[Samba] Corruption of winbind cache after converting NT4 to AD domain
Rowland Penny
rpenny at samba.org
Fri Feb 11 22:05:48 UTC 2022
On Sat, 2022-02-12 at 00:34 +0300, Michael Tokarev via samba wrote:
> Hi!
>
> We've been using NT4 domain with samba for many years (more than a decade
> for sure), quite successfully. And instead of fighting with it every time,
> we finally decided to convert it to AD. And with that, we faced numerous
> quite bad issues, so that our network isn't working right for over a week
> already. Here's one of the issues (more to follow).
>
> I created a new machine for the DC, parallel to the fileserver which was
> everything at once. Copied all configuration and data to it, and did
> classicupgrade there. Which worked fine after several attempts (we had to
> fix some issues, that's ok).
>
> The main fileserver - I stopped it, moved everything out, leaving just the
> share definitions in conffile, and joined it to the domain (net ads join
> member). Which also went fine, and after configuring nsswitch and other
> stuff, it started working.
>
> And immediately we faced a problem with roaming profiles - at first windows
> did everything but after a few logins/logouts it refused to synchronize the
> profile, telling that its owner is wrong - "Unix user mjt" instead of
> "DOMAIN\mjt".
>
> After long and painful debugging (since there's very little info about how
> it all works, which components does what and how it all should be done) it
> all boiled down to winbind cache corruption/pollution. Somewhat similar to
> this one:
>
> https://lists.samba.org/archive/samba-technical/2019-February/132730.html
>
> except that in our case it is different.
>
> After net cache flush I look up every uid we have with wblookup --uid-info.
> Everything's fine, every uid is looked up fine. But after some random time,
> wbinfo --uid-info starts to return DOMAIN_NOT_FOUND errors for one or two,
> some more time and the amount of "not found" entries grows and grows.
>
>
>
>
> These are just selected parts of the picture, the whole winbind trace file
> is here:
> http://www.corpit.ru/mjt/tmp/winbind.trc
>
> Obviously, from now on, uid 1068 does not work anymore. Over time, more and
> more uids stop working, until the next `net cache flush'.
>
>
> Now, the most "interesting" part, besides the obvious wrong behaviour
> somewhere.
>
> For a long time, we had unix users with their own regular home directories,
> shell access and lots of work in linux. As far as I can see, in order to
> use AD domain, we should convert linux users to AD, so that a user is
> EITHER in linux OR in AD, but not both. I found nothing conclusive about
> this,
The old way was to have a Unix user and a Samba user; this mapped
Windows users to Unix users. Now, with AD, you only have one user and
that user is stored in AD. Winbind maps the AD user to a Unix ID and
hence makes the user a Unix user. This all means that if you have a
user called 'fred' in AD and /etc/passwd, you should remove the local
Unix user from /etc/passwd.
> it is just my gut feeling, - there's no direct requirement like this in
> the docs
This was explained in the Samba wiki, but someone has just removed it.
> I found so far. But I see that people do it like this, not mixing uids and
> usernames. It is just my gut feeling, maybe I'm wrong...
It is not so much that you are mixing uids and usernames, you seem to
be possibly mixing users.
>
> So there are two parts of the question:
>
> First, how should such a setup be done? We're really used to linux auth and
> linux work, it's somewhat unnatural to rely on the AD when dealing with
> local linux accounts. But at the same time, these accounts should have
> access from windows to their files. And most important, _why_ should this
> setup be done?
You should only have users in AD and 'getent passwd username' should
produce output, something like this:
rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
I can assure you that 'rowland' isn't in /etc/passwd
>
> And second, what to do with this cache corruption, how to prevent it?
Set up your system correctly.
> Is it possible to perform AD auth by samba AND linux auth when logging in
> to the linux machine? Adding --no-cache to winbind command line helped, but
> this obviously is not a good solution...
No, it is a BAD solution.
>
> System info:
>
> samba 4.13.13+dfsg-1~deb11u2 on debian bullseye, current.
>
> smb.conf:
> [global]
> server string = %h samba server %v
> netbios name = TSRV
> netbios aliases = LINUX FS
I do not recommend using 'netbios aliases'; use a dns 'CNAME' instead.
> realm = TLS.MSK.RU
> workgroup = TLS
> server role = member server
> security = ADS
>
> idmap config TLS : backend = ad
> idmap config TLS : range = 1000-3000
> idmap config TLS : schema_mode = rfc2307
> idmap config TLS : unix_primary_group = yes
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config * : range = 5000-7000
>
> ...share definitions...
>
> Thank you for the time! It turned out to be quite a bit longer than I
> expected...
No problem, I await your further questions :-)
Rowland
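Two checks a member-server admin would want after reading this exchange, written as an added example (not code from the thread or from Samba): which accounts exist both in /etc/passwd and in AD, and which local uids sit inside the range winbind hands out to AD users. It runs offline on constructed sample files built from the thread's own smb.conf values; on a real server you would feed it /etc/passwd, smb.conf and the output of `wbinfo -u` instead (assumed usage).

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed
# to mirror the setup Michael describes.

# Print the idmap range for domain $2 from smb.conf $1 as "low high".
idmap_range() {
    sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p" "$1"
}

# Print local usernames (passwd file $1) that also appear in the AD user
# list $2: one name per line, optional DOMAIN\ prefix, matched case-insensitively.
find_duplicate_users() {
    awk -F: 'NR == FNR { n = $1; sub(/.*\\/, "", n); ad[tolower(n)] = 1; next }
             tolower($1) in ad { print $1 }' "$2" "$1"
}

# Print "user:uid" for local accounts whose uid falls within [$2, $3].
local_uids_in_idmap_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }' "$1"
}

# Constructed sample input (ranges taken from the thread's smb.conf).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/smb.conf" <<'EOF'
[global]
   idmap config TLS : backend = ad
   idmap config TLS : range = 1000-3000
   idmap config * : backend = tdb
   idmap config * : range = 5000-7000
EOF
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mjt:x:1068:1068:Michael:/home/mjt:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
deploy:x:4000:4000:deploy:/home/deploy:/bin/bash
EOF
printf '%s\n' 'TLS\mjt' 'TLS\rowland' 'TLS\Deploy' > "$WORK/adusers"

set -- $(idmap_range "$WORK/smb.conf" TLS)
echo "Users in both /etc/passwd and AD (remove the local copy):"
find_duplicate_users "$WORK/passwd" "$WORK/adusers"
echo "Local uids inside the AD idmap range $1-$2 (collision risk):"
local_uids_in_idmap_range "$WORK/passwd" "$1" "$2"
```

With the sample data it reports mjt and deploy as defined on both sides, and mjt:1068 as a local uid inside the 1000-3000 range that winbind assigns to TLS users.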