[Samba] inconsistent ID mapping with rid backend and ctdb

Jochen Korge || PCSM GmbH Jochen.Korge at pcsm.de
Thu Feb 24 19:28:52 UTC 2022


We noticed some permission issues (some users were unable to change or write files and folders; read permissions seemed to work as expected).

After some investigation we encountered "flapping" UID/GID mappings between the configured RID and TDB ranges.
E.g. the group "domain-users" flaps between 3008 and 1000513, and an admin user account flaps between 3097 and 1001103.
After startup it seems to take IDs in the higher (RID) range, and after some hours it swaps to the lower (TDB) range.
The really strange part is that the different GIDs were shown at the same time on the three servers.
When I restart only one machine, it shows IDs in the 1m range, while the other 2 stay at 3k.
Within a machine, getent and wbinfo stay consistent; between machines (even though ctdb status shows a healthy cluster) the results are sometimes inconsistent.

The only strange behavior (apart from the changing IDs) I found:
wbinfo -s SomeSID

wbinfo --lookup-sids SomeSID
SomeSID -> <none>\username

What might have caused that havoc:
I changed (after the problems emerged)
        idmap config OUR.DOMAIN.FQDN
        idmap config OURDOMAIN

Our setup consists of 3 machines running Samba 4.13.13 (Debian Bullseye) with CTDB as member servers and the vfs_ceph backend. Clients are 100% Windows (from XP to 11) and all users are from the domain.
On the AD side there is one Windows 2019 DC holding all FSMO roles behind a firewall, and 2 Samba AD DCs serving the clients and the CTDB cluster.

Relevant testparm output (consistent between machines):
        clustering = Yes
        kerberos method = secrets and keytab
        netbios aliases = OURNASHA OURNAS01 OURNAS02 OURNAS03
        netbios name = OURNASHA
        realm = OUR.DOMAIN.FQDN
        registry shares = Yes
        security = ADS
        server min protocol = NT1
        server role = member server
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind expand groups = 4
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = OURDOMAIN
        smbd: backgroundqueue = no
        idmap config OURDOMAIN : range = 1000000-1999999
        idmap config OURDOMAIN : backend = rid
        idmap config * : range = 3000-7999
        ctdb:registry.tdb = yes
        idmap config * : backend = tdb
        admin users = @domänen-admins @sudo
        hide unreadable = Yes

        kernel share modes = No
        map acl inherit = Yes
        path = /share1/
        read only = No
        vfs objects = acl_xattr ceph_snapshots ceph
        acl_xattr:ignore system acls = yes
        ceph: user_id = samba.gw
        ceph: config_file = /etc/ceph/ceph.conf

Help is really appreciated.

Cheers, Jochen

Mit freundlichen Grüßen / best regards,
Jochen Korge
Mobil +49 711 28695277

Crailsheimerstrasse 15, 70435, Stuttgart
Tel.  +49 711 230 44 96
Fax  +49 711 230 44 97
Geschäftsführer: Thomas Martin | Sitz der Gesellschaft: Stuttgart
Amtsgericht Stuttgart HRB-Nr.: 733394 / USt.-Idnr.: DE815181359
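
The check below is an added example and not part of Jochen's post or of Samba itself. It uses the two ranges from the testparm output above (rid backend 1000000-1999999 for OURDOMAIN, tdb backend 3000-7999 for `*`) and the fact that idmap_rid maps deterministically as "low end of the domain range + RID", so 1000513 is Domain Users (RID 513) and 1001103 is RID 1103, whereas any value in 3000-7999 for a domain SID can only have been allocated by the `*` tdb backend. The per-node values in `SAMPLE` are constructed to mirror the post (one node in the 1m range, two nodes at 3k); on a real cluster they would be collected with `getent group <name>` or `wbinfo --sid-to-gid <SID>` on every node.

```shell
#!/bin/sh
# Added example, not from the original post: classify the uid/gid each CTDB
# node reports for one SID against the configured idmap ranges and flag nodes
# whose value is not the rid backend's deterministic mapping.

RID_LOW=1000000; RID_HIGH=1999999   # idmap config OURDOMAIN : range
TDB_LOW=3000;    TDB_HIGH=7999      # idmap config * : range

# classify_id ID: print "rid", "tdb" or "other" depending on which configured
# range the numeric id falls into.
classify_id() {
    if [ "$1" -ge "$RID_LOW" ] && [ "$1" -le "$RID_HIGH" ]; then
        echo rid
    elif [ "$1" -ge "$TDB_LOW" ] && [ "$1" -le "$TDB_HIGH" ]; then
        echo tdb
    else
        echo other
    fi
}

# expected_rid_id RID: the id the rid backend assigns, which is the low end of
# the domain range plus the RID (e.g. 513 = Domain Users, 512 = Domain Admins).
expected_rid_id() {
    echo $((RID_LOW + $1))
}

# check_nodes OBSERVATIONS RID: OBSERVATIONS holds "node id" lines. Prints one
# verdict per node and returns 1 if any node disagrees with the rid mapping,
# i.e. its id was allocated by the "*" tdb backend (or something else) instead.
check_nodes() {
    want=$(expected_rid_id "$2")
    status=0
    # read from a here-document rather than a pipe so $status survives the loop
    while read -r node id; do
        [ -n "$node" ] || continue
        kind=$(classify_id "$id")
        if [ "$id" -eq "$want" ]; then
            printf '%-8s %-8s %-5s OK\n' "$node" "$id" "$kind"
        else
            printf '%-8s %-8s %-5s MISMATCH: rid backend would give %s\n' "$node" "$id" "$kind" "$want"
            status=1
        fi
    done <<EOF
$1
EOF
    return $status
}

# Constructed observations for the group "domain-users" (RID 513), one line
# per cluster node (node names are placeholders).
SAMPLE="nas01 1000513
nas02 3008
nas03 3008"

check_nodes "$SAMPLE" 513 || echo "=> at least one node is not using the rid mapping"
```

Running it on the constructed sample reports nas01 as OK and nas02/nas03 as MISMATCH with kind `tdb`, which is exactly the split the post describes after restarting one machine; a node that shows a tdb-range value for a domain SID is resolving that SID through the `*` backend rather than the OURDOMAIN rid backend, so that node is where the idmap configuration or the domain name it sees needs to be compared against the others.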
