[Samba] suddenly change: idmap uid + gid

Andrew Bartlett abartlet at samba.org
Sun Nov 3 20:46:54 UTC 2019

On Sun, 2019-11-03 at 08:39 +0000, Rowland penny via samba wrote:
> On 02/11/2019 23:18, Hilberg via samba wrote:
> > Hi
> > 
> > The server suddenly changed the uid + gid. This happened two times, 
> > yesterday and the week after. The default group at example
> > The samba is an AD member where we have many users (>20 000) and we
> > use autorid in that way
> > [global]
> >   security = ads
> >   workgroup = CUSTOMER
> >   realm = CUSTOMER.COM
> >   winbind use default domain = yes
> >   winbind enum users = yes
> >   winbind enum group = yes
> >   idmap config * : backend = autorid
> >   idmap config * : range = 1000000-8999999999
> > 
> > OS debian 10
> > DC Microsoft
> > 
> > At the moment I have two questions:
> > Why this happened and is there a way to stop the disaster?
> > Is there a quick way to repair the disaster? It infects the profile 
> > directory used with acl.
> > 
> > thank you
> > 
> Please do not post things like this to the samba-technical list.
> As I said, you cannot use 'winbind use default domain = yes' with 
> 'autorid', it makes all users and groups members of the same domain, 
> this is probably what has happened here.

G'Day Rowland, 

Are you really sure that is the case?  

The "winbind use default domain" code, which I authored, certainly
isn't intended to do that.  It changes the formatting at the nss
interface to strip the domain\ prefix, allowing local logins with pam
etc to avoid typing the domain. 

Specifically, in source3/winbindd/winbindd_util.c:assume_domain(), it
changes the domain member to act more like an old-style DC.

The impact of this is deliberately on fill_domain_username_talloc() and
parse_domain_user().  (There are a few other references, essentially to
mirror this in smbd). 

> Remove the line, this should stop it happening again
> If you have only one domain, then you shouldn't be using autorid, you 
> should be using rid instead, unfortunately it is probably too late now.

We do need to work out why the RID base here isn't stable.  

The most likely reason is that the TDB it is stored in is being deleted
for some reason, or less likely that it is somehow corrupt.

The file is autorid.tdb in "state dir".

Why shouldn't autorid be available on one domain?

> As to how you fix your permissions, I fear this will have to be done 
> manually, you will have to identify which folder or file belongs to 
> which user/group.

If we take the theory that the RID base is becoming randomised, then as
long as the old RID base can be determined by inspection of the
filesystem, then it might be possible to fix a RID base for idmap_rid. 

Looking at the code it would be "idmap config CUSTOMER : base_rid =
$BASE_RID" or so. 

The default range size is 100,000 so these should be contiguous RIDs.

> Samba does not create Unix IDs on Unix domain members, it either uses 
> rfc2307 attributes stored in AD (if using the winbind 'ad' backend) or 
> it calculates the ID from the AD object's SID
> Rowland


This all sounds pretty stressful.  I'm not sure if you saw Rowland's
reply as he moved the CC to the samba@ list but you might be
subscribed there.

I wish you all the best fixing this back up.  Do consider reaching out
for commercial support if this gets overwhelming, but I think I've
plotted a practical way forward.

Once it is settled down, and if this is just a profile server where
each directory is per-user then I would look into resetting the file
ownerships from the unix side and then ACLs from the windows side just
to be sure.  There may be gremlins if new files were created while the
wrong idmappings are in effect.

Finally, do try to work out how the autorid.tdb was damaged.  We
certainly don't want this happening ever again!

All the best,

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
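
The recovery idea in the message above (determine the old base from the filesystem, then pin it for idmap_rid), as an added example that is not part of the original message or of Samba. It relies on idmap_rid's documented formula ID = RID - BASE_RID + LOW_RANGE_ID; the function names and the sample paths, uids and RIDs are constructed, and it assumes each owner's RID is known from the directory and lies below the range size.

```python
from collections import Counter

RANGE_SIZE = 100_000  # default range size quoted in the message above

# Constructed sample data: (path, uid still stored on disk, RID of the owning user)
OBSERVED = [
    ("/profiles/alice", 1301105, 1105),
    ("/profiles/bob",   1301342, 1342),
    ("/profiles/carol", 1523001, 23001),   # written while the wrong mapping was live
    ("/profiles/dave",  1320117, 20117),
]

def recover_offset(observations):
    """Return (offset, outlier_paths) where offset is the dominant uid - RID."""
    if not observations:
        raise ValueError("no observations")
    counts = Counter(uid - rid for _, uid, rid in observations)
    offset, _ = counts.most_common(1)[0]
    outliers = [path for path, uid, rid in observations if uid - rid != offset]
    return offset, outliers

def rid_backend_params(offset, range_low, range_size=RANGE_SIZE):
    """Solve ID = RID - BASE_RID + LOW_RANGE_ID for BASE_RID."""
    base_rid = range_low - offset
    if base_rid < 0:
        raise ValueError("range_low must not be below the recovered offset")
    return base_rid, range_low, range_low + range_size - 1

def render_config(domain, base_rid, low, high):
    """smb.conf lines pinning the domain to idmap_rid with a fixed base."""
    return [
        f"idmap config {domain} : backend = rid",
        f"idmap config {domain} : range = {low}-{high}",
        f"idmap config {domain} : base_rid = {base_rid}",
    ]

if __name__ == "__main__":
    offset, outliers = recover_offset(OBSERVED)
    print("\n".join(render_config("CUSTOMER", *rid_backend_params(offset, offset))))
    print("needs manual review:", outliers)
```

Paths reported as outliers do not share the dominant offset, which is what files created under the wrong mapping would look like; those are the ones to re-own by hand.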
