[Samba] inconsistent ID mapping with rid backend and ctdb

Rowland Penny rpenny at samba.org
Thu Feb 24 19:58:14 UTC 2022


On Thu, 2022-02-24 at 19:28 +0000, Jochen Korge || PCSM GmbH via samba
wrote:
> Hi,
> 
> we noticed some permission issues (some users were unable to change
> or write files and folders; read permissions seemed to work as
> expected).
> 
> After some investigation we encountered "flapping" UID/GID mappings
> between the configured RID and TDB ranges.
> E.g. the group "domain-users" flaps between 3008 and 1000513, an
> Admin-User Account flaps between 3097 and 1001103.
> After startup it seems to take ids in the higher (rid) range and
> after some hours it swaps to the lower (tdb) range.
> The really strange part is that different GIDs were shown at the
> same time on the three servers.
> When I restart only one machine, it shows IDs in the 1m range, while
> the other 2 stay at 3k.
> Within a machine, getent and wbinfo stay consistent, between machines
> (even ctdb status shows healthy cluster) the results are sometimes
> inconsistent.
> 
> Only strange behavior (apart from changing IDs) I found:
> wbinfo -s SomeSID
> OURDOMAIN\username
> 
> wbinfo -lookup-sids SomeSID
> SomeSID -> <none>\username
> 
> What might have caused that havoc:
> I changed (after the problems emerged)
>         idmap config OUR.DOMAIN.FQDN

That was incorrect

> to
>         idmap config OURDOMAIN

That is correct

> 
> Setup-Information:
> Our Setup consists of 3 Machines running Samba 4.13.13 (Debian
> Bullseye) with CTDB as Member Servers and vfs_ceph backend. Clients
> are 100% Windows (from XP to 11) and users are all from the Domain.
> AD-side is one Windows 2019 DC holding all FSMO roles behind a
> Firewall, 2 Samba-ADDCs serving the clients and CTDB-cluster.

How have you joined a Samba DC to a 2019 domain?

> 
> Relevant testparm output (consistent between machines):
> [global]
>         clustering = Yes
>         kerberos method = secrets and keytab
>         netbios aliases = OURNASHA OURNAS01 OURNAS02 OURNAS03
>         netbios name = OURNASHA
>         realm = OUR.DOMAIN.FQDN
>         registry shares = Yes
>         security = ADS
>         server min protocol = NT1

Why use SMBv1? Does something rely on it?

>         server role = member server
>         winbind enum groups = Yes
>         winbind enum users = Yes

You can remove the 'enum' lines, you do not need them.

>         winbind expand groups = 4
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = OURDOMAIN
>         smbd: backgroundqueue = no
>         idmap config OURDOMAIN : range = 1000000-1999999
>         idmap config OURDOMAIN : backend = rid

You should get constant numbers now and that should include Domain
Users, which should get '1000513'

>         idmap config * : range = 3000-7999
>         ctdb:registry.tdb = yes
>         idmap config * : backend = tdb
>         admin users = @domänen-admins @sudo
>         hide unreadable = Yes
> 
> [share]
>         kernel share modes = No
>         map acl inherit = Yes
>         path = /share1/
>         read only = No
>         vfs objects = acl_xattr ceph_snapshots ceph
>         acl_xattr:ignore system acls = yes
>         ceph: user_id = samba.gw
>         ceph: config_file = /etc/ceph/ceph.conf

Rowland
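As an added example (not code from the original thread or from the Samba project): a small Python check of the two idmap points Rowland makes above. The per-domain "idmap config" block must be keyed by the workgroup name, not the realm, otherwise SIDs from the domain fall through to the "*" tdb allocator; and with the rid backend an ID is low_range + RID, so Domain Users (RID 513) lands at 1000513 with the posted range, while anything still reported in 3000-7999 came from the tdb range. The smb.conf fragments are constructed to mirror the shape of the posted testparm output, and the function names are my own.

```python
"""Sanity-check winbind idmap configuration (added example, not from the thread).

The two smb.conf fragments below are constructed to mirror the posted
testparm output: one keyed by the realm (the mistake in the post), one keyed
by the workgroup (the correction Rowland confirms).
"""
import re

BROKEN_CONF = """
[global]
        workgroup = OURDOMAIN
        realm = OUR.DOMAIN.FQDN
        idmap config OUR.DOMAIN.FQDN : range = 1000000-1999999
        idmap config OUR.DOMAIN.FQDN : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
"""

FIXED_CONF = """
[global]
        workgroup = OURDOMAIN
        realm = OUR.DOMAIN.FQDN
        idmap config OURDOMAIN : range = 1000000-1999999
        idmap config OURDOMAIN : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)


def parse_idmap(conf):
    """Return (workgroup, {domain_name: {'backend': ..., 'range': (lo, hi)}})."""
    workgroup = None
    domains = {}
    for line in conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        name, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(name, {})
        if key == "range":
            lo, hi = (int(x) for x in value.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = value.lower()
    return workgroup, domains


def check_idmap(conf):
    """List idmap problems; an empty list means the config is consistent."""
    workgroup, domains = parse_idmap(conf)
    problems = []
    if workgroup is None:
        problems.append("no workgroup set")
    elif workgroup not in domains:
        # Section keyed by the realm instead of the workgroup: the domain's
        # SIDs are then allocated from the '*' (tdb) range, first come first served.
        problems.append(f"no 'idmap config {workgroup}' block; domain IDs "
                        "will be allocated from the '*' range")
    if "*" not in domains:
        problems.append("no 'idmap config *' default block")
    ranges = [(n, d["range"]) for n, d in domains.items() if "range" in d]
    for i, (n1, (lo1, hi1)) in enumerate(ranges):
        for n2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {n1} and {n2} overlap")
    return problems


def rid_to_id(conf, rid, domain=None):
    """The rid backend maps ID = low_range + RID (base_rid left at its default 0)."""
    workgroup, domains = parse_idmap(conf)
    name = (domain or workgroup).upper()
    entry = domains[name]
    if entry.get("backend") != "rid":
        raise ValueError(f"{name} does not use the rid backend")
    lo, hi = entry["range"]
    xid = lo + rid
    if xid > hi:
        raise ValueError(f"RID {rid} falls outside range {lo}-{hi}")
    return xid


def classify_id(conf, xid):
    """Name the idmap block whose range contains xid (which allocator produced it)."""
    _, domains = parse_idmap(conf)
    for name, entry in domains.items():
        lo, hi = entry.get("range", (None, None))
        if lo is not None and lo <= xid <= hi:
            return name
    return None


if __name__ == "__main__":
    print("broken:", check_idmap(BROKEN_CONF))
    print("fixed: ", check_idmap(FIXED_CONF))
    print("Domain Users ->", rid_to_id(FIXED_CONF, 513))
    for xid in (3008, 1000513):
        print(xid, "allocated by", classify_id(FIXED_CONF, xid))
```

Run it against your own testparm -s output to confirm the domain block name matches "workgroup" and that the ranges do not overlap; the 3008 / 1000513 split from the post is exactly what classify_id reports as "*" versus "OURDOMAIN".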