups MYDOM\mywife
>
> <snipping stuff>
>
> [2018/04/05 18:52:03.772521, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam mywife
> [2018/04/05 18:52:06.562820, 3]
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
> [27682]: request interface version (version = 29)
> [2018/04/05 18:52:06.562899, 3]
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
> [27682]: request location of privileged pipe
> [2018/04/05 18:52:06.562997, 3]
> ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
> getpwuid 3001108
> [2018/04/05 18:52:06.567294, 5]
> ../source3/winbindd/winbindd_getpwuid.c:111(winbindd_getpwuid_recv)
> Could not convert sid S-1-22-1-3001108: STATUS_SOME_UNMAPPED
>
> Here is the AD smb.conf
>
> # Global parameters
> [global]
> server string = Nurdog Active Directory Server
> workgroup = MYDOM
> realm = MYDOM.MYDC.COM
> server role = active directory domain controller
> server services = -dns
> bind interfaces only = yes
> interfaces = br0 lo
> kerberos method = secrets and keytab
> winbind use default domain = yes
> winbind offline logon = false
> winbind enum groups = yes
> winbind enum users = yes
> winbind nss info = rfc2307
> template homedir = /home/%U
> template shell = /bin/bash
> log file = /var/log/samba/%m.log
> max log size = 10000
> log level = 3 auth:5 winbind:5
>
> [netlogon]
> path = /var/lib/samba/sysvol/myhome.nurdog.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [Profiles]
> path = /home/Profiles/
> read only = No
>
> [home]
> path = /home
> read only = No
>
> Some more useful data. The problem seems correlated to when my wife
> logs into her user account on a Windows 10 box. That happened around
> 7:38AM this morning and at approximately 7:41AM her identity problems
> began. If I go and chown on her files everything will reset to her uid
> 3001108. As long as she is logged in when I do this everything will be
> okay until she logs out and back in and then it will occur again.
>
> Can somebody point me in a direction to debug this issue? What on the
> windows 10 client could possibly cause the AD to change my wife's
> account from the uidNumber 3001108 in the AD database to the idmap
> xidNumber 3000062? Why would there be a sid S-1-22-1-3001108 which
> suspiciously has the uidNumber 3001108? And should I worry about the
> sid S-0-0 that cannot be mapped?
>
> I am wondering if the latest version of Samba 4.7.6 is now confused by
> my use of the xidNumbers as uidNumbers. I never saw this problem with
> 4.7.5 or lower versions. Although it is very strange that only my
> wife's account has this problem when she logs in. My account is
> fine... no issues at all.
>
> Finally should I just bite the bullet and delete my wife's account,
> remove any remnants to it in the databases, and then recreate it? I
> would use a more reasonable uidNumber range of say 10000 to 20000 and
> then just chown all of our files.
>
> I need to fix this problem as my wife's email starts to bounce when
> this occurs since dovecot cannot write to her files since they are
> owned by 3001108 and the system thinks her uid is 3000062. She is not
> very pleased at the moment.
>
> Thanks for any help/advice.
>
Some more information. RSAT on the windows 10 client shows all the
proper UNIX attributes. The uidNumber is the correct 3001108. So I
removed the idmap.ldb entry for my wife's sid and restarted the AD. The
new idmap entry was created and I noticed that getent returned the
xidNumber from the new entry. It appears that the AD is ignoring the
UNIX attributes altogether for my wife's account. I honestly do not know
what is special about her account as my account is setup in exactly the
same manner.
--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
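The drift the thread describes (NSS handing back the xidNumber that idmap.ldb allocated for the SID instead of the rfc2307 uidNumber stored on the user object) is easy to check for mechanically before files start changing owner. The script below is an added example written for this page; it is not from the original post or from the Samba project. It embeds constructed LDIF fragments that mirror the sanitized sam.ldb and idmap.ldb records quoted above, parses a `getent passwd` line the way it appears in the post (including the stray empty field between uid and gid), and classifies whether the resolved uid came from the AD uidNumber or fell back to the idmap xidNumber. The `live_getent` helper is an assumption about how you would feed it real output on a DC; nothing in the example talks to a real directory.

```python
"""Detect winbind resolving an account to its idmap.ldb xidNumber instead of
the rfc2307 uidNumber stored in AD (the symptom reported in the thread).

Added example; the LDIF fragments below are constructed from the sanitized
records quoted in the post and are not real directory dumps."""

import subprocess

# Constructed excerpt of the user's sam.ldb record (only the attributes used).
SAM_LDIF = """\
# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
sAMAccountName: mywife
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
gidNumber: 3000513
uidNumber: 3001108
unixHomeDirectory: /home/mywife
"""

# Constructed excerpt of the matching idmap.ldb record.
IDMAP_LDIF = """\
# record 27
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
type: ID_TYPE_BOTH
xidNumber: 3000062
"""

# The two getent lines from the post: healthy, then after the drift.
GOOD_LINE = r"MYDOM\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash"
BAD_LINE = r"MYDOM\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash"


def parse_ldif_records(text):
    """Split LDIF text into a list of {attr: [values]} dicts.

    Folded continuation lines (leading space) are joined to the previous
    line; comment lines are skipped; a blank line ends a record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return records


def parse_getent_passwd(line):
    """Parse a passwd(5)-style line as printed by getent.

    The lines quoted in the thread carry an extra empty field between uid
    and gid ("3001108::3000513"), so rather than insisting on exactly seven
    fields we take name/password/uid from the front, gecos/home/shell from
    the back, and the first numeric field in between as the gid."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 7:
        raise ValueError("not a passwd line: %r" % line)
    name, passwd, uid = fields[0], fields[1], fields[2]
    gecos, home, shell = fields[-3], fields[-2], fields[-1]
    gids = [f for f in fields[3:-3] if f.isdigit()]
    if not gids or not uid.isdigit():
        raise ValueError("missing numeric uid/gid: %r" % line)
    return {"name": name, "passwd": passwd, "uid": int(uid),
            "gid": int(gids[0]), "gecos": gecos, "home": home, "shell": shell}


def classify_uid(account, getent_line, sam_ldif=SAM_LDIF, idmap_ldif=IDMAP_LDIF):
    """Compare the uid NSS returned with the AD uidNumber and idmap xidNumber.

    status is 'rfc2307' when the resolved uid equals the uidNumber on the
    user object, 'idmap-fallback' when it equals the xidNumber allocated
    for the SID in idmap.ldb, and 'unknown' otherwise."""
    sam = next((r for r in parse_ldif_records(sam_ldif)
                if r.get("sAMAccountName", [None])[0] == account), None)
    if sam is None:
        raise KeyError("no AD record for %s" % account)
    sid = sam["objectSid"][0]
    expected = int(sam["uidNumber"][0]) if "uidNumber" in sam else None
    idmap = next((r for r in parse_ldif_records(idmap_ldif)
                  if r.get("objectSid", [None])[0] == sid), None)
    xid = int(idmap["xidNumber"][0]) if idmap and "xidNumber" in idmap else None
    resolved = parse_getent_passwd(getent_line)["uid"]
    if expected is not None and resolved == expected:
        status = "rfc2307"
    elif xid is not None and resolved == xid:
        status = "idmap-fallback"
    else:
        status = "unknown"
    return {"sid": sid, "resolved": resolved, "expected": expected,
            "xid": xid, "status": status}


def live_getent(account):
    """Assumed helper for use on a real DC: fetch the current getent line.
    Not exercised here; the examples above use the constructed lines."""
    out = subprocess.run(["getent", "passwd", account], capture_output=True,
                         text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        print(classify_uid("mywife", line))
```

On a DC you would replace the embedded LDIF with `ldbsearch` output for the user and for the SID entry in idmap.ldb, and feed `live_getent("mywife")` to `classify_uid`; a status of `idmap-fallback` is the condition that precedes the ownership breakage in the post, and polling it from cron gives a warning before mail delivery starts failing.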