[Samba] User idmap lost

Paul R. Ganci ganci at nurdog.com
Fri Apr 6 03:02:18 UTC 2018



On 04/05/2018 08:29 PM, Paul R. Ganci via samba wrote:
> Back on February 28, 2018, I started a thread "User permissions of 
> profile/home directory lost" describing a problem occurring with my 
> wife's user account. Since that time the random problem has persisted 
> so I turned on some debugging. I have been able to determine that 
> somehow her account idmap is broken. Here is the entry for my wife's 
> SID as found in the idmap.ldb file (all subsequent data has been 
> sanitized):
>
> root at nikita> wbinfo -n mywife
> S-1-5-21-729452656-3029571206-2736118167-1143 SID_USER (1)
>
> # record 27
> dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
> cn: S-1-5-21-729452656-3029571206-2736118167-1143
> objectClass: sidMap
> objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
> type: ID_TYPE_BOTH
> xidNumber: 3000062
> distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143
>
> Please note that the xidNumber is 3000062.
>
> Here is the entry for my wife's user account in the sam.ldb file:
>
> # record 277
> dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
> sn: Wife
> c: US
> l: Somewhere
> st: A State
> postalCode:
> givenName: Sharon
> instanceType: 4
> whenCreated: 20141220195750.0Z
> uSNCreated: 5115
> co: United States
> company: MyHome!
> objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
> badPwdCount: 0
> codePage: 0
> countryCode: 840
> homeDirectory: \\mydom\home\mywife
> homeDrive: H:
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
> accountExpires: 9223372036854775807
> sAMAccountName: mywife
> sAMAccountType: 805306368
> userPrincipalName: mywife at mydom.mydc.com
> userAccountControl: 66048
> memberOf: CN=Roaming Profiles and Folder Redirection 
> Users,OU=MyDomOU,DC=mydo
>  m,DC=mydc,DC=com
> cn: My Wife
> name: My Wife
> streetAddress: 999 Street
> initials:
> displayName: My Wife
> gidNumber: 3000513
> lockoutTime: 0
> loginShell: /bin/bash
> mail: mywife at mydc.com
> mobile:
> msDS-SupportedEncryptionTypes: 0
> telephoneNumber:
> title: The Bigger Boss
> uidNumber: 3001108
> unixHomeDirectory: /home/mywife
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectCategory: 
> CN=Person,CN=Schema,CN=Configuration,DC=mydom,DC=mydc,DC=co
>  m
> profilePath: \\mydom\home\Profiles\sln-11868bg
> pwdLastSet: 131111097150000000
> msSFU30NisDomain: mydom
> msSFU30Name: mywife
> unixUserPassword: ABCD!efgh12345$67890
> uid: mywife
> lastLogonTimestamp: 131672869851028400
> whenChanged: 20180404034305.0Z
> uSNChanged: 7165
> lastLogon: 131674502053144830
> logonCount: 134145
> distinguishedName: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
>
> Note that the uidNumber is 3001108. Intermittently the Samba AD loses 
> the uidNumber somehow. Instead of this:
>
> >getent passwd mywife
>
> MYDOM\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash
>
> I get this:
>
> >getent passwd mywife
>
> MYDOM\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash
>
> At this point all my wife's files are no longer owned by her. Note 
> that the "incorrect" uidNumber corresponds to the xidNumber in the 
> idmap.ldb database.
>
> I had turned on some logging and the winbindd.log shows these messages 
> (I snipped lots of repeating stuff)
>
> [2018/04/05 07:29:03.938389,  3] 
> ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
>   getpwuid 3001108
> [2018/04/05 07:29:03.945379,  3] 
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
>   [ 1212]: request interface version (version = 29)
> [2018/04/05 07:29:03.945435,  3] 
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
>   [ 1212]: request location of privileged pipe
> [2018/04/05 07:29:03.945532,  3] 
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam MYDOM\mywife
>
> <snipping stuff>
>
> <see lots of this next one>
>
> [2018/04/05 07:37:13.307216,  5] 
> ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>
> <snipping stuff>
>
> 2018/04/05 07:41:11.697582,  3] 
> ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
>   getpwuid 3000062
> [2018/04/05 07:41:11.701723,  3] 
> ../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
>   getgrgid 3000513
> [2018/04/05 07:41:11.705707,  3] 
> ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
>   getpwuid 3000062
> [2018/04/05 07:41:11.709763,  3] 
> ../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
>   getgrgid 3000513
> [2018/04/05 07:41:11.873940,  3] 
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam mywife
> [2018/04/05 07:41:11.883785,  3] 
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
>   [ 5905]: request interface version (version = 29)
> [2018/04/05 07:41:11.883841,  3] 
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
>   [ 5905]: request location of privileged pipe
> [2018/04/05 07:41:11.883930,  3] 
> ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>   getgroups MYDOM\mywife
>
> <snipping stuff>
>
> [2018/04/05 18:52:03.772521,  3] 
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam mywife
> [2018/04/05 18:52:06.562820,  3] 
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
>   [27682]: request interface version (version = 29)
> [2018/04/05 18:52:06.562899,  3] 
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
>   [27682]: request location of privileged pipe
> [2018/04/05 18:52:06.562997,  3] 
> ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
>   getpwuid 3001108
> [2018/04/05 18:52:06.567294,  5] 
> ../source3/winbindd/winbindd_getpwuid.c:111(winbindd_getpwuid_recv)
>   Could not convert sid S-1-22-1-3001108: STATUS_SOME_UNMAPPED
>
> Here is the AD smb.conf
>
> # Global parameters
> [global]
>         server string = Nurdog Active Directory Server
>         workgroup = MYDOM
>         realm = MYDOM.MYDC.COM
>         server role = active directory domain controller
>         server services = -dns
>         bind interfaces only = yes
>         interfaces = br0 lo
>         kerberos method = secrets and keytab
>         winbind use default domain = yes
>         winbind offline logon = false
>         winbind enum groups = yes
>         winbind enum users = yes
>         winbind nss info = rfc2307
>         template homedir = /home/%U
>         template shell = /bin/bash
>         log file = /var/log/samba/%m.log
>         max log size = 10000
>         log level = 3 auth:5 winbind:5
>
> [netlogon]
>         path = /var/lib/samba/sysvol/myhome.nurdog.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [Profiles]
>         path = /home/Profiles/
>         read only = No
>
> [home]
>         path = /home
>         read only = No
>
> Some more useful data. The problem seems correlated to when my wife 
> logs into her user account on a Windows 10 box. That happened around 
> 7:38AM this morning and at approximately 7:41AM her identity problems 
> began. If I go and chown on her files everything will reset to her uid 
> 3001108. As long as she is logged in when I do this everything will be 
> okay until she logs out and back in and then it will occur again.
>
> Can somebody point me in a direction to debug this issue? What on the 
> Windows 10 client could possibly cause the AD to change my wife's 
> account from the uidNumber 3001108 in the AD database to the idmap 
> xidNumber 3000062? Why would there be a sid S-1-22-1-3001108 which 
> suspiciously has the uidNumber 3001108? And should I worry about the 
> sid S-0-0 that cannot be mapped?
>
> I am wondering if the latest version of Samba 4.7.6 is now confused by 
> my use of the xidNumbers as uidNumbers. I never saw this problem with 
> 4.7.5 or lower versions. Although it is very strange that only my 
> wife's account has this problem when she logs in. My account is 
> fine... no issues at all.
>
> Finally should I just bite the bullet and delete my wife's account, 
> remove any remnants to it in the databases, and then recreate it? I 
> would use a more reasonable uidNumber range of say 10000 to 20000 and 
> then just chown all of our files.
>
> I need to fix this problem as my wife's email starts to bounce when 
> this occurs since dovecot cannot write to her files since they are 
> owned by 3001108 and the system thinks her uid is 3000062. She is not 
> very pleased at the moment.
>
> Thanks for any help/advice.
>

Some more information. RSAT on the windows 10 client shows all the 
proper UNIX attributes. The uidNumber is the correct 3001108. So I 
removed the idmap.ldb entry for my wife's sid and restarted the AD. The 
new idmap entry was created and I noticed that getent returned the 
xidNumber from the new entry. It appears that the AD is ignoring the 
UNIX attributes altogether for my wife's account. I honestly do not know 
what is special about her account as my account is set up in exactly the 
same manner.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
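As an added example (not code from the thread or from Samba), a small Python check that parses LDIF dumps like the idmap.ldb and sam.ldb records quoted above and reports whether the uid that getent returned is the rfc2307 uidNumber from AD or the xidNumber winbind allocated in idmap.ldb, which is the broken state described in the post. The sample LDIF and getent lines are constructed from the sanitized values in the message; the function names are mine.

```python
# Added example, not from the samba thread: is the uid getent returns the AD
# rfc2307 uidNumber, or the xidNumber winbind allocated in idmap.ldb?
def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; a leading space folds onto the previous value."""
    records, rec, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():   # comment / record separator
            if rec:
                records.append(rec)
            rec, last = {}, None
        elif line.startswith(" ") and last:             # folded continuation line
            rec[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip()
            rec.setdefault(last, []).append(value.strip())
    if rec:
        records.append(rec)
    return records

def attr_for_sid(records, sid, attr):
    """First value of `attr` on the record whose objectSid is `sid`, else None."""
    for rec in records:
        if rec.get("objectSid") == [sid] and attr in rec:
            return rec[attr][0]
    return None

def classify_uid(getent_line, sam_ldif, idmap_ldif, sid):
    """(uid, source): 'rfc2307' if uid is the AD uidNumber, 'idmap' if the xidNumber."""
    uid = int(getent_line.split(":")[2])                # third passwd field
    rfc = attr_for_sid(parse_ldif(sam_ldif), sid, "uidNumber")
    xid = attr_for_sid(parse_ldif(idmap_ldif), sid, "xidNumber")
    if rfc is not None and uid == int(rfc):
        return uid, "rfc2307"
    if xid is not None and uid == int(xid):
        return uid, "idmap"                             # the broken state in the post
    return uid, "unknown"

# Constructed samples using the sanitized SID and numbers quoted in the thread.
SID = "S-1-5-21-729452656-3029571206-2736118167-1143"
IDMAP_LDIF = f"# record 27\ndn: CN={SID}\nobjectSid: {SID}\nxidNumber: 3000062\n"
SAM_LDIF = f"""# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
objectSid: {SID}
memberOf: CN=Roaming Profiles and Folder Redirection Users,OU=MyDomOU,DC=mydo
 m,DC=mydc,DC=com
uidNumber: 3001108
"""
GOOD = r"MYDOM\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash"
BAD = r"MYDOM\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash"
```

On a live DC the same comparison can be fed from `ldbsearch` output against sam.ldb and idmap.ldb plus the real `getent passwd` line; the base64 (`::`) LDIF form is not handled here.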


