[Samba] Corruption of winbind cache after converting NT4 to AD domain

Rowland Penny rpenny at samba.org
Fri Feb 11 22:05:48 UTC 2022


On Sat, 2022-02-12 at 00:34 +0300, Michael Tokarev via samba wrote:
> Hi!
> 
> We've been using an NT4 domain with samba for many years (more than a
> decade for sure), quite successfully.  And instead of fighting with it
> every time, we finally decided to convert it to AD.  And with that, we
> faced numerous quite bad issues, so that our network isn't working
> right for over a week already.  Here's one of the issues (more to
> follow).
> 
> I created a new machine for the DC, parallel to the fileserver which
> was everything at once.  Copied all configuration and data to it, and
> did classicupgrade there.  Which worked fine after several attempts (we
> had to fix some issues, that's ok).
> 
> The main fileserver - I stopped it, moved everything out, leaving just
> the share definitions in the conffile, and joined it to the domain (net
> ads join member).  Which also went fine, and after configuring nsswitch
> and other stuff, it started working.
> 
> And immediately we faced a problem with roaming profiles - at first
> windows did everything, but after a few logins/logouts it refused to
> synchronize the profile, telling that its owner is wrong - "Unix user
> mjt" instead of "DOMAIN\mjt".
> 
> After long and painful debugging (since there's very little info about
> how it all works, which component does what and how it all should be
> done) it all boiled down to winbind cache corruption/pollution.
> Somewhat similar to this one:
> 
> https://lists.samba.org/archive/samba-technical/2019-February/132730.html
> 
> except that in our case it is different.
> 
> After net cache flush I look up every uid we have with wbinfo --uid-info.
> Everything's fine, every uid is looked up fine.  But after some random
> time, wbinfo --uid-info starts to return DOMAIN_NOT_FOUND errors for one
> or two, some more time and the amount of "not found" entries grows and
> grows.
> 
> These are just selected parts of the picture; the whole winbind trace
> file is here:
> http://www.corpit.ru/mjt/tmp/winbind.trc
> 
> Obviously, from now on, uid 1068 does not work anymore.  Over time,
> more and more uids stop working, until the next `net cache flush'.
> 
> 
> Now, the most "interesting" part, besides the obvious wrong behaviour
> somewhere.
> 
> For a long time, we had unix users with their own regular home
> directories, shell access and lots of work in linux.  As far as I can
> see, in order to use an AD domain, we should convert linux users to AD,
> so that a user is EITHER in linux OR in AD, but not both.  I found
> nothing conclusive about this,

The old way was to have a Unix user and a Samba user; this mapped
Windows users to Unix users. Now, with AD, you only have one user and
that user is stored in AD. Winbind maps the AD user to a Unix ID and
hence makes the user a Unix user. This all means that if you have a
user called 'fred' in AD and /etc/passwd, you should remove the local
Unix user from /etc/passwd.
  
> it is just my gut feeling, - there's no direct requirement like this in
> the docs

This was explained in the Samba wiki, but someone has just removed it.

> I found so far.  But I see that people do it like this, not mixing
> uids and usernames.  It is just my gut feeling maybe I'm wrong..

It is not so much that you are mixing uids and usernames, you seem to
be possibly mixing users.
 
> 
> So there are two parts of the question:
> 
> First, how should such a setup be done? We're really used to linux auth
> and linux work; it's somewhat unnatural to rely on the AD when dealing
> with local linux accounts.  But at the same time, these accounts should
> have access from windows to their files.  And most important, _why_
> should this setup be done?

You should only have users in AD, and 'getent passwd username' should
produce output, something like this:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I can assure you that 'rowland' isn't in /etc/passwd
 
> 
> And second, what to do with this cache corruption, how to prevent it?

Set up your system correctly.

> Is it possible to perform AD auth by samba AND linux auth when logging
> in to the linux machine?  Adding --no-cache to the winbind command line
> helped, but this obviously is not a good solution...

No, it is a BAD solution.

> 
> System info:
> 
> samba 4.13.13+dfsg-1~deb11u2 on debian bullseye, current.
> 
> smb.conf:
> [global]
>    server string = %h samba server %v
>    netbios name = TSRV
>    netbios aliases = LINUX FS

I do not recommend using 'netbios aliases'; use a dns 'CNAME' instead.

>    realm = TLS.MSK.RU
>    workgroup = TLS
>    server role = member server
>    security = ADS
> 
>    idmap config TLS : backend = ad
>    idmap config TLS : range = 1000-3000
>    idmap config TLS : schema_mode = rfc2307
>    idmap config TLS : unix_primary_group = yes
>    template homedir = /home/%U
>    idmap config * : backend = tdb
>    idmap config * : range = 5000-7000
> 
> ...share definitions...
> 
> Thank you for the time! It turned out to be quite a bit longer than I
> expected...

No problem, I await your further questions :-)

Rowland
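As an added example (not from the thread or from Samba), a small POSIX sh check for the two things Rowland's advice implies on a member server: a username held both in /etc/passwd and in AD, and a local uid that falls inside the domain's idmap range (1000-3000 in the quoted smb.conf). The passwd lines below are constructed; whether a local uid inside the range actually matters depends on the idmap backend, so treat hits as items to review.

```shell
#!/bin/sh
# Added example: flag local accounts that break the "a user lives in AD,
# not in /etc/passwd as well" rule from the reply above.

# Constructed sample of local accounts, in /etc/passwd format.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
mjt:x:1068:1068:Michael:/home/mjt:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Constructed sample of what winbind answers for the AD users
# (on a real member server: "getent passwd NAME" for each NAME from "wbinfo -u").
AD_PASSWD='mjt:*:1068:1001:Michael:/home/mjt:/bin/bash
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'

# idmap range for the domain, taken from the smb.conf quoted in the thread.
AD_RANGE_LO=1000
AD_RANGE_HI=3000

# Usernames present in both sets (each set is assumed to list a name once).
dup_users() {
  printf '%s\n%s\n' "$1" "$2" | cut -d: -f1 | sort | uniq -d
}

# Local accounts whose uid falls inside the domain idmap range [lo, hi].
local_uids_in_range() {
  printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" \
    '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 }'
}

# Prints findings; returns 0 when nothing needs review, 1 otherwise.
check_accounts() {
  dups=$(dup_users "$1" "$2")
  inrange=$(local_uids_in_range "$1" "$3" "$4")
  [ -n "$dups" ] && printf 'in both /etc/passwd and AD: %s\n' "$dups"
  [ -n "$inrange" ] && printf 'local uid inside idmap range %s-%s: %s\n' \
    "$3" "$4" "$inrange"
  [ -z "$dups" ] && [ -z "$inrange" ]
}

check_accounts "$LOCAL_PASSWD" "$AD_PASSWD" "$AD_RANGE_LO" "$AD_RANGE_HI" \
  || echo 'remove or renumber the local accounts listed above'
```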
