[Samba] Different "Domain Users" GIDs created by rid backend

Leszek Szczepanowski twinsen at mspanc.net
Wed Dec 14 12:14:52 UTC 2022 

And actually the fix:

on first node I did "net cache flush" and it helped :)

Now:

[root at fs01 symptoms]# id "XXX\lszczepa"
uid=25360(XXX\lszczepa) gid=10513(XXX\domain users) groups=10513(XXX\domain
users)

So for testing and playing around with clustered Samba, it's good to flush
Winbind cache sometimes :)


Leszek

śr., 14 gru 2022 o 13:07 Leszek Szczepanowski <twinsen at mspanc.net>
napisał(a):

> Hi,
>
> Some more info:
>
> [root at fs01 symptoms]# onnode all 'id "XXX\lszczepa"'
>
> >> NODE: 10.254.94.11 <<
> uid=25360(XXX\lszczepa) gid=100513(XXX\domain users)
> groups=100513(XXX\domain users),25360(XXX\lszczepa) [...]
>
> >> NODE: 10.254.94.12 <<
> uid=25360(XXX\lszczepa) gid=10513(XXX\domain users)
> groups=10513(XXX\domain users),25360(XXX\lszczepa) [...]
>
> >> NODE: 10.254.94.13 <<
> uid=25360(XXX\lszczepa) gid=10513(XXX\domain users)
> groups=10513(XXX\domain users),25360(XXX\lszczepa) [...]
>
> >> NODE: 10.254.94.14 <<
> uid=25360(XXX\lszczepa) gid=10513(XXX\domain users)
> groups=10513(XXX\domain users),25360(XXX\lszczepa) [...]
>
> >> NODE: 10.254.94.15 <<
> uid=25360(XXX\lszczepa) gid=10513(XXX\domain users)
> groups=10513(XXX\domain users),25360(XXX\lszczepa) [...]
>
> >> NODE: 10.254.94.16 <<
> uid=25360(XXX\lszczepa) gid=10513(XXX\domain users)
> groups=10513(XXX\domain users),25360(XXX\lszczepa) [...]
>
> But why just on one node, there is different mapping, if there is the same
> smb.conf for all nodes?
>
> [global]
>        clustering = yes
>        ctdb:registry.tdb = yes
>        include = registry
>
> And the registry 'net conf list' I provided in my previous post.
>
> śr., 14 gru 2022 o 12:49 Leszek Szczepanowski <twinsen at mspanc.net>
> napisał(a):
>
>> Hi,
>>
>> I was investigating why one user cannot write to the share.
>> I recognized by using temporary 777 rights on that share, that despite it
>> coming as exactly the same group as mine that is "Domain Users", the files
>> are created with different GID.
>>
>> drwxrwxrwx+  2 25360 100513 4096 Dec 14 11:27 FFFF
>> drwxrwxrwx+  2 47740  10513 4096 Dec 14 12:22 TEst123
>>
>> First one is mine
>> second one is his
>>
>> [root at fs01 MK]# wbinfo -U 10513
>> S-1-5-21-725345543-1060284298-1708537768-513
>> [root at fs01 MK]# wbinfo -U 100513
>> S-1-5-21-725345543-1060284298-1708537768-513
>> [root at fs01 MK]# wbinfo -Y "S-1-5-21-725345543-1060284298-1708537768-513"
>> 100513
>> [root at fs01 MK]# wbinfo
>> --lookup-sids="S-1-5-21-725345543-1060284298-1708537768-513"
>> S-1-5-21-725345543-1060284298-1708537768-513 -> <none>\Domain Users 2
>> [root at fs01 MK]# wbinfo -n "XXX\domain users"
>> S-1-5-21-725345543-1060284298-1708537768-513 SID_DOM_GROUP (2)
>> [root at fs01 MK]# wbinfo -n "domain users"
>> S-1-5-21-725345543-1060284298-1708537768-513 SID_DOM_GROUP (2)
>> [root at fs01 MK]# wbinfo -g "Domain Users 2"
>> [full output of all AD groups]
>> wbinfo -g "Domain Users gfdsgfdsfdsfdsfdsa"
>> [same output of all AD groups"
>>
>>  Here smb.conf:
>>
>> [global]
>>         logging = syslog
>>         clustering = yes
>>         security = ads
>>         realm = XXX.REDKNEE.COM
>>         map acl inherit = yes
>>         workgroup = XXX
>>         kerberos method = secrets and keytab
>>         idmap config * : backend = tdb
>>         ctdb:registry.tdb = yes
>>         netbios name = FS
>>         idmap config XXX: backend = rid
>>         idmap config * : range = 1000-7999
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>         winbind refresh tickets = yes
>>         dedicated keytab file = /etc/krb5.keytab
>>         log level = 3
>>         password server = 172.16.32.5
>>         idmap config XXX: range = 10000-199999
>>
>> [symptoms]
>>         read only = no
>>         inherit acls = yes
>>         guest ok = no
>>         browseable = yes
>>         path = /mnt/glusterfs/symptoms/
>>         create mask = 0777
>>         force create mode = 0777
>>         directory mask = 0777
>>         force directory mode = 0777
>>
>> Please note that 777 is temporary, for debugging purposes :)
>>
>> Please advice why is that?
>> --
>> Leszek A. Szczepanowski
>> twinsen at mspanc.net
>>
>
>
> --
> --
> Leszek A. Szczepanowski
> twinsen at mspanc.net
>


-- 
-- 
Leszek A. Szczepanowski
twinsen at mspanc.net

More information about the samba mailing list